# image-scanning

## Purpose

The image-scanning repository maintains lists of CVEs for multiple releases of Rancher and other ECM products, and produces GitHub issues corresponding to those CVEs.

## Release scanning

The automation supports scanning multiple releases of Rancher, the Charts, Harvester etc. For example, `release/v2.9` for the development branch and `v2.9.0` for the stable branch of Rancher. The name of the branch corresponds to the Git branch name.

### Adding and removing releases

New Rancher releases can be added to the scanning script in [`generate-images.sh`]. To scan a new development branch, add, for example, `v2.10`; to scan a released version, add the appropriate version number, for example, `v2.10.0`. To remove a version from the scan, just remove the corresponding version from the script mentioned above.

The scanning of Harvester and Longhorn versions follows specific scripts, [`generate-images-harvester.sh`] and [`generate-images-longhorn.sh`], respectively, which pull from each related repo the versions that must be scanned. Those files are controlled by the maintainers of each project.

## How it works

The following [workflow] is deployed as a GitHub Action (GHA) and runs as a daily cron job:

1. Generate Rancher images in [`generate-images.sh`] for target releases by cloning the Rancher and Charts repos and running the [image export] Go script (from Rancher).
1. Generate Harvester and Longhorn images in [`generate-images-harvester.sh`] and [`generate-images-longhorn.sh`], respectively.
1. Sort and deduplicate the images to be scanned in [`images-sources.txt`].
1. Add the right release versions to track where the images are used and where they come from.
1. Download Trivy.
1. Scan each image using Trivy.
1. Save results to [`cves.csv`].
1. For each image with a CVE that belongs to a `head` or development branch, check if it has an issue in [rancherlabs/image-scanning#issues].
1. If it has, check if its contents must be updated and update them if needed.
1. If it hasn't, create a new one.
1. Ensure issues have the correct labels regarding releases and assigned/owning teams.
1. Generate [specific reports and stats] per release and CVE.
1. Generate the CVE data that is sent to the [SUSE CVE database page] for the tier 1 images. Consult the [FAQ] for more information.
1. Update the [CVE dashboard].

The scan takes between 60 and 90 minutes to finish. It might take longer if many issues have to be created or updated.

## Triggering a scan

Execution of the scanning workflow can be [manually triggered] in GHA. It requires `write` access to this repo. If you cannot trigger it, please ask the Security team in [#discuss-rancher-security].

## image-scanning dashboard

Access the [CVE dashboard] for detailed stats about the CVEs, per-release numbers, per-team numbers etc.

## Difference to `rancherlabs/image-scanning`

[rancherlabs/image-scanning] is only used for tracking the issues generated by this automation. The issues there, and the comments associated with them, are internal and intended only for engineers working on the issues and for the Support team when reviewing CVEs sent by customers.

## Process workflow for customers' inquiries

[ADR-007] contains a detailed process workflow for Engineering teams and Support working on customers' inquiries regarding CVEs in our images. It presents how issues should be received from customers, triaged and communicated back, and the expected responsibilities per team.

## Further documentation

Please check the links below for specific documentation about the entire image-scanning process and the tools around it. It is recommended to read them in the order in which they are presented.

- [ADR-007] - the image-scanning ADR.
- [How to fix a CVE].
- [VEX] - what VEX is and how the VEX reports are generated.
- [FAQ] (frequently asked questions).
- Knowledge transfer on 2024-08-21 about VEX - [recording][kt-recording].
- Support focused knowledge transfer on 2024-09-04 about VEX - [recording][kt-2-recording].
- Support focused knowledge transfer on 2024-10-16 about the newly published VEX Hub repo - [recording][kt-3-recording].

[`generate-images.sh`]: scripts/generate-images.sh
[`generate-images-harvester.sh`]: scripts/generate-images-harvester.sh
[`generate-images-longhorn.sh`]: scripts/generate-images-longhorn.sh
[workflow]: .github/workflows/scan.yml
[image export]: https://github.com/rancher/rancher/blob/main/pkg/image/export/main.go
[`images-sources.txt`]: images-sources.txt
[`cves.csv`]: docs/_data/cves.csv
[rancherlabs/image-scanning#issues]: https://github.com/rancherlabs/image-scanning/issues
[specific reports and stats]: reports/
[SUSE CVE database page]: reports/suse-cve-db/
[CVE dashboard]: https://github.com/rancherlabs/image-scanning/issues/2062
[manually triggered]: https://github.com/rancher/image-scanning/actions/workflows/scan.yml
[#discuss-rancher-security]: https://suse.slack.com/archives/C02CP7ZLBDM
[rancherlabs/image-scanning]: https://github.com/rancherlabs/image-scanning
[ADR-007]: https://github.com/rancher/security-team/blob/main/docs/adrs/007-image-scanning-workflow.md
[How to check if a CVE has been fixed]: docs/faq.md#how-to-check-if-a-cve-has-been-fixed
[VEX]: docs/vex.md
[How to fix a CVE]: docs/how-to-fix-cve.md
[FAQ]: docs/faq.md
[kt-recording]: https://drive.google.com/file/d/1oMjvd9Aq66VsH0MZ5IRm6o1Nop-0nAG3/view
[kt-2-recording]: https://drive.google.com/file/d/1vK5fVy0OcLaM3vPuWwr8EwaKHQkCjhyP/view
[kt-3-recording]: https://drive.google.com/file/d/1VZlkd6UwGCFQS2f7RwmLEcdGKUVl75uA/view
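## Example: image deduplication and Trivy result flattening

The Python below is an added illustration of steps 3, 4, 7 and 8 of the "How it works" list; it is example code, not the project's own scripts. The image lists, the Trivy report, the CVE ids, the row column layout and the `release/*` rule for deciding which CVEs need an issue are all constructed assumptions.

```python
import json
from collections import defaultdict

# Constructed sample of the per-release image lists the generate-images scripts would
# emit; image names and tags are made up for this example.
RELEASE_IMAGES = {
    "release/v2.9": ["rancher/rancher:head", "rancher/fleet:v0.10.0"],
    "v2.9.0": ["rancher/rancher:v2.9.0", "rancher/fleet:v0.10.0"],
}

# Constructed sample of a Trivy report (`trivy image --format json`). Field names follow
# Trivy's JSON schema; the CVE ids and package versions are placeholders.
TRIVY_REPORT = json.dumps({
    "ArtifactName": "rancher/fleet:v0.10.0",
    "Results": [{
        "Target": "rancher/fleet:v0.10.0 (alpine 3.19.1)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-00001", "PkgName": "libcrypto3",
             "InstalledVersion": "3.1.4-r5", "FixedVersion": "3.1.4-r6", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-00002", "PkgName": "busybox",
             "InstalledVersion": "1.36.1-r15", "Severity": "MEDIUM"},  # no fix available yet
        ],
    }],
})

def dedupe_images(release_images):
    """Steps 3-4: sort and deduplicate images, recording which releases use each one."""
    uses = defaultdict(set)
    for release, images in release_images.items():
        for image in images:
            uses[image].add(release)
    return {image: sorted(rels) for image, rels in sorted(uses.items())}

def trivy_to_rows(report_json, image_releases):
    """Step 7: flatten a Trivy report into (image, releases, cve, pkg, installed, fixed, severity) rows."""
    report = json.loads(report_json)
    image = report["ArtifactName"]
    releases = ";".join(image_releases.get(image, []))
    rows = []
    for result in report.get("Results", []):
        # Trivy omits or nulls "Vulnerabilities" for a clean target, so guard against None.
        for v in result.get("Vulnerabilities") or []:
            rows.append((image, releases, v["VulnerabilityID"], v["PkgName"],
                         v["InstalledVersion"], v.get("FixedVersion", ""), v["Severity"]))
    return rows

def needs_issue(row):
    """Step 8 (assumed rule): only CVEs seen in a development `release/*` branch get an issue."""
    return any(r.startswith("release/") for r in row[1].split(";"))
```

The row layout here is deliberately simpler than the project's `cves.csv`; the point is the release provenance carried from deduplication into the scan results, which is what lets the issue step decide per branch.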