A journey towards comprehensive vulnerability assessment
Bitnami images and the CVE Security Feed for Bitnami Components
Bitnami-packaged container images have a long-standing reputation for being secure, hardened, and ready to use. They are built following best practices, put through extensive automated tests and verifications so that they run on their target platforms with the expected behavior and performance, and delivered as ready-to-use packages. They are also kept up to date with the latest official upstream application versions, which on numerous occasions has allowed Bitnami to ship updates including security fixes before the corresponding CVEs were announced or picked up by scanners. In addition, the images are continuously scanned to detect security vulnerabilities in the sources and components used by each application. The results of all these tests and validations are available for the enterprise version of these packages through the VMware Tanzu Application Catalog UI.
Open Source Software (OSS) scanners have consistently identified most of the CVEs that impact our images. Nevertheless, because Bitnami components are built and packaged in a custom way (they are compiled from source and installed under their own prefix rather than through the base distribution's package manager), scanners that only consult the OS package database have struggled to detect vulnerabilities in them.
To help vulnerability scanners detect vulnerabilities in our components, we have launched the Bitnami Vulnerability Database, a public CVE security feed available on GitHub with extensive information about the vulnerabilities affecting Bitnami components.
Behind the scenes of Bitnami Vulnerability Database
In July 2023, Bitnami published its first CVE security feed — Bitnami Vulnerability Database — which is available on its public GitHub repository.
To get this vulnerability database set up, our team analyzed how some popular scanners work and identified gaps in them, researched how to make those scanners locate Bitnami Software Bills of Materials (SBOMs), explored the available vulnerability sources, and took inspiration from other public CVE security feeds on GitHub such as the Golang Vulnerability Database. With that information collected, we created a cron job that consumes data from the National Vulnerability Database (NVD). It extracts the CVE data needed to analyze Bitnami's packaged applications, tools, and libraries, which lets us report the vulnerabilities affecting each Bitnami component and update the entries periodically.
The Bitnami Vulnerability Database follows the Open Source Vulnerability (OSV) schema, a standard format for distributing vulnerability information about open source software, to produce the JSON files that make up the security feed. Using this schema also makes it possible to include the Bitnami Vulnerability Database in the aggregated vulnerability database available at the Open Source Vulnerability Database (OSV). We see this as a significant accomplishment that benefits our users: the schema has been developed in collaboration with open source communities and has been adopted by several important advisory databases. It also means that any security scanner that supports the OSV schema can consume the Bitnami CVE security feed.
The result of all this work is the Bitnami CVE security feed on GitHub, which anyone can browse to find information about vulnerabilities in Bitnami components.
Integration of Bitnami Vulnerability database with Trivy
Trivy v0.42.0 added support for analyzing the SPDX files shipped inside Bitnami images, so since that release Trivy has been able to detect Bitnami SBOMs. However, until now Trivy could not report vulnerabilities affecting the Bitnami components described in those SBOMs, because no Bitnami CVE security feed was available.
After the Bitnami Vulnerability Database was published, the Bitnami team collaborated with the Trivy maintainers to include this security feed in Trivy's scanning capabilities. The enhancement was added as an experimental feature in version v0.45.0 and highlighted in the Trivy release notes:
Bitnami container images have a long-standing reputation for trustworthiness and security, consistently adhering to industry best security practices. We take pride in this integration, as it enhances users' awareness of Bitnami components, which have been specifically designed to contribute to a more secure software supply chain.
Trivy is the first security scanner to consume the Bitnami Vulnerability Database, but the journey doesn't end here: we will continue working to get other popular security scanners to consume it. Meanwhile, users who do not rely on Trivy as their primary vulnerability scanner can still use the feed, since it is publicly available and works with any scanner that supports the OSV schema, and a few scanners already have the ability to detect Bitnami SBOMs.
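The two pieces this post describes, an SBOM inside the image that names each Bitnami component and an OSV-schema feed that lists affected version ranges, are what a scanner joins to produce a finding. The following Python example, added here and not code from Bitnami or Trivy, shows that join on constructed data: it pulls `pkg:bitnami/...` packages out of a minimal SPDX document shaped like the `.spdx-<component>.spdx` files Bitnami places under `/opt/bitnami/<component>/` (the file path, package names, versions and purls are assumptions for the example), then evaluates OSV `ranges` of type `SEMVER` and explicit `versions` lists against each package. The advisory id `BIT-example-0000-0000` is a placeholder, not a real entry, and the version comparison is a simplification of SEMVER ordering that only looks at the numeric prefix of each dotted component.

```python
import re
from typing import Dict, List, Tuple

# Constructed SPDX 2.3 document in the shape Bitnami ships inside its images
# (assumed path: /opt/bitnami/<component>/.spdx-<component>.spdx). Every name,
# version and purl below is made up for this example.
SAMPLE_SPDX_SBOM = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-server",
    "packages": [
        {
            "SPDXID": "SPDXRef-example-server",
            "name": "example-server",
            "versionInfo": "2.4.54",
            "externalRefs": [{
                "referenceCategory": "PACKAGE-MANAGER",
                "referenceType": "purl",
                "referenceLocator": "pkg:bitnami/example-server@2.4.54?arch=amd64&distro=debian-11",
            }],
        },
        {
            "SPDXID": "SPDXRef-example-lib",
            "name": "example-lib",
            "versionInfo": "1.2.0",
            "externalRefs": [{
                "referenceCategory": "PACKAGE-MANAGER",
                "referenceType": "purl",
                "referenceLocator": "pkg:bitnami/example-lib@1.2.0?arch=amd64&distro=debian-11",
            }],
        },
    ],
}

# Constructed OSV-schema advisory. The id is a hypothetical placeholder; the
# "affected" layout (ecosystem "Bitnami", SEMVER ranges with introduced/fixed
# events) is the part of the schema the matcher below relies on.
SAMPLE_ADVISORIES = [{
    "schema_version": "1.5.0",
    "id": "BIT-example-0000-0000",  # hypothetical identifier, not a real entry
    "summary": "Constructed example advisory for the matcher below",
    "affected": [{
        "package": {"ecosystem": "Bitnami", "name": "example-server"},
        "ranges": [
            {"type": "SEMVER", "events": [{"introduced": "2.4.0"}, {"fixed": "2.4.57"}]},
            {"type": "SEMVER", "events": [{"introduced": "2.5.0"}, {"fixed": "2.5.3"}]},
        ],
    }],
}]

# Only the name and version of a Bitnami purl matter here; qualifiers after "?"
# (arch, distro) are ignored.
PURL_RE = re.compile(r"^pkg:bitnami/(?P<name>[^@?]+)@(?P<version>[^?]+)")


def bitnami_packages(spdx_doc: Dict) -> List[Tuple[str, str]]:
    """Return (name, version) for every SPDX package carrying a pkg:bitnami purl."""
    found = []
    for pkg in spdx_doc.get("packages", []):
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") != "purl":
                continue
            m = PURL_RE.match(ref.get("referenceLocator", ""))
            if m:
                found.append((m["name"], m["version"]))
    return found


def parse_version(version: str) -> Tuple[int, ...]:
    """Simplified version key: numeric prefix of each dotted component, so
    "2.4.57-debian-11-r1" -> (2, 4, 57) and the OSV sentinel "0" -> (0,)."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def version_in_range(version: str, events: List[Dict[str, str]]) -> bool:
    """Walk OSV range events in version order: a version is affected if the last
    event at or below it is an "introduced" with no later "fixed"/"last_affected"."""
    v = parse_version(version)
    bounds = sorted(((parse_version(val), kind) for ev in events for kind, val in ev.items()),
                    key=lambda b: b[0])
    affected = False
    for bound, kind in bounds:
        if kind == "introduced" and bound <= v:
            affected = True
        elif kind == "fixed" and bound <= v:
            affected = False
        elif kind == "last_affected" and bound < v:
            affected = False
    return affected


def matching_advisories(advisories: List[Dict], ecosystem: str, name: str, version: str) -> List[str]:
    """Ids of advisories whose "affected" entries cover (ecosystem, name, version)."""
    hits = []
    for adv in advisories:
        for aff in adv.get("affected", []):
            pkg = aff.get("package", {})
            if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
                continue
            explicit = version in aff.get("versions", [])
            ranged = any(r.get("type") == "SEMVER" and version_in_range(version, r.get("events", []))
                         for r in aff.get("ranges", []))
            if explicit or ranged:
                hits.append(adv["id"])
                break
    return hits


def scan_sbom(spdx_doc: Dict, advisories: List[Dict]) -> Dict[str, List[str]]:
    """Map each Bitnami package found in the SBOM to the advisory ids affecting it."""
    return {f"{name}@{ver}": matching_advisories(advisories, "Bitnami", name, ver)
            for name, ver in bitnami_packages(spdx_doc)}


if __name__ == "__main__":
    for pkg, ids in scan_sbom(SAMPLE_SPDX_SBOM, SAMPLE_ADVISORIES).items():
        print(pkg, "->", ids or "no matching advisories")
```

The design point worth noting is that the ecosystem check is what keeps a Bitnami-built component from being matched against, say, a Debian advisory for a package of the same name: the feed exists precisely because the Bitnami build of a component has its own version stream, and a scanner that ignores the `ecosystem` field would produce both false positives and false negatives.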
Support and Resources
For problems with the Bitnami community packages, including deployment support, operational support, and bug fixes, please open an issue in the Bitnami Helm charts or containers GitHub repository. If you want to contribute to the catalog, feel free to send us a pull request; the team will review it and guide you through the process to a successful merge.
If you are interested in learning more about the enterprise version of Bitnami packages — VMware Tanzu Application Catalog — check out the product webpage, Tech Zone page, application library, and additional resources. If you would like to get in touch, contact us.