Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: add --severity-src flag #8269

Draft
wants to merge 14 commits into
base: main
Choose a base branch
from
Draft

feat: add --severity-src flag #8269

wants to merge 14 commits into from

Conversation

DmitriyLewen
Copy link
Contributor

@DmitriyLewen DmitriyLewen commented Jan 21, 2025
edited
Loading

Description

Add --severity-src flag to set db sources order for vulnerability severity.

If severities didn't found in this list - use UNKNOWN severity + show Warning about that.

Examples:

  "VendorSeverity": {
    "azure": 2,
    "cbl-mariner": 2,
    "nvd": 2,
    "redhat": 2,
    "ubuntu": 1
  },

auto (default) mode:

➜ ./trivy -q --severity-src auto image ubuntu -f json  | jq '.Results[].Vulnerabilities[] | select(.VulnerabilityID=="CVE-2016-2781") | "SeveritySource: \(.SeveritySource); Severity \(.Severity)"'
"SeveritySource: ubuntu; Severity LOW"

severity from another source (nvd):

➜  ./trivy -q --severity-src alpine,nvd image ubuntu -f json  | jq '.Results[].Vulnerabilities[] | select(.VulnerabilityID=="CVE-2016-2781") | "SeveritySource: \(.SeveritySource); Severity \(.Severity)"'
"SeveritySource: nvd; Severity MEDIUM"

severity didn't found:

➜ ./trivy --severity-src alpine,alma image ubuntu -f json  | jq '.Results[].Vulnerabilities[] | select(.VulnerabilityID=="CVE-2016-2781") | "SeveritySource: \(.SeveritySource); Severity \(.Severity)"'
...
2025-01-22T15:38:25+06:00       WARN    No severity found in specified sources  vulnID="CVE-2016-2781" severity sources="alpine,alma"
2025-01-22T15:38:25+06:00       WARN    No severity found in specified sources  vulnID="CVE-2022-3219" severity sources="alpine,alma"
2025-01-22T15:38:25+06:00       WARN    No severity found in specified sources  vulnID="CVE-2016-20013" severity sources="alpine,alma"
2025-01-22T15:38:25+06:00       WARN    No severity found in specified sources  vulnID="CVE-2016-20013" severity sources="alpine,alma"
2025-01-22T15:38:25+06:00       WARN    No severity found in specified sources  vulnID="CVE-2024-41996" severity sources="alpine,alma"
2025-01-22T15:38:25+06:00       WARN    No severity found in specified sources  vulnID="CVE-2024-56433" severity sources="alpine,alma"
2025-01-22T15:38:25+06:00       WARN    No severity found in specified sources  vulnID="CVE-2024-56433" severity sources="alpine,alma"
"SeveritySource: null; Severity UNKNOWN"

Related issues

Related PRs

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@DmitriyLewen DmitriyLewen self-assigned this Jan 21, 2025
DmitriyLewen
DmitriyLewen commented Jan 22, 2025
View reviewed changes
pkg/vulnerability/vulnerability.go
}
}
if len(severitySrc) != 1 || severitySrc[0] != "auto" {
log.Warn("No severity found in specified sources",
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I know these logs may be noise, but warnings should be rare occurrences and we should draw the user's attention to each vulnerability.

But we can also show the warning once and use debug logs for each vulnerability:

2025-01-22T15:47:14+06:00       WARN    For one or more vulnerabilities, the severity level is not found in the specified sources
2025-01-22T15:47:14+06:00       DEBUG   No severity found in specified sources  vulnID="CVE-2016-2781" severity sources="alpine,alma"
2025-01-22T15:47:14+06:00       DEBUG   No severity found in specified sources  vulnID="CVE-2022-3219" severity sources="alpine,alma"
2025-01-22T15:47:14+06:00       DEBUG   No severity found in specified sources  vulnID="CVE-2016-20013" severity sources="alpine,alma"
2025-01-22T15:47:14+06:00       DEBUG   No severity found in specified sources  vulnID="CVE-2016-20013" severity sources="alpine,alma"
2025-01-22T15:47:14+06:00       DEBUG   No severity found in specified sources  vulnID="CVE-2024-41996" severity sources="alpine,alma"
2025-01-22T15:47:14+06:00       DEBUG   No severity found in specified sources  vulnID="CVE-2024-56433" severity sources="alpine,alma"
2025-01-22T15:47:14+06:00       DEBUG   No severity found in specified sources  vulnID="CVE-2024-56433" severity sources="alpine,alma"

DmitriyLewen
DmitriyLewen commented Jan 22, 2025
View reviewed changes
docs/docs/references/configuration/cli/trivy_image.md
@@ -105,6 +105,7 @@ trivy image [flags] IMAGE_NAME
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
--server string server address in client mode
-s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
--severity-src strings order of data sources for selecting vulnerability severity level (nvd,redhat,redhat-oval,debian,ubuntu,alpine,amazon,oracle-oval,suse-cvrf,photon,arch-linux,alma,rocky,cbl-mariner,azure,ruby-advisory-db,php-security-advisories,nodejs-security-wg,ghsa,glad,aqua,osv,k8s,wolfi,chainguard,bitnami,govulndb,auto) (default [auto])
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This line is very long, but I wanted to immediately stop Trivy for the incorrect sourceID.

@DmitriyLewen
Copy link
Contributor Author

@knqyf263 I think this PR is ready for review.
Take a look when you have time.

If you don't have comments about trivy-db changes - we can merge aquasecurity/trivy-db#485.
After merging aquasecurity/trivy-db#485 - I will change the status of this PR to ready for review

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@knqyf263 knqyf263 Awaiting requested review from knqyf263 knqyf263 will be requested when the pull request is marked ready for review knqyf263 is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

@DmitriyLewen DmitriyLewen

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

feat: add --severity-src flag to customize vulnerability severity selection
1 participant
@DmitriyLewen