Skip to content

Commit

Permalink
feat(vuln): show suppressed vulnerabilities in table (#6084)
Browse files Browse the repository at this point in the history
Signed-off-by: knqyf263 <[email protected]>
Co-authored-by: DmitriyLewen <[email protected]>
  • Loading branch information
knqyf263 and DmitriyLewen authored Feb 13, 2024
1 parent c107e1a commit 3c1601b
Show file tree
Hide file tree
Showing 59 changed files with 1,572 additions and 1,275 deletions.
313 changes: 142 additions & 171 deletions docs/docs/configuration/filtering.md

Large diffs are not rendered by default.

1 change: 1 addition & 0 deletions docs/docs/references/configuration/cli/trivy_convert.md
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,7 @@ trivy convert [flags] RESULT_JSON
--output-plugin-arg string [EXPERIMENTAL] output plugin arguments
--report string specify a report format for the output (all,summary) (default "all")
-s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
--show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities
-t, --template string output template
```

Expand Down
1 change: 1 addition & 0 deletions docs/docs/references/configuration/cli/trivy_filesystem.md
Original file line number Diff line number Diff line change
Expand Up @@ -75,6 +75,7 @@ trivy filesystem [flags] PATH
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
--server string server address in client mode
-s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
--show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities
--skip-db-update skip updating vulnerability database
--skip-dirs strings specify the directories or glob patterns to skip
--skip-files strings specify the files or glob patterns to skip
Expand Down
1 change: 1 addition & 0 deletions docs/docs/references/configuration/cli/trivy_image.md
Original file line number Diff line number Diff line change
Expand Up @@ -95,6 +95,7 @@ trivy image [flags] IMAGE_NAME
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
--server string server address in client mode
-s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
--show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities
--skip-db-update skip updating vulnerability database
--skip-dirs strings specify the directories or glob patterns to skip
--skip-files strings specify the files or glob patterns to skip
Expand Down
1 change: 1 addition & 0 deletions docs/docs/references/configuration/cli/trivy_kubernetes.md
Original file line number Diff line number Diff line change
Expand Up @@ -87,6 +87,7 @@ trivy kubernetes [flags] { cluster | all | specific resources like kubectl. eg:
--scanners strings comma-separated list of what security issues to detect (vuln,misconfig,secret,rbac) (default [vuln,misconfig,secret,rbac])
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
-s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
--show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities
--skip-db-update skip updating vulnerability database
--skip-dirs strings specify the directories or glob patterns to skip
--skip-files strings specify the files or glob patterns to skip
Expand Down
1 change: 1 addition & 0 deletions docs/docs/references/configuration/cli/trivy_repository.md
Original file line number Diff line number Diff line change
Expand Up @@ -74,6 +74,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
--server string server address in client mode
-s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
--show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities
--skip-db-update skip updating vulnerability database
--skip-dirs strings specify the directories or glob patterns to skip
--skip-files strings specify the files or glob patterns to skip
Expand Down
1 change: 1 addition & 0 deletions docs/docs/references/configuration/cli/trivy_rootfs.md
Original file line number Diff line number Diff line change
Expand Up @@ -76,6 +76,7 @@ trivy rootfs [flags] ROOTDIR
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
--server string server address in client mode
-s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
--show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities
--skip-db-update skip updating vulnerability database
--skip-dirs strings specify the directories or glob patterns to skip
--skip-files strings specify the files or glob patterns to skip
Expand Down
1 change: 1 addition & 0 deletions docs/docs/references/configuration/cli/trivy_sbom.md
Original file line number Diff line number Diff line change
Expand Up @@ -52,6 +52,7 @@ trivy sbom [flags] SBOM_PATH
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--server string server address in client mode
-s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
--show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities
--skip-db-update skip updating vulnerability database
--skip-dirs strings specify the directories or glob patterns to skip
--skip-files strings specify the files or glob patterns to skip
Expand Down
1 change: 1 addition & 0 deletions docs/docs/references/configuration/cli/trivy_vm.md
Original file line number Diff line number Diff line change
Expand Up @@ -67,6 +67,7 @@ trivy vm [flags] VM_IMAGE
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
--server string server address in client mode
-s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
--show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities
--skip-db-update skip updating vulnerability database
--skip-dirs strings specify the directories or glob patterns to skip
--skip-files strings specify the files or glob patterns to skip
Expand Down
38 changes: 34 additions & 4 deletions docs/docs/scanner/misconfiguration/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -316,15 +316,17 @@ This section describes misconfiguration-specific configuration.
Other common options are documented [here](../../configuration/index.md).

### Enabling a subset of misconfiguration scanners
It's possible to only enable certain misconfiguration scanners if you prefer. You can do so by passing the `--misconfig-scanners` option.
It's possible to only enable certain misconfiguration scanners if you prefer.
You can do so by passing the `--misconfig-scanners` option.
This flag takes a comma-separated list of configuration scanner types.

```bash
trivy config --misconfig-scanners=terraform,dockerfile .
```

Will only scan for misconfigurations that pertain to Terraform and Dockerfiles.

### Pass custom policies
### Passing custom policies
You can pass policy files or directories including your custom policies through `--policy` option.
This can be repeated for specifying multiple files or directories.

Expand All @@ -338,7 +340,7 @@ For more details, see [Custom Policies](./custom/index.md).
!!! tip
You also need to specify `--namespaces` option.

### Pass custom data
### Passing custom data
You can pass directories including your custom data through `--data` option.
This can be repeated for specifying multiple directories.

Expand All @@ -349,7 +351,7 @@ trivy conf --policy ./policy --data ./data --namespaces user ./configs

For more details, see [Custom Data](./custom/data.md).

### Pass namespaces
### Passing namespaces
By default, Trivy evaluates policies defined in `builtin.*`.
If you want to evaluate custom policies in other packages, you have to specify package prefixes through `--namespaces` option.
This can be repeated for specifying multiple packages.
Expand All @@ -358,4 +360,32 @@ This can be repeated for specifying multiple packages.
trivy conf --policy ./policy --namespaces main --namespaces user ./configs
```

### Skipping resources by inline comments
Some configuration file formats (e.g. Terraform) support inline comments.

In cases where trivy can detect comments of a specific format immediately adjacent to resource definitions, it is possible to filter/ignore findings from a single point of resource definition (in contrast to `.trivyignore`, which has a directory-wide scope on all of the files scanned).

The format for these comments is `trivy:ignore:<Vulnerability ID>` immediately following the format-specific line-comment token.
You can add multiple ignores on the same comment line.

For example, to filter a misconfiguration ID "AVD-GCP-0051" in a Terraform HCL file:

```terraform
#trivy:ignore:AVD-GCP-0051
resource "google_container_cluster" "one_off_test" {
name = var.cluster_name
location = var.region
}
```

For example, to filter misconfigurations "AVD-GCP-0051" and "AVD-GCP-0053" in a Terraform HCL file:

```terraform
#trivy:ignore:AVD-GCP-0051 trivy:ignore:AVD-GCP-0053
resource "google_container_cluster" "one_off_test" {
name = var.cluster_name
location = var.region
}
```

[custom]: custom/index.md
70 changes: 70 additions & 0 deletions docs/docs/scanner/vulnerability.md
Original file line number Diff line number Diff line change
Expand Up @@ -152,6 +152,76 @@ The default is `ghcr.io/aquasecurity/trivy-java-db`.
If authentication is required, you need to run `docker login YOUR_REGISTRY`.
Currently, specifying a username and password is not supported.

## Configuration
This section describes vulnerability-specific configuration.
Other common options are documented [here](../configuration/index.md).

### Enabling a subset of package types
It's possible to only enable certain package types if you prefer.
You can do so by passing the `--vuln-type` option.
This flag takes a comma-separated list of package types.

Available values:

- os
- Scan OS packages managed by the OS package manager (e.g. `dpkg`, `yum`, `apk`).
- library
- Scan language-specific packages (e.g. packages installed by `pip`, `npm`, or `gem`).

```bash
$ trivy image --vuln-type os ruby:2.4.0
```


<details>
<summary>Result</summary>

```bash
2019-05-22T19:36:50.530+0200 INFO Updating vulnerability database...
2019-05-22T19:36:51.681+0200 INFO Detecting Alpine vulnerabilities...
2019-05-22T19:36:51.685+0200 INFO Updating npm Security DB...
2019-05-22T19:36:52.389+0200 INFO Detecting npm vulnerabilities...
2019-05-22T19:36:52.390+0200 INFO Updating pipenv Security DB...
2019-05-22T19:36:53.406+0200 INFO Detecting pipenv vulnerabilities...

ruby:2.4.0 (debian 8.7)
=======================
Total: 7 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 3, CRITICAL: 2)

+---------+------------------+----------+-------------------+---------------+----------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+---------+------------------+----------+-------------------+---------------+----------------------------------+
| curl | CVE-2018-14618 | CRITICAL | 7.61.0-r0 | 7.61.1-r0 | curl: NTLM password overflow |
| | | | | | via integer overflow |
+ +------------------+----------+ +---------------+----------------------------------+
| | CVE-2018-16839 | HIGH | | 7.61.1-r1 | curl: Integer overflow leading |
| | | | | | to heap-based buffer overflow in |
| | | | | | Curl_sasl_create_plain_message() |
+---------+------------------+----------+-------------------+---------------+----------------------------------+
| git | CVE-2018-17456 | HIGH | 2.15.2-r0 | 2.15.3-r0 | git: arbitrary code execution |
| | | | | | via .gitmodules |
+ +------------------+ + + +----------------------------------+
| | CVE-2018-19486 | | | | git: Improper handling of |
| | | | | | PATH allows for commands to be |
| | | | | | executed from... |
+---------+------------------+----------+-------------------+---------------+----------------------------------+
| libssh2 | CVE-2019-3855 | CRITICAL | 1.8.0-r2 | 1.8.1-r0 | libssh2: Integer overflow in |
| | | | | | transport read resulting in |
| | | | | | out of bounds write... |
+---------+------------------+----------+-------------------+---------------+----------------------------------+
| sqlite | CVE-2018-20346 | MEDIUM | 3.21.0-r1 | 3.25.3-r0 | CVE-2018-20505 CVE-2018-20506 |
| | | | | | sqlite: Multiple flaws in |
| | | | | | sqlite which can be triggered |
| | | | | | via... |
+---------+------------------+----------+-------------------+---------------+----------------------------------+
| tar | CVE-2018-20482 | LOW | 1.29-r1 | 1.31-r0 | tar: Infinite read loop in |
| | | | | | sparse_dump_region function in |
| | | | | | sparse.c |
+---------+------------------+----------+-------------------+---------------+----------------------------------+
```
</details>
[^1]: https://github.com/GoogleContainerTools/distroless
[nvd-CVE-2023-0464]: https://nvd.nist.gov/vuln/detail/CVE-2023-0464
Expand Down
6 changes: 5 additions & 1 deletion mkdocs.yml
Original file line number Diff line number Diff line change
Expand Up @@ -203,7 +203,11 @@ theme:

markdown_extensions:
- pymdownx.highlight
- pymdownx.superfences
- pymdownx.superfences:
custom_fences:
- name: mermaid
class: mermaid
format: !!python/name:pymdownx.superfences.fence_code_format
- admonition
- footnotes
- attr_list
Expand Down
6 changes: 3 additions & 3 deletions pkg/cloud/report/convert.go
Original file line number Diff line number Diff line change
Expand Up @@ -61,12 +61,12 @@ func ConvertResults(results scan.Results, provider string, scoped []string) map[
primaryURL = fmt.Sprintf("https://avd.aquasec.com/misconfig/%s", strings.ToLower(result.Rule().AVDID))
}

status := types.StatusFailure
status := types.MisconfStatusFailure
switch result.Status() {
case scan.StatusPassed:
status = types.StatusPassed
status = types.MisconfStatusPassed
case scan.StatusIgnored:
status = types.StatusException
status = types.MisconfStatusException
}

flat := result.Flatten()
Expand Down
2 changes: 2 additions & 0 deletions pkg/commands/app.go
Original file line number Diff line number Diff line change
Expand Up @@ -643,6 +643,7 @@ func NewConfigCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
reportFlagGroup.DependencyTree = nil // disable '--dependency-tree'
reportFlagGroup.ListAllPkgs = nil // disable '--list-all-pkgs'
reportFlagGroup.ExitOnEOL = nil // disable '--exit-on-eol'
reportFlagGroup.ShowSuppressed = nil // disable '--show-suppressed'
reportFormat := flag.ReportFormatFlag.Clone()
reportFormat.Usage = "specify a compliance report format for the output" // @TODO: support --report summary for non compliance reports
reportFlagGroup.ReportFormat = reportFormat
Expand Down Expand Up @@ -988,6 +989,7 @@ func NewAWSCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
}
reportFlagGroup.Compliance = &compliance // override usage as the accepted values differ for each subcommand.
reportFlagGroup.ExitOnEOL = nil // disable '--exit-on-eol'
reportFlagGroup.ShowSuppressed = nil // disable '--show-suppressed'

awsFlags := &flag.Flags{
GlobalFlagGroup: globalFlags,
Expand Down
15 changes: 12 additions & 3 deletions pkg/compliance/report/json_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,10 @@ func TestJSONWriter_Write(t *testing.T) {
Results: types.Results{
{
Misconfigurations: []types.DetectedMisconfiguration{
{AVDID: "AVD-KSV012", Status: types.StatusFailure},
{
AVDID: "AVD-KSV012",
Status: types.MisconfStatusFailure,
},
},
},
},
Expand All @@ -38,7 +41,10 @@ func TestJSONWriter_Write(t *testing.T) {
Results: types.Results{
{
Misconfigurations: []types.DetectedMisconfiguration{
{AVDID: "AVD-KSV013", Status: types.StatusFailure},
{
AVDID: "AVD-KSV013",
Status: types.MisconfStatusFailure,
},
},
},
},
Expand Down Expand Up @@ -69,7 +75,10 @@ func TestJSONWriter_Write(t *testing.T) {
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
buf := new(bytes.Buffer)
tr := report.JSONWriter{Report: tt.reportType, Output: buf}
tr := report.JSONWriter{
Report: tt.reportType,
Output: buf,
}
err := tr.Write(tt.input)
require.NoError(t, err)

Expand Down
6 changes: 3 additions & 3 deletions pkg/compliance/report/report_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -57,13 +57,13 @@ func TestBuildComplianceReport(t *testing.T) {
"https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted",
"https://avd.aquasec.com/misconfig/ksv001",
},
Status: types.StatusPassed,
Status: types.MisconfStatusPassed,
},
{
Type: "Kubernetes Security Check",
ID: "KSV002",
AVDID: "AVD-KSV-9999",
Status: types.StatusFailure,
Status: types.MisconfStatusFailure,
},
},
},
Expand Down Expand Up @@ -179,7 +179,7 @@ func TestBuildComplianceReport(t *testing.T) {
"https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted",
"https://avd.aquasec.com/misconfig/ksv001",
},
Status: types.StatusPassed,
Status: types.MisconfStatusPassed,
},
},
},
Expand Down
20 changes: 16 additions & 4 deletions pkg/compliance/report/summary_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,10 @@ func TestBuildSummary(t *testing.T) {
Results: types.Results{
{
Misconfigurations: []types.DetectedMisconfiguration{
{AVDID: "AVD-KSV012", Status: types.StatusFailure},
{
AVDID: "AVD-KSV012",
Status: types.MisconfStatusFailure,
},
},
},
},
Expand All @@ -44,7 +47,10 @@ func TestBuildSummary(t *testing.T) {
Results: types.Results{
{
Misconfigurations: []types.DetectedMisconfiguration{
{AVDID: "AVD-KSV013", Status: types.StatusFailure},
{
AVDID: "AVD-KSV013",
Status: types.MisconfStatusFailure,
},
},
},
},
Expand Down Expand Up @@ -86,7 +92,10 @@ func TestBuildSummary(t *testing.T) {
Results: types.Results{
{
Misconfigurations: []types.DetectedMisconfiguration{
{AVDID: "AVD-KSV012", Status: types.StatusFailure},
{
AVDID: "AVD-KSV012",
Status: types.MisconfStatusFailure,
},
},
},
},
Expand All @@ -98,7 +107,10 @@ func TestBuildSummary(t *testing.T) {
Results: types.Results{
{
Misconfigurations: []types.DetectedMisconfiguration{
{AVDID: "AVD-KSV013", Status: types.StatusFailure},
{
AVDID: "AVD-KSV013",
Status: types.MisconfStatusFailure,
},
},
},
},
Expand Down
6 changes: 2 additions & 4 deletions pkg/compliance/report/table.go
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,6 @@ package report
import (
"context"
"io"
"sync"

"golang.org/x/xerrors"

Expand Down Expand Up @@ -31,9 +30,8 @@ func (tw TableWriter) Write(ctx context.Context, report *ComplianceReport) error
switch tw.Report {
case allReport:
t := pkgReport.Writer{
Output: tw.Output,
Severities: tw.Severities,
ShowMessageOnce: &sync.Once{},
Output: tw.Output,
Severities: tw.Severities,
}
for _, cr := range report.Results {
r := types.Report{Results: cr.Results}
Expand Down
Loading

0 comments on commit 3c1601b

Please sign in to comment.