Comments (4)
👋 hey @knqyf263 - I just came across similar behaviour yesterday when looking at using Trivy to scan some images along with a VEX file.
I'm having a related issue - suppose I had a VEX statement like the following to represent an attestation made about the `bash` package in the `blah` container:
```json
{
  "vulnerability": {
    "name": "CVE-2022-3715"
  },
  "products": [
    {
      "@id": "pkg:oci/blah",
      "subcomponents": [
        {
          "@id": "pkg:deb/ubuntu/[email protected]"
        }
      ]
    }
  ],
  "status": "not_affected",
  "justification": "vulnerable_code_not_in_execute_path"
}
```
In Trivy, this doesn't work to match when scanning the `blah` container with the `--vex` flag - the product ID needs to be `pkg:deb/ubuntu/[email protected]` in order to make it work. But this means that there's no way of representing which container (which in my case is the product itself) is affected.
In Grype, the above statement would correctly match when scanning the `blah` container, and excludes only the result affecting the `bash` deb if the CVE affects multiple packages within the container.
To me, Grype's behaviour is more intuitive. I'd be keen to see Trivy and Grype support a consistent interpretation of VEX documents as well, to avoid having to publish multiple VEX documents, one for each scanner.
I'd be interested to know your thoughts on this, and happy to help contributing to any changes that are required. Should this be a separate issue, or does it fit in with the changes that you are proposing here?
from trivy.
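The matching rule the comment above describes, as an added Go example that is not code from Trivy, Grype or the commenter: a product that names the scanned image, with subcomponents naming packages, suppresses only those packages in that image, while a product naming the package directly also matches. The struct names, the purls and the `VERSION` placeholder are constructed for the example.

```go
package main

// Subset of an OpenVEX statement needed for matching (constructed for this
// example; field names mirror the JSON in the comment above).
type Product struct {
	ID            string   // purl of the product, e.g. the scanned image
	Subcomponents []string // purls of packages inside the product
}

type Statement struct {
	Vulnerability string
	Products      []Product
	Status        string
}

// Finding is one scanner result: a CVE in a package inside a scanned image.
type Finding struct{ CVE, Image, Package string }

// Suppressed reports whether st marks f not_affected under the image-aware
// reading in the comment: the product is the scanned image (or the package
// itself), and listed subcomponents narrow it to those packages. Purls are
// compared verbatim here; real scanners normalise them first.
func Suppressed(f Finding, st Statement) bool {
	if st.Status != "not_affected" || st.Vulnerability != f.CVE {
		return false
	}
	for _, p := range st.Products {
		if p.ID == f.Package && len(p.Subcomponents) == 0 {
			return true // package-level statement (what Trivy required)
		}
		if p.ID != f.Image {
			continue // statement is about a different image
		}
		if len(p.Subcomponents) == 0 {
			return true // whole image declared not affected
		}
		for _, sc := range p.Subcomponents {
			if sc == f.Package {
				return true // this package inside this image
			}
		}
	}
	return false
}
```

Run against the constructed statement from the thread, the `bash` finding in `pkg:oci/blah` is suppressed while another package with the same CVE in the same image, or `bash` in a different image, is still reported.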
Yes, it's in the scope of this issue, but it's broader support than the relationship between container image and packages. We'll correctly build the dependency graph and apply VEX to the graph.
@ferozsalam This task is yet incomplete, but your case is already supported in v0.50.0.
@knqyf263 awesome, thank you!