trivy return different vulns output when scanning regular compare to scanning with sbom cyclonedx #4781

Closed
chen-keinan opened this issue Jul 6, 2023 · 6 comments · Fixed by #4794
Labels: kind/bug (Categorizes issue or PR as related to a bug), scan/sbom (Issues relating to SBOM), scan/vulnerability (Issues relating to vulnerability scanning)

Comments


chen-keinan commented Jul 6, 2023

When using trivy cyclonedx with the scanner vuln flag, compared to regular trivy scanning, the result output of vulnerabilities on regular scanning is different from the one I get with cyclonedx; for example, on regular scanning I get 215 vulns compared to 156 vulns when I scan with cyclonedx.

1st, using the following command:

trivy  image --format cyclonedx --scanners vuln nginx:1.14.2

output: num of vulns is 156

2nd, using the following command:

trivy  image --format json  nginx:1.14.2

output: num of vulns is 216

trivy version:
Version: 0.43.0
Vulnerability DB:
Version: 2
UpdatedAt: 2023-07-06 06:10:31.117953059 +0000 UTC
NextUpdate: 2023-07-06 12:10:31.117952559 +0000 UTC
DownloadedAt: 2023-07-06 06:32:21.27869 +0000 UTC
Java DB:
Version: 1
UpdatedAt: 2023-07-04 01:08:01.820433584 +0000 UTC
NextUpdate: 2023-07-07 01:08:01.820433284 +0000 UTC
DownloadedAt: 2023-07-04 12:10:07.552494 +0000 UTC
Policy Bundle:
Digest: sha256:9db84b217f767f81ec98ca40c94e81562dbd6cf5f10083da236322ed99eecfda
DownloadedAt: 2023-06-28 12:28:08.758582 +0000 UTC

@chen-keinan chen-keinan added kind/bug Categorizes issue or PR as related to a bug. scan/vulnerability Issues relating to vulnerability scanning scan/sbom Issues relating to SBOM labels Jul 6, 2023
chen-keinan (Contributor, Author) commented:

In addition, here is an example of the same vuln found on a Debian package; however, trivy prefers a different severity and datasource on each scan type.
With cyclonedx:

{
    "advisories": [
        {
            "url": "http://blogs.perl.org/users/neilb/2021/11/addressing-cpan-vulnerabilities-related-to-checksums.html"
        },
        {
            "url": "https://access.redhat.com/security/cve/CVE-2020-16156"
        },
        {
            "url": "https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/"
        },
        {
            "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16156"
        },
        {
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SD6RYOJII7HRJ6WVORFNVTYNOFY5JDXN/"
        },
        {
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SZ32AJIV4RHJMLWLU5QULGKMMIHYOMDC/"
        },
        {
            "url": "https://metacpan.org/pod/distribution/CPAN/scripts/cpan"
        },
        {
            "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-16156"
        },
        {
            "url": "https://ubuntu.com/security/notices/USN-5689-1"
        },
        {
            "url": "https://ubuntu.com/security/notices/USN-5689-2"
        },
        {
            "url": "https://www.cve.org/CVERecord?id=CVE-2020-16156"
        }
    ],
    "affects": [
        {
            "ref": "pkg:deb/debian/perl-base@5.24.1-3+deb9u5?arch=amd64&distro=debian-9.8",
            "versions": [
                {
                    "status": "affected",
                    "version": "5.24.1-3+deb9u5"
                }
            ]
        }
    ],
    "cwes": [
        347
    ],
    "description": "CPAN 2.28 allows Signature Verification Bypass.",
    "id": "CVE-2020-16156",
    "published": "2021-12-13T18:15:00+00:00",
    "ratings": [
        {
            "severity": "medium",
            "source": {
                "name": "arch-linux"
            }
        },
        {
            "method": "CVSSv2",
            "score": 6.8,
            "severity": "medium",
            "source": {
                "name": "nvd"
            },
            "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"
        },
        {
            "method": "CVSSv31",
            "score": 7.8,
            "severity": "high",
            "source": {
                "name": "nvd"
            },
            "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
        },
        {
            "method": "CVSSv31",
            "score": 7.8,
            "severity": "medium",
            "source": {
                "name": "redhat"
            },
            "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
        },
        {
            "severity": "medium",
            "source": {
                "name": "ubuntu"
            }
        }
    ],
    "source": {
        "name": "debian",
        "url": "https://salsa.debian.org/security-tracker-team/security-tracker"
    },
    "updated": "2022-04-01T13:26:00+00:00"
}

with regular scanning:

{
          "VulnerabilityID": "CVE-2020-16156",
          "PkgID": "perl-base@5.24.1-3+deb9u5",
          "PkgName": "perl-base",
          "InstalledVersion": "5.24.1-3+deb9u5",
          "Layer": {
            "Digest": "sha256:27833a3ba0a545deda33bb01eaf95a14d05d43bf30bce9267d92d17f069fe897",
            "DiffID": "sha256:5dacd731af1b0386ead06c8b1feff9f65d9e0bdfec032d2cd0bc03690698feda"
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-16156",
          "DataSource": {
            "ID": "debian",
            "Name": "Debian Security Tracker",
            "URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
          },
          "Title": "perl-CPAN: Bypass of verification of signatures in CHECKSUMS files",
          "Description": "CPAN 2.28 allows Signature Verification Bypass.",
          "Severity": "HIGH",
          "CweIDs": [
            "CWE-347"
          ],
          "CVSS": {
            "nvd": {
              "V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
              "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
              "V2Score": 6.8,
              "V3Score": 7.8
            },
            "redhat": {
              "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
              "V3Score": 7.8
            }
          },
          "References": [
            "http://blogs.perl.org/users/neilb/2021/11/addressing-cpan-vulnerabilities-related-to-checksums.html",
            "https://access.redhat.com/security/cve/CVE-2020-16156",
            "https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16156",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SD6RYOJII7HRJ6WVORFNVTYNOFY5JDXN/",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SZ32AJIV4RHJMLWLU5QULGKMMIHYOMDC/",
            "https://metacpan.org/pod/distribution/CPAN/scripts/cpan",
            "https://nvd.nist.gov/vuln/detail/CVE-2020-16156",
            "https://ubuntu.com/security/notices/USN-5689-1",
            "https://ubuntu.com/security/notices/USN-5689-2",
            "https://www.cve.org/CVERecord?id=CVE-2020-16156"
          ],
          "PublishedDate": "2021-12-13T18:15:00Z",
          "LastModifiedDate": "2022-04-01T13:26:00Z"
        }

chen-keinan (Contributor, Author) commented:

I think I see where the diff is:
cyclonedx shows multiple affected versions; however, when a fix version is available it does not show as such, as the recommendation on cyclonedx is a single string:

"affects": [
        {
          "ref": "pkg:deb/debian/gzip@1.6-5+b1?arch=amd64\u0026distro=debian-9.8",
          "versions": [
            {
              "version": "1.6-5+b1",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:deb/debian/liblzma5@5.2.2-1.2+b1?arch=amd64\u0026distro=debian-9.8",
          "versions": [
            {
              "version": "5.2.2-1.2+b1",
              "status": "affected"
            }
          ]
        }
      ]
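
The following script is an added example, not code from the issue or from Trivy itself. It makes the count difference described in this thread concrete: the JSON report emits one record per (vulnerability, package) pair, while CycloneDX emits one vulnerability entry whose "affects" array lists every affected package, so raw counts diverge even when the findings are the same. It normalises both formats to (vuln id, package name, version) triples, reports what is only in one side, and also looks up which severity a given rating source assigns in the BOM so it can be compared with the JSON record's Severity/SeveritySource. All sample documents are constructed inline; the perl-base record is modelled on the one quoted above, and the gzip/liblzma5 entries use a placeholder CVE id because the issue does not give one.

```python
"""Reconcile vulnerability counts between a Trivy JSON report and a Trivy
CycloneDX BOM by normalising both to (vuln id, package, version) triples."""
import json
from urllib.parse import unquote

# Constructed sample in the shape of `trivy image --format json` output.
# CVE-0000-PLACEHOLDER is a made-up id standing in for the aggregated advisory.
TRIVY_JSON = json.loads("""
{
  "Results": [
    {
      "Target": "nginx:1.14.2 (debian 9.8)",
      "Class": "os-pkgs",
      "Type": "debian",
      "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2020-16156", "PkgName": "perl-base",
         "InstalledVersion": "5.24.1-3+deb9u5",
         "Severity": "HIGH", "SeveritySource": "nvd"},
        {"VulnerabilityID": "CVE-0000-PLACEHOLDER", "PkgName": "gzip",
         "InstalledVersion": "1.6-5+b1",
         "Severity": "MEDIUM", "SeveritySource": "debian"},
        {"VulnerabilityID": "CVE-0000-PLACEHOLDER", "PkgName": "liblzma5",
         "InstalledVersion": "5.2.2-1.2+b1",
         "Severity": "MEDIUM", "SeveritySource": "debian"}
      ]
    }
  ]
}
""")

# Constructed sample in the shape of `trivy image --format cyclonedx` output:
# two vulnerability entries, the second covering two packages via "affects".
CYCLONEDX = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "vulnerabilities": [
    {"id": "CVE-2020-16156",
     "ratings": [
       {"severity": "medium", "source": {"name": "arch-linux"}},
       {"method": "CVSSv2", "score": 6.8, "severity": "medium", "source": {"name": "nvd"}},
       {"method": "CVSSv31", "score": 7.8, "severity": "high", "source": {"name": "nvd"}},
       {"method": "CVSSv31", "score": 7.8, "severity": "medium", "source": {"name": "redhat"}}
     ],
     "affects": [
       {"ref": "pkg:deb/debian/perl-base@5.24.1-3+deb9u5?arch=amd64&distro=debian-9.8",
        "versions": [{"version": "5.24.1-3+deb9u5", "status": "affected"}]}
     ]},
    {"id": "CVE-0000-PLACEHOLDER",
     "ratings": [{"severity": "medium", "source": {"name": "debian"}}],
     "affects": [
       {"ref": "pkg:deb/debian/gzip@1.6-5+b1?arch=amd64&distro=debian-9.8",
        "versions": [{"version": "1.6-5+b1", "status": "affected"}]},
       {"ref": "pkg:deb/debian/liblzma5@5.2.2-1.2+b1?arch=amd64&distro=debian-9.8",
        "versions": [{"version": "5.2.2-1.2+b1", "status": "affected"}]}
     ]}
  ]
}
""")


def parse_purl(purl):
    """Return (name, version) from a package URL; qualifiers after '?' are
    dropped and both parts are percent-decoded ('+' may arrive as '%2B')."""
    body = purl.split("?", 1)[0]
    if "@" in body:
        path, _, version = body.rpartition("@")
    else:
        path, version = body, ""
    name = path.rsplit("/", 1)[-1]
    return unquote(name), unquote(version)


def trivy_json_findings(report):
    """One triple per record: the JSON report already lists one row per package."""
    found = set()
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            found.add((v["VulnerabilityID"], v["PkgName"], v["InstalledVersion"]))
    return found


def cyclonedx_findings(bom):
    """Expand each CycloneDX vulnerability over every ref in its 'affects' list."""
    found = set()
    for v in bom.get("vulnerabilities", []):
        for affected in v.get("affects", []):
            name, purl_version = parse_purl(affected["ref"])
            # Use the explicit affected versions when present, else the purl's.
            versions = [x["version"] for x in affected.get("versions", [])
                        if x.get("status", "affected") == "affected"] or [purl_version]
            for ver in versions:
                found.add((v["id"], name, ver))
    return found


def reconcile(report, bom):
    """Raw counts in each format's own unit plus the normalised symmetric diff."""
    j, c = trivy_json_findings(report), cyclonedx_findings(bom)
    return {
        "json_records": sum(len(r.get("Vulnerabilities") or [])
                            for r in report.get("Results", [])),
        "cyclonedx_entries": len(bom.get("vulnerabilities", [])),
        "json_pairs": len(j),
        "cyclonedx_pairs": len(c),
        "only_in_json": sorted(j - c),
        "only_in_cyclonedx": sorted(c - j),
    }


def cyclonedx_severity(bom, vuln_id, source):
    """Severity a rating source assigns to vuln_id in the BOM, preferring a
    CVSSv3 rating over v2 when the source gives both; None if absent."""
    for v in bom.get("vulnerabilities", []):
        if v.get("id") != vuln_id:
            continue
        matches = [r for r in v.get("ratings", [])
                   if r.get("source", {}).get("name") == source]
        if not matches:
            return None
        best = max(matches, key=lambda r: "CVSSv3" in r.get("method", ""))
        return best.get("severity", "").upper()
    return None


if __name__ == "__main__":
    print(json.dumps(reconcile(TRIVY_JSON, CYCLONEDX), indent=2))
    print("nvd severity in BOM:", cyclonedx_severity(CYCLONEDX, "CVE-2020-16156", "nvd"))
```

On the sample data the JSON side reports 3 records and the BOM side 2 entries, yet both normalise to the same 3 (vuln, package, version) triples with nothing on either side of the diff, which is exactly the aggregation effect behind the 156 versus 216 figures in this issue. Run the same script against real `--format json` and `--format cyclonedx` output for one image to see whether any remaining difference is aggregation or a genuine missing finding.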


DmitriyLewen commented Jul 7, 2023

Hello @chen-keinan
Thank you very much for your investigation!

You are right. As you said, we need to include all package names and fixed versions in the recommendation.
I created #4794 for this.

Regards, Dmitriy

knqyf263 (Collaborator) commented:

Thanks, Dmitriy. I got it.
Do we want to stop aggregating vulnerabilities so the differences between CycloneDX and the JSON report won't confuse users?


DmitriyLewen commented Jul 13, 2023

I am not sure that users are associating the CycloneDX and JSON formats.
I didn't see any issues asking about this case.

Currently, the CycloneDX format has fewer lines and is more like advisories from databases (when there is 1 advisory and this advisory contains all affected packages).

I am not sure that we need to change this logic.

We can open a new Discussion and ask users about that.


knqyf263 commented Jul 13, 2023

Thanks for your thoughts. Let's keep it, then. If we see more people confused, we will change it.
