feat(vuln): Add `--detection-priority` flag for accuracy tuning #7288

knqyf263 · 2024-08-01T07:20:27Z

Description

This PR introduces a new --detection-priority flag to Trivy, allowing users to control the balance between false positives and false negatives in vulnerability detection. This feature enhances Trivy's flexibility in different use cases and risk tolerance levels.

Red Hat UBI 8

`--detection-priority precise`

$ trivy image registry.access.redhat.com/ubi8/ubi --detection-priority precise --scanners vuln

Result

2024-08-01T11:16:55+04:00       INFO    [vuln] Vulnerability scanning is enabled
2024-08-01T11:17:02+04:00       INFO    Detected OS     family="redhat" version="8.10"
2024-08-01T11:17:02+04:00       INFO    [redhat] Detecting RHEL/CentOS vulnerabilities...       os_version="8" pkg_num=183
2024-08-01T11:17:02+04:00       INFO    Number of language-specific files       num=0

registry.access.redhat.com/ubi8/ubi (redhat 8.10)
=================================================
Total: 180 (UNKNOWN: 0, LOW: 160, MEDIUM: 20, HIGH: 0, CRITICAL: 0)

`--detection-priority comprehensive`

$ trivy image registry.access.redhat.com/ubi8/ubi --detection-priority comprehensive --scanners vuln

Result

2024-08-01T11:18:16+04:00       INFO    [vuln] Vulnerability scanning is enabled
2024-08-01T11:18:23+04:00       INFO    Detected OS     family="redhat" version="8.10"
2024-08-01T11:18:23+04:00       INFO    [redhat] Detecting RHEL/CentOS vulnerabilities...       os_version="8" pkg_num=183
2024-08-01T11:18:23+04:00       INFO    Number of language-specific files       num=1
2024-08-01T11:18:23+04:00       INFO    [python-pkg] Detecting vulnerabilities...

registry.access.redhat.com/ubi8/ubi (redhat 8.10)
=================================================
Total: 180 (UNKNOWN: 0, LOW: 160, MEDIUM: 20, HIGH: 0, CRITICAL: 0)

...

2024-08-01T11:18:23+04:00       INFO    Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Python (python-pkg)
===================
Total: 10 (UNKNOWN: 0, LOW: 0, MEDIUM: 8, HIGH: 2, CRITICAL: 0)

┌───────────────────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬─────────────────────────────────────────────────────────────┐
│        Library        │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                            Title                            │
├───────────────────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ idna (PKG-INFO)       │ CVE-2024-3651  │ MEDIUM   │ fixed  │ 2.5               │ 3.7            │ python-idna: potential DoS via resource consumption via     │
│                       │                │          │        │                   │                │ specially crafted inputs to idna.encode()...                │
│                       │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-3651                   │
├───────────────────────┼────────────────┤          │        ├───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ requests (PKG-INFO)   │ CVE-2023-32681 │          │        │ 2.20.0            │ 2.31.0         │ python-requests: Unintended leak of Proxy-Authorization     │
│                       │                │          │        │                   │                │ header                                                      │
│                       │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-32681                  │
│                       ├────────────────┤          │        │                   ├────────────────┼─────────────────────────────────────────────────────────────┤
│                       │ CVE-2024-35195 │          │        │                   │ 2.32.0         │ requests: subsequent requests to the same host ignore cert  │
│                       │                │          │        │                   │                │ verification                                                │
│                       │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-35195                  │
├───────────────────────┼────────────────┼──────────┤        ├───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ setuptools (METADATA) │ CVE-2022-40897 │ HIGH     │        │ 39.2.0            │ 65.5.1         │ pypa-setuptools: Regular Expression Denial of Service       │
│                       │                │          │        │                   │                │ (ReDoS) in package_index.py                                 │
│                       │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2022-40897                  │
│                       ├────────────────┤          │        │                   ├────────────────┼─────────────────────────────────────────────────────────────┤
│                       │ CVE-2024-6345  │          │        │                   │ 70.0.0         │ pypa/setuptools: Remote code execution via download         │
│                       │                │          │        │                   │                │ functions in the package_index module in...                 │
│                       │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-6345                   │
├───────────────────────┼────────────────┼──────────┤        ├───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ urllib3 (PKG-INFO)    │ CVE-2019-11236 │ MEDIUM   │        │ 1.24.2            │ 1.24.3         │ python-urllib3: CRLF injection due to not encoding the      │
│                       │                │          │        │                   │                │ '\r\n' sequence leading to...                               │
│                       │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2019-11236                  │
│                       ├────────────────┤          │        │                   ├────────────────┼─────────────────────────────────────────────────────────────┤
│                       │ CVE-2020-26137 │          │        │                   │ 1.25.9         │ python-urllib3: CRLF injection via HTTP request method      │
│                       │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2020-26137                  │
│                       ├────────────────┤          │        │                   ├────────────────┼─────────────────────────────────────────────────────────────┤
│                       │ CVE-2023-43804 │          │        │                   │ 2.0.6, 1.26.17 │ python-urllib3: Cookie request header isn't stripped during │
│                       │                │          │        │                   │                │ cross-origin redirects                                      │
│                       │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-43804                  │
│                       ├────────────────┤          │        │                   ├────────────────┼─────────────────────────────────────────────────────────────┤
│                       │ CVE-2023-45803 │          │        │                   │ 2.0.7, 1.26.18 │ urllib3: Request body not stripped after redirect from 303  │
│                       │                │          │        │                   │                │ status changes request...                                   │
│                       │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45803                  │
│                       ├────────────────┤          │        │                   ├────────────────┼─────────────────────────────────────────────────────────────┤
│                       │ CVE-2024-37891 │          │        │                   │ 1.26.19, 2.2.2 │ urllib3: proxy-authorization request header is not stripped │
│                       │                │          │        │                   │                │ during cross-origin redirects                               │
│                       │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-37891                  │
└───────────────────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴─────────────────────────────────────────────────────────────┘

cgr.dev/chainguard/argocd

`--detection-priority precise`

$ trivy image cgr.dev/chainguard/argocd --detection-priority precise --scanners vuln

Result

2024-08-01T11:27:12+04:00       INFO    [vuln] Vulnerability scanning is enabled
2024-08-01T11:27:12+04:00       INFO    Detected OS     family="wolfi" version="20230201"
2024-08-01T11:27:12+04:00       INFO    [wolfi] Detecting vulnerabilities...    pkg_num=10
2024-08-01T11:27:12+04:00       INFO    Number of language-specific files       num=0
2024-08-01T11:27:12+04:00       WARN    Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/dev/docs/scanner/vulnerability#severity-selection for details.

cgr.dev/chainguard/argocd (wolfi 20230201)
==========================================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

┌─────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────┐
│       Library       │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                       Title                        │
├─────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────┤
│ argo-cd-2.11        │ CVE-2024-40634 │ HIGH     │ fixed  │ 2.11.5-r0         │ 2.11.6-r0     │ argocd: Unauthenticated Denial of Service (DoS)    │
│                     │                │          │        │                   │               │ Vulnerability via /api/webhook Endpoint in Argo... │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-40634         │
├─────────────────────┤                │          │        │                   │               │                                                    │
│ argo-cd-2.11-compat │                │          │        │                   │               │                                                    │
│                     │                │          │        │                   │               │                                                    │
│                     │                │          │        │                   │               │                                                    │
└─────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────┘

`--detection-priority comprehensive`

$ trivy image cgr.dev/chainguard/argocd --detection-priority comprehensive --scanners vuln

Result

2024-08-01T11:27:54+04:00       INFO    [vuln] Vulnerability scanning is enabled
2024-08-01T11:27:54+04:00       INFO    Detected OS     family="wolfi" version="20230201"
2024-08-01T11:27:54+04:00       INFO    [wolfi] Detecting vulnerabilities...    pkg_num=10
2024-08-01T11:27:54+04:00       INFO    Number of language-specific files       num=2
2024-08-01T11:27:54+04:00       INFO    [gobinary] Detecting vulnerabilities...
2024-08-01T11:27:54+04:00       WARN    Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/dev/docs/scanner/vulnerability#severity-selection for details.

cgr.dev/chainguard/argocd (wolfi 20230201)
==========================================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

┌─────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────┐
│       Library       │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                       Title                        │
├─────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────┤
│ argo-cd-2.11        │ CVE-2024-40634 │ HIGH     │ fixed  │ 2.11.5-r0         │ 2.11.6-r0     │ argocd: Unauthenticated Denial of Service (DoS)    │
│                     │                │          │        │                   │               │ Vulnerability via /api/webhook Endpoint in Argo... │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-40634         │
├─────────────────────┤                │          │        │                   │               │                                                    │
│ argo-cd-2.11-compat │                │          │        │                   │               │                                                    │
│                     │                │          │        │                   │               │                                                    │
│                     │                │          │        │                   │               │                                                    │
└─────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────┘

usr/bin/argocd (gobinary)
=========================
Total: 4 (UNKNOWN: 0, LOW: 1, MEDIUM: 2, HIGH: 1, CRITICAL: 0)

┌──────────────────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────┬───────────────────────────────────────────────────────────┐
│                     Library                      │ Vulnerability  │ Severity │ Status │ Installed Version │          Fixed Version           │                           Title                           │
├──────────────────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────┼───────────────────────────────────────────────────────────┤
│ github.com/Azure/azure-sdk-for-go/sdk/azidentity │ CVE-2024-35255 │ MEDIUM   │ fixed  │ v1.1.0            │ 1.6.0                            │ azure-identity: Azure Identity Libraries Elevation of     │
│                                                  │                │          │        │                   │                                  │ Privilege Vulnerability in                                │
│                                                  │                │          │        │                   │                                  │ github.com/Azure/azure-sdk-for-go/sdk/azidentity          │
│                                                  │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2024-35255                │
├──────────────────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼──────────────────────────────────┼───────────────────────────────────────────────────────────┤
│ github.com/argoproj/argo-cd/v2                   │ CVE-2024-40634 │ HIGH     │        │ 2.11.5            │ 2.9.20, 2.10.15, 2.11.6          │ argocd: Unauthenticated Denial of Service (DoS)           │
│                                                  │                │          │        │                   │                                  │ Vulnerability via /api/webhook Endpoint in Argo...        │
│                                                  │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2024-40634                │
├──────────────────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼──────────────────────────────────┼───────────────────────────────────────────────────────────┤
│ k8s.io/kubernetes                                │ CVE-2024-5321  │ MEDIUM   │        │ v1.26.11          │ 1.27.16, 1.28.12, 1.29.7, 1.30.3 │ kubelet: Incorrect permissions on Windows containers logs │
│                                                  │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2024-5321                 │
│                                                  ├────────────────┼──────────┤        │                   ├──────────────────────────────────┼───────────────────────────────────────────────────────────┤
│                                                  │ CVE-2024-3177  │ LOW      │        │                   │ 1.27.13, 1.29.4, 1.28.9          │ kubernetes: kube-apiserver: bypassing mountable secrets   │
│                                                  │                │          │        │                   │                                  │ policy imposed by the ServiceAccount admission plugin...  │
│                                                  │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2024-3177                 │
└──────────────────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────┴───────────────────────────────────────────────────────────┘

...

Notes

OS packages:
- When OS vendors provide sufficient advisories (e.g., Red Hat), --detection-priority comprehensive may not significantly increase true positive detections. Newly detected vulnerabilities are likely to be false positives or duplicates of vulnerabilities already detected via OS vendor advisories (see the above example).
- For cases where OS vendor advisories are insufficient or delayed compared to upstream advisories, the comprehensive mode may detect more relevant vulnerabilities.
Language-specific packages:
- In cases where exact versions cannot be determined (e.g., version ranges), --detection-priority comprehensive uses the lower bound of version ranges for vulnerability detection. This detects possible vulnerabilities, but may lead to false positives if the actual version used is not at this lower bound.

Key changes

Implemented the --detection-priority flag with two modes: precise and comprehensive
Added logic to adjust vulnerability detection based on the chosen mode
Updated relevant tests to cover the new functionality
Added documentation explaining the new flag and its usage

Implementation details

precise mode (default): Focuses on reducing false positives, resulting in less noisy vulnerability reports
comprehensive mode: Aims to detect more vulnerabilities, potentially including some false positives, for broader coverage
- Analyze files installed by an OS package manager
- Use a minimum version of the version ranges
Included brief user review considerations for each mode

Terminology

I chose comprehensive instead of coverage for the following reasons:

Clarity of meaning: comprehensive better describes the broader detection approach
Avoiding confusion with the existing Scanning Coverage documentation
Distinction from technical terms: coverage has specific meanings in testing contexts

Related issues

Close Add --detection-priority #7270

Related PRs

feat: add third party flag for os packages #4109

Checklist

I've read the guidelines for contributing to this repository.
I've followed the conventions in the PR title.
I've added tests that prove my fix is effective or that my feature works.
I've updated the documentation with the relevant information (if needed).
I've added usage information (if the PR introduces new options)
I've included a "before" and "after" example to the description (if the PR is a user interface change).

Signed-off-by: knqyf263 <knqyf263@gmail.com>

DmitriyLewen

LGTM
Left a couple of comments.

docs/docs/scanner/vulnerability.md

pkg/cache/key_test.go

Signed-off-by: knqyf263 <knqyf263@gmail.com>

DmitriyLewen · 2024-08-02T09:41:30Z

docs/docs/coverage/language/python.md

-| Poetry | poetry.lock | ✓ | Exclude | ✓ | - |
+| Package manager | File | Transitive dependencies | Dev dependencies | [Dependency graph][dependency-graph] | Position | [Detection Priority][detection-priority] |
+|-----------------|------------------|:-----------------------:|:----------------:|:------------------------------------:|:--------:|:----------------------------------------:|
+| pip | requirements.txt | - | Include | - | ✓ | - |


we can add table for conda environment.yml files (this file list requirements.txt)

Did we forget to add environment.yaml to the doc?

Oh, I found it under OS. Do you remember why we put it here?
https://aquasecurity.github.io/trivy/v0.54/docs/coverage/os/conda/

Conda doesn't only contain Python packages.
You can install OS packages.
Conda is thus compilation of package manager (like apt) and pip.

I thought about adding Conda to package managers, but we don't have pages for that.
So we decided to put Conda in OS first.

You can install OS packages.

Is there any document about it?

Anyway, I added.
9e8cdb1

https://docs.anaconda.com/working-with-conda/packages/install-packages/#installing-conda-packages

e.g. you can install curl - https://anaconda.org/conda-forge/curl

I have reconsidered this, but my personal definition of "OS packages" is a package distributed by an OS vendor, such as Red Hat and SUSE. Conda is simply building and distributing third-party software, which is different from an operating system. Bitnami does the same and it seems better to create a new category in addition to OS and Language. We should discuss it later.

We just didn't have a suitable category.
But in general we can separate conda + bitnami into a separate category.

docs/docs/coverage/language/java.md

Signed-off-by: knqyf263 <knqyf263@gmail.com>

DmitriyLewen

LGTM

knqyf263 added 13 commits July 31, 2024 19:59

feat: add --detection-priority

b173d30

Signed-off-by: knqyf263 <knqyf263@gmail.com>

feat(dart): use minimum version only with coverage priority

6746c17

Signed-off-by: knqyf263 <knqyf263@gmail.com>

feat: not filter system files in post analysis

c0bee63

Signed-off-by: knqyf263 <knqyf263@gmail.com>

feat: deregister post handler for filtering system files

e97ff02

Signed-off-by: knqyf263 <knqyf263@gmail.com>

feat: consider detection priority for calculating cache key

b21a66d

Signed-off-by: knqyf263 <knqyf263@gmail.com>

test: delete unused arg

b985f50

Signed-off-by: knqyf263 <knqyf263@gmail.com>

test: rename flag

ff573bb

Signed-off-by: knqyf263 <knqyf263@gmail.com>

test(integration): add a case for coverage priority

6c9985c

Signed-off-by: knqyf263 <knqyf263@gmail.com>

docs: add --detection-priority

0fa8f52

Signed-off-by: knqyf263 <knqyf263@gmail.com>

feat: rename coverage to comprehensive

41a86ee

Signed-off-by: knqyf263 <knqyf263@gmail.com>

docs: auto-generate

aefe131

Signed-off-by: knqyf263 <knqyf263@gmail.com>

fix: omitempty

3e79c5c

Signed-off-by: knqyf263 <knqyf263@gmail.com>

fix: use disabled handlers

1626611

Signed-off-by: knqyf263 <knqyf263@gmail.com>

knqyf263 marked this pull request as ready for review August 1, 2024 09:23

knqyf263 requested a review from DmitriyLewen as a code owner August 1, 2024 09:23

DmitriyLewen reviewed Aug 2, 2024

View reviewed changes

docs/docs/scanner/vulnerability.md Show resolved Hide resolved

pkg/cache/key_test.go Outdated Show resolved Hide resolved

knqyf263 added 2 commits August 2, 2024 12:06

docs: add more details

67b80d3

Signed-off-by: knqyf263 <knqyf263@gmail.com>

test: calc cache key with detection priority

1ce2e4b

Signed-off-by: knqyf263 <knqyf263@gmail.com>

DmitriyLewen reviewed Aug 2, 2024

View reviewed changes

docs(conda): add a table

9e8cdb1

Signed-off-by: knqyf263 <knqyf263@gmail.com>

DmitriyLewen approved these changes Aug 2, 2024

View reviewed changes

knqyf263 added this pull request to the merge queue Aug 2, 2024

Merged via the queue into aquasecurity:main with commit fd8348d Aug 2, 2024
17 checks passed

knqyf263 deleted the feat/detection_priority branch August 2, 2024 11:02

aqua-bot mentioned this pull request Aug 2, 2024

release: v0.55.0 [main] #7271

Merged

knqyf263 mentioned this pull request Aug 7, 2024

feat: add third party flag for os packages #4109

Closed

10 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat(vuln): Add `--detection-priority` flag for accuracy tuning #7288

feat(vuln): Add `--detection-priority` flag for accuracy tuning #7288

knqyf263 commented Aug 1, 2024 •

edited

Loading

DmitriyLewen left a comment

DmitriyLewen Aug 2, 2024

knqyf263 Aug 2, 2024

knqyf263 Aug 2, 2024

DmitriyLewen Aug 2, 2024

knqyf263 Aug 2, 2024

DmitriyLewen Aug 2, 2024

knqyf263 Aug 2, 2024

DmitriyLewen Aug 2, 2024

DmitriyLewen left a comment

feat(vuln): Add --detection-priority flag for accuracy tuning #7288

feat(vuln): Add --detection-priority flag for accuracy tuning #7288

Conversation

knqyf263 commented Aug 1, 2024 • edited Loading

Description

Red Hat UBI 8

--detection-priority precise

--detection-priority comprehensive

cgr.dev/chainguard/argocd

--detection-priority precise

--detection-priority comprehensive

Notes

Key changes

Implementation details

Terminology

Related issues

Related PRs

Checklist

DmitriyLewen left a comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

DmitriyLewen left a comment

Choose a reason for hiding this comment

feat(vuln): Add `--detection-priority` flag for accuracy tuning #7288

feat(vuln): Add `--detection-priority` flag for accuracy tuning #7288

knqyf263 commented Aug 1, 2024 •

edited

Loading

`--detection-priority precise`

`--detection-priority comprehensive`

`--detection-priority precise`

`--detection-priority comprehensive`