Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(vuln): show suppressed vulnerabilities in table #6084

Merged
merged 24 commits into from
Feb 13, 2024
Merged

feat(vuln): show suppressed vulnerabilities in table #6084

merged 24 commits into from
Feb 13, 2024

Conversation

knqyf263
Copy link
Collaborator

@knqyf263 knqyf263 commented Feb 8, 2024
edited
Loading

Description

This PR extends the request described in #3464 by not only displaying vulnerabilities ignored via .trivyignore but also those suppressed through Rego policies and declared as not affected by Vulnerability Exploitability eXchange (VEX). Furthermore, it shows the rationale behind suppression defined in .trivyignore.yaml and VEX.

When the --show-suppressed flag is specified, it now displays suppressed vulnerabilities alongside the regular detected vulnerabilities as follows:

$ trivy image --vex debian11.csaf.vex --ignorefile .trivyignore.yaml --show-suppressed debian:11
...

Suppressed Vulnerabilities (Total: 9)
======================================
┌───────────────┬───────────────┬──────────┬──────────────┬─────────────────────────────────────────────┬───────────────────┐
│    Library    │ Vulnerability │ Severity │    Status    │                  Statement                  │      Source       │
├───────────────┼───────────────┼──────────┼──────────────┼─────────────────────────────────────────────┼───────────────────┤
│ libdb5.3      │ CVE-2019-8457 │ CRITICAL │ not_affected │ vulnerable_code_not_in_execute_path         │ CSAF VEX          │
├───────────────┼───────────────┼──────────┼──────────────┼─────────────────────────────────────────────┼───────────────────┤
│ bsdutils      │ CVE-2022-0563 │ LOW      │ ignored      │ Accept the risk                             │ .trivyignore.yaml │
├───────────────┤               │          │              │                                             │                   │
│ libblkid1     │               │          │              │                                             │                   │
├───────────────┤               │          │              │                                             │                   │
│ libmount1     │               │          │              │                                             │                   │
├───────────────┤               │          │              │                                             │                   │
│ libsmartcols1 │               │          │              │                                             │                   │
├───────────────┤               │          │              │                                             │                   │
│ libuuid1      │               │          │              │                                             │                   │
├───────────────┤               │          │              │                                             │                   │
│ mount         │               │          │              │                                             │                   │
├───────────────┼───────────────┤          │              ├─────────────────────────────────────────────┤                   │
│ tar           │ CVE-2005-2541 │          │              │ The vulnerable configuration is not enabled │                   │
├───────────────┼───────────────┤          │              ├─────────────────────────────────────────────┤                   │
│ util-linux    │ CVE-2022-0563 │          │              │ Accept the risk                             │                   │
└───────────────┴───────────────┴──────────┴──────────────┴─────────────────────────────────────────────┴───────────────────┘

It's important to note that vulnerabilities filtered out by --severity --ignore-unfixed or --ignore-status will not be displayed with --show-suppressed. To clarify this, we've defined two phases in the filtering process:

  • Prioritization
  • Suppression

CleanShot 2024-02-08 at 12 19 06

The --show-suppressed flag is specifically designed to reveal vulnerabilities filtered during the Suppression phase.

Caveat

While this extension is applicable beyond vulnerabilities to include misconfigurations, secrets, and licenses, this PR focuses on vulnerabilities due to its size. Future PRs will address other aspects.

Additionally, due to potential changes in internal implementation, the suppressed vulnerabilities are currently only displayed in table format. Support for JSON and other formats is planned once the implementation stabilizes.

Related issues

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

knqyf263 added 11 commits February 8, 2024 11:41
@knqyf263
refactor: rename consts for misconfiguration statuses
7b60b96 
Signed-off-by: knqyf263 <knqyf263@gmail.com>
@knqyf263
refactor: add DetectedSecret
96111da 
Signed-off-by: knqyf263 <knqyf263@gmail.com>
@knqyf263
feat: add a struct for modified findings
e25f76c 
Signed-off-by: knqyf263 <knqyf263@gmail.com>
@knqyf263
feat: include modified findings in results
4ecc6f3 
Signed-off-by: knqyf263 <knqyf263@gmail.com>
@knqyf263
refactor: remove unneeded methods
ba8d212 
Signed-off-by: knqyf263 <knqyf263@gmail.com>
@knqyf263
test: support modified findings
d9d7cc8 
Signed-off-by: knqyf263 <knqyf263@gmail.com>
@knqyf263
feat(cli): add --show-suppressed
009fc61 
Signed-off-by: knqyf263 <knqyf263@gmail.com>
@knqyf263
feat(table): print suppressed vulns
4d5304b 
Signed-off-by: knqyf263 <knqyf263@gmail.com>
@knqyf263
chore: generate easyjson structs
0ea599e 
Signed-off-by: knqyf263 <knqyf263@gmail.com>
@knqyf263
docs: restructure filtering
60b8ced 
Signed-off-by: knqyf263 <knqyf263@gmail.com>
@knqyf263
docs: generate CLI references
c40ad45 
Signed-off-by: knqyf263 <knqyf263@gmail.com>
@knqyf263 knqyf263 self-assigned this Feb 8, 2024
@knqyf263 knqyf263 requested a review from DmitriyLewen February 8, 2024 08:22
@knqyf263
Copy link
Collaborator Author

knqyf263 commented Feb 8, 2024
edited
Loading

@DmitriyLewen I carefully split changes into commits. You can see the commits one by one.

This PR is still a draft, but it's 95% done. You can start reviewing. I'm looking to add a log message about --show-suppressed when any vulnerabilities are suppressed.

@knqyf263 knqyf263 requested a review from itaysk February 8, 2024 08:41
@knqyf263
fix(windows): to slash
013cf37 
Signed-off-by: knqyf263 <knqyf263@gmail.com>
DmitriyLewen
DmitriyLewen reviewed Feb 8, 2024
View reviewed changes
Copy link
Contributor

@DmitriyLewen DmitriyLewen left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@knqyf263
Looks good. I left some small comments. Take a look, please.

docs/docs/configuration/filtering.md Outdated Show resolved Hide resolved
pkg/vex/cyclonedx.go Outdated Show resolved Hide resolved
pkg/result/filter_test.go Outdated Show resolved Hide resolved
pkg/result/filter_test.go Outdated Show resolved Hide resolved
docs/docs/configuration/filtering.md Outdated Show resolved Hide resolved
docs/docs/configuration/filtering.md Outdated Show resolved Hide resolved
docs/docs/configuration/filtering.md Show resolved Hide resolved
docs/docs/references/configuration/cli/trivy_config.md Outdated Show resolved Hide resolved
pkg/flag/report_flags.go Outdated Show resolved Hide resolved
knqyf263 and others added 8 commits February 8, 2024 15:14
@knqyf263 @DmitriyLewen
Update pkg/result/filter_test.go
af70c69 
Co-authored-by: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>
@knqyf263 @DmitriyLewen
Update pkg/result/filter_test.go
00816fb 
Co-authored-by: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>
@knqyf263
fix: disable '--show-suppressed` for other than vulns
32191f1 
Signed-off-by: knqyf263 <knqyf263@gmail.com>
@knqyf263
docs: fix the description of '--show-suppressed'
15b5c25 
Signed-off-by: knqyf263 <knqyf263@gmail.com>
@knqyf263
refactor: remove unnecessary log
07b8fcc 
Signed-off-by: knqyf263 <knqyf263@gmail.com>
@knqyf263
fix: filter vulns by VEX at the end
872172b 
Signed-off-by: knqyf263 <knqyf263@gmail.com>
@knqyf263 @DmitriyLewen
Update docs/docs/configuration/filtering.md
9f84fae 
Co-authored-by: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>
@knqyf263
docs: add anchors
9ac010c 
Signed-off-by: knqyf263 <knqyf263@gmail.com>
@DmitriyLewen
Copy link
Contributor

@knqyf263 I forgot to write you:
can you add test in https://github.com/aquasecurity/trivy/blob/main/pkg/report/table/table_test.go with suppressed table?

@knqyf263
Copy link
Collaborator Author

knqyf263 commented Feb 8, 2024

@DmitriyLewen I missed it. I'll update the test. Thanks!

@knqyf263
test(table): add a test for suppressed vulns
ca63ec9 
Signed-off-by: knqyf263 <knqyf263@gmail.com>
@knqyf263
docs: re-generate
49e9d22 
Signed-off-by: knqyf263 <knqyf263@gmail.com>
@knqyf263
refactor: remove unused variable
44ed73b 
Signed-off-by: knqyf263 <knqyf263@gmail.com>
@knqyf263
feat: show a log message about "--show-suppressed" once
350191a 
Signed-off-by: knqyf263 <knqyf263@gmail.com>
@knqyf263 knqyf263 marked this pull request as ready for review February 9, 2024 04:53
@knqyf263
Copy link
Collaborator Author

knqyf263 commented Feb 9, 2024

@DmitriyLewen It's ready for review!

DmitriyLewen
DmitriyLewen approved these changes Feb 9, 2024
View reviewed changes
Copy link
Contributor

@DmitriyLewen DmitriyLewen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍

@knqyf263 knqyf263 added this pull request to the merge queue Feb 13, 2024
Merged via the queue into aquasecurity:main with commit 3c1601b Feb 13, 2024
17 checks passed
@knqyf263 knqyf263 deleted the modified_findings branch February 13, 2024 13:04
@aqua-bot aqua-bot mentioned this pull request May 29, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@DmitriyLewen DmitriyLewen DmitriyLewen approved these changes

@itaysk itaysk itaysk approved these changes

@josedonizetti josedonizetti Awaiting requested review from josedonizetti

@chen-keinan chen-keinan Awaiting requested review from chen-keinan

@simar7 simar7 Awaiting requested review from simar7 simar7 is a code owner

Assignees

@knqyf263 knqyf263

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Include ignored CVEs in report, explicitly marked as ignored
3 participants
@knqyf263 @DmitriyLewen @itaysk