Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(vuln): show suppressed vulnerabilities in table #6084

Merged
merged 24 commits into from
Feb 13, 2024
Merged
Changes from 1 commit
Commits
Show all changes
24 commits
Select commit Hold shift + click to select a range
7b60b96
refactor: rename consts for misconfiguration statuses
knqyf263 Feb 8, 2024
96111da
refactor: add DetectedSecret
knqyf263 Feb 8, 2024
e25f76c
feat: add a struct for modified findings
knqyf263 Feb 8, 2024
4ecc6f3
feat: include modified findings in results
knqyf263 Feb 8, 2024
ba8d212
refactor: remove unneeded methods
knqyf263 Feb 8, 2024
d9d7cc8
test: support modified findings
knqyf263 Feb 8, 2024
009fc61
feat(cli): add --show-suppressed
knqyf263 Feb 8, 2024
4d5304b
feat(table): print suppressed vulns
knqyf263 Feb 8, 2024
0ea599e
chore: generate easyjson structs
knqyf263 Feb 8, 2024
60b8ced
docs: restructure filtering
knqyf263 Feb 8, 2024
c40ad45
docs: generate CLI references
knqyf263 Feb 8, 2024
013cf37
fix(windows): to slash
knqyf263 Feb 8, 2024
af70c69
Update pkg/result/filter_test.go
knqyf263 Feb 8, 2024
00816fb
Update pkg/result/filter_test.go
knqyf263 Feb 8, 2024
32191f1
fix: disable '--show-suppressed` for other than vulns
knqyf263 Feb 8, 2024
15b5c25
docs: fix the description of '--show-suppressed'
knqyf263 Feb 8, 2024
07b8fcc
refactor: remove unnecessary log
knqyf263 Feb 8, 2024
872172b
fix: filter vulns by VEX at the end
knqyf263 Feb 8, 2024
9f84fae
Update docs/docs/configuration/filtering.md
knqyf263 Feb 8, 2024
9ac010c
docs: add anchors
knqyf263 Feb 8, 2024
ca63ec9
test(table): add a test for suppressed vulns
knqyf263 Feb 8, 2024
49e9d22
docs: re-generate
knqyf263 Feb 8, 2024
44ed73b
refactor: remove unused variable
knqyf263 Feb 9, 2024
350191a
feat: show a log message about "--show-suppressed" once
knqyf263 Feb 9, 2024
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
docs: add anchors
Signed-off-by: knqyf263 <knqyf263@gmail.com>
  • Loading branch information
knqyf263 committed Feb 8, 2024

Verified

This commit was signed with the committer’s verified signature.
knqyf263 Teppei Fukuda
commit 9ac010c8470ee637d3330a13ed2c14bb1175e240
152 changes: 76 additions & 76 deletions docs/docs/configuration/filtering.md
Original file line number Diff line number Diff line change
@@ -28,79 +28,6 @@ You can filter the results by
- [Severity](#by-severity)
- [Status](#by-status)

### By Status

| Scanner | Supported |
|:----------------:|:---------:|
| Vulnerability | ✓ |
| Misconfiguration | |
| Secret | |
| License | |

Trivy supports the following vulnerability statuses:

- `unknown`
- `not_affected`: this package is not affected by this vulnerability on this platform
- `affected`: this package is affected by this vulnerability on this platform, but there is no patch released yet
- `fixed`: this vulnerability is fixed on this platform
- `under_investigation`: it is currently unknown whether or not this vulnerability affects this package on this platform, and it is under investigation
- `will_not_fix`: this package is affected by this vulnerability on this platform, but there is currently no intention to fix it (this would primarily be for flaws that are of Low or Moderate impact that pose no significant risk to customers)
- `fix_deferred`: this package is affected by this vulnerability on this platform, and may be fixed in the future
- `end_of_life`: this package has been identified to contain the impacted component, but analysis to determine whether it is affected or not by this vulnerability was not performed

Note that vulnerabilities with the `unknown`, `not_affected` or `under_investigation` status are not detected.
These are only defined for comprehensiveness, and you will not have the opportunity to specify these statuses.

Some statuses are supported in limited distributions.

| OS | Fixed | Affected | Under Investigation | Will Not Fix | Fix Deferred | End of Life |
|:----------:|:-----:|:--------:|:-------------------:|:------------:|:------------:|:-----------:|
| Debian | ✓ | ✓ | | | ✓ | ✓ |
| RHEL | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Other OSes | ✓ | ✓ | | | | |


To ignore vulnerabilities with specific statuses, use the `--ignore-status <list_of_statuses>` option.


```bash
$ trivy image --ignore-status affected,fixed ruby:2.4.0
```

<details>
<summary>Result</summary>

```
2019-05-16T12:50:14.786+0900 INFO Detecting Debian vulnerabilities...

ruby:2.4.0 (debian 8.7)
=======================
Total: 527 (UNKNOWN: 0, LOW: 276, MEDIUM: 83, HIGH: 158, CRITICAL: 10)

┌─────────────────────────────┬──────────────────┬──────────┬──────────────┬────────────────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├─────────────────────────────┼──────────────────┼──────────┼──────────────┼────────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ binutils │ CVE-2014-9939 │ CRITICAL │ will_not_fix │ 2.25-5 │ │ binutils: buffer overflow in ihex.c │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2014-9939 │
│ ├──────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2017-6969 │ │ │ │ │ binutils: Heap-based buffer over-read in readelf when │
│ │ │ │ │ │ │ processing corrupt RL78 binaries │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2017-6969 │
│ ├──────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
...
```

</details>

!!! tip
To skip all unfixed vulnerabilities, you can use the `--ignore-unfixed` flag .
It is a shorthand of `--ignore-status affected,will_not_fix,fix_deferred,end_of_life`.
It displays "fixed" vulnerabilities only.

```bash
$ trivy image --ignore-unfixed ruby:2.4.0
```

### By Severity

| Scanner | Supported |
@@ -228,12 +155,85 @@ See https://avd.aquasec.com/misconfig/avd-aws-0081
```
</details>

### By Status

| Scanner | Supported |
|:----------------:|:---------:|
| Vulnerability | ✓ |
| Misconfiguration | |
| Secret | |
| License | |

Trivy supports the following vulnerability statuses:

- `unknown`
- `not_affected`: this package is not affected by this vulnerability on this platform
- `affected`: this package is affected by this vulnerability on this platform, but there is no patch released yet
- `fixed`: this vulnerability is fixed on this platform
- `under_investigation`: it is currently unknown whether or not this vulnerability affects this package on this platform, and it is under investigation
- `will_not_fix`: this package is affected by this vulnerability on this platform, but there is currently no intention to fix it (this would primarily be for flaws that are of Low or Moderate impact that pose no significant risk to customers)
- `fix_deferred`: this package is affected by this vulnerability on this platform, and may be fixed in the future
- `end_of_life`: this package has been identified to contain the impacted component, but analysis to determine whether it is affected or not by this vulnerability was not performed

Note that vulnerabilities with the `unknown`, `not_affected` or `under_investigation` status are not detected.
These are only defined for comprehensiveness, and you will not have the opportunity to specify these statuses.

Some statuses are supported in limited distributions.

| OS | Fixed | Affected | Under Investigation | Will Not Fix | Fix Deferred | End of Life |
|:----------:|:-----:|:--------:|:-------------------:|:------------:|:------------:|:-----------:|
| Debian | ✓ | ✓ | | | ✓ | ✓ |
| RHEL | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Other OSes | ✓ | ✓ | | | | |


To ignore vulnerabilities with specific statuses, use the `--ignore-status <list_of_statuses>` option.


```bash
$ trivy image --ignore-status affected,fixed ruby:2.4.0
```

<details>
<summary>Result</summary>

```
2019-05-16T12:50:14.786+0900 INFO Detecting Debian vulnerabilities...

ruby:2.4.0 (debian 8.7)
=======================
Total: 527 (UNKNOWN: 0, LOW: 276, MEDIUM: 83, HIGH: 158, CRITICAL: 10)

┌─────────────────────────────┬──────────────────┬──────────┬──────────────┬────────────────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├─────────────────────────────┼──────────────────┼──────────┼──────────────┼────────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ binutils │ CVE-2014-9939 │ CRITICAL │ will_not_fix │ 2.25-5 │ │ binutils: buffer overflow in ihex.c │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2014-9939 │
│ ├──────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2017-6969 │ │ │ │ │ binutils: Heap-based buffer over-read in readelf when │
│ │ │ │ │ │ │ processing corrupt RL78 binaries │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2017-6969 │
│ ├──────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
...
```

</details>

!!! tip
To skip all unfixed vulnerabilities, you can use the `--ignore-unfixed` flag .
It is a shorthand of `--ignore-status affected,will_not_fix,fix_deferred,end_of_life`.
It displays "fixed" vulnerabilities only.

```bash
$ trivy image --ignore-unfixed ruby:2.4.0
```

## Suppression
You can filter the results by

- Finding IDs
- Rego
- Vulnerability Exploitability Exchange (VEX)
- [Finding IDs](#by-finding-ids)
- [Rego](#by-rego)
- [Vulnerability Exploitability Exchange (VEX)](#by-vulnerability-exploitability-exchange-vex)

To show the suppressed results, use the `--show-suppressed` flag.