feat(vuln): Add --detection-priority flag for accuracy tuning

docs/docs/references/configuration/cli/trivy_filesystem.md

@@ -30,6 +30,10 @@ trivy filesystem [flags] PATH
  --custom-headers strings custom headers in client mode
  --db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
  --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages
+ --detection-priority string specify the detection priority:
+ - "precise": Prioritizes precise by minimizing false positives.
+ - "comprehensive": Aims to detect more security findings at the cost of potential false positives.
+ (precise,comprehensive) (default "precise")
  --download-db-only download/update vulnerability database but don't run a scan
  --download-java-db-only download/update Java index database but don't run a scan
  --enable-modules strings [EXPERIMENTAL] module names to enable

docs/docs/references/configuration/cli/trivy_image.md

@@ -44,6 +44,10 @@ trivy image [flags] IMAGE_NAME
  --custom-headers strings custom headers in client mode
  --db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
  --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages
+ --detection-priority string specify the detection priority:
+ - "precise": Prioritizes precise by minimizing false positives.
+ - "comprehensive": Aims to detect more security findings at the cost of potential false positives.
+ (precise,comprehensive) (default "precise")
  --docker-host string unix domain socket path to use for docker scanning
  --download-db-only download/update vulnerability database but don't run a scan
  --download-java-db-only download/update Java index database but don't run a scan

docs/docs/references/configuration/cli/trivy_kubernetes.md

@@ -39,6 +39,10 @@ trivy kubernetes [flags] [CONTEXT]
  --config-data strings specify paths from which data for the Rego checks will be recursively loaded
  --db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
  --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages
+ --detection-priority string specify the detection priority:
+ - "precise": Prioritizes precise by minimizing false positives.
+ - "comprehensive": Aims to detect more security findings at the cost of potential false positives.
+ (precise,comprehensive) (default "precise")
  --disable-node-collector When the flag is activated, the node-collector job will not be executed, thus skipping misconfiguration findings on the node.
  --download-db-only download/update vulnerability database but don't run a scan
  --download-java-db-only download/update Java index database but don't run a scan

docs/docs/references/configuration/cli/trivy_repository.md

@@ -30,6 +30,10 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
  --custom-headers strings custom headers in client mode
  --db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
  --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages
+ --detection-priority string specify the detection priority:
+ - "precise": Prioritizes precise by minimizing false positives.
+ - "comprehensive": Aims to detect more security findings at the cost of potential false positives.
+ (precise,comprehensive) (default "precise")
  --download-db-only download/update vulnerability database but don't run a scan
  --download-java-db-only download/update Java index database but don't run a scan
  --enable-modules strings [EXPERIMENTAL] module names to enable

docs/docs/references/configuration/cli/trivy_rootfs.md

@@ -32,6 +32,10 @@ trivy rootfs [flags] ROOTDIR
  --custom-headers strings custom headers in client mode
  --db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
  --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages
+ --detection-priority string specify the detection priority:
+ - "precise": Prioritizes precise by minimizing false positives.
+ - "comprehensive": Aims to detect more security findings at the cost of potential false positives.
+ (precise,comprehensive) (default "precise")
  --download-db-only download/update vulnerability database but don't run a scan
  --download-java-db-only download/update Java index database but don't run a scan
  --enable-modules strings [EXPERIMENTAL] module names to enable

docs/docs/references/configuration/cli/trivy_sbom.md

@@ -25,6 +25,10 @@ trivy sbom [flags] SBOM_PATH
  --compliance string compliance report to generate
  --custom-headers strings custom headers in client mode
  --db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
+ --detection-priority string specify the detection priority:
+ - "precise": Prioritizes precise by minimizing false positives.
+ - "comprehensive": Aims to detect more security findings at the cost of potential false positives.
+ (precise,comprehensive) (default "precise")
  --download-db-only download/update vulnerability database but don't run a scan
  --download-java-db-only download/update Java index database but don't run a scan
  --exit-code int specify exit code when any security issues are found

docs/docs/references/configuration/cli/trivy_vm.md

@@ -28,6 +28,10 @@ trivy vm [flags] VM_IMAGE
  --custom-headers strings custom headers in client mode
  --db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
  --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages
+ --detection-priority string specify the detection priority:
+ - "precise": Prioritizes precise by minimizing false positives.
+ - "comprehensive": Aims to detect more security findings at the cost of potential false positives.
+ (precise,comprehensive) (default "precise")
  --download-db-only download/update vulnerability database but don't run a scan
  --download-java-db-only download/update Java index database but don't run a scan
  --enable-modules strings [EXPERIMENTAL] module names to enable

docs/docs/scanner/vulnerability.md

@@ -307,6 +307,25 @@ By default, all relationships are included in the scan.
 !!! warning
  As it may not provide a complete package list, `--pkg-relationships` cannot be used with `--dependency-tree`, `--vex` or SBOM generation.
 
+### Detection Priority
+
+Trivy provides a `--detection-priority` flag to control the balance between false positives and false negatives in vulnerability detection.
+This concept is similar to the relationship between [precision and recall][precision-recall] in machine learning evaluation.
+
+```bash
+$ trivy image --detection-priority {precise|comprehensive} alpine:3.15
+```
+
+- `precise`: This mode prioritizes reducing false positives. It results in less noisy vulnerability reports but may miss some potential vulnerabilities.
+- `comprehensive`: This mode aims to detect more vulnerabilities, potentially including some that might be false positives.
+ It provides broader coverage but may increase the noise in the results.
+
+The default value is `precise`.
+
+Regardless of the chosen mode, user review of detected vulnerabilities is crucial:
+
+- `precise`: Review thoroughly, considering potential missed vulnerabilities.
+- `comprehensive`: Carefully investigate each reported vulnerability due to increased false positive possibility.
 
 [^1]: https://github.com/GoogleContainerTools/distroless
 
@@ -353,3 +372,5 @@ By default, all relationships are included in the scan.
 [nvd]: https://nvd.nist.gov/vuln
 
 [k8s-cve]: https://kubernetes.io/docs/reference/issues-security/official-cve-feed/
+
+[precision-recall]: https://developers.google.com/machine-learning/crash-course/classification/precision-and-recall

integration/client_server_test.go

@@ -287,7 +287,7 @@ func TestClientServer(t *testing.T) {
 
  for _, tt := range tests {
  t.Run(tt.name, func(t *testing.T) {
- osArgs := setupClient(t, tt.args, addr, cacheDir, tt.golden)
+ osArgs := setupClient(t, tt.args, addr, cacheDir)
 
  if tt.args.secretConfig != "" {
  osArgs = append(osArgs, "--secret-config", tt.args.secretConfig)
@@ -407,7 +407,7 @@ func TestClientServerWithFormat(t *testing.T) {
  t.Run(tt.name, func(t *testing.T) {
  t.Setenv("AWS_REGION", "test-region")
  t.Setenv("AWS_ACCOUNT_ID", "123456789012")
- osArgs := setupClient(t, tt.args, addr, cacheDir, tt.golden)
+ osArgs := setupClient(t, tt.args, addr, cacheDir)
 
  runTest(t, osArgs, tt.golden, "", tt.args.Format, runOptions{
  override: overrideUID,
@@ -435,7 +435,7 @@ func TestClientServerWithCycloneDX(t *testing.T) {
  addr, cacheDir := setup(t, setupOptions{})
  for _, tt := range tests {
  t.Run(tt.name, func(t *testing.T) {
- osArgs := setupClient(t, tt.args, addr, cacheDir, tt.golden)
+ osArgs := setupClient(t, tt.args, addr, cacheDir)
  runTest(t, osArgs, tt.golden, "", types.FormatCycloneDX, runOptions{
  fakeUUID: "3ff14136-e09f-4df9-80ea-%012d",
  })
@@ -488,7 +488,7 @@ func TestClientServerWithToken(t *testing.T) {
 
  for _, tt := range tests {
  t.Run(tt.name, func(t *testing.T) {
- osArgs := setupClient(t, tt.args, addr, cacheDir, tt.golden)
+ osArgs := setupClient(t, tt.args, addr, cacheDir)
  runTest(t, osArgs, tt.golden, "", types.FormatJSON, runOptions{
  override: overrideUID,
  wantErr: tt.wantErr,
@@ -515,7 +515,7 @@ func TestClientServerWithRedis(t *testing.T) {
  golden := "testdata/alpine-39.json.golden"
 
  t.Run("alpine 3.9", func(t *testing.T) {
- osArgs := setupClient(t, testArgs, addr, cacheDir, golden)
+ osArgs := setupClient(t, testArgs, addr, cacheDir)
 
  // Run Trivy client
  runTest(t, osArgs, golden, "", types.FormatJSON, runOptions{
@@ -527,7 +527,7 @@ func TestClientServerWithRedis(t *testing.T) {
  require.NoError(t, redisC.Terminate(ctx))
 
  t.Run("sad path", func(t *testing.T) {
- osArgs := setupClient(t, testArgs, addr, cacheDir, golden)
+ osArgs := setupClient(t, testArgs, addr, cacheDir)
 
  // Run Trivy client
  runTest(t, osArgs, "", "", types.FormatJSON, runOptions{
@@ -592,7 +592,7 @@ func setupServer(addr, token, tokenHeader, cacheDir, cacheBackend string) []stri
  return osArgs
 }
 
-func setupClient(t *testing.T, c csArgs, addr string, cacheDir string, golden string) []string {
+func setupClient(t *testing.T, c csArgs, addr string, cacheDir string) []string {
  if c.Command == "" {
  c.Command = "image"
  }

integration/standalone_tar_test.go

@@ -8,20 +8,22 @@ import (
  "strings"
  "testing"
 
+ ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
  "github.com/aquasecurity/trivy/pkg/types"
 
  "github.com/stretchr/testify/require"
 )
 
 func TestTar(t *testing.T) {
  type args struct {
- IgnoreUnfixed bool
- Severity []string
- IgnoreIDs []string
- Format types.Format
- Input string
- SkipDirs []string
- SkipFiles []string
+ IgnoreUnfixed bool
+ Severity []string
+ IgnoreIDs []string
+ Format types.Format
+ Input string
+ SkipDirs []string
+ SkipFiles []string
+ DetectionPriority ftypes.DetectionPriority
  }
  tests := []struct {
  name string
@@ -240,7 +242,7 @@ func TestTar(t *testing.T) {
  golden: "testdata/centos-7.json.golden",
  },
  {
- name: "centos 7with --ignore-unfixed option",
+ name: "centos 7 with --ignore-unfixed option",
  args: args{
  IgnoreUnfixed: true,
  Format: types.FormatJSON,
@@ -274,6 +276,15 @@ func TestTar(t *testing.T) {
  },
  golden: "testdata/ubi-7.json.golden",
  },
+ {
+ name: "ubi 7 with comprehensive priority",
+ args: args{
+ Format: types.FormatJSON,
+ Input: "testdata/fixtures/images/ubi-7.tar.gz",
+ DetectionPriority: ftypes.PriorityComprehensive,
+ },
+ golden: "testdata/ubi-7-comprehensive.json.golden",
+ },
  {
  name: "almalinux 8",
  args: args{
@@ -380,7 +391,7 @@ func TestTar(t *testing.T) {
  "-q",
  "--format",
  string(tt.args.Format),
- "--skip-update",
+ "--skip-db-update",
  }
 
  if tt.args.IgnoreUnfixed {
@@ -411,6 +422,10 @@ func TestTar(t *testing.T) {
  }
  }
 
+ if tt.args.DetectionPriority != "" {
+ osArgs = append(osArgs, "--detection-priority", string(tt.args.DetectionPriority))
+ }
+
  // Run Trivy
  runTest(t, osArgs, tt.golden, "", tt.args.Format, runOptions{})
  })

integration/testdata/fixtures/db/python.yaml

@@ -14,3 +14,11 @@
  - 0.11.6
  VulnerableVersions:
  - < 0.11.6
+ - bucket: setuptools
+ pairs:
+ - key: CVE-2022-40897
+ value:
+ PatchedVersions:
+ - 65.5.1
+ VulnerableVersions:
+ - < 65.5.1

integration/testdata/fixtures/db/vulnerability.yaml

@@ -1399,4 +1399,23 @@
  - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14155"
  - "https://nvd.nist.gov/vuln/detail/CVE-2020-14155"
  PublishedDate: "2020-06-15T17:15:00Z"
- LastModifiedDate: "2022-04-28T15:06:00Z"
+ LastModifiedDate: "2022-04-28T15:06:00Z"
+ - key: CVE-2022-40897
+ value:
+ Title: "pypa-setuptools: Regular Expression Denial of Service (ReDoS) in package_index.py"
+ Description: "Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py."
+ Severity: MEDIUM
+ CweIDs:
+ - CWE-1333
+ VendorSeverity:
+ ghsa: 3
+ nvd: 2
+ CVSS:
+ nvd:
+ V3Vector: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ V3Score: 5.9
+ References:
+ - "https://access.redhat.com/errata/RHSA-2023:0952"
+ - "https://access.redhat.com/security/cve/CVE-2022-40897"
+ PublishedDate: "2022-12-23T00:15:13.987Z"
+ LastModifiedDate: "2024-06-21T19:15:23.877Z"