
The enhancement of the amount of cveContents information included in trivy-to-vuls #1919

Closed
TsubasaKanemitsu opened this issue May 15, 2024 · 1 comment · Fixed by #1921

@TsubasaKanemitsu
Contributor

Feature Request

  • Put the VendorSeverity of the Trivy scan result into the Severity of the cveContents, so that the Severity is unique per combination of data source and CVE.
  • Put the CVSS of Trivy's scan results into cvss3Vector and cvss3Score of the execution results of trivy-to-vuls.

In the current implementation of trivy-to-vuls, the type of data source that contributed to the determination of Severity is not considered, and the data source of cveContents' Cvss3Severity is treated as trivy. This means that if the same CVE is detected in different scan targets, it is impossible to distinguish whether the change in Severity is due to the difference in data sources or the change in Severity of the data source itself.
And we need to use the CVSS information from Trivy's scan results in FutureVuls.

The execution result of trivy-to-vuls

image debian:12
trivy -q image -f=json debian:12 | trivy-to-vuls parse --stdin
"CVE-2023-50495": {
         "cveID": "CVE-2023-50495",
         "confidences": [
            {
               "score": 100,
               "detectionMethod": "TrivyMatch"
            }
         ],
         "affectedPackages": [
            {
               "name": "libtinfo6",
               "notFixedYet": true,
               "fixState": "Affected"
            },
            {
               "name": "ncurses-base",
               "notFixedYet": true,
               "fixState": "Affected"
            },
            {
               "name": "ncurses-bin",
               "notFixedYet": true,
               "fixState": "Affected"
            }
         ],
         "cveContents": {
            "trivy": [
               {
                  "type": "",
                  "cveID": "",
                  "title": "ncurses: segmentation fault via _nc_wrap_entry()",
                  "summary": "NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().",
                  "cvss2Score": 0,
                  "cvss2Vector": "",
                  "cvss2Severity": "",
                  "cvss3Score": 0,
                  "cvss3Vector": "",
                  "cvss3Severity": "MEDIUM", // difference
                  "sourceLink": "",
.......
}
image ubuntu:22.04
trivy -q image -f=json ubuntu:22.04 | trivy-to-vuls parse --stdin
"CVE-2023-50495": {
         "cveID": "CVE-2023-50495",
         "confidences": [
            {
               "score": 100,
               "detectionMethod": "TrivyMatch"
            }
         ],
         "affectedPackages": [
            {
               "name": "libncurses6",
               "notFixedYet": true,
               "fixState": "Affected"
            },
            {
               "name": "libncursesw6",
               "notFixedYet": true,
               "fixState": "Affected"
            },
            {
               "name": "libtinfo6",
               "notFixedYet": true,
               "fixState": "Affected"
            },
            {
               "name": "ncurses-base",
               "notFixedYet": true,
               "fixState": "Affected"
            },
            {
               "name": "ncurses-bin",
               "notFixedYet": true,
               "fixState": "Affected"
            }
         ],
         "cveContents": {
            "trivy": [
               {
                  "type": "",
                  "cveID": "",
                  "title": "ncurses: segmentation fault via _nc_wrap_entry()",
                  "summary": "NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().",
                  "cvss2Score": 0,
                  "cvss2Vector": "",
                  "cvss2Severity": "",
                  "cvss3Score": 0,
                  "cvss3Vector": "",
                  "cvss3Severity": "LOW", // difference
                  "sourceLink": "",
                  .....
}

Therefore, instead of lumping the data source into trivy, it is necessary to manage the Cvss3Severity of cveContents for each data source. By doing so, the value of Cvss3Severity, which is determined by the combination of data source and CVE, should be unique.

Remarks

The scan results of Trivy

In Trivy, when the same CVE is detected for different scan targets (in this case, assuming debian and ubuntu), the data source that contributes to the determination of Severity may differ depending on the scan target, which means that the same CVE can have different Severities.

image debian:12
trivy -q image -f=json debian:12
// excerpt
{
          "VulnerabilityID": "CVE-2023-50495",
          "PkgID": "ncurses-base@6.4-4",
          "PkgName": "ncurses-base",
          "PkgIdentifier": {
            "PURL": "pkg:deb/debian/ncurses-base@6.4-4?arch=all\u0026distro=debian-12.5"
          },
          "InstalledVersion": "6.4-4",
          "Status": "affected",
          "Layer": {
            "Digest": "sha256:1468e7ff95fcb865fbc4dee7094f8b99c4dcddd6eb2180cf044c7396baf6fc2f",
            "DiffID": "sha256:072686bcd3db19834cd1e0b1e18acf50b7876043f9c38d5308e5e579cbefa6be"
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-50495",
          "DataSource": {
            "ID": "debian",
            "Name": "Debian Security Tracker",
            "URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
          },
          "Title": "ncurses: segmentation fault via _nc_wrap_entry()",
          "Description": "NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().",
          "Severity": "MEDIUM", // difference
          "VendorSeverity": {
            "amazon": 2,
            "nvd": 2,
            "redhat": 1,
            "ubuntu": 1
          },
          "CVSS": {
            "nvd": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
              "V3Score": 6.5
            },
            "redhat": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
              "V3Score": 6.5
            }
          },
image ubuntu:22.04
trivy -q image -f=json ubuntu:22.04
// excerpt
{
          "VulnerabilityID": "CVE-2023-50495",
          "PkgID": "libtinfo6@6.3-2ubuntu0.1",
          "PkgName": "libtinfo6",
          "PkgIdentifier": {
            "PURL": "pkg:deb/ubuntu/libtinfo6@6.3-2ubuntu0.1?arch=amd64\u0026distro=ubuntu-22.04"
          },
          "InstalledVersion": "6.3-2ubuntu0.1",
          "Status": "affected",
          "Layer": {
            "Digest": "sha256:a8b1c5f80c2d2a757adc963e3fe2dad0b4d229f83df3349fbb70e4d12dd48822",
            "DiffID": "sha256:629ca62fb7c791374ce57626d6b8b62c76378be091a0daf1a60d32700b49add7"
          },
          "SeveritySource": "ubuntu",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-50495",
          "DataSource": {
            "ID": "ubuntu",
            "Name": "Ubuntu CVE Tracker",
            "URL": "https://git.launchpad.net/ubuntu-cve-tracker"
          },
          "Title": "ncurses: segmentation fault via _nc_wrap_entry()",
          "Description": "NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().",
          "Severity": "LOW", // difference
          "VendorSeverity": {
            "amazon": 2,
            "nvd": 2,
            "redhat": 1,
            "ubuntu": 1
          },
          "CVSS": {
            "nvd": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
              "V3Score": 6.5
            },
            "redhat": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
              "V3Score": 6.5
            }
          },

The decision logic of Severity in Trivy
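As an added illustration (not code from this issue or from trivy-to-vuls), the per-data-source conversion the request describes, in Go: every VendorSeverity entry becomes its own cveContents key ("trivy:<source>"), the trivy-db integer severity is mapped to its name, and the vendor's own CVSS v3 vector and score are carried along where Trivy reports one. The struct types, the severityNames table and the SampleVuln record are assumptions modelled on the Trivy JSON quoted above.

```go
package main

import "fmt"

// cvssV3 and trivyVuln mirror only the Trivy JSON fields this issue discusses (assumed shape, not trivy's types).
type cvssV3 struct {
	V3Vector string
	V3Score  float64
}
type trivyVuln struct {
	SeveritySource string            // vendor whose rating became the top-level Severity
	VendorSeverity map[string]int    // every vendor's rating, as trivy-db integers
	CVSS           map[string]cvssV3 // per-vendor CVSS v3 vector and score
}
// CveContent is the subset of vuls cveContents fields the request wants filled (assumed, not the vuls model).
type CveContent struct {
	Cvss3Severity, Cvss3Vector string
	Cvss3Score                 float64
}
// severityNames mirrors trivy-db's integer severities: 0=UNKNOWN, 1=LOW, 2=MEDIUM, 3=HIGH, 4=CRITICAL.
var severityNames = []string{"UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"}

// ConvertVendorSeverities emits one entry per vendor, keyed "trivy:<source>", so the same CVE keeps a
// distinct severity per data source; an out-of-range severity index yields "UNKNOWN" instead of panicking.
func ConvertVendorSeverities(v trivyVuln) map[string]CveContent {
	out := make(map[string]CveContent, len(v.VendorSeverity))
	for source, sev := range v.VendorSeverity {
		c := CveContent{Cvss3Severity: "UNKNOWN"}
		if sev >= 0 && sev < len(severityNames) {
			c.Cvss3Severity = severityNames[sev]
		}
		if cvss, ok := v.CVSS[source]; ok { // vector/score only where that vendor published one
			c.Cvss3Vector, c.Cvss3Score = cvss.V3Vector, cvss.V3Score
		}
		out["trivy:"+source] = c
	}
	return out
}

// SampleVuln is a constructed CVE-2023-50495 record modelled on the debian:12 output quoted in the issue.
var SampleVuln = trivyVuln{
	SeveritySource: "nvd",
	VendorSeverity: map[string]int{"amazon": 2, "nvd": 2, "redhat": 1, "ubuntu": 1},
	CVSS:           map[string]cvssV3{"nvd": {"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", 6.5}},
}

func main() {
	for key, c := range ConvertVendorSeverities(SampleVuln) { // e.g. trivy:nvd MEDIUM 6.5 CVSS:3.1/...
		fmt.Printf("%-13s %-8s %.1f %s\n", key, c.Cvss3Severity, c.Cvss3Score, c.Cvss3Vector)
	}
}
```

Run against the ubuntu:22.04 record from the issue, the same function yields "trivy:ubuntu" = LOW and "trivy:nvd" = MEDIUM side by side, which is exactly the distinction the single "trivy" key loses.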

@MaineK00n
Collaborator

This is a patch that retrieves all vendor severities from Trivy Result.

:100644 100644 33ad98d 0000000 M	contrib/trivy/pkg/converter.go

diff --git a/contrib/trivy/pkg/converter.go b/contrib/trivy/pkg/converter.go
index 33ad98d..aba3a1c 100644
--- a/contrib/trivy/pkg/converter.go
+++ b/contrib/trivy/pkg/converter.go
@@ -5,6 +5,7 @@ import (
 	"sort"
 	"time"
 
+	trivydbTypes "github.com/aquasecurity/trivy-db/pkg/types"
 	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
 	"github.com/aquasecurity/trivy/pkg/types"
 
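Review bot: this import hunk adds `trivydbTypes` but nothing here adds `fmt`, which the second hunk relies on for `fmt.Sprintf`; the visible context (`"sort"`, `"time"`) does not show `fmt`, so confirm it is already in this file's import block or the build breaks. Also consider whether pulling in `github.com/aquasecurity/trivy-db/pkg/types` solely for `SeverityNames` is worth the extra module dependency versus a small local mapping with the same values.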
@@ -68,16 +69,17 @@ func Convert(results types.Results) (result *models.ScanResult, err error) {
 				lastModified = *vuln.LastModifiedDate
 			}
 
-			vulnInfo.CveContents = models.CveContents{
-				models.Trivy: []models.CveContent{{
-					Cvss3Severity: vuln.Severity,
+			for source, severity := range vuln.VendorSeverity {
+				vulnInfo.CveContents[models.CveContentType(fmt.Sprintf("%s:%s", models.Trivy, source))] = []models.CveContent{{
+					Cvss3Severity: trivydbTypes.SeverityNames[severity],
 					References:    references,
 					Title:         vuln.Title,
 					Summary:       vuln.Description,
 					Published:     published,
 					LastModified:  lastModified,
-				}},
+				}}
 			}
+
 			// do only if image type is Vuln
 			if isTrivySupportedOS(trivyResult.Type) {
 				pkgs[vuln.PkgName] = models.Package{
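Review bot: the loop assigns into `vulnInfo.CveContents[...]`, whereas the removed lines assigned a fresh `models.CveContents{...}`; unless `vulnInfo.CveContents` is initialised elsewhere, the indexed assignment panics on a nil map, so initialise it right before `for source, severity := range vuln.VendorSeverity {`. Two related regressions: when `VendorSeverity` is empty no `CveContent` is written at all, while the old code always emitted a `models.Trivy` entry from `vuln.Severity` (taking the title, summary and references with it), so any consumer keyed on `models.Trivy` now sees nothing; and `trivydbTypes.SeverityNames[severity]` indexes a slice with an integer taken straight from the parsed scan result, so bound-check it rather than trusting the input. The issue also asks for `vuln.CVSS` to populate `Cvss3Vector`/`Cvss3Score`, which this hunk does not touch.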
