docs(issue): added docs for wrong detection issues (#1961)

Co-authored-by: knqyf263 <[email protected]>
aquasecurity · Apr 12, 2022 · 72d94b2 · 72d94b2
1 parent b4a7d6a
commit 72d94b2
Show file tree

Hide file tree

Showing 2 changed files with 58 additions and 0 deletions.
diff --git a/.github/ISSUE_TEMPLATE/WRONG_DETECTION.md b/.github/ISSUE_TEMPLATE/WRONG_DETECTION.md
@@ -0,0 +1,33 @@
+---
+name: Wrong Detection
+labels: ["kind/bug"]
+about: If Trivy doesn't detect something, or shows false positive detection
+---
+
+## Checklist
+- [ ] I've read [the documentation regarding wrong detection](https://aquasecurity.github.io/trivy/latest/community/contribute/issue/#wrong-detection).
+- [ ] I've confirmed that a security advisory in data sources was correct.
+    - Run Trivy with `-f json` that shows data sources and make sure that the security advisory is correct.
+
+
+## Description
+
+<!--
+Briefly describe the CVE that aren't detected and information about artifacts with this CVE.
+-->
+
+## JSON Output of run with `-debug`:
+
+```
+(paste your output here)
+```
+
+## Output of `trivy -v`:
+
+```
+(paste your output here)
+```
+
+## Additional details (base image name, container registry info...):
+
+
diff --git a/docs/community/contribute/issue.md b/docs/community/contribute/issue.md
@@ -4,3 +4,28 @@ Thank you for taking interest in contributing to Trivy!
 - Please spend a small amount of time giving due diligence to the issue tracker. Your issue might be a duplicate. If it is, please add your comment to the existing issue.
 - Remember that users might search for your issue in the future, so please give it a meaningful title to help others.
 - The issue should clearly explain the reason for opening, the proposal if you have any, and any relevant technical information.
+
+## Wrong detection
+Trivy depends on [multiple data sources](https://aquasecurity.github.io/trivy/latest/docs/vulnerability/detection/data-source/).
+Sometime these databases contain mistakes.
+
+If Trivy can't detect any CVE-IDs or shows false positive result, at first please follow the next steps:
+
+1. Run Trivy with `-f json` that shows data sources.
+2. According to the shown data source, make sure that the security advisory in the data source is correct.
+
+If the data source is correct and Trivy shows wrong results, please raise an issue on Trivy.
+
+### GitHub Advisory Database
+Visit [here](https://github.com/advisories) and search CVE-ID.
+
+If you find a problem, it'll be nice to fix it: [How to contribute to a GitHub security advisory](https://github.blog/2022-02-22-github-advisory-database-now-open-to-community-contributions/)
+
+### GitLab Advisory Database
+Visit [here](https://advisories.gitlab.com/) and search CVE-ID.
+
+If you find a problem, it'll be nice to fix it: [Create an issue to GitLab Advisory Database](https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/issues/new)
+
+### Red Hat CVE Database
+Visit [here](https://access.redhat.com/security/security-updates/?cwe=476#/cve) and search CVE-ID.
+