From 72d94b21cfb748c5608b19711bf04f384e4c50d5 Mon Sep 17 00:00:00 2001 From: afdesk Date: Tue, 12 Apr 2022 12:57:27 +0600 Subject: [PATCH] docs(issue): added docs for wrong detection issues (#1961) Co-authored-by: knqyf263 --- .github/ISSUE_TEMPLATE/WRONG_DETECTION.md | 33 +++++++++++++++++++++++ docs/community/contribute/issue.md | 25 +++++++++++++++++ 2 files changed, 58 insertions(+) create mode 100644 .github/ISSUE_TEMPLATE/WRONG_DETECTION.md diff --git a/.github/ISSUE_TEMPLATE/WRONG_DETECTION.md b/.github/ISSUE_TEMPLATE/WRONG_DETECTION.md new file mode 100644 index 000000000000..bc0e5cb28240 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/WRONG_DETECTION.md @@ -0,0 +1,33 @@ +--- +name: Wrong Detection +labels: ["kind/bug"] +about: If Trivy doesn't detect something, or shows false positive detection +--- + +## Checklist +- [ ] I've read [the documentation regarding wrong detection](https://aquasecurity.github.io/trivy/latest/community/contribute/issue/#wrong-detection). +- [ ] I've confirmed that a security advisory in data sources was correct. + - Run Trivy with `-f json` that shows data sources and make sure that the security advisory is correct. + + +## Description + + + +## JSON Output of run with `-debug`: + +``` +(paste your output here) +``` + +## Output of `trivy -v`: + +``` +(paste your output here) +``` + +## Additional details (base image name, container registry info...): + + diff --git a/docs/community/contribute/issue.md b/docs/community/contribute/issue.md index 526c5ec4c66b..21dd88d11361 100644 --- a/docs/community/contribute/issue.md +++ b/docs/community/contribute/issue.md 
@@ -4,3 +4,28 @@ Thank you for taking interest in contributing to Trivy! - Please spend a small amount of time giving due diligence to the issue tracker. Your issue might be a duplicate. If it is, please add your comment to the existing issue. - Remember that users might search for your issue in the future, so please give it a meaningful title to help others. - The issue should clearly explain the reason for opening, the proposal if you have any, and any relevant technical information. + +## Wrong detection +Trivy depends on [multiple data sources](https://aquasecurity.github.io/trivy/latest/docs/vulnerability/detection/data-source/). +Sometime these databases contain mistakes. + +If Trivy can't detect any CVE-IDs or shows false positive result, at first please follow the next steps: + +1. Run Trivy with `-f json` that shows data sources. +2. According to the shown data source, make sure that the security advisory in the data source is correct. + +If the data source is correct and Trivy shows wrong results, please raise an issue on Trivy. + +### GitHub Advisory Database +Visit [here](https://github.com/advisories) and search CVE-ID. + +If you find a problem, it'll be nice to fix it: [How to contribute to a GitHub security advisory](https://github.blog/2022-02-22-github-advisory-database-now-open-to-community-contributions/) + +### GitLab Advisory Database +Visit [here](https://advisories.gitlab.com/) and search CVE-ID. + +If you find a problem, it'll be nice to fix it: [Create an issue to GitLab Advisory Database](https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/issues/new) + +### Red Hat CVE Database +Visit [here](https://access.redhat.com/security/security-updates/?cwe=476#/cve) and search CVE-ID. +
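Review bot: In `.github/ISSUE_TEMPLATE/WRONG_DETECTION.md`, the heading "JSON Output of run with `-debug`" does not name `-f json`, although the checklist item above it depends on that flag to show the data sources. Reporters who follow only the heading will paste non-JSON debug output. Please spell out both flags in the heading. The same template asks for debug output and "container registry info" in a public issue, so a one-line reminder to redact credentials and internal hostnames before pasting would help. Minor: the `about:` line would read better as "or shows a false positive".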
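Review bot: In `docs/community/contribute/issue.md`, the link under "### Red Hat CVE Database" carries a `?cwe=476` query string, which looks like a leftover filter from someone's browser session and will narrow the listing before the reader searches for a CVE-ID. Please link to the unfiltered page. That section also lacks the "If you find a problem" follow-up that the GitHub and GitLab sections have, so the reader is not told where to report a wrong Red Hat advisory. Smaller points: "Sometime these databases" should be "Sometimes", "shows false positive result" needs an article, and the three "Visit [here]" links would be easier to scan with descriptive link text.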