Replies: 6 comments 3 replies
The problem is the table has a limitation of width. What kind of output do you expect?
Since we cannot include a new column, what do you think about breaking the table down and grouping the vulnerabilities by package? It would look like this:

```
/PATH/TO/MY/VULNERABLE/PACKAGE (PKGNAME)
============================================================================================
Total: 8 (HIGH: 8, CRITICAL: 0)

┌──────────────┬───────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│ Library      │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title                                                      │
├──────────────┼───────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ libcrypto1.1 │ CVE-2022-4450 │ HIGH     │ 1.1.1q-r0         │ 1.1.1t-r0     │ openssl: double free after calling PEM_read_bio_ex         │
│              │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-4450                  │
│              ├───────────────┤          │                   │               ├────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0215 │          │                   │               │ openssl: use-after-free following BIO_new_NDEF             │
│              │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0215                  │
│              ├───────────────┤          │                   │               ├────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0286 │          │                   │               │ openssl: X.400 address type confusion in X.509 GeneralName │
│              │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0286                  │
│              ├───────────────┤          │                   ├───────────────┼────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0464 │          │                   │ 1.1.1t-r1     │ openssl: Denial of service by excessive resource usage in  │
│              │               │          │                   │               │ verifying X509 policy...                                   │
│              │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0464                  │
├──────────────┼───────────────┤          │                   ├───────────────┼────────────────────────────────────────────────────────────┤
│ libssl1.1    │ CVE-2022-4450 │          │                   │ 1.1.1t-r0     │ openssl: double free after calling PEM_read_bio_ex         │
│              │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-4450                  │
│              ├───────────────┤          │                   │               ├────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0215 │          │                   │               │ openssl: use-after-free following BIO_new_NDEF             │
│              │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0215                  │
│              ├───────────────┤          │                   │               ├────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0286 │          │                   │               │ openssl: X.400 address type confusion in X.509 GeneralName │
│              │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0286                  │
│              ├───────────────┤          │                   ├───────────────┼────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0464 │          │                   │ 1.1.1t-r1     │ openssl: Denial of service by excessive resource usage in  │
│              │               │          │                   │               │ verifying X509 policy...                                   │
│              │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0464                  │
└──────────────┴───────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘

/PATH/TO/MY/VULNERABLE/PACKAGE-2 (PKGNAME-2)
==============================
Total: 1 (HIGH: 1, CRITICAL: 0)

┌──────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│ Library          │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │ Title                                                       │
├──────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2022-41723 │ HIGH     │ v0.5.0            │ 0.7.0         │ golang.org/x/net/http2: avoid quadratic complexity in HPACK │
│                  │                │          │                   │               │ decoding                                                    │
│                  │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-41723                  │
└──────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
```
Actually, that is what we did before. Each file (can be 100+) has a table, and the output is overwhelming.
We don't see that as an issue, as we only treat HIGH and CRITICAL and the output isn't long.
It may not be a problem for you, but for others.
Why don't you just parse the pkgpath information together with the library, between parentheses? It can't be that hard to just parse it into the table.
Problem

Path of the vulnerable package is only included in the JSON. This creates the need to download the artifact generated by the pipeline in order to check where the problem is.

Possible Solution

We would like to have this information more readily available in the table output, which is the most user friendly one for us.

Proposal

Vulnerable Package Path
and the path of the vulnerability in its information.