Replies: 3 comments 11 replies
-
@DmitriyLewen Please let me know your thoughts. |
Beta Was this translation helpful? Give feedback.
-
Some more ideas on this flag. But then, it also affects SBOM as well as vulnerabilities. We may want to change a flag name back to |
Beta Was this translation helpful? Give feedback.
-
Here are some more ideas:
|
Beta Was this translation helpful? Give feedback.
-
Description
Description
Trivy doesn't analyze files managed by an OS package manager. It's important to reduce false positives. Let's take an example of RPM. In case
rh-maven35-log4j12-1.2.17-19.2
is installed in a RHEL7 container image, we will find a JAR file,/opt/rh/rh-maven35/root/usr/share/java/log4j-1.2.17.jar
in the image.Log4j 1.2.17 looks vulnerable to CVE-2022-23302, which affect
<=1.2.17
. However, Red Hat applied a patch to 1.27.17 and released 1.2.17-18 in RHSA-2022:0442. So, this package is actually not affected by the vulnerability.If Trivy analyzes
/opt/rh/rh-maven35/root/usr/share/java/log4j-1.2.17.jar
in the same way as a normal JAR, it leads to false positives. Even if we are lucky and it doesn't lead to a false positive, the result will be duplicated. It is necessary to determine where the file came from and apply the advisory correctly (e.g., upstream advisory vs vendor advisory).This also applies to Go and Rust binaries, for example. However, some vendors may be delayed to provide advisories. In such cases, users may want to force detection even at the risk of identifying the wrong version or using the wrong advisory, leading to false detection of vulnerabilities.
There is also a possibility that vendors may not provide SBOMs or vulnerabilities for dependent packages of the packages they provide. Let's see an example.
Example
cgr.dev/chainguard/argocd
has a go binary at/usr/local/bin/argocd
, managed by apk.So, Trivy skips analyzing
/usr/local/bin/argocd
, but this binary actually contains some vulnerable dependencies, likeCVE-2024-35255 in github.com/Azure/azure-sdk-for-go/sdk/azidentity.
Their SBOM doesn't provide any information on ArgoCD's dependencies.
Therefore, Trivy misses CVE-2024-35255 in this case. Ideally, the SBOM should include the package's dependencies, like Bitnami images.
Proposal
Still, it might be good to have an option to force analysis since there must be such a container image (and a vendor) with missing information. It produces false positives, so I don't think we should enable it by default, though.
Similar to #4109, but it's not easy for users to understand the details. I think we may want to provide a more abstract flag, like
--vuln-detection-level=normal (default)
,--vuln-detection-level=lax
(inspired by Cookie SameSite) and--vuln-detection-level=strict (in the future)
. This flag can be used for trade-off between false positives vs false negatives in the future.Target
None
Scanner
Vulnerability
Beta Was this translation helpful? Give feedback.
All reactions