Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(vuln): add --pkg-relationships #7237

Merged
merged 12 commits into from
Jul 29, 2024

Conversation

knqyf263
Copy link
Collaborator

Description

Add --pkg-relationships to filter vulnerabilities by relationships. It cannot be used with --dependency-tree, --vex or --format spdx|spdx-json|cyclonedx|github.

Usage

Withot --pkg-relationships

$ trivy repo ./go.mod
...

go.mod (gomod)
==============
Total: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

┌────────────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────────┐
│        Library         │    Vulnerability    │ Severity │ Status │ Installed Version │ Fixed Version │                           Title                           │
├────────────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ google.golang.org/grpc │ GHSA-xr7q-jx4m-x55m │ LOW      │ fixed  │ 1.64.0            │ 1.64.1        │ Private tokens could appear in logs if context containing │
│                        │                     │          │        │                   │               │ gRPC metadata is...                                       │
│                        │                     │          │        │                   │               │ https://github.com/advisories/GHSA-xr7q-jx4m-x55m         │
└────────────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────────┘

With --pkg-relationships

$ trivy repo --scanners vuln --pkg-relationships direct ./go.mod
2024-07-26T11:19:11+04:00       INFO    [vuln] Vulnerability scanning is enabled
2024-07-26T11:19:13+04:00       INFO    Number of language-specific files       num=1
2024-07-26T11:19:13+04:00       INFO    [gomod] Detecting vulnerabilities...

With --pkg-relationships and --format spdx

$ trivy repo --pkg-relationships direct --format spdx ./go.mod
2024-07-26T11:20:33+04:00       INFO    "--format spdx" and "--format spdx-json" disable security scanning
2024-07-26T11:20:33+04:00       FATAL   Fatal error     flag error: align options error: '--pkg-relationships' cannot be used with '--dependency-tree', '--vex' or SBOM formats

Related issues

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@knqyf263 knqyf263 self-assigned this Jul 26, 2024
@knqyf263 knqyf263 marked this pull request as ready for review July 26, 2024 12:23
@knqyf263 knqyf263 requested a review from DmitriyLewen as a code owner July 26, 2024 12:23
Copy link
Contributor

@DmitriyLewen DmitriyLewen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Left a couple of comments.

By default, all relationships are included in the scan.

!!! info
This flag filters the packages themselves, so it also affects the `--list-all-pkgs` option and SBOM generation.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's add warning that this flag can't be used with --dependency-tree, --vex or --format spdx|spdx-json|cyclonedx|github.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I deleted the warning in aaea1ea as it now returns an error. Do you want to document it?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I think it won't be superfluous

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done
f0e1104

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I assume that users will want to use new flag in convert mode.
e.g. scan image once, but show 2 tables - with direct and indirect dependencies.

But for this change we need to change location of new logic.
So I suggest waiting for user requests.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually, I was also thinking about it. --include-dev-deps and --pkg-types cannot be used in convert now. Detecting vulnerabilities is not expensive. We might want to move it in the filtering process.

Copy link
Contributor

@DmitriyLewen DmitriyLewen Jul 29, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

--include-dev-deps and --pkg-types cannot be used in convert now.

Users can't use --pkg-types (--vuln-type) in v0.53.0 (or earlier) in convert mode:

➜ trivy -d convert --vuln-type os
...
2024-07-29T11:42:11+06:00	FATAL	Fatal error	unknown flag: --vuln-type

But I haven't seen any requests to add this flag for convert mode.

We might want to wait for user feedback on --pkg-relationships.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Got it.

Signed-off-by: knqyf263 <[email protected]>
Copy link
Contributor

@DmitriyLewen DmitriyLewen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@knqyf263 knqyf263 added this pull request to the merge queue Jul 29, 2024
Merged via the queue into aquasecurity:main with commit 5c37361 Jul 29, 2024
17 checks passed
@knqyf263 knqyf263 deleted the add_relationship branch July 29, 2024 06:40
romulets added a commit to romulets/cloudbeat that referenced this pull request Aug 9, 2024
Package relationship has been introduced on aquasecurity/trivy#7237 and using CLI there are default relationship values (all). Using the library directly there is no default value and having 0 relationships and retrieving 0 finginds. Therefore on this commit we added the default value with all relationships
romulets added a commit to elastic/cloudbeat that referenced this pull request Aug 9, 2024
* Bump trivy to v0.54.1 and fix breaking changes

* Add default cli values of --pkg-relationships

Package relationship has been introduced on aquasecurity/trivy#7237 and using CLI there are default relationship values (all). Using the library directly there is no default value and having 0 relationships and retrieving 0 finginds. Therefore on this commit we added the default value with all relationships
romulets added a commit to elastic/cloudbeat that referenced this pull request Aug 13, 2024
- Fix --vuln-type flag renamed into --pkg-types aquasecurity/trivy#7104; \n- Adopt package relationships aquasecurity/trivy#7237
romulets added a commit to romulets/cloudbeat that referenced this pull request Aug 13, 2024
- Fix --vuln-type flag renamed into --pkg-types aquasecurity/trivy#7104; \n- Adopt package relationships aquasecurity/trivy#7237
romulets added a commit to elastic/cloudbeat that referenced this pull request Aug 13, 2024
* Bump trivy to v0.49.1

* Bump trivy to v0.51.4
    - Fix registry version aquasecurity/trivy#6219; 
    - Fix replace zap with slog aquasecurity/trivy#6466;
        - The fix with slog used a zap to slog bridge (official from zap, but exp). It didn't have a license file, so I hardcoded a commit version that had; 
  - Adopt opts.Align() to validate options object;

* Bump trivy to v0.52.2

* Temp change the workflow trigger to test changes

* Free up space on runner

* Bump trivy to v0.53.0
  - Fix go clear cache aquasecurity/trivy#7010

* Bump trivy to v0.54.1
  - Fix --vuln-type flag renamed into --pkg-types aquasecurity/trivy#7104; 
  - Adopt package relationships aquasecurity/trivy#7237

* Rollback CI run on target

* Clean 'scan cache clean' code and add timeout to it
afsmeira added a commit to codacy/codacy-trivy that referenced this pull request Aug 29, 2024
It's only necessary to specifiy these types when running the scanners directly, as we do.
When running Trivy via the command line it's not necessary.

See aquasecurity/trivy#7237
afsmeira added a commit to codacy/codacy-trivy that referenced this pull request Aug 29, 2024
It's only necessary to specifiy these types when running the scanners directly, as we do.
When running Trivy via the command line it's not necessary.

See aquasecurity/trivy#7237
afsmeira added a commit to codacy/codacy-trivy that referenced this pull request Aug 29, 2024
It's only necessary to specifiy these types when running the scanners directly, as we do.
When running Trivy via the command line it's not necessary.

See aquasecurity/trivy#7237
github-actions bot pushed a commit to codacy/codacy-trivy that referenced this pull request Aug 29, 2024
…#83)

* chore(deps): bump github.com/aquasecurity/trivy from 0.53.0 to 0.54.1

Bumps [github.com/aquasecurity/trivy](https://github.com/aquasecurity/trivy) from 0.53.0 to 0.54.1.
- [Release notes](https://github.com/aquasecurity/trivy/releases)
- [Changelog](https://github.com/aquasecurity/trivy/blob/v0.54.1/CHANGELOG.md)
- [Commits](aquasecurity/trivy@v0.53.0...v0.54.1)

---
updated-dependencies:
- dependency-name: github.com/aquasecurity/trivy
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* fix: Use new flag for vulnerability type

See aquasecurity/trivy#7104

* bump: Trivy version for vulnerability DB updates

* fix: Specify types of dependencies to analyze

It's only necessary to specifiy these types when running the scanners directly, as we do.
When running Trivy via the command line it's not necessary.

See aquasecurity/trivy#7237

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: André Meira <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

feat(vuln): add --relationship flag to filter vulnerabilities by package relationship
2 participants