
feat(vuln): show suppressed vulnerabilities in table #6084

Merged: 24 commits into aquasecurity:main from modified_findings, Feb 13, 2024

Conversation

@knqyf263 (Collaborator) commented Feb 8, 2024

Description

This PR extends the request described in #3464 by not only displaying vulnerabilities ignored via .trivyignore but also those suppressed through Rego policies and declared as not affected by Vulnerability Exploitability eXchange (VEX). Furthermore, it shows the rationale behind suppression defined in .trivyignore.yaml and VEX.

When the --show-suppressed flag is specified, it now displays suppressed vulnerabilities alongside the regular detected vulnerabilities as follows:

$ trivy image --vex debian11.csaf.vex --ignorefile .trivyignore.yaml --show-suppressed debian:11
...

Suppressed Vulnerabilities (Total: 9)
======================================
┌───────────────┬───────────────┬──────────┬──────────────┬─────────────────────────────────────────────┬───────────────────┐
│    Library    │ Vulnerability │ Severity │    Status    │                  Statement                  │      Source       │
├───────────────┼───────────────┼──────────┼──────────────┼─────────────────────────────────────────────┼───────────────────┤
│ libdb5.3      │ CVE-2019-8457 │ CRITICAL │ not_affected │ vulnerable_code_not_in_execute_path         │ CSAF VEX          │
├───────────────┼───────────────┼──────────┼──────────────┼─────────────────────────────────────────────┼───────────────────┤
│ bsdutils      │ CVE-2022-0563 │ LOW      │ ignored      │ Accept the risk                             │ .trivyignore.yaml │
├───────────────┤               │          │              │                                             │                   │
│ libblkid1     │               │          │              │                                             │                   │
├───────────────┤               │          │              │                                             │                   │
│ libmount1     │               │          │              │                                             │                   │
├───────────────┤               │          │              │                                             │                   │
│ libsmartcols1 │               │          │              │                                             │                   │
├───────────────┤               │          │              │                                             │                   │
│ libuuid1      │               │          │              │                                             │                   │
├───────────────┤               │          │              │                                             │                   │
│ mount         │               │          │              │                                             │                   │
├───────────────┼───────────────┤          │              ├─────────────────────────────────────────────┤                   │
│ tar           │ CVE-2005-2541 │          │              │ The vulnerable configuration is not enabled │                   │
├───────────────┼───────────────┤          │              ├─────────────────────────────────────────────┤                   │
│ util-linux    │ CVE-2022-0563 │          │              │ Accept the risk                             │                   │
└───────────────┴───────────────┴──────────┴──────────────┴─────────────────────────────────────────────┴───────────────────┘

It's important to note that vulnerabilities filtered out by --severity, --ignore-unfixed, or --ignore-status will not be displayed with --show-suppressed. To clarify this, we've defined two phases in the filtering process:

  • Prioritization
  • Suppression

[Screenshot omitted: CleanShot 2024-02-08 at 12 19 06]

The --show-suppressed flag is specifically designed to reveal vulnerabilities filtered during the Suppression phase.

Caveat

While this extension is applicable beyond vulnerabilities to include misconfigurations, secrets, and licenses, this PR focuses on vulnerabilities due to its size. Future PRs will address other aspects.

Additionally, due to potential changes in internal implementation, the suppressed vulnerabilities are currently only displayed in table format. Support for JSON and other formats is planned once the implementation stabilizes.

Related issues

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options).
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).
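The two-phase filter described in the PR (prioritization first, then suppression, with only the second phase feeding --show-suppressed) is easiest to reason about with a small model. The following is an added example written for this page; it is not Trivy's code and does not use its types. The Finding/Suppressed/Options structs, the "pkg:CVE" lookup key for VEX statements, the CVE-ID-to-statement map for the ignore file, and the sample findings (real CVE IDs are those from the table above; CVE-0000-0001 and CVE-0000-0002 are placeholders) are all assumptions constructed for the example.

```go
package main

import "fmt"

// Finding is a constructed, simplified model of one detected vulnerability
// (an assumption for this example, not Trivy's own type).
type Finding struct {
	PkgName, ID, Severity string
	FixedVersion          string // "" means no fix is available
	Status                string // e.g. "affected", "fixed", "will_not_fix", "end_of_life"
}

// Suppressed adds the extra columns of the PR's table to a hidden finding.
type Suppressed struct {
	Finding
	SuppressStatus string // "ignored" or "not_affected"
	Statement      string
	Source         string // ".trivyignore.yaml" or "CSAF VEX"
}

// Options mirrors the flags in the PR description; set/map shapes are example assumptions.
type Options struct {
	Severities    map[string]bool   // --severity (empty set means all)
	IgnoreUnfixed bool              // --ignore-unfixed
	IgnoreStatus  map[string]bool   // --ignore-status
	IgnoreFile    map[string]string // --ignorefile: CVE ID -> statement
	VEX           map[string]string // --vex: "pkg:CVE ID" -> VEX justification
}

// prioritize is phase one: findings outside the requested scope are dropped
// outright and never reported, even when a suppression rule would also match.
func prioritize(findings []Finding, o Options) []Finding {
	var kept []Finding
	for _, f := range findings {
		outOfScope := (len(o.Severities) > 0 && !o.Severities[f.Severity]) ||
			(o.IgnoreUnfixed && f.FixedVersion == "") ||
			o.IgnoreStatus[f.Status]
		if !outOfScope {
			kept = append(kept, f)
		}
	}
	return kept
}

// suppress is phase two: findings matched by a VEX not_affected statement or by
// the ignore file are moved to a separate list instead of being discarded.
func suppress(findings []Finding, o Options) (shown []Finding, suppressed []Suppressed) {
	for _, f := range findings {
		if just, ok := o.VEX[f.PkgName+":"+f.ID]; ok {
			suppressed = append(suppressed, Suppressed{f, "not_affected", just, "CSAF VEX"})
		} else if stmt, ok := o.IgnoreFile[f.ID]; ok {
			suppressed = append(suppressed, Suppressed{f, "ignored", stmt, ".trivyignore.yaml"})
		} else {
			shown = append(shown, f)
		}
	}
	return shown, suppressed
}

// Filter runs both phases in order; only phase two feeds --show-suppressed.
func Filter(findings []Finding, o Options) ([]Finding, []Suppressed) {
	return suppress(prioritize(findings, o), o)
}

const rowFmt = "%-14s %-14s %-8s %-12s %-44s %s\n" // column order of the PR's table

// RenderSuppressed lays out the suppressed list as a plain-text table.
func RenderSuppressed(s []Suppressed) string {
	out := fmt.Sprintf("Suppressed Vulnerabilities (Total: %d)\n", len(s))
	out += fmt.Sprintf(rowFmt, "Library", "Vulnerability", "Severity", "Status", "Statement", "Source")
	for _, v := range s {
		out += fmt.Sprintf(rowFmt, v.PkgName, v.ID, v.Severity, v.SuppressStatus, v.Statement, v.Source)
	}
	return out
}

// SampleFindings is constructed input: the first three IDs appear in the PR's
// table; CVE-0000-0001 and CVE-0000-0002 are placeholders, not real IDs.
func SampleFindings() []Finding {
	return []Finding{
		{"libdb5.3", "CVE-2019-8457", "CRITICAL", "", "affected"},
		{"bsdutils", "CVE-2022-0563", "LOW", "", "will_not_fix"},
		{"tar", "CVE-2005-2541", "LOW", "", "affected"},
		{"libfoo", "CVE-0000-0001", "HIGH", "", "end_of_life"},
		{"libbar", "CVE-0000-0002", "MEDIUM", "1.2.3", "fixed"},
	}
}

// SampleOptions mimics --ignore-status end_of_life plus an ignore file and a VEX document.
// The ignore-file entry for CVE-0000-0001 never takes effect: phase one removes that finding.
func SampleOptions() Options {
	return Options{
		IgnoreStatus: map[string]bool{"end_of_life": true},
		IgnoreFile: map[string]string{
			"CVE-2022-0563": "Accept the risk",
			"CVE-2005-2541": "The vulnerable configuration is not enabled",
			"CVE-0000-0001": "Accept the risk",
		},
		VEX: map[string]string{"libdb5.3:CVE-2019-8457": "vulnerable_code_not_in_execute_path"},
	}
}
```

Running Filter(SampleFindings(), SampleOptions()) leaves one finding in the regular list and three in the suppressed list; the end_of_life finding is absent from both, which is the behaviour the PR description calls out: a suppression rule only ever applies to what survives prioritization. The VEX check runs before the ignore file so that a "not_affected" justification, which carries more information than a blanket ignore, is the status reported when both match; the real Trivy matching (package identifiers, Rego policies) is more involved than the string keys used here.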

@knqyf263 knqyf263 self-assigned this Feb 8, 2024
@knqyf263 knqyf263 requested a review from DmitriyLewen February 8, 2024 08:22
@knqyf263 (Collaborator, Author) commented Feb 8, 2024

@DmitriyLewen I carefully split changes into commits. You can see the commits one by one.

This PR is still a draft, but it's 95% done. You can start reviewing. I'm looking to add a log message about --show-suppressed when any vulnerabilities are suppressed.

@knqyf263 knqyf263 requested a review from itaysk February 8, 2024 08:41
@DmitriyLewen (Contributor) left a review comment:

@knqyf263
Looks good. I left some small comments. Take a look, please.

Review threads (resolved) on: docs/docs/configuration/filtering.md, pkg/vex/cyclonedx.go, pkg/result/filter_test.go, docs/docs/references/configuration/cli/trivy_config.md, pkg/flag/report_flags.go
@DmitriyLewen (Contributor) commented:

@knqyf263 I forgot to write to you:
can you add a test in https://github.com/aquasecurity/trivy/blob/main/pkg/report/table/table_test.go with a suppressed table?

@knqyf263 (Collaborator, Author) commented Feb 8, 2024

@DmitriyLewen I missed it. I'll update the test. Thanks!

@knqyf263 knqyf263 marked this pull request as ready for review February 9, 2024 04:53
@knqyf263 (Collaborator, Author) commented Feb 9, 2024

@DmitriyLewen It's ready for review!

@DmitriyLewen (Contributor) left a review comment:

LGTM 👍

@knqyf263 knqyf263 added this pull request to the merge queue Feb 13, 2024
Merged via the queue into aquasecurity:main with commit 3c1601b Feb 13, 2024
17 checks passed
@knqyf263 knqyf263 deleted the modified_findings branch February 13, 2024 13:04
Linked issue (may be closed by this pull request): Include ignored CVEs in report, explicitly marked as ignored