aquasecurity · knqyf263 · Feb 13, 2024 · Feb 8, 2024 · Feb 8, 2024 · Feb 8, 2024
@@ -31,6 +31,7 @@ trivy convert [flags] RESULT_JSON
       --output-plugin-arg string   [EXPERIMENTAL] output plugin arguments
       --report string              specify a report format for the output (all,summary) (default "all")
   -s, --severity strings           severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
+      --show-suppressed            [EXPERIMENTAL] show suppressed vulnerabilities
   -t, --template string            output template
 ```
 

@@ -75,6 +75,7 @@ trivy filesystem [flags] PATH
       --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")
       --server string                     server address in client mode
   -s, --severity strings                  severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
+      --show-suppressed                   [EXPERIMENTAL] show suppressed vulnerabilities
       --skip-db-update                    skip updating vulnerability database
       --skip-dirs strings                 specify the directories or glob patterns to skip
       --skip-files strings                specify the files or glob patterns to skip

@@ -95,6 +95,7 @@ trivy image [flags] IMAGE_NAME
       --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")
       --server string                     server address in client mode
   -s, --severity strings                  severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
+      --show-suppressed                   [EXPERIMENTAL] show suppressed vulnerabilities
       --skip-db-update                    skip updating vulnerability database
       --skip-dirs strings                 specify the directories or glob patterns to skip
       --skip-files strings                specify the files or glob patterns to skip

@@ -87,6 +87,7 @@ trivy kubernetes [flags] { cluster | all | specific resources like kubectl. eg:
       --scanners strings                  comma-separated list of what security issues to detect (vuln,misconfig,secret,rbac) (default [vuln,misconfig,secret,rbac])
       --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")
   -s, --severity strings                  severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
+      --show-suppressed                   [EXPERIMENTAL] show suppressed vulnerabilities
       --skip-db-update                    skip updating vulnerability database
       --skip-dirs strings                 specify the directories or glob patterns to skip
       --skip-files strings                specify the files or glob patterns to skip

@@ -74,6 +74,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
       --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")
       --server string                     server address in client mode
   -s, --severity strings                  severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
+      --show-suppressed                   [EXPERIMENTAL] show suppressed vulnerabilities
       --skip-db-update                    skip updating vulnerability database
       --skip-dirs strings                 specify the directories or glob patterns to skip
       --skip-files strings                specify the files or glob patterns to skip

@@ -76,6 +76,7 @@ trivy rootfs [flags] ROOTDIR
       --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")
       --server string                     server address in client mode
   -s, --severity strings                  severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
+      --show-suppressed                   [EXPERIMENTAL] show suppressed vulnerabilities
       --skip-db-update                    skip updating vulnerability database
       --skip-dirs strings                 specify the directories or glob patterns to skip
       --skip-files strings                specify the files or glob patterns to skip

@@ -52,6 +52,7 @@ trivy sbom [flags] SBOM_PATH
       --sbom-sources strings        [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
       --server string               server address in client mode
   -s, --severity strings            severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
+      --show-suppressed             [EXPERIMENTAL] show suppressed vulnerabilities
       --skip-db-update              skip updating vulnerability database
       --skip-dirs strings           specify the directories or glob patterns to skip
       --skip-files strings          specify the files or glob patterns to skip

@@ -67,6 +67,7 @@ trivy vm [flags] VM_IMAGE
       --secret-config string              specify a path to config file for secret scanning (default "trivy-secret.yaml")
       --server string                     server address in client mode
   -s, --severity strings                  severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
+      --show-suppressed                   [EXPERIMENTAL] show suppressed vulnerabilities
       --skip-db-update                    skip updating vulnerability database
       --skip-dirs strings                 specify the directories or glob patterns to skip
       --skip-files strings                specify the files or glob patterns to skip

@@ -316,15 +316,17 @@ This section describes misconfiguration-specific configuration.
 Other common options are documented [here](../../configuration/index.md).
 
 ### Enabling a subset of misconfiguration scanners
-It's possible to only enable certain misconfiguration scanners if you prefer. You can do so by passing the `--misconfig-scanners` option.
+It's possible to only enable certain misconfiguration scanners if you prefer.
+You can do so by passing the `--misconfig-scanners` option.
 This flag takes a comma-separated list of configuration scanner types.
+
 ```bash
 trivy config --misconfig-scanners=terraform,dockerfile .
 ```
 
 Will only scan for misconfigurations that pertain to Terraform and Dockerfiles.
 
-### Pass custom policies
+### Passing custom policies
 You can pass policy files or directories including your custom policies through `--policy` option.
 This can be repeated for specifying multiple files or directories.
 
@@ -338,7 +340,7 @@ For more details, see [Custom Policies](./custom/index.md).
 !!! tip
 You also need to specify `--namespaces` option.
 
-### Pass custom data
+### Passing custom data
 You can pass directories including your custom data through `--data` option.
 This can be repeated for specifying multiple directories.
 
@@ -349,7 +351,7 @@ trivy conf --policy ./policy --data ./data --namespaces user ./configs
 
 For more details, see [Custom Data](./custom/data.md).
 
-### Pass namespaces
+### Passing namespaces
 By default, Trivy evaluates policies defined in `builtin.*`.
 If you want to evaluate custom policies in other packages, you have to specify package prefixes through `--namespaces` option.
 This can be repeated for specifying multiple packages.
@@ -358,4 +360,32 @@ This can be repeated for specifying multiple packages.
 trivy conf --policy ./policy --namespaces main --namespaces user ./configs
 ```
 
+### Skipping resources by inline comments
+Some configuration file formats (e.g. Terraform) support inline comments.
+
+In cases where trivy can detect comments of a specific format immediately adjacent to resource definitions, it is possible to filter/ignore findings from a single point of resource definition (in contrast to `.trivyignore`, which has a directory-wide scope on all of the files scanned).
+
+The format for these comments is `trivy:ignore:<Vulnerability ID>` immediately following the format-specific line-comment token.
+You can add multiple ignores on the same comment line.
+
+For example, to filter a misconfiguration ID "AVD-GCP-0051" in a Terraform HCL file:
+
+```terraform
+#trivy:ignore:AVD-GCP-0051
+resource "google_container_cluster" "one_off_test" {
+  name     = var.cluster_name
+  location = var.region
+}
+```
+
+For example, to filter misconfigurations "AVD-GCP-0051" and "AVD-GCP-0053" in a Terraform HCL file:
+
+```terraform
+#trivy:ignore:AVD-GCP-0051 trivy:ignore:AVD-GCP-0053
+resource "google_container_cluster" "one_off_test" {
+  name     = var.cluster_name
+  location = var.region
+}
+```
+
 [custom]: custom/index.md
@@ -152,6 +152,76 @@ The default is `ghcr.io/aquasecurity/trivy-java-db`.
 If authentication is required, you need to run `docker login YOUR_REGISTRY`.
 Currently, specifying a username and password is not supported.
 
+## Configuration
+This section describes vulnerability-specific configuration.
+Other common options are documented [here](../configuration/index.md).
+
+### Enabling a subset of package types
+It's possible to only enable certain package types if you prefer.
+You can do so by passing the `--vuln-type` option.
+This flag takes a comma-separated list of package types.
+
+Available values:
+
+- os
+    - Scan OS packages managed by the OS package manager (e.g. `dpkg`, `yum`, `apk`).
+- library
+    - Scan language-specific packages (e.g. packages installed by `pip`, `npm`, or `gem`).
+
+```bash
+$ trivy image --vuln-type os ruby:2.4.0
+```
+
+
+<details>
+<summary>Result</summary>
+
+```bash
+2019-05-22T19:36:50.530+0200    [34mINFO[0m    Updating vulnerability database...
+2019-05-22T19:36:51.681+0200    [34mINFO[0m    Detecting Alpine vulnerabilities...
+2019-05-22T19:36:51.685+0200    [34mINFO[0m    Updating npm Security DB...
+2019-05-22T19:36:52.389+0200    [34mINFO[0m    Detecting npm vulnerabilities...
+2019-05-22T19:36:52.390+0200    [34mINFO[0m    Updating pipenv Security DB...
+2019-05-22T19:36:53.406+0200    [34mINFO[0m    Detecting pipenv vulnerabilities...
+
+ruby:2.4.0 (debian 8.7)
+=======================
+Total: 7 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 3, CRITICAL: 2)
+
++---------+------------------+----------+-------------------+---------------+----------------------------------+
+| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |              TITLE               |
++---------+------------------+----------+-------------------+---------------+----------------------------------+
+| curl    | CVE-2018-14618   | CRITICAL | 7.61.0-r0         | 7.61.1-r0     | curl: NTLM password overflow     |
+|         |                  |          |                   |               | via integer overflow             |
++         +------------------+----------+                   +---------------+----------------------------------+
+|         | CVE-2018-16839   | HIGH     |                   | 7.61.1-r1     | curl: Integer overflow leading   |
+|         |                  |          |                   |               | to heap-based buffer overflow in |
+|         |                  |          |                   |               | Curl_sasl_create_plain_message() |
++---------+------------------+----------+-------------------+---------------+----------------------------------+
+| git     | CVE-2018-17456   | HIGH     | 2.15.2-r0         | 2.15.3-r0     | git: arbitrary code execution    |
+|         |                  |          |                   |               | via .gitmodules                  |
++         +------------------+          +                   +               +----------------------------------+
+|         | CVE-2018-19486   |          |                   |               | git: Improper handling of        |
+|         |                  |          |                   |               | PATH allows for commands to be   |
+|         |                  |          |                   |               | executed from...                 |
++---------+------------------+----------+-------------------+---------------+----------------------------------+
+| libssh2 | CVE-2019-3855    | CRITICAL | 1.8.0-r2          | 1.8.1-r0      | libssh2: Integer overflow in     |
+|         |                  |          |                   |               | transport read resulting in      |
+|         |                  |          |                   |               | out of bounds write...           |
++---------+------------------+----------+-------------------+---------------+----------------------------------+
+| sqlite  | CVE-2018-20346   | MEDIUM   | 3.21.0-r1         | 3.25.3-r0     | CVE-2018-20505 CVE-2018-20506    |
+|         |                  |          |                   |               | sqlite: Multiple flaws in        |
+|         |                  |          |                   |               | sqlite which can be triggered    |
+|         |                  |          |                   |               | via...                           |
++---------+------------------+----------+-------------------+---------------+----------------------------------+
+| tar     | CVE-2018-20482   | LOW      | 1.29-r1           | 1.31-r0       | tar: Infinite read loop in       |
+|         |                  |          |                   |               | sparse_dump_region function in   |
+|         |                  |          |                   |               | sparse.c                         |
++---------+------------------+----------+-------------------+---------------+----------------------------------+
+```
+
+</details>
+
 [^1]: https://github.com/GoogleContainerTools/distroless
 
 [nvd-CVE-2023-0464]: https://nvd.nist.gov/vuln/detail/CVE-2023-0464

@@ -202,7 +202,11 @@ theme:
 
 markdown_extensions:
   - pymdownx.highlight
-  - pymdownx.superfences
+  - pymdownx.superfences:
+      custom_fences:
+        - name: mermaid
+          class: mermaid
+          format: !!python/name:pymdownx.superfences.fence_code_format
   - admonition
   - footnotes
   - attr_list

@@ -61,12 +61,12 @@ func ConvertResults(results scan.Results, provider string, scoped []string) map[
 					primaryURL = fmt.Sprintf("https://avd.aquasec.com/misconfig/%s", strings.ToLower(result.Rule().AVDID))
 				}
 
-				status := types.StatusFailure
+				status := types.MisconfStatusFailure
 				switch result.Status() {
 				case scan.StatusPassed:
-					status = types.StatusPassed
+					status = types.MisconfStatusPassed
 				case scan.StatusIgnored:
-					status = types.StatusException
+					status = types.MisconfStatusException
 				}
 
 				flat := result.Flatten()

@@ -643,6 +643,7 @@ func NewConfigCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
 	reportFlagGroup.DependencyTree = nil // disable '--dependency-tree'
 	reportFlagGroup.ListAllPkgs = nil    // disable '--list-all-pkgs'
 	reportFlagGroup.ExitOnEOL = nil      // disable '--exit-on-eol'
+	reportFlagGroup.ShowSuppressed = nil // disable '--show-suppressed'
 	reportFormat := flag.ReportFormatFlag.Clone()
 	reportFormat.Usage = "specify a compliance report format for the output" // @TODO: support --report summary for non compliance reports
 	reportFlagGroup.ReportFormat = reportFormat
@@ -988,6 +989,7 @@ func NewAWSCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
 	}
 	reportFlagGroup.Compliance = &compliance // override usage as the accepted values differ for each subcommand.
 	reportFlagGroup.ExitOnEOL = nil          // disable '--exit-on-eol'
+	reportFlagGroup.ShowSuppressed = nil     // disable '--show-suppressed'
 
 	awsFlags := &flag.Flags{
 		GlobalFlagGroup:  globalFlags,

@@ -26,7 +26,10 @@ func TestJSONWriter_Write(t *testing.T) {
 				Results: types.Results{
 					{
 						Misconfigurations: []types.DetectedMisconfiguration{
-							{AVDID: "AVD-KSV012", Status: types.StatusFailure},
+							{
+								AVDID:  "AVD-KSV012",
+								Status: types.MisconfStatusFailure,
+							},
 						},
 					},
 				},
@@ -38,7 +41,10 @@ func TestJSONWriter_Write(t *testing.T) {
 				Results: types.Results{
 					{
 						Misconfigurations: []types.DetectedMisconfiguration{
-							{AVDID: "AVD-KSV013", Status: types.StatusFailure},
+							{
+								AVDID:  "AVD-KSV013",
+								Status: types.MisconfStatusFailure,
+							},
 						},
 					},
 				},
@@ -69,7 +75,10 @@ func TestJSONWriter_Write(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			buf := new(bytes.Buffer)
-			tr := report.JSONWriter{Report: tt.reportType, Output: buf}
+			tr := report.JSONWriter{
+				Report: tt.reportType,
+				Output: buf,
+			}
 			err := tr.Write(tt.input)
 			require.NoError(t, err)
 

@@ -57,13 +57,13 @@ func TestBuildComplianceReport(t *testing.T) {
 										"https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted",
 										"https://avd.aquasec.com/misconfig/ksv001",
 									},
-									Status: types.StatusPassed,
+									Status: types.MisconfStatusPassed,
 								},
 								{
 									Type:   "Kubernetes Security Check",
 									ID:     "KSV002",
 									AVDID:  "AVD-KSV-9999",
-									Status: types.StatusFailure,
+									Status: types.MisconfStatusFailure,
 								},
 							},
 						},
@@ -179,7 +179,7 @@ func TestBuildComplianceReport(t *testing.T) {
 											"https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted",
 											"https://avd.aquasec.com/misconfig/ksv001",
 										},
-										Status: types.StatusPassed,
+										Status: types.MisconfStatusPassed,
 									},
 								},
 							},

@@ -32,7 +32,10 @@ func TestBuildSummary(t *testing.T) {
 						Results: types.Results{
 							{
 								Misconfigurations: []types.DetectedMisconfiguration{
-									{AVDID: "AVD-KSV012", Status: types.StatusFailure},
+									{
+										AVDID:  "AVD-KSV012",
+										Status: types.MisconfStatusFailure,
+									},
 								},
 							},
 						},
@@ -44,7 +47,10 @@ func TestBuildSummary(t *testing.T) {
 						Results: types.Results{
 							{
 								Misconfigurations: []types.DetectedMisconfiguration{
-									{AVDID: "AVD-KSV013", Status: types.StatusFailure},
+									{
+										AVDID:  "AVD-KSV013",
+										Status: types.MisconfStatusFailure,
+									},
 								},
 							},
 						},
@@ -86,7 +92,10 @@ func TestBuildSummary(t *testing.T) {
 						Results: types.Results{
 							{
 								Misconfigurations: []types.DetectedMisconfiguration{
-									{AVDID: "AVD-KSV012", Status: types.StatusFailure},
+									{
+										AVDID:  "AVD-KSV012",
+										Status: types.MisconfStatusFailure,
+									},
 								},
 							},
 						},
@@ -98,7 +107,10 @@ func TestBuildSummary(t *testing.T) {
 						Results: types.Results{
 							{
 								Misconfigurations: []types.DetectedMisconfiguration{
-									{AVDID: "AVD-KSV013", Status: types.StatusFailure},
+									{
+										AVDID:  "AVD-KSV013",
+										Status: types.MisconfStatusFailure,
+									},
 								},
 							},
 						},

@@ -3,7 +3,6 @@ package report
 import (
 	"context"
 	"io"
-	"sync"
 
 	"golang.org/x/xerrors"
 
@@ -31,9 +30,8 @@ func (tw TableWriter) Write(ctx context.Context, report *ComplianceReport) error
 	switch tw.Report {
 	case allReport:
 		t := pkgReport.Writer{
-			Output:          tw.Output,
-			Severities:      tw.Severities,
-			ShowMessageOnce: &sync.Once{},
+			Output:     tw.Output,
+			Severities: tw.Severities,
 		}
 		for _, cr := range report.Results {
 			r := types.Report{Results: cr.Results}