feat(vuln): Add --detection-priority flag for accuracy tuning #7288

Merged
merged 16 commits into from
Aug 2, 2024
4 changes: 4 additions & 0 deletions docs/docs/references/configuration/cli/trivy_filesystem.md
Expand Up @@ -30,6 +30,10 @@ trivy filesystem [flags] PATH
--custom-headers strings custom headers in client mode
--db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
--dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages
--detection-priority string specify the detection priority:
- "precise": Prioritizes precise by minimizing false positives.
- "comprehensive": Aims to detect more security findings at the cost of potential false positives.
(precise,comprehensive) (default "precise")
--download-db-only download/update vulnerability database but don't run a scan
--download-java-db-only download/update Java index database but don't run a scan
--enable-modules strings [EXPERIMENTAL] module names to enable
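Review bot: the help text `"precise": Prioritizes precise by minimizing false positives.` is ungrammatical (an adjective where a noun is needed); suggest `"precise": Prioritizes precision by minimizing false positives.` or, plainer, `Minimizes false positives at the cost of possibly missing some findings.` The identical text is repeated in the trivy_image, trivy_kubernetes, trivy_repository, trivy_rootfs, trivy_sbom and trivy_vm reference pages in this PR, so these files appear to be generated from the flag's usage string; fix the wording once at the flag definition and regenerate rather than editing each markdown file.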
4 changes: 4 additions & 0 deletions docs/docs/references/configuration/cli/trivy_image.md
Expand Up @@ -44,6 +44,10 @@ trivy image [flags] IMAGE_NAME
--custom-headers strings custom headers in client mode
--db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
--dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages
--detection-priority string specify the detection priority:
- "precise": Prioritizes precise by minimizing false positives.
- "comprehensive": Aims to detect more security findings at the cost of potential false positives.
(precise,comprehensive) (default "precise")
--docker-host string unix domain socket path to use for docker scanning
--download-db-only download/update vulnerability database but don't run a scan
--download-java-db-only download/update Java index database but don't run a scan
4 changes: 4 additions & 0 deletions docs/docs/references/configuration/cli/trivy_kubernetes.md
Expand Up @@ -39,6 +39,10 @@ trivy kubernetes [flags] [CONTEXT]
--config-data strings specify paths from which data for the Rego checks will be recursively loaded
--db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
--dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages
--detection-priority string specify the detection priority:
- "precise": Prioritizes precise by minimizing false positives.
- "comprehensive": Aims to detect more security findings at the cost of potential false positives.
(precise,comprehensive) (default "precise")
--disable-node-collector When the flag is activated, the node-collector job will not be executed, thus skipping misconfiguration findings on the node.
--download-db-only download/update vulnerability database but don't run a scan
--download-java-db-only download/update Java index database but don't run a scan
4 changes: 4 additions & 0 deletions docs/docs/references/configuration/cli/trivy_repository.md
Expand Up @@ -30,6 +30,10 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
--custom-headers strings custom headers in client mode
--db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
--dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages
--detection-priority string specify the detection priority:
- "precise": Prioritizes precise by minimizing false positives.
- "comprehensive": Aims to detect more security findings at the cost of potential false positives.
(precise,comprehensive) (default "precise")
--download-db-only download/update vulnerability database but don't run a scan
--download-java-db-only download/update Java index database but don't run a scan
--enable-modules strings [EXPERIMENTAL] module names to enable
4 changes: 4 additions & 0 deletions docs/docs/references/configuration/cli/trivy_rootfs.md
Expand Up @@ -32,6 +32,10 @@ trivy rootfs [flags] ROOTDIR
--custom-headers strings custom headers in client mode
--db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
--dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages
--detection-priority string specify the detection priority:
- "precise": Prioritizes precise by minimizing false positives.
- "comprehensive": Aims to detect more security findings at the cost of potential false positives.
(precise,comprehensive) (default "precise")
--download-db-only download/update vulnerability database but don't run a scan
--download-java-db-only download/update Java index database but don't run a scan
--enable-modules strings [EXPERIMENTAL] module names to enable
4 changes: 4 additions & 0 deletions docs/docs/references/configuration/cli/trivy_sbom.md
Expand Up @@ -25,6 +25,10 @@ trivy sbom [flags] SBOM_PATH
--compliance string compliance report to generate
--custom-headers strings custom headers in client mode
--db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
--detection-priority string specify the detection priority:
- "precise": Prioritizes precise by minimizing false positives.
- "comprehensive": Aims to detect more security findings at the cost of potential false positives.
(precise,comprehensive) (default "precise")
--download-db-only download/update vulnerability database but don't run a scan
--download-java-db-only download/update Java index database but don't run a scan
--exit-code int specify exit code when any security issues are found
4 changes: 4 additions & 0 deletions docs/docs/references/configuration/cli/trivy_vm.md
Expand Up @@ -28,6 +28,10 @@ trivy vm [flags] VM_IMAGE
--custom-headers strings custom headers in client mode
--db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
--dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages
--detection-priority string specify the detection priority:
- "precise": Prioritizes precise by minimizing false positives.
- "comprehensive": Aims to detect more security findings at the cost of potential false positives.
(precise,comprehensive) (default "precise")
--download-db-only download/update vulnerability database but don't run a scan
--download-java-db-only download/update Java index database but don't run a scan
--enable-modules strings [EXPERIMENTAL] module names to enable
21 changes: 21 additions & 0 deletions docs/docs/scanner/vulnerability.md
Expand Up @@ -307,6 +307,25 @@ By default, all relationships are included in the scan.
!!! warning
As it may not provide a complete package list, `--pkg-relationships` cannot be used with `--dependency-tree`, `--vex` or SBOM generation.

### Detection Priority

Trivy provides a `--detection-priority` flag to control the balance between false positives and false negatives in vulnerability detection.
This concept is similar to the relationship between [precision and recall][precision-recall] in machine learning evaluation.

```bash
$ trivy image --detection-priority {precise|comprehensive} alpine:3.15
```

- `precise`: This mode prioritizes reducing false positives. It results in less noisy vulnerability reports but may miss some potential vulnerabilities.
- `comprehensive`: This mode aims to detect more vulnerabilities, potentially including some that might be false positives.
It provides broader coverage but may increase the noise in the results.

The default value is `precise`.

Regardless of the chosen mode, user review of detected vulnerabilities is crucial:

- `precise`: Review thoroughly, considering potential missed vulnerabilities.
- `comprehensive`: Carefully investigate each reported vulnerability due to increased false positive possibility.

[^1]: https://github.com/GoogleContainerTools/distroless

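Review bot: the new "Detection Priority" section explains the precision/recall tradeoff but never says what `comprehensive` concretely changes in the scanner, so a reader cannot judge when enabling it is worth the extra noise; add a short list of the detection paths the flag affects (the `ubi 7 with comprehensive priority` integration case added in this PR is at least one concrete instance to describe) and state whether `--detection-priority` is honoured in client/server mode. Minor wording: in the `precise` bullet, `It results in less noisy vulnerability reports` reads better as `It produces less noisy reports`, and the closing review guidance could be a single sentence rather than a second bullet list that restates the first one.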
Expand Down Expand Up @@ -353,3 +372,5 @@ By default, all relationships are included in the scan.
[nvd]: https://nvd.nist.gov/vuln

[k8s-cve]: https://kubernetes.io/docs/reference/issues-security/official-cve-feed/

[precision-recall]: https://developers.google.com/machine-learning/crash-course/classification/precision-and-recall
14 changes: 7 additions & 7 deletions integration/client_server_test.go
Expand Up @@ -287,7 +287,7 @@ func TestClientServer(t *testing.T) {

for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
osArgs := setupClient(t, tt.args, addr, cacheDir, tt.golden)
osArgs := setupClient(t, tt.args, addr, cacheDir)

if tt.args.secretConfig != "" {
osArgs = append(osArgs, "--secret-config", tt.args.secretConfig)
Expand Down Expand Up @@ -407,7 +407,7 @@ func TestClientServerWithFormat(t *testing.T) {
t.Run(tt.name, func(t *testing.T) {
t.Setenv("AWS_REGION", "test-region")
t.Setenv("AWS_ACCOUNT_ID", "123456789012")
osArgs := setupClient(t, tt.args, addr, cacheDir, tt.golden)
osArgs := setupClient(t, tt.args, addr, cacheDir)

runTest(t, osArgs, tt.golden, "", tt.args.Format, runOptions{
override: overrideUID,
Expand Down Expand Up @@ -435,7 +435,7 @@ func TestClientServerWithCycloneDX(t *testing.T) {
addr, cacheDir := setup(t, setupOptions{})
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
osArgs := setupClient(t, tt.args, addr, cacheDir, tt.golden)
osArgs := setupClient(t, tt.args, addr, cacheDir)
runTest(t, osArgs, tt.golden, "", types.FormatCycloneDX, runOptions{
fakeUUID: "3ff14136-e09f-4df9-80ea-%012d",
})
Expand Down Expand Up @@ -488,7 +488,7 @@ func TestClientServerWithToken(t *testing.T) {

for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
osArgs := setupClient(t, tt.args, addr, cacheDir, tt.golden)
osArgs := setupClient(t, tt.args, addr, cacheDir)
runTest(t, osArgs, tt.golden, "", types.FormatJSON, runOptions{
override: overrideUID,
wantErr: tt.wantErr,
Expand All @@ -515,7 +515,7 @@ func TestClientServerWithRedis(t *testing.T) {
golden := "testdata/alpine-39.json.golden"

t.Run("alpine 3.9", func(t *testing.T) {
osArgs := setupClient(t, testArgs, addr, cacheDir, golden)
osArgs := setupClient(t, testArgs, addr, cacheDir)

// Run Trivy client
runTest(t, osArgs, golden, "", types.FormatJSON, runOptions{
Expand All @@ -527,7 +527,7 @@ func TestClientServerWithRedis(t *testing.T) {
require.NoError(t, redisC.Terminate(ctx))

t.Run("sad path", func(t *testing.T) {
osArgs := setupClient(t, testArgs, addr, cacheDir, golden)
osArgs := setupClient(t, testArgs, addr, cacheDir)

// Run Trivy client
runTest(t, osArgs, "", "", types.FormatJSON, runOptions{
Expand Down Expand Up @@ -592,7 +592,7 @@ func setupServer(addr, token, tokenHeader, cacheDir, cacheBackend string) []stri
return osArgs
}

func setupClient(t *testing.T, c csArgs, addr string, cacheDir string, golden string) []string {
func setupClient(t *testing.T, c csArgs, addr string, cacheDir string) []string {
if c.Command == "" {
c.Command = "image"
}
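Review bot: dropping the unused `golden` parameter from `setupClient` is a harmless cleanup, but note that none of the client/server hunks add a `--detection-priority` case, whereas `standalone_tar_test.go` gains `ubi 7 with comprehensive priority`. If the flag is expected to work against a Trivy server, mirror that case here so a client that silently ignores the option is caught by the test suite.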
33 changes: 24 additions & 9 deletions integration/standalone_tar_test.go
Expand Up @@ -8,20 +8,22 @@ import (
"strings"
"testing"

ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aquasecurity/trivy/pkg/types"

"github.com/stretchr/testify/require"
)

func TestTar(t *testing.T) {
type args struct {
IgnoreUnfixed bool
Severity []string
IgnoreIDs []string
Format types.Format
Input string
SkipDirs []string
SkipFiles []string
IgnoreUnfixed bool
Severity []string
IgnoreIDs []string
Format types.Format
Input string
SkipDirs []string
SkipFiles []string
DetectionPriority ftypes.DetectionPriority
}
tests := []struct {
name string
Expand Down Expand Up @@ -240,7 +242,7 @@ func TestTar(t *testing.T) {
golden: "testdata/centos-7.json.golden",
},
{
name: "centos 7with --ignore-unfixed option",
name: "centos 7 with --ignore-unfixed option",
args: args{
IgnoreUnfixed: true,
Format: types.FormatJSON,
Expand Down Expand Up @@ -274,6 +276,15 @@ func TestTar(t *testing.T) {
},
golden: "testdata/ubi-7.json.golden",
},
{
name: "ubi 7 with comprehensive priority",
args: args{
Format: types.FormatJSON,
Input: "testdata/fixtures/images/ubi-7.tar.gz",
DetectionPriority: ftypes.PriorityComprehensive,
},
golden: "testdata/ubi-7-comprehensive.json.golden",
},
{
name: "almalinux 8",
args: args{
Expand Down Expand Up @@ -380,7 +391,7 @@ func TestTar(t *testing.T) {
"-q",
"--format",
string(tt.args.Format),
"--skip-update",
"--skip-db-update",
}

if tt.args.IgnoreUnfixed {
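Review bot: the `--skip-update` to `--skip-db-update` rename here (like the `centos 7with` typo fix in the hunk above) is unrelated to the detection-priority feature; it is fine to carry along, but call it out in the PR description, or split it into its own commit, so the history for this flag stays focused and reviewers know why the existing tests needed the different option name.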
Expand Down Expand Up @@ -411,6 +422,10 @@ func TestTar(t *testing.T) {
}
}

if tt.args.DetectionPriority != "" {
osArgs = append(osArgs, "--detection-priority", string(tt.args.DetectionPriority))
}

// Run Trivy
runTest(t, osArgs, tt.golden, "", tt.args.Format, runOptions{})
})
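Review bot: with the `tt.args.DetectionPriority != ""` guard, the `precise` default is only ever exercised implicitly (no case passes `--detection-priority precise` explicitly). Consider a paired `ubi 7 with precise priority` case that reuses the existing `ubi-7.json.golden`, so a regression in the default value is caught and the two goldens document exactly which findings the flag adds.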
8 changes: 8 additions & 0 deletions integration/testdata/fixtures/db/python.yaml
Expand Up @@ -14,3 +14,11 @@
- 0.11.6
VulnerableVersions:
- < 0.11.6
- bucket: setuptools
pairs:
- key: CVE-2022-40897
value:
PatchedVersions:
- 65.5.1
VulnerableVersions:
- < 65.5.1
21 changes: 20 additions & 1 deletion integration/testdata/fixtures/db/vulnerability.yaml
Expand Up @@ -1399,4 +1399,23 @@
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14155"
- "https://nvd.nist.gov/vuln/detail/CVE-2020-14155"
PublishedDate: "2020-06-15T17:15:00Z"
LastModifiedDate: "2022-04-28T15:06:00Z"
LastModifiedDate: "2022-04-28T15:06:00Z"
- key: CVE-2022-40897
value:
Title: "pypa-setuptools: Regular Expression Denial of Service (ReDoS) in package_index.py"
Description: "Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py."
Severity: MEDIUM
CweIDs:
- CWE-1333
VendorSeverity:
ghsa: 3
nvd: 2
CVSS:
nvd:
V3Vector: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
V3Score: 5.9
References:
- "https://access.redhat.com/errata/RHSA-2023:0952"
- "https://access.redhat.com/security/cve/CVE-2022-40897"
PublishedDate: "2022-12-23T00:15:13.987Z"
LastModifiedDate: "2024-06-21T19:15:23.877Z"
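Review bot: the `LastModifiedDate: "2022-04-28T15:06:00Z"` line is removed and re-added unchanged, which is what a diff shows when the previous last line lacked a trailing newline; harmless, but it attributes an unrelated line to this PR in blame. Also, `VendorSeverity` lists `ghsa: 3` while `CVSS` carries only the `nvd` vector and `References` only Red Hat URLs; if the fixture is meant to look like a real trivy-db record, include the NVD and GHSA references the way the CVE-2020-14155 entry just above lists its `cve.mitre.org` and `nvd.nist.gov` links.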