The enhancement of the amount of cveContents information included in trivy-to-vuls #1919
This is a patch that retrieves all vendor severities from Trivy Result.
:100644 100644 33ad98d 0000000 M contrib/trivy/pkg/converter.go
diff --git a/contrib/trivy/pkg/converter.go b/contrib/trivy/pkg/converter.go
index 33ad98d..aba3a1c 100644
--- a/contrib/trivy/pkg/converter.go
+++ b/contrib/trivy/pkg/converter.go
@@ -5,6 +5,7 @@ import (
"sort"
"time"
+ trivydbTypes "github.com/aquasecurity/trivy-db/pkg/types"
ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aquasecurity/trivy/pkg/types"
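Review bot: the second hunk calls `fmt.Sprintf`, but this import hunk only adds `trivydbTypes` and the visible context shows just `"sort"` and `"time"`; confirm `fmt` is already imported elsewhere in the block, otherwise the file will not compile.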
@@ -68,16 +69,17 @@ func Convert(results types.Results) (result *models.ScanResult, err error) {
lastModified = *vuln.LastModifiedDate
}
- vulnInfo.CveContents = models.CveContents{
- models.Trivy: []models.CveContent{{
- Cvss3Severity: vuln.Severity,
+ for source, severity := range vuln.VendorSeverity {
+ vulnInfo.CveContents[models.CveContentType(fmt.Sprintf("%s:%s", models.Trivy, source))] = []models.CveContent{{
+ Cvss3Severity: trivydbTypes.SeverityNames[severity],
References: references,
Title: vuln.Title,
Summary: vuln.Description,
Published: published,
LastModified: lastModified,
- }},
+ }}
}
+
// do only if image type is Vuln
if isTrivySupportedOS(trivyResult.Type) {
pkgs[vuln.PkgName] = models.Package{
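Review bot: the removed lines assigned a fresh `models.CveContents{...}` to `vulnInfo.CveContents`, while the new loop writes `vulnInfo.CveContents[...] = ...` without allocating the map first; if `vulnInfo` is a zero-value struct at this point, the write panics on a nil map. Add `vulnInfo.CveContents = models.CveContents{}` before the `for source, severity := range vuln.VendorSeverity` loop (or guard on nil). Also `trivydbTypes.SeverityNames[severity]` indexes a slice with a value taken from scan input, so a severity outside the table's range would panic; a bounds check that falls back to the unknown name would be safer.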
Feature Request
In the current implementation of trivy-to-vuls, the type of data source that contributed to the determination of Severity is not considered, and the data source of cveContents' Cvss3Severity is treated as trivy. This means that if the same CVE is detected in different scan targets, it is impossible to distinguish whether the change in Severity is due to the difference in data sources or the change in Severity of the data source itself.
And we need to use the CVSS information from Trivy's scan results in FutureVuls.
The execution result of trivy-to-vuls
image debian:12
trivy -q image -f=json debian:12 | trivy-to-vuls parse --stdin
image ubuntu:22.04
trivy -q image -f=json ubuntu:22.04 | trivy-to-vuls parse --stdin
Therefore, instead of lumping the data source into `trivy`, it is necessary to manage the Cvss3Severity of cveContents for each data source. By doing so, the value of Cvss3Severity, which is determined by the combination of data source and CVE, should be unique.
Remarks
The scan results of Trivy
In Trivy, when the same CVE is detected for different scan targets (in this case, assuming debian and ubuntu), the data source that contributes to the determination of Severity may differ depending on the scan target, which means that the same CVE can have different Severities.
image debian:12
image ubuntu:22.04
The decision logic of Severity in Trivy
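An added example (not code from this issue or from the vuls project) of the per-source keying the request describes: each vendor severity is stored under its own `trivy:<source>` key so that two scan targets rating the same CVE differently do not overwrite each other. The severity table, type names and `PerSourceContents` are assumptions made for the example.

```go
package main

import "fmt"

// Stand-in for trivy-db's SeverityNames table (index = numeric severity); constructed here.
var severityNames = []string{"UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"}

// CveContent keeps only the field this issue is about (assumed shape).
type CveContent struct {
	Cvss3Severity string
}

// CveContents maps a data-source key to its contents, like models.CveContents.
type CveContents map[string][]CveContent

// severityName converts a numeric vendor severity to its name, guarding the slice bounds.
func severityName(sev int) string {
	if sev < 0 || sev >= len(severityNames) {
		return severityNames[0]
	}
	return severityNames[sev]
}

// PerSourceContents stores one entry per vendor data source under "trivy:<source>",
// so debian's and ubuntu's ratings of the same CVE never overwrite each other.
// The map is allocated up front: writing into a nil map panics in Go.
func PerSourceContents(vendorSeverity map[string]int) CveContents {
	contents := make(CveContents, len(vendorSeverity))
	for source, sev := range vendorSeverity {
		key := fmt.Sprintf("trivy:%s", source)
		contents[key] = []CveContent{{Cvss3Severity: severityName(sev)}}
	}
	return contents
}

func main() {
	// Constructed sample: one CVE rated MEDIUM by debian and HIGH by ubuntu.
	c := PerSourceContents(map[string]int{"debian": 2, "ubuntu": 3})
	for _, key := range []string{"trivy:debian", "trivy:ubuntu"} {
		fmt.Println(key, c[key][0].Cvss3Severity)
	}
}
```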