BREAKING: add new classes for vulnerabilities (#2541)

aquasecurity · Jul 31, 2022 · f396c67 · f396c67
1 parent 3cd88ab
commit f396c67
Show file tree

Hide file tree

Showing 51 changed files with 332 additions and 214 deletions.
diff --git a/docs/docs/sbom/cyclonedx.md b/docs/docs/sbom/cyclonedx.md
@@ -6,8 +6,16 @@ Note that XML format is not supported at the moment.
 
 You can use the regular subcommands (like `image`, `fs` and `rootfs`) and specify `cyclonedx` with the `--format` option.
 
+CycloneDX can represent either or both SBOM or BOV.
+
+- [Software Bill of Materials (SBOM)][sbom]
+- [Bill of Vulnerabilities (BOV)][bov]
+
+By default, `--format cyclonedx` represents SBOM and doesn't include vulnerabilities in the CycloneDX output.
+
 ```
 $ trivy image --format cyclonedx --output result.json alpine:3.15
+2022-07-19T07:47:27.624Z        INFO    "--format cyclonedx" disables security checks. Specify "--security-checks vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.
 ```
 
 <details>
@@ -231,6 +239,12 @@ $ cat result.json | jq .
 
 </details>
 
+If you want to include vulnerabilities, you can enable vulnerability scanning via `--security-checks vuln`.
+
+```
+$ trivy image --security-checks vuln --format cyclonedx --output result.json alpine:3.15
+```
+
 ## Scanning
 Trivy can take CycloneDX as an input and scan for vulnerabilities.
 To scan SBOM, you can use the `sbom` subcommand and pass the path to your CycloneDX report. 
@@ -258,5 +272,8 @@ Total: 3 (CRITICAL: 3)
 
 !!! note
     If you want to generate a CycloneDX report from a CycloneDX input, please be aware that the output stores references to your original CycloneDX report and contains only detected vulnerabilities, not components.
+    The report is called [BOV][bov].
 
-[cyclonedx]: https://cyclonedx.org/
+[cyclonedx]: https://cyclonedx.org/
+[sbom]: https://cyclonedx.org/capabilities/sbom/
+[bov]: https://cyclonedx.org/capabilities/bov/
diff --git a/docs/docs/sbom/index.md b/docs/docs/sbom/index.md
@@ -9,9 +9,10 @@ Trivy can generate the following SBOM formats.
 To generate SBOM, you can use the `--format` option for each subcommand such as `image` and `fs`.
 
 ```
-$ trivy image --format cyclonedx --output result.json alpine:3.15
+$ trivy image --format spdx-json --output result.json alpine:3.15
 ```
 
+
 ```
 $ trivy fs --format cyclonedx --output result.json /app/myproject
 ```

diff --git a/integration/testdata/almalinux-8.json.golden b/integration/testdata/almalinux-8.json.golden
@@ -48,7 +48,7 @@
   "Results": [
     {
       "Target": "testdata/fixtures/images/almalinux-8.tar.gz (alma 8.5)",
-      "Class": "os-pkgs",
+      "Class": "vuln-os-pkgs",
       "Type": "alma",
       "Vulnerabilities": [
         {

diff --git a/integration/testdata/alpine-310-registry.json.golden b/integration/testdata/alpine-310-registry.json.golden
@@ -56,7 +56,7 @@
   "Results": [
     {
       "Target": "localhost:63577/alpine:3.10 (alpine 3.10.2)",
-      "Class": "os-pkgs",
+      "Class": "vuln-os-pkgs",
       "Type": "alpine",
       "Vulnerabilities": [
         {

diff --git a/integration/testdata/alpine-310.json.golden b/integration/testdata/alpine-310.json.golden
@@ -50,7 +50,7 @@
   "Results": [
     {
       "Target": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
-      "Class": "os-pkgs",
+      "Class": "vuln-os-pkgs",
       "Type": "alpine",
       "Vulnerabilities": [
         {

diff --git a/integration/testdata/alpine-39-high-critical.json.golden b/integration/testdata/alpine-39-high-critical.json.golden
@@ -50,7 +50,7 @@
   "Results": [
     {
       "Target": "testdata/fixtures/images/alpine-39.tar.gz (alpine 3.9.4)",
-      "Class": "os-pkgs",
+      "Class": "vuln-os-pkgs",
       "Type": "alpine",
       "Vulnerabilities": [
         {

diff --git a/integration/testdata/alpine-39-ignore-cveids.json.golden b/integration/testdata/alpine-39-ignore-cveids.json.golden
@@ -50,7 +50,7 @@
   "Results": [
     {
       "Target": "testdata/fixtures/images/alpine-39.tar.gz (alpine 3.9.4)",
-      "Class": "os-pkgs",
+      "Class": "vuln-os-pkgs",
       "Type": "alpine",
       "Vulnerabilities": [
         {

diff --git a/integration/testdata/alpine-39.json.golden b/integration/testdata/alpine-39.json.golden
@@ -50,7 +50,7 @@
   "Results": [
     {
       "Target": "testdata/fixtures/images/alpine-39.tar.gz (alpine 3.9.4)",
-      "Class": "os-pkgs",
+      "Class": "vuln-os-pkgs",
       "Type": "alpine",
       "Vulnerabilities": [
         {

diff --git a/integration/testdata/alpine-distroless.json.golden b/integration/testdata/alpine-distroless.json.golden
@@ -45,7 +45,7 @@
   "Results": [
     {
       "Target": "testdata/fixtures/images/alpine-distroless.tar.gz (alpine 3.16)",
-      "Class": "os-pkgs",
+      "Class": "vuln-os-pkgs",
       "Type": "alpine",
       "Vulnerabilities": [
         {

diff --git a/integration/testdata/amazon-1.json.golden b/integration/testdata/amazon-1.json.golden
@@ -49,7 +49,7 @@
   "Results": [
     {
       "Target": "testdata/fixtures/images/amazon-1.tar.gz (amazon AMI release 2018.03)",
-      "Class": "os-pkgs",
+      "Class": "vuln-os-pkgs",
       "Type": "amazon",
       "Vulnerabilities": [
         {

diff --git a/integration/testdata/amazon-2.json.golden b/integration/testdata/amazon-2.json.golden
@@ -49,7 +49,7 @@
   "Results": [
     {
       "Target": "testdata/fixtures/images/amazon-2.tar.gz (amazon 2 (Karoo))",
-      "Class": "os-pkgs",
+      "Class": "vuln-os-pkgs",
       "Type": "amazon",
       "Vulnerabilities": [
         {

diff --git a/integration/testdata/busybox-with-lockfile.json.golden b/integration/testdata/busybox-with-lockfile.json.golden
@@ -49,7 +49,7 @@
   "Results": [
     {
       "Target": "Cargo.lock",
-      "Class": "lang-pkgs",
+      "Class": "vuln-lang-pkgs",
       "Type": "cargo",
       "Vulnerabilities": [
         {

diff --git a/integration/testdata/centos-6.json.golden b/integration/testdata/centos-6.json.golden
@@ -71,7 +71,7 @@
   "Results": [
     {
       "Target": "testdata/fixtures/images/centos-6.tar.gz (centos 6.10)",
-      "Class": "os-pkgs",
+      "Class": "vuln-os-pkgs",
       "Type": "centos",
       "Vulnerabilities": [
         {

diff --git a/integration/testdata/centos-7-ignore-unfixed.json.golden b/integration/testdata/centos-7-ignore-unfixed.json.golden
@@ -61,7 +61,7 @@
   "Results": [
     {
       "Target": "testdata/fixtures/images/centos-7.tar.gz (centos 7.6.1810)",
-      "Class": "os-pkgs",
+      "Class": "vuln-os-pkgs",
       "Type": "centos",
       "Vulnerabilities": [
         {

diff --git a/integration/testdata/centos-7-medium.json.golden b/integration/testdata/centos-7-medium.json.golden
@@ -61,7 +61,7 @@
   "Results": [
     {
       "Target": "testdata/fixtures/images/centos-7.tar.gz (centos 7.6.1810)",
-      "Class": "os-pkgs",
+      "Class": "vuln-os-pkgs",
       "Type": "centos",
       "Vulnerabilities": [
         {

diff --git a/integration/testdata/centos-7.json.golden b/integration/testdata/centos-7.json.golden
@@ -61,7 +61,7 @@
   "Results": [
     {
       "Target": "testdata/fixtures/images/centos-7.tar.gz (centos 7.6.1810)",
-      "Class": "os-pkgs",
+      "Class": "vuln-os-pkgs",
       "Type": "centos",
       "Vulnerabilities": [
         {

diff --git a/integration/testdata/debian-buster-ignore-unfixed.json.golden b/integration/testdata/debian-buster-ignore-unfixed.json.golden
@@ -49,7 +49,7 @@
   "Results": [
     {
       "Target": "testdata/fixtures/images/debian-buster.tar.gz (debian 10.1)",
-      "Class": "os-pkgs",
+      "Class": "vuln-os-pkgs",
       "Type": "debian",
       "Vulnerabilities": [
         {

diff --git a/integration/testdata/debian-buster.json.golden b/integration/testdata/debian-buster.json.golden
@@ -49,7 +49,7 @@
   "Results": [
     {
       "Target": "testdata/fixtures/images/debian-buster.tar.gz (debian 10.1)",
-      "Class": "os-pkgs",
+      "Class": "vuln-os-pkgs",
       "Type": "debian",
       "Vulnerabilities": [
         {

diff --git a/integration/testdata/debian-stretch.json.golden b/integration/testdata/debian-stretch.json.golden
@@ -6,7 +6,7 @@
     "OS": {
       "Family": "debian",
       "Name": "9.9",
-      "Eosl": true
+      "EOSL": true
     },
     "ImageID": "sha256:f26939cc87ef44a6fc554eedd0a976ab30b5bc2769d65d2e986b6c5f1fd4053d",
     "DiffIDs": [
@@ -50,7 +50,7 @@
   "Results": [
     {
       "Target": "testdata/fixtures/images/debian-stretch.tar.gz (debian 9.9)",
-      "Class": "os-pkgs",
+      "Class": "vuln-os-pkgs",
       "Type": "debian",
       "Vulnerabilities": [
         {

diff --git a/integration/testdata/distroless-base.json.golden b/integration/testdata/distroless-base.json.golden
@@ -6,7 +6,7 @@
     "OS": {
       "Family": "debian",
       "Name": "9.9",
-      "Eosl": true
+      "EOSL": true
     },
     "ImageID": "sha256:7f04a8d247173b1f2546d22913af637bbab4e7411e00ae6207da8d94c445750d",
     "DiffIDs": [
@@ -48,7 +48,7 @@
   "Results": [
     {
       "Target": "testdata/fixtures/images/distroless-base.tar.gz (debian 9.9)",
-      "Class": "os-pkgs",
+      "Class": "vuln-os-pkgs",
       "Type": "debian",
       "Vulnerabilities": [
         {

diff --git a/integration/testdata/distroless-python27.json.golden b/integration/testdata/distroless-python27.json.golden
@@ -6,7 +6,7 @@
     "OS": {
       "Family": "debian",
       "Name": "9.9",
-      "Eosl": true
+      "EOSL": true
     },
     "ImageID": "sha256:6fcac2cc8a710f21577b5bbd534e0bfc841c0cca569b57182ba19054696cddda",
     "DiffIDs": [
@@ -65,7 +65,7 @@
   "Results": [
     {
       "Target": "testdata/fixtures/images/distroless-python27.tar.gz (debian 9.9)",
-      "Class": "os-pkgs",
+      "Class": "vuln-os-pkgs",
       "Type": "debian",
       "Vulnerabilities": [
         {

diff --git a/integration/testdata/fluentd-gems.json.golden b/integration/testdata/fluentd-gems.json.golden
@@ -102,7 +102,7 @@
   "Results": [
     {
       "Target": "testdata/fixtures/images/fluentd-multiple-lockfiles.tar.gz (debian 10.2)",
-      "Class": "os-pkgs",
+      "Class": "vuln-os-pkgs",
       "Type": "debian",
       "Vulnerabilities": [
         {
@@ -165,7 +165,7 @@
     },
     {
       "Target": "Ruby",
-      "Class": "lang-pkgs",
+      "Class": "vuln-lang-pkgs",
       "Type": "gemspec",
       "Vulnerabilities": [
         {

diff --git a/integration/testdata/gomod.json.golden b/integration/testdata/gomod.json.golden
@@ -17,7 +17,7 @@
   "Results": [
     {
       "Target": "go.mod",
-      "Class": "lang-pkgs",
+      "Class": "vuln-lang-pkgs",
       "Type": "gomod",
       "Vulnerabilities": [
         {
@@ -103,7 +103,7 @@
     },
     {
       "Target": "submod/go.mod",
-      "Class": "lang-pkgs",
+      "Class": "vuln-lang-pkgs",
       "Type": "gomod",
       "Vulnerabilities": [
         {
@@ -131,7 +131,7 @@
     },
     {
       "Target": "submod2/go.mod",
-      "Class": "lang-pkgs",
+      "Class": "vuln-lang-pkgs",
       "Type": "gomod",
       "Vulnerabilities": [
         {

diff --git a/integration/testdata/mariner-1.0.json.golden b/integration/testdata/mariner-1.0.json.golden
@@ -34,7 +34,7 @@
   "Results": [
     {
       "Target": "testdata/fixtures/images/mariner-1.0.tar.gz (cbl-mariner 1.0.20220122)",
-      "Class": "os-pkgs",
+      "Class": "vuln-os-pkgs",
       "Type": "cbl-mariner",
       "Vulnerabilities": [
         {

diff --git a/integration/testdata/nodejs.json.golden b/integration/testdata/nodejs.json.golden
@@ -17,7 +17,7 @@
   "Results": [
     {
       "Target": "package-lock.json",
-      "Class": "lang-pkgs",
+      "Class": "vuln-lang-pkgs",
       "Type": "npm",
       "Vulnerabilities": [
         {

diff --git a/integration/testdata/opensuse-leap-151.json.golden b/integration/testdata/opensuse-leap-151.json.golden
@@ -57,7 +57,7 @@
   "Results": [
     {
       "Target": "testdata/fixtures/images/opensuse-leap-151.tar.gz (opensuse.leap 15.1)",
-      "Class": "os-pkgs",
+      "Class": "vuln-os-pkgs",
       "Type": "opensuse.leap",
       "Vulnerabilities": [
         {

diff --git a/integration/testdata/oraclelinux-8.json.golden b/integration/testdata/oraclelinux-8.json.golden
@@ -58,7 +58,7 @@
   "Results": [
     {
       "Target": "testdata/fixtures/images/oraclelinux-8.tar.gz (oracle 8.0)",
-      "Class": "os-pkgs",
+      "Class": "vuln-os-pkgs",
       "Type": "oracle",
       "Vulnerabilities": [
         {

diff --git a/integration/testdata/photon-30.json.golden b/integration/testdata/photon-30.json.golden
@@ -59,7 +59,7 @@
   "Results": [
     {
       "Target": "testdata/fixtures/images/photon-30.tar.gz (photon 3.0)",
-      "Class": "os-pkgs",
+      "Class": "vuln-os-pkgs",
       "Type": "photon",
       "Vulnerabilities": [
         {

diff --git a/integration/testdata/pip.json.golden b/integration/testdata/pip.json.golden
@@ -55,7 +55,12 @@
           "Version": "2.0.0",
           "Layer": {}
         }
-      ],
+      ]
+    },
+    {
+      "Target": "requirements.txt",
+      "Class": "vuln-lang-pkgs",
+      "Type": "pip",
       "Vulnerabilities": [
         {
           "VulnerabilityID": "CVE-2019-14806",

diff --git a/integration/testdata/pnpm.json.golden b/integration/testdata/pnpm.json.golden
@@ -5,7 +5,7 @@
   "Results": [
     {
       "Target": "pnpm-lock.yaml",
-      "Class": "lang-pkgs",
+      "Class": "vuln-lang-pkgs",
       "Type": "pnpm",
       "Vulnerabilities": [
         {

diff --git a/integration/testdata/pom.json.golden b/integration/testdata/pom.json.golden
@@ -17,7 +17,7 @@
   "Results": [
     {
       "Target": "pom.xml",
-      "Class": "lang-pkgs",
+      "Class": "vuln-lang-pkgs",
       "Type": "pom",
       "Vulnerabilities": [
         {

diff --git a/integration/testdata/rockylinux-8.json.golden b/integration/testdata/rockylinux-8.json.golden
@@ -48,7 +48,7 @@
   "Results": [
     {
       "Target": "testdata/fixtures/images/rockylinux-8.tar.gz (rocky 8.5)",
-      "Class": "os-pkgs",
+      "Class": "vuln-os-pkgs",
       "Type": "rocky",
       "Vulnerabilities": [
         {
@@ -118,11 +118,6 @@
           "LastModifiedDate": "2022-01-06T09:15:00Z"
         }
       ]
-    },
-    {
-      "Target": "Python",
-      "Class": "lang-pkgs",
-      "Type": "python-pkg"
     }
   ]
 }