
BREAKING: add new classes for vulnerabilities #2541

Merged
merged 11 commits into from
Jul 31, 2022
19 changes: 18 additions & 1 deletion docs/docs/sbom/cyclonedx.md
Expand Up @@ -6,8 +6,16 @@ Note that XML format is not supported at the moment.

You can use the regular subcommands (like `image`, `fs` and `rootfs`) and specify `cyclonedx` with the `--format` option.

CycloneDX can represent either or both SBOM or BOV.

- [Software Bill of Materials (SBOM)][sbom]
- [Bill of Vulnerabilities (BOV)][bov]

By default, `--format cyclonedx` represents SBOM and doesn't include vulnerabilities in the CycloneDX output.

```
$ trivy image --format cyclonedx --output result.json alpine:3.15
2022-07-19T07:47:27.624Z INFO "--format cyclonedx" disables security checks. Specify "--security-checks vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.
```

<details>
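Review bot: The new sentence "CycloneDX can represent either or both SBOM or BOV." is grammatically off and is the one place the page defines the two document kinds, so it should read cleanly; suggest "CycloneDX can represent an SBOM, a BOV, or both." The bullet list and the "By default, `--format cyclonedx` represents SBOM" sentence that follow are clear, and the quoted INFO line usefully shows users where to look when vulnerabilities are unexpectedly absent from the output.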
Expand Down Expand Up @@ -231,6 +239,12 @@ $ cat result.json | jq .

</details>

If you want to include vulnerabilities, you can enable vulnerability scanning via `--security-checks vuln`.

```
$ trivy image --security-checks vuln --format cyclonedx --output result.json alpine:3.15
```

## Scanning
Trivy can take CycloneDX as an input and scan for vulnerabilities.
To scan SBOM, you can use the `sbom` subcommand and pass the path to your CycloneDX report.
Expand Down Expand Up @@ -258,5 +272,8 @@ Total: 3 (CRITICAL: 3)

!!! note
If you want to generate a CycloneDX report from a CycloneDX input, please be aware that the output stores references to your original CycloneDX report and contains only detected vulnerabilities, not components.
The report is called [BOV][bov].

[cyclonedx]: https://cyclonedx.org/
[cyclonedx]: https://cyclonedx.org/
[sbom]: https://cyclonedx.org/capabilities/sbom/
[bov]: https://cyclonedx.org/capabilities/bov/
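Review bot: `[cyclonedx]: https://cyclonedx.org/` now appears twice in the link-reference block at the end of the file. Markdown uses the first definition and ignores the second, and most linters flag the duplicate; drop one of the two lines and keep only the new `[sbom]` and `[bov]` definitions as additions.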
3 changes: 2 additions & 1 deletion docs/docs/sbom/index.md
Expand Up @@ -9,9 +9,10 @@ Trivy can generate the following SBOM formats.
To generate SBOM, you can use the `--format` option for each subcommand such as `image` and `fs`.

```
$ trivy image --format cyclonedx --output result.json alpine:3.15
$ trivy image --format spdx-json --output result.json alpine:3.15
```


```
$ trivy fs --format cyclonedx --output result.json /app/myproject
```
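Review bot: Two consecutive blank lines are left between the closing fence of the `image` example block and the opening fence of the `fs` example block; collapse them to a single blank line so the docs stay consistent with the rest of the page. Adding the `spdx-json` example next to the `cyclonedx` one is the right place for it, since the sentence above now lists both formats.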
2 changes: 1 addition & 1 deletion integration/testdata/almalinux-8.json.golden
Expand Up @@ -48,7 +48,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/almalinux-8.tar.gz (alma 8.5)",
"Class": "os-pkgs",
"Class": "vuln-os-pkgs",
"Type": "alma",
"Vulnerabilities": [
{
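Review bot: The `"Class": "os-pkgs"` to `"vuln-os-pkgs"` rename in the JSON report (and the matching `lang-pkgs` to `vuln-lang-pkgs` rename in the other golden files below) breaks every consumer that filters Trivy's JSON output by `Class`, for example CI gates, SIEM parsers or dashboards that select OS-package findings, yet the diff updates only golden files and the SBOM docs. Since the PR title already flags this as BREAKING, suggest adding a changelog entry and updating the JSON output documentation to list the new class values next to the old ones, so that downstream pipelines are changed deliberately rather than silently starting to see zero results.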
2 changes: 1 addition & 1 deletion integration/testdata/alpine-310-registry.json.golden
Expand Up @@ -56,7 +56,7 @@
"Results": [
{
"Target": "localhost:63577/alpine:3.10 (alpine 3.10.2)",
"Class": "os-pkgs",
"Class": "vuln-os-pkgs",
"Type": "alpine",
"Vulnerabilities": [
{
2 changes: 1 addition & 1 deletion integration/testdata/alpine-310.json.golden
Expand Up @@ -50,7 +50,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
"Class": "os-pkgs",
"Class": "vuln-os-pkgs",
"Type": "alpine",
"Vulnerabilities": [
{
2 changes: 1 addition & 1 deletion integration/testdata/alpine-39-high-critical.json.golden
Expand Up @@ -50,7 +50,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/alpine-39.tar.gz (alpine 3.9.4)",
"Class": "os-pkgs",
"Class": "vuln-os-pkgs",
"Type": "alpine",
"Vulnerabilities": [
{
2 changes: 1 addition & 1 deletion integration/testdata/alpine-39-ignore-cveids.json.golden
Expand Up @@ -50,7 +50,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/alpine-39.tar.gz (alpine 3.9.4)",
"Class": "os-pkgs",
"Class": "vuln-os-pkgs",
"Type": "alpine",
"Vulnerabilities": [
{
2 changes: 1 addition & 1 deletion integration/testdata/alpine-39.json.golden
Expand Up @@ -50,7 +50,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/alpine-39.tar.gz (alpine 3.9.4)",
"Class": "os-pkgs",
"Class": "vuln-os-pkgs",
"Type": "alpine",
"Vulnerabilities": [
{
2 changes: 1 addition & 1 deletion integration/testdata/alpine-distroless.json.golden
Expand Up @@ -45,7 +45,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/alpine-distroless.tar.gz (alpine 3.16)",
"Class": "os-pkgs",
"Class": "vuln-os-pkgs",
"Type": "alpine",
"Vulnerabilities": [
{
2 changes: 1 addition & 1 deletion integration/testdata/amazon-1.json.golden
Expand Up @@ -49,7 +49,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/amazon-1.tar.gz (amazon AMI release 2018.03)",
"Class": "os-pkgs",
"Class": "vuln-os-pkgs",
"Type": "amazon",
"Vulnerabilities": [
{
2 changes: 1 addition & 1 deletion integration/testdata/amazon-2.json.golden
Expand Up @@ -49,7 +49,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/amazon-2.tar.gz (amazon 2 (Karoo))",
"Class": "os-pkgs",
"Class": "vuln-os-pkgs",
"Type": "amazon",
"Vulnerabilities": [
{
2 changes: 1 addition & 1 deletion integration/testdata/busybox-with-lockfile.json.golden
Expand Up @@ -49,7 +49,7 @@
"Results": [
{
"Target": "Cargo.lock",
"Class": "lang-pkgs",
"Class": "vuln-lang-pkgs",
"Type": "cargo",
"Vulnerabilities": [
{
2 changes: 1 addition & 1 deletion integration/testdata/centos-6.json.golden
Expand Up @@ -71,7 +71,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/centos-6.tar.gz (centos 6.10)",
"Class": "os-pkgs",
"Class": "vuln-os-pkgs",
"Type": "centos",
"Vulnerabilities": [
{
2 changes: 1 addition & 1 deletion integration/testdata/centos-7-ignore-unfixed.json.golden
Expand Up @@ -61,7 +61,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/centos-7.tar.gz (centos 7.6.1810)",
"Class": "os-pkgs",
"Class": "vuln-os-pkgs",
"Type": "centos",
"Vulnerabilities": [
{
2 changes: 1 addition & 1 deletion integration/testdata/centos-7-medium.json.golden
Expand Up @@ -61,7 +61,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/centos-7.tar.gz (centos 7.6.1810)",
"Class": "os-pkgs",
"Class": "vuln-os-pkgs",
"Type": "centos",
"Vulnerabilities": [
{
2 changes: 1 addition & 1 deletion integration/testdata/centos-7.json.golden
Expand Up @@ -61,7 +61,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/centos-7.tar.gz (centos 7.6.1810)",
"Class": "os-pkgs",
"Class": "vuln-os-pkgs",
"Type": "centos",
"Vulnerabilities": [
{
Expand Up @@ -49,7 +49,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/debian-buster.tar.gz (debian 10.1)",
"Class": "os-pkgs",
"Class": "vuln-os-pkgs",
"Type": "debian",
"Vulnerabilities": [
{
2 changes: 1 addition & 1 deletion integration/testdata/debian-buster.json.golden
Expand Up @@ -49,7 +49,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/debian-buster.tar.gz (debian 10.1)",
"Class": "os-pkgs",
"Class": "vuln-os-pkgs",
"Type": "debian",
"Vulnerabilities": [
{
4 changes: 2 additions & 2 deletions integration/testdata/debian-stretch.json.golden
Expand Up @@ -6,7 +6,7 @@
"OS": {
"Family": "debian",
"Name": "9.9",
"Eosl": true
"EOSL": true
},
"ImageID": "sha256:f26939cc87ef44a6fc554eedd0a976ab30b5bc2769d65d2e986b6c5f1fd4053d",
"DiffIDs": [
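Review bot: The `"Eosl": true` to `"EOSL": true` key rename in the `OS` object is a second, unrelated breaking change to the JSON report and deserves its own line in the changelog and PR description. It is worth spelling out because of how it fails: a consumer that reads the old key (for example a policy that blocks images whose OS is past end of support) will get a missing value rather than an error, so an end-of-life check can quietly stop firing. The same rename appears in the distroless-base and distroless-python27 golden files below.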
Expand Down Expand Up @@ -50,7 +50,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/debian-stretch.tar.gz (debian 9.9)",
"Class": "os-pkgs",
"Class": "vuln-os-pkgs",
"Type": "debian",
"Vulnerabilities": [
{
4 changes: 2 additions & 2 deletions integration/testdata/distroless-base.json.golden
Expand Up @@ -6,7 +6,7 @@
"OS": {
"Family": "debian",
"Name": "9.9",
"Eosl": true
"EOSL": true
},
"ImageID": "sha256:7f04a8d247173b1f2546d22913af637bbab4e7411e00ae6207da8d94c445750d",
"DiffIDs": [
Expand Down Expand Up @@ -48,7 +48,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/distroless-base.tar.gz (debian 9.9)",
"Class": "os-pkgs",
"Class": "vuln-os-pkgs",
"Type": "debian",
"Vulnerabilities": [
{
4 changes: 2 additions & 2 deletions integration/testdata/distroless-python27.json.golden
Expand Up @@ -6,7 +6,7 @@
"OS": {
"Family": "debian",
"Name": "9.9",
"Eosl": true
"EOSL": true
},
"ImageID": "sha256:6fcac2cc8a710f21577b5bbd534e0bfc841c0cca569b57182ba19054696cddda",
"DiffIDs": [
Expand Down Expand Up @@ -65,7 +65,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/distroless-python27.tar.gz (debian 9.9)",
"Class": "os-pkgs",
"Class": "vuln-os-pkgs",
"Type": "debian",
"Vulnerabilities": [
{
4 changes: 2 additions & 2 deletions integration/testdata/fluentd-gems.json.golden
Expand Up @@ -102,7 +102,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/fluentd-multiple-lockfiles.tar.gz (debian 10.2)",
"Class": "os-pkgs",
"Class": "vuln-os-pkgs",
"Type": "debian",
"Vulnerabilities": [
{
Expand Down Expand Up @@ -165,7 +165,7 @@
},
{
"Target": "Ruby",
"Class": "lang-pkgs",
"Class": "vuln-lang-pkgs",
"Type": "gemspec",
"Vulnerabilities": [
{
6 changes: 3 additions & 3 deletions integration/testdata/gomod.json.golden
Expand Up @@ -17,7 +17,7 @@
"Results": [
{
"Target": "go.mod",
"Class": "lang-pkgs",
"Class": "vuln-lang-pkgs",
"Type": "gomod",
"Vulnerabilities": [
{
Expand Down Expand Up @@ -103,7 +103,7 @@
},
{
"Target": "submod/go.mod",
"Class": "lang-pkgs",
"Class": "vuln-lang-pkgs",
"Type": "gomod",
"Vulnerabilities": [
{
Expand Down Expand Up @@ -131,7 +131,7 @@
},
{
"Target": "submod2/go.mod",
"Class": "lang-pkgs",
"Class": "vuln-lang-pkgs",
"Type": "gomod",
"Vulnerabilities": [
{
2 changes: 1 addition & 1 deletion integration/testdata/mariner-1.0.json.golden
Expand Up @@ -34,7 +34,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/mariner-1.0.tar.gz (cbl-mariner 1.0.20220122)",
"Class": "os-pkgs",
"Class": "vuln-os-pkgs",
"Type": "cbl-mariner",
"Vulnerabilities": [
{
2 changes: 1 addition & 1 deletion integration/testdata/nodejs.json.golden
Expand Up @@ -17,7 +17,7 @@
"Results": [
{
"Target": "package-lock.json",
"Class": "lang-pkgs",
"Class": "vuln-lang-pkgs",
"Type": "npm",
"Vulnerabilities": [
{
2 changes: 1 addition & 1 deletion integration/testdata/opensuse-leap-151.json.golden
Expand Up @@ -57,7 +57,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/opensuse-leap-151.tar.gz (opensuse.leap 15.1)",
"Class": "os-pkgs",
"Class": "vuln-os-pkgs",
"Type": "opensuse.leap",
"Vulnerabilities": [
{
2 changes: 1 addition & 1 deletion integration/testdata/oraclelinux-8.json.golden
Expand Up @@ -58,7 +58,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/oraclelinux-8.tar.gz (oracle 8.0)",
"Class": "os-pkgs",
"Class": "vuln-os-pkgs",
"Type": "oracle",
"Vulnerabilities": [
{
2 changes: 1 addition & 1 deletion integration/testdata/photon-30.json.golden
Expand Up @@ -59,7 +59,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/photon-30.tar.gz (photon 3.0)",
"Class": "os-pkgs",
"Class": "vuln-os-pkgs",
"Type": "photon",
"Vulnerabilities": [
{
7 changes: 6 additions & 1 deletion integration/testdata/pip.json.golden
Expand Up @@ -55,7 +55,12 @@
"Version": "2.0.0",
"Layer": {}
}
],
]
},
{
"Target": "requirements.txt",
"Class": "vuln-lang-pkgs",
"Type": "pip",
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2019-14806",
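Review bot: The `],` to `]` change followed by a new `"Target": "requirements.txt"` / `"Class": "vuln-lang-pkgs"` object means the vulnerabilities for requirements.txt are now emitted as a separate result entry from the one that carries the package list, so the same `Target` value appears in two results. That changes how the report has to be consumed (a tool that correlated `Packages` and `Vulnerabilities` within one result must now join the two entries on `Target`), and the golden file is the only place in the diff where this is visible; suggest stating the new one-result-per-class layout in the JSON output docs and the changelog alongside the class rename.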
2 changes: 1 addition & 1 deletion integration/testdata/pnpm.json.golden
Expand Up @@ -5,7 +5,7 @@
"Results": [
{
"Target": "pnpm-lock.yaml",
"Class": "lang-pkgs",
"Class": "vuln-lang-pkgs",
"Type": "pnpm",
"Vulnerabilities": [
{
2 changes: 1 addition & 1 deletion integration/testdata/pom.json.golden
Expand Up @@ -17,7 +17,7 @@
"Results": [
{
"Target": "pom.xml",
"Class": "lang-pkgs",
"Class": "vuln-lang-pkgs",
"Type": "pom",
"Vulnerabilities": [
{
7 changes: 1 addition & 6 deletions integration/testdata/rockylinux-8.json.golden
Expand Up @@ -48,7 +48,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/rockylinux-8.tar.gz (rocky 8.5)",
"Class": "os-pkgs",
"Class": "vuln-os-pkgs",
"Type": "rocky",
"Vulnerabilities": [
{
Expand Down Expand Up @@ -118,11 +118,6 @@
"LastModifiedDate": "2022-01-06T09:15:00Z"
}
]
},
{
"Target": "Python",
"Class": "lang-pkgs",
"Type": "python-pkg"
}
]
}
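Review bot: Dropping the empty `"Target": "Python"` / `"Class": "lang-pkgs"` / `"Type": "python-pkg"` result is reasonable, but the removal is only visible here and it changes the contract that a scanned target appears in `Results` even when nothing was found. Please confirm in the PR description whether results with no findings are now omitted across all classes, since a consumer that treats a missing target as "not scanned" (rather than "scanned, nothing found") will read this as a scan gap; if the omission is intended, document it with the other output changes.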