# This is a combination of 17 commits.

parent 4b57c0d author Simarpreet Singh <simar@linux.com> 1594135002 -0700 committer Yashvardhan Kukreja <yash.kukreja.98@gmail.com> 1597228077 +0530 gpgsig -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEo6kc/h77LUwnQeM/dxKAODWqo7oFAl8zxC0ACgkQdxKAODWq o7pG3g//VIXCQt6z8dhORimZEAXLbwI7WuUYxkkGGKceuhCWwEs7HVJLkNBiIml1 6gDnc8sMkG7FqFGAi5RHvdez9vqWZRxaoWgJ2J39u/sTow3QEwvzIAdjG7+4LHOs 7mgg82qQp5Vb0UVudEitc3bqukoO61B0pszC3S8wacq3uWfq5IPRvVePBA0SD9+W jykmLzVp5NGeKRnOCuJw9HkRP9+lKfCJwb4K8xbTjJjuWUDj9k6oRV1XKNQcyWCi KzEEV1snKne8dsUYPf9dN6FuJFi6c+a4L7vX96dlKLKJDQD0y1qQHhdBSNwqP7Wj RHL/WuMt3Yx6sZe30dPA3I7Tj2zizodjRs+Qst1Jfyjv/5e4Ap2gqmf39pse4O8n Ct4UA+5zTsulyT/5aUa/gIYFUH+luznCqiYoQtQ7TgELtcVOcgGfJciq+kPp6NWP GS2IcBH/XSOkQ4nRQrbQ/vutItYNUcE2Oe0xLerTih3+Sx+SKufSecLoSqOTgJdG TEqU6UkZB3mV3Y5j9MYmvF2Yvq+Ll2tw5FzxLA6kg+eTa1ochn/xwi11/kDQYqf3 CkH8Z4/ZgHx5xHwLkLxMleaiQP3EbyxaEBZYgzrOzp8rnT4HU+FeSUrkqlcyBrRN HSFMQlKXq+o/yfgVVh51LyGSFlHncVm1Jv6UirsGj7NAvso+BqA= =QhX4 -----END PGP SIGNATURE----- # This is a combination of 6 commits. # This is the 1st commit message: db: Update trivy-db to include CVSS score info (aquasecurity#530) * mod: Update trivy-db to include CVSS score info Signed-off-by: Simarpreet Singh <simar@linux.com> * mod: Update go.mod Signed-off-by: Simarpreet Singh <simar@linux.com> * mod: Update trivy-db to latest Signed-off-by: Simarpreet Singh <simar@linux.com> # This is the commit message aquasecurity#2: Adding contrib/junit.tpl to docker image (aquasecurity#554) # This is the commit message aquasecurity#3: Fixing `Error retrieving template from path` when --format is not template but template is provided (aquasecurity#556) # This is the commit message aquasecurity#4: added: display last db update whenever trivy server is started in trivy client/server setup # This is the commit message aquasecurity#5: Added: entry for prometheus/client_golang package # This is the commit message aquasecurity#6: Added: prometheus metrics endpoint support for Last DB Update and Last DB Update Attempt metric # This is the commit message aquasecurity#7: Added: entry for prometheus/client_golang package # This is the commit message aquasecurity#8: Added: prometheus metrics endpoint support for Last DB Update and Last DB Update Attempt metric # This is the commit message aquasecurity#9: Refactored: Shifted the GaugeVec global var to config.go . Removed unnecessarily repeated vars. Added nil check for GaugeVec # This is the commit message aquasecurity#10: Added: Nil GaugeVec Fail check # This is the commit message aquasecurity#11: Added: nil check for metrics registry # This is the commit message aquasecurity#12: Modified: tests with respect to nil metrics registry # This is the commit message aquasecurity#13: Merge with master # This is the commit message aquasecurity#14: Merge branch 'master' into issue-aquasecurity#346 # This is the commit message aquasecurity#15: Resolved merge conflicts # This is the commit message aquasecurity#16: Resolved merge conflicts # This is the commit message aquasecurity#17: feat(vulnerability): add CWE-ID (aquasecurity#561) * chore(mod): update dependency * test(vulnerability): add CweIDs
yashvardhan-kukreja · Aug 12, 2020 · 103fde2 · 103fde2
1 parent 4b57c0d
commit 103fde2
Show file tree

Hide file tree

Showing 54 changed files with 1,728 additions and 210 deletions.
diff --git a/.circleci/codecov.yml b/.circleci/codecov.yml
@@ -0,0 +1,8 @@
+coverage:
+  status:
+    project:
+      default:
+        informational: true
+    patch:
+      default:
+        informational: true
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -1,4 +1,6 @@
 version: 2.1
+orbs:
+  codecov: codecov/codecov@1.1.0
 
 defaults: &defaults
   docker :
@@ -24,6 +26,9 @@ jobs:
       - run:
           name: Test
           command: make test
+      - codecov/upload:
+          file: ./coverage.txt
+
   release:
     <<: *defaults
     steps:

diff --git a/.dockerignore b/.dockerignore
@@ -1,2 +1,6 @@
+.git
+.github
+.cache
 .circleci
+integration
 imgs
diff --git a/.gitignore b/.gitignore
@@ -18,4 +18,5 @@
 thumbs.db
 
 # test fixtures
+coverage.txt
 integration/testdata/fixtures/
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,9 @@
 FROM alpine:3.12
+RUN addgroup -g 1000 -S appgroup && adduser -u 1000 -S appuser -G appgroup
 RUN apk --no-cache add ca-certificates git rpm
 COPY trivy /usr/local/bin/trivy
 COPY contrib/gitlab.tpl contrib/gitlab.tpl
+COPY contrib/junit.tpl contrib/junit.tpl
+COPY contrib/sarif.tpl contrib/sarif.tpl
+USER appuser
 ENTRYPOINT ["trivy"]
diff --git a/Makefile b/Makefile
@@ -28,7 +28,7 @@ $(GOBIN)/golangci-lint:
 
 .PHONY: test
 test:
-	go test -v -short ./...
+	go test -v -short -coverprofile=coverage.txt -covermode=atomic ./...
 
 integration/testdata/fixtures/*.tar.gz:
 	git clone https://github.com/aquasecurity/trivy-test-images.git integration/testdata/fixtures

diff --git a/README.md b/README.md
@@ -6,6 +6,7 @@
 [![Go Report Card](https://goreportcard.com/badge/github.com/aquasecurity/trivy)](https://goreportcard.com/report/github.com/aquasecurity/trivy)
 [![License: Apache-2.0](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://github.com/aquasecurity/trivy/blob/master/LICENSE)
 [![Docker image](https://images.microbadger.com/badges/version/aquasec/trivy.svg)](https://microbadger.com/images/aquasec/trivy "Get your own version badge on microbadger.com")
+[![codecov](https://codecov.io/gh/aquasecurity/trivy/branch/master/graph/badge.svg)](https://codecov.io/gh/aquasecurity/trivy)
 
 A Simple and Comprehensive Vulnerability Scanner for Containers and other Artifacts, Suitable for CI.
 
@@ -44,6 +45,7 @@ A Simple and Comprehensive Vulnerability Scanner for Containers and other Artifa
     + [Save the results using a template](#save-the-results-using-a-template)
     + [Filter the vulnerabilities by severities](#filter-the-vulnerabilities-by-severities)
     + [Filter the vulnerabilities by type](#filter-the-vulnerabilities-by-type)
+    + [Filter the vulnerabilities by Open Policy Agent](#filter-the-vulnerabilities-by-open-policy-agent-policy)
     + [Skip update of vulnerability DB](#skip-update-of-vulnerability-db)
     + [Only download vulnerability database](#only-download-vulnerability-database)
     + [Ignore unfixed vulnerabilities](#ignore-unfixed-vulnerabilities)
@@ -181,7 +183,7 @@ yay -Sy trivy-bin
 
 ## Homebrew
 
-You can use homebrew on macOS.
+You can use homebrew on macOS and Linux.
 
 ```
 $ brew install aquasecurity/trivy/trivy
@@ -893,6 +895,11 @@ In the following example using the template `junit.tpl` XML can be generated.
 $ trivy image --format template --template "@contrib/junit.tpl" -o junit-report.xml  golang:1.12-alpine
 ```
 
+In the following example using the template `sarif.tpl` [Sarif](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/managing-results-from-code-scanning) can be generated.
+```
+$ trivy image --format template --template "@contrib/sarif.tpl" -o report.sarif  golang:1.12-alpine
+```
+
 ### Filter the vulnerabilities by severities
 
 ```
@@ -1093,6 +1100,41 @@ Total: 4751 (UNKNOWN: 1, LOW: 150, MEDIUM: 3504, HIGH: 1013, CRITICAL: 83)
 
 </details>
 
+### Filter the vulnerabilities by Open Policy Agent policy
+[EXPERIMENTAL] This feature might change without preserving backwards compatibility.
+
+Trivy supports Open Policy Agent (OPA) to filter vulnerabilities. You can specify a Rego file with `--ignore-policy` option.
+
+The Rego package name must be `trivy` and it must include a rule called `ignore` which determines if each individual vulnerability should be excluded (ignore=true) or not (ignore=false). In the policy, each vulnerability will be available for inspection as the `input` variable. The structure of each vulnerability input is the same as for the Trivy JSON output.  
+There is a built-in Rego library with helper functions that you can import into your policy using: `import data.lib.trivy`. For more info about the helper functions, look at the library [here](pkg/vulnerability/module.go)
+
+To get started, see the [example policy](./contrib/example_policy).
+
+```
+$ trivy image --policy contrib/example_filter/basic.rego centos:7
+```
+
+<details>
+<summary>Result</summary>
+
+```
+centos:7 (centos 7.8.2003)
+==========================
+Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
+
++---------+------------------+----------+-------------------+---------------+--------------------------------+
+| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
++---------+------------------+----------+-------------------+---------------+--------------------------------+
+| glib2   | CVE-2016-3191    | HIGH     | 2.56.1-5.el7      |               | pcre: workspace overflow       |
+|         |                  |          |                   |               | for (*ACCEPT) with deeply      |
+|         |                  |          |                   |               | nested parentheses (8.39/13,   |
+|         |                  |          |                   |               | 10.22/12)                      |
++---------+------------------+----------+-------------------+---------------+--------------------------------+
+```
+
+</details>
+
+
 ### Skip update of vulnerability DB
 
 `Trivy` always updates its vulnerability database when it starts operating. This is usually fast, as it is a difference update. But if you want to skip even that, use the `--skip-update` option.
@@ -1690,6 +1732,7 @@ OPTIONS:
    --ignorefile value  specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
    --timeout value     docker timeout (default: 2m0s) [$TRIVY_TIMEOUT]
    --light             light mode: it's faster, but vulnerability descriptions and references are not displayed (default: false) [$TRIVY_LIGHT]
+   --list-all-pkgs     enabling the option will output all packages regardless of vulnerability [$TRIVY_LIST_ALL_PKGS]
    --help, -h          show help (default: false)
 ```
 

diff --git a/contrib/example_policy/advanced.rego b/contrib/example_policy/advanced.rego
@@ -0,0 +1,94 @@
+package trivy
+
+import data.lib.trivy
+
+default ignore = false
+
+nvd_v3_vector = v {
+	v := input.CVSS.nvd.v3
+}
+
+# Ignore a vulnerability which requires high privilege
+ignore {
+	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	cvss_vector.PrivilegesRequired == "High"
+}
+
+# Ignore a vulnerability which requires user interaction
+ignore {
+	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	cvss_vector.UserInteraction == "Required"
+}
+
+ignore {
+	input.PkgName == "openssl"
+
+	# Split CVSSv3 vector
+	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+
+	# Evaluate Attack Vector
+	ignore_attack_vectors := {"Physical", "Local"}
+	cvss_vector.AttackVector == ignore_attack_vectors[_]
+}
+
+ignore {
+	input.PkgName == "openssl"
+
+	# Evaluate severity
+	input.Severity == {"LOW", "MEDIUM", "HIGH"}[_]
+
+	# Evaluate CWE-ID
+	deny_cwe_ids := {
+		"CWE-119", # Improper Restriction of Operations within the Bounds of a Memory Buffer
+		"CWE-200", # Exposure of Sensitive Information to an Unauthorized Actor
+	}
+
+	count({x | x := input.CweIDs[_]; x == deny_cwe_ids[_]}) == 0
+}
+
+ignore {
+	input.PkgName == "bash"
+
+	# Split CVSSv3 vector
+	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+
+	# Evaluate Attack Vector
+	ignore_attack_vectors := {"Physical", "Local", "Adjacent"}
+	cvss_vector.AttackVector == ignore_attack_vectors[_]
+
+	# Evaluate severity
+	input.Severity == {"LOW", "MEDIUM", "HIGH"}[_]
+}
+
+ignore {
+	input.PkgName == "django"
+
+	# Split CVSSv3 vector
+	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+
+	# Evaluate Attack Vector
+	ignore_attack_vectors := {"Physical", "Local"}
+	cvss_vector.AttackVector == ignore_attack_vectors[_]
+
+	# Evaluate severity
+	input.Severity == {"LOW", "MEDIUM"}[_]
+
+	# Evaluate CWE-ID
+	deny_cwe_ids := {
+		"CWE-89", # SQL Injection
+		"CWE-78", # OS Command Injection
+	}
+
+	count({x | x := input.CweIDs[_]; x == deny_cwe_ids[_]}) == 0
+}
+
+ignore {
+	input.PkgName == "jquery"
+
+	# Split CVSSv3 vector
+	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+
+	# Evaluate CWE-ID
+	deny_cwe_ids := {"CWE-79"} # XSS
+	count({x | x := input.CweIDs[_]; x == deny_cwe_ids[_]}) == 0
+}
diff --git a/contrib/example_policy/basic.rego b/contrib/example_policy/basic.rego
@@ -0,0 +1,45 @@
+package trivy
+
+import data.lib.trivy
+
+default ignore = false
+
+ignore_pkgs := {"bash", "bind-license", "rpm", "vim", "vim-minimal"}
+
+ignore_severities := {"LOW", "MEDIUM"}
+
+nvd_v3_vector = v {
+	v := input.CVSS.nvd.v3
+}
+
+ignore {
+	input.PkgName == ignore_pkgs[_]
+}
+
+ignore {
+	input.Severity == ignore_severities[_]
+}
+
+# Ignore a vulnerability which is not remotely exploitable
+ignore {
+	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	cvss_vector.AttackVector != "Network"
+}
+
+# Ignore a vulnerability which requires high privilege
+ignore {
+	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	cvss_vector.PrivilegesRequired == "High"
+}
+
+# Ignore a vulnerability which requires user interaction
+ignore {
+	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	cvss_vector.UserInteraction == "Required"
+}
+
+# Ignore CSRF
+ignore {
+	# https://cwe.mitre.org/data/definitions/352.html
+	input.CweIDs[_] == "CWE-352"
+}
diff --git a/contrib/sarif.tpl b/contrib/sarif.tpl
@@ -0,0 +1,81 @@
+{
+  "$schema": "https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.4.json",
+  "version": "2.1.0",
+  "runs": [
+    {
+      "tool": {
+        "driver": {
+          "name": "Trivy",
+          "fullName": "Trivy Vulnerability Scanner",
+          "rules": [
+        {{- $t_first := true }}
+        {{- range . }}
+            {{- range .Vulnerabilities -}}
+              {{- if $t_first -}}
+                {{- $t_first = false -}}
+              {{ else -}}
+                ,
+              {{- end }}
+            {
+              "id": "[{{ .Vulnerability.Severity }}] {{ .VulnerabilityID }}",
+              "name": "dockerfile_scan",
+              "shortDescription": {
+                "text": "{{ .VulnerabilityID }} Package: {{ .PkgName }}"
+              },
+              "fullDescription": {
+                "text": "{{ endWithPeriod .Title }}"
+              },
+              "help": {
+                "text": "Vulnerability {{ .VulnerabilityID }}\nSeverity: {{ .Vulnerability.Severity }}\nPackage: {{ .PkgName }}\nInstalled Version: {{ .InstalledVersion }}\nFixed Version: {{ .FixedVersion }}\nLink: [{{ .VulnerabilityID }}](https://nvd.nist.gov/vuln/detail/{{ .VulnerabilityID | toLower }})",
+                "markdown": "**Vulnerability {{ .VulnerabilityID }}**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|{{ .Vulnerability.Severity }}|{{ .PkgName }}|{{ .InstalledVersion }}|{{ .FixedVersion }}|[{{ .VulnerabilityID }}](https://nvd.nist.gov/vuln/detail/{{ .VulnerabilityID | toLower }})|\n"
+              },
+              "properties": {
+                "tags": [
+                  "vulnerability",
+                  "{{ .Vulnerability.Severity }}",
+                  "{{ .PkgName }}"
+                ],
+                "precision": "very-high"
+              }
+            }
+            {{- end -}}
+         {{- end -}}
+          ]
+        }
+      },
+      "results": [
+    {{- $t_first := true }}
+    {{- range . }}
+        {{- range $index, $vulnerability := .Vulnerabilities -}}
+          {{- if $t_first -}}
+            {{- $t_first = false -}}
+          {{ else -}}
+            ,
+          {{- end }}
+        {
+          "ruleId": "[{{ $vulnerability.Vulnerability.Severity }}] {{ $vulnerability.VulnerabilityID }}",
+          "ruleIndex": {{ $index }},
+          "level": "error",
+          "message": {
+            "text": {{ endWithPeriod $vulnerability.Description | printf "%q" }}
+          },
+          "locations": [{
+            "physicalLocation": {
+              "artifactLocation": {
+                "uri": "Dockerfile"
+              },
+              "region": {
+                "startLine": 1,
+                "startColumn": 1,
+                "endColumn": 1
+              }
+            }
+          }]
+        }
+        {{- end -}}
+      {{- end -}}
+      ],
+      "columnKind": "utf16CodeUnits"
+    }
+  ]
+}
diff --git a/go.mod b/go.mod
@@ -3,9 +3,10 @@ module github.com/aquasecurity/trivy
 go 1.13
 
 require (
+	github.com/Masterminds/semver/v3 v3.1.0
 	github.com/aquasecurity/fanal v0.0.0-20200528202907-79693bf4a058
 	github.com/aquasecurity/go-dep-parser v0.0.0-20190819075924-ea223f0ef24b
-	github.com/aquasecurity/trivy-db v0.0.0-20200616161554-cd5b3da29bc8
+	github.com/aquasecurity/trivy-db v0.0.0-20200715174849-fa5a3ca24b16
 	github.com/caarlos0/env/v6 v6.0.0
 	github.com/cenkalti/backoff v2.2.1+incompatible
 	github.com/cheggaaa/pb/v3 v3.0.3
@@ -18,10 +19,10 @@ require (
 	github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f
 	github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d
 	github.com/knqyf263/go-rpm-version v0.0.0-20170716094938-74609b86c936
-	github.com/knqyf263/go-version v1.1.1
 	github.com/kylelemons/godebug v1.1.0
 	github.com/mattn/go-colorable v0.1.4 // indirect
 	github.com/olekukonko/tablewriter v0.0.2-0.20190607075207-195002e6e56a
+	github.com/open-policy-agent/opa v0.21.1
 	github.com/spf13/afero v1.2.2
 	github.com/stretchr/testify v1.6.1
 	github.com/testcontainers/testcontainers-go v0.3.1
@@ -33,4 +34,5 @@ require (
 	golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45
 	golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543
 	k8s.io/utils v0.0.0-20191114184206-e782cd3c129f
+	github.com/prometheus/client_golang v1.0.0
 )