# This is a combination of 17 commits.
parent 4b57c0d author Simarpreet Singh <simar@linux.com> 1594135002 -0700 committer Yashvardhan Kukreja <yash.kukreja.98@gmail.com> 1597228077 +0530 gpgsig -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEo6kc/h77LUwnQeM/dxKAODWqo7oFAl8zxC0ACgkQdxKAODWq o7pG3g//VIXCQt6z8dhORimZEAXLbwI7WuUYxkkGGKceuhCWwEs7HVJLkNBiIml1 6gDnc8sMkG7FqFGAi5RHvdez9vqWZRxaoWgJ2J39u/sTow3QEwvzIAdjG7+4LHOs 7mgg82qQp5Vb0UVudEitc3bqukoO61B0pszC3S8wacq3uWfq5IPRvVePBA0SD9+W jykmLzVp5NGeKRnOCuJw9HkRP9+lKfCJwb4K8xbTjJjuWUDj9k6oRV1XKNQcyWCi KzEEV1snKne8dsUYPf9dN6FuJFi6c+a4L7vX96dlKLKJDQD0y1qQHhdBSNwqP7Wj RHL/WuMt3Yx6sZe30dPA3I7Tj2zizodjRs+Qst1Jfyjv/5e4Ap2gqmf39pse4O8n Ct4UA+5zTsulyT/5aUa/gIYFUH+luznCqiYoQtQ7TgELtcVOcgGfJciq+kPp6NWP GS2IcBH/XSOkQ4nRQrbQ/vutItYNUcE2Oe0xLerTih3+Sx+SKufSecLoSqOTgJdG TEqU6UkZB3mV3Y5j9MYmvF2Yvq+Ll2tw5FzxLA6kg+eTa1ochn/xwi11/kDQYqf3 CkH8Z4/ZgHx5xHwLkLxMleaiQP3EbyxaEBZYgzrOzp8rnT4HU+FeSUrkqlcyBrRN HSFMQlKXq+o/yfgVVh51LyGSFlHncVm1Jv6UirsGj7NAvso+BqA= =QhX4 -----END PGP SIGNATURE----- # This is a combination of 6 commits. 
# This is the 1st commit message: db: Update trivy-db to include CVSS score info (aquasecurity#530) * mod: Update trivy-db to include CVSS score info Signed-off-by: Simarpreet Singh <simar@linux.com> * mod: Update go.mod Signed-off-by: Simarpreet Singh <simar@linux.com> * mod: Update trivy-db to latest Signed-off-by: Simarpreet Singh <simar@linux.com> # This is the commit message aquasecurity#2: Adding contrib/junit.tpl to docker image (aquasecurity#554) # This is the commit message aquasecurity#3: Fixing `Error retrieving template from path` when --format is not template but template is provided (aquasecurity#556) # This is the commit message aquasecurity#4: added: display last db update whenever trivy server is started in trivy client/server setup # This is the commit message aquasecurity#5: Added: entry for prometheus/client_golang package # This is the commit message aquasecurity#6: Added: prometheus metrics endpoint support for Last DB Update and Last DB Update Attempt metric # This is the commit message aquasecurity#7: Added: entry for prometheus/client_golang package # This is the commit message aquasecurity#8: Added: prometheus metrics endpoint support for Last DB Update and Last DB Update Attempt metric # This is the commit message aquasecurity#9: Refactored: Shifted the GaugeVec global var to config.go . Removed unnecessarily repeated vars. 
Added nil check for GaugeVec # This is the commit message aquasecurity#10: Added: Nil GaugeVec Fail check # This is the commit message aquasecurity#11: Added: nil check for metrics registry # This is the commit message aquasecurity#12: Modified: tests with respect to nil metrics registry # This is the commit message aquasecurity#13: Merge with master # This is the commit message aquasecurity#14: Merge branch 'master' into issue-aquasecurity#346 # This is the commit message aquasecurity#15: Resolved merge conflicts # This is the commit message aquasecurity#16: Resolved merge conflicts # This is the commit message aquasecurity#17: feat(vulnerability): add CWE-ID (aquasecurity#561) * chore(mod): update dependency * test(vulnerability): add CweIDs
1 parent
4b57c0d
commit 103fde2
Showing
54 changed files
with
1,728 additions
and
210 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
coverage: | ||
status: | ||
project: | ||
default: | ||
informational: true | ||
patch: | ||
default: | ||
informational: true |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,2 +1,6 @@ | ||
.git | ||
.github | ||
.cache | ||
.circleci | ||
integration | ||
imgs |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -18,4 +18,5 @@ | |
thumbs.db | ||
|
||
# test fixtures | ||
coverage.txt | ||
integration/testdata/fixtures/ |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,5 +1,9 @@ | ||
FROM alpine:3.12 | ||
RUN addgroup -g 1000 -S appgroup && adduser -u 1000 -S appuser -G appgroup | ||
RUN apk --no-cache add ca-certificates git rpm | ||
COPY trivy /usr/local/bin/trivy | ||
COPY contrib/gitlab.tpl contrib/gitlab.tpl | ||
COPY contrib/junit.tpl contrib/junit.tpl | ||
COPY contrib/sarif.tpl contrib/sarif.tpl | ||
USER appuser | ||
ENTRYPOINT ["trivy"] |
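Review bot: `FROM alpine:3.12` pins only a tag, so every rebuild silently picks up whatever that tag currently resolves to; for a scanner image whose own supply chain is the product, pin the base by digest, e.g. `FROM alpine:3.12@sha256:<digest>`, and bump it deliberately. The `COPY contrib/*.tpl contrib/*.tpl` destinations are relative and no WORKDIR is set, so the templates end up under `/contrib/` in the image — worth stating in a comment such as `# report templates are shipped at /contrib/*.tpl` since that absolute path is presumably what users pass to `--template`. Running as `appuser` (uid 1000) is the right default; a note that scanning via a mounted Docker socket will need that uid to have access to the socket would save users a confusing permission error.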
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,94 @@ | ||
package trivy | ||
|
||
import data.lib.trivy | ||
|
||
default ignore = false | ||
|
||
nvd_v3_vector = v { | ||
v := input.CVSS.nvd.v3 | ||
} | ||
|
||
# Ignore a vulnerability which requires high privilege | ||
ignore { | ||
cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector) | ||
cvss_vector.PrivilegesRequired == "High" | ||
} | ||
|
||
# Ignore a vulnerability which requires user interaction | ||
ignore { | ||
cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector) | ||
cvss_vector.UserInteraction == "Required" | ||
} | ||
|
||
ignore { | ||
input.PkgName == "openssl" | ||
|
||
# Split CVSSv3 vector | ||
cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector) | ||
|
||
# Evaluate Attack Vector | ||
ignore_attack_vectors := {"Physical", "Local"} | ||
cvss_vector.AttackVector == ignore_attack_vectors[_] | ||
} | ||
|
||
ignore { | ||
input.PkgName == "openssl" | ||
|
||
# Evaluate severity | ||
input.Severity == {"LOW", "MEDIUM", "HIGH"}[_] | ||
|
||
# Evaluate CWE-ID | ||
deny_cwe_ids := { | ||
"CWE-119", # Improper Restriction of Operations within the Bounds of a Memory Buffer | ||
"CWE-200", # Exposure of Sensitive Information to an Unauthorized Actor | ||
} | ||
|
||
count({x | x := input.CweIDs[_]; x == deny_cwe_ids[_]}) == 0 | ||
} | ||
|
||
ignore { | ||
input.PkgName == "bash" | ||
|
||
# Split CVSSv3 vector | ||
cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector) | ||
|
||
# Evaluate Attack Vector | ||
ignore_attack_vectors := {"Physical", "Local", "Adjacent"} | ||
cvss_vector.AttackVector == ignore_attack_vectors[_] | ||
|
||
# Evaluate severity | ||
input.Severity == {"LOW", "MEDIUM", "HIGH"}[_] | ||
} | ||
|
||
ignore { | ||
input.PkgName == "django" | ||
|
||
# Split CVSSv3 vector | ||
cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector) | ||
|
||
# Evaluate Attack Vector | ||
ignore_attack_vectors := {"Physical", "Local"} | ||
cvss_vector.AttackVector == ignore_attack_vectors[_] | ||
|
||
# Evaluate severity | ||
input.Severity == {"LOW", "MEDIUM"}[_] | ||
|
||
# Evaluate CWE-ID | ||
deny_cwe_ids := { | ||
"CWE-89", # SQL Injection | ||
"CWE-78", # OS Command Injection | ||
} | ||
|
||
count({x | x := input.CweIDs[_]; x == deny_cwe_ids[_]}) == 0 | ||
} | ||
|
||
ignore { | ||
input.PkgName == "jquery" | ||
|
||
# Split CVSSv3 vector | ||
cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector) | ||
|
||
# Evaluate CWE-ID | ||
deny_cwe_ids := {"CWE-79"} # XSS | ||
count({x | x := input.CweIDs[_]; x == deny_cwe_ids[_]}) == 0 | ||
} |
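Review bot: The CWE-based `ignore` rules for openssl, django and jquery fail open when a vulnerability carries no CWE data: if `input.CweIDs` is absent or empty, the set comprehension on each `count({x | x := input.CweIDs[_]; x == deny_cwe_ids[_]}) == 0` line evaluates to an empty set, the count is 0, and the finding is ignored although nothing was actually checked. Guard each of those rules with `count(input.CweIDs) > 0` before the comprehension so missing metadata is not read as "no dangerous weakness present". In the jquery rule `cvss_vector` is assigned but never used; that binding still makes the rule depend on `nvd_v3_vector` being defined, so either drop the line or add `# intentionally requires an NVD v3 vector` if the dependence is meant.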
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,45 @@ | ||
package trivy | ||
|
||
import data.lib.trivy | ||
|
||
default ignore = false | ||
|
||
ignore_pkgs := {"bash", "bind-license", "rpm", "vim", "vim-minimal"} | ||
|
||
ignore_severities := {"LOW", "MEDIUM"} | ||
|
||
nvd_v3_vector = v { | ||
v := input.CVSS.nvd.v3 | ||
} | ||
|
||
ignore { | ||
input.PkgName == ignore_pkgs[_] | ||
} | ||
|
||
ignore { | ||
input.Severity == ignore_severities[_] | ||
} | ||
|
||
# Ignore a vulnerability which is not remotely exploitable | ||
ignore { | ||
cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector) | ||
cvss_vector.AttackVector != "Network" | ||
} | ||
|
||
# Ignore a vulnerability which requires high privilege | ||
ignore { | ||
cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector) | ||
cvss_vector.PrivilegesRequired == "High" | ||
} | ||
|
||
# Ignore a vulnerability which requires user interaction | ||
ignore { | ||
cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector) | ||
cvss_vector.UserInteraction == "Required" | ||
} | ||
|
||
# Ignore CSRF | ||
ignore { | ||
# https://cwe.mitre.org/data/definitions/352.html | ||
input.CweIDs[_] == "CWE-352" | ||
} |
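Review bot: The CSRF rule ignores a finding as soon as any one of its CWE IDs is CWE-352, so a vulnerability tagged with both CWE-352 and, say, CWE-89 is dropped together with the CSRF-only ones. If the intent is to skip pure CSRF findings, require that every CWE be 352: `count(input.CweIDs) > 0` followed by `count({x | x := input.CweIDs[_]; x != "CWE-352"}) == 0`. The blanket `input.Severity == ignore_severities[_]` and `ignore_pkgs` rules apply to every package in every scan target, which reads as an illustration rather than a recommended baseline; a header comment saying so (`# Example policy — tune ignore_pkgs/ignore_severities before use in CI`) would keep it from being copied verbatim.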
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,81 @@ | ||
{ | ||
"$schema": "https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.4.json", | ||
"version": "2.1.0", | ||
"runs": [ | ||
{ | ||
"tool": { | ||
"driver": { | ||
"name": "Trivy", | ||
"fullName": "Trivy Vulnerability Scanner", | ||
"rules": [ | ||
{{- $t_first := true }} | ||
{{- range . }} | ||
{{- range .Vulnerabilities -}} | ||
{{- if $t_first -}} | ||
{{- $t_first = false -}} | ||
{{ else -}} | ||
, | ||
{{- end }} | ||
{ | ||
"id": "[{{ .Vulnerability.Severity }}] {{ .VulnerabilityID }}", | ||
"name": "dockerfile_scan", | ||
"shortDescription": { | ||
"text": "{{ .VulnerabilityID }} Package: {{ .PkgName }}" | ||
}, | ||
"fullDescription": { | ||
"text": "{{ endWithPeriod .Title }}" | ||
}, | ||
"help": { | ||
"text": "Vulnerability {{ .VulnerabilityID }}\nSeverity: {{ .Vulnerability.Severity }}\nPackage: {{ .PkgName }}\nInstalled Version: {{ .InstalledVersion }}\nFixed Version: {{ .FixedVersion }}\nLink: [{{ .VulnerabilityID }}](https://nvd.nist.gov/vuln/detail/{{ .VulnerabilityID | toLower }})", | ||
"markdown": "**Vulnerability {{ .VulnerabilityID }}**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|{{ .Vulnerability.Severity }}|{{ .PkgName }}|{{ .InstalledVersion }}|{{ .FixedVersion }}|[{{ .VulnerabilityID }}](https://nvd.nist.gov/vuln/detail/{{ .VulnerabilityID | toLower }})|\n" | ||
}, | ||
"properties": { | ||
"tags": [ | ||
"vulnerability", | ||
"{{ .Vulnerability.Severity }}", | ||
"{{ .PkgName }}" | ||
], | ||
"precision": "very-high" | ||
} | ||
} | ||
{{- end -}} | ||
{{- end -}} | ||
] | ||
} | ||
}, | ||
"results": [ | ||
{{- $t_first := true }} | ||
{{- range . }} | ||
{{- range $index, $vulnerability := .Vulnerabilities -}} | ||
{{- if $t_first -}} | ||
{{- $t_first = false -}} | ||
{{ else -}} | ||
, | ||
{{- end }} | ||
{ | ||
"ruleId": "[{{ $vulnerability.Vulnerability.Severity }}] {{ $vulnerability.VulnerabilityID }}", | ||
"ruleIndex": {{ $index }}, | ||
"level": "error", | ||
"message": { | ||
"text": {{ endWithPeriod $vulnerability.Description | printf "%q" }} | ||
}, | ||
"locations": [{ | ||
"physicalLocation": { | ||
"artifactLocation": { | ||
"uri": "Dockerfile" | ||
}, | ||
"region": { | ||
"startLine": 1, | ||
"startColumn": 1, | ||
"endColumn": 1 | ||
} | ||
} | ||
}] | ||
} | ||
{{- end -}} | ||
{{- end -}} | ||
], | ||
"columnKind": "utf16CodeUnits" | ||
} | ||
] | ||
} |
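Review bot: Several fields are spliced into JSON string literals without escaping — `{{ endWithPeriod .Title }}` in fullDescription, and `.PkgName`/`.VulnerabilityID`/`.InstalledVersion` inside the help text — so a title containing a double quote, backslash or newline produces malformed SARIF, or lets advisory text from upstream alter the document's structure; only `message.text` goes through `printf "%q"`. Apply the same quoting to the other fields, e.g. `"text": {{ endWithPeriod .Title | printf "%q" }}`, noting that Go's `%q` can emit escapes such as `\x7f` that are not valid JSON, so a JSON-specific escaper would be safer if the template function set allows one. Separately, `"ruleIndex": {{ $index }}` is the index within the current target's `.Vulnerabilities`, while `rules` is flattened across all targets by the outer `range .`, so from the second target onward the index points at the wrong rule; either keep a running counter across both loops or drop `ruleIndex` and rely on `ruleId`. Rule ids can also repeat when the same vulnerability appears in two targets, which some SARIF consumers reject.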