8000 feat: add `--vuln-severity-source` flag by DmitriyLewen · Pull Request #8269 · aquasecurity/trivy · GitHub


feat: add --vuln-severity-source flag #8269

Merged
merged 24 commits into from
Mar 3, 2025
Merged
Changes from 1 commit
24 commits
0b18682
chore(deps): use fork of trivy-db
DmitriyLewen Jan 21, 2025
8c5850a
feat(flag): add `severity-src` flag
DmitriyLewen Jan 21, 2025
b777a44
feat(option): add `severity-src` option
DmitriyLewen Jan 21, 2025
db5d038
feat(vulnerability): use `severity-src` to parse severity
DmitriyLewen Jan 21, 2025
43fdd91
Merge branch 'main' into 'feat/severity-src'
DmitriyLewen Jan 22, 2025
fd80cc3
refactor: move severitySrc flag from report to vulnerability
DmitriyLewen Jan 22, 2025
f34f174
docs: mage docs:generate
DmitriyLewen Jan 22, 2025
ab4af75
feat: add severitySrc for `rpc`
DmitriyLewen Jan 22, 2025
011dcdb
test: add unit tests for fillInfo
DmitriyLewen Jan 22, 2025
3261f41
test: add integration tests
DmitriyLewen Jan 22, 2025
74c9954
docs: add info about --severitySrc flag
DmitriyLewen Jan 22, 2025
4a0748b
fix: linter errors
DmitriyLewen Jan 22, 2025
28199b6
refactor: add vulnID in warning
DmitriyLewen Jan 22, 2025
20ccbda
test: add SeveritySrc in required tests
DmitriyLewen Jan 22, 2025
bd45e4f
chore(deps): bump github.com/aquasecurity/trivy-db
DmitriyLewen Jan 24, 2025
c8187f0
Merge branch 'main' into 'feat/severity-src'
DmitriyLewen Feb 19, 2025
fbf0c1b
test: update tests
DmitriyLewen Feb 19, 2025
0f42477
refactor: rename severity-src to vuln-severity-src
DmitriyLewen Feb 25, 2025
db27331
docs: mage docs:generate
DmitriyLewen Feb 25, 2025
2999049
refactor: use SourceID instead of string
DmitriyLewen Feb 25, 2025
413b047
refactor: reuse getSeverity function
DmitriyLewen Feb 25, 2025
8b965df
refactor: use vulnerability.severity-src for config file
DmitriyLewen Feb 27, 2025
ee721a7
Merge branch 'main' into 'feat/severity-src'
DmitriyLewen Mar 3, 2025
620bc23
refactor: rename `vulnSeveritySrc` to `vulnSeveritySources`
DmitriyLewen Mar 3, 2025
refactor: use SourceID instead of string
DmitriyLewen committed Feb 25, 2025
commit 2999049145c647a5431476e78dcc7aae7823a272
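--- a/pkg/flag/vulnerability_flags.go
+++ b/pkg/flag/vulnerability_flags.go
@@ -55,7 +55,7 @@ type VulnerabilityOptions struct {
 IgnoreStatuses []dbTypes.Status
 VEXSources []vex.Source
 SkipVEXRepoUpdate bool
-VulnSeveritySrc []string
+VulnSeveritySrc []dbTypes.SourceID
 }
 
 func NewVulnerabilityFlagGroup() *VulnerabilityFlagGroup {
@@ -116,6 +116,6 @@ func (f *VulnerabilityFlagGroup) ToOptions() (VulnerabilityOptions, error) {
 return vex.NewSource(s)
 }),
 SkipVEXRepoUpdate: f.SkipVEXRepoUpdate.Value(),
-VulnSeveritySrc: f.VulnSeveritySrc.Value(),
+VulnSeveritySrc: xstrings.ToTSlice[dbTypes.SourceID](f.VulnSeveritySrc.Value()),
 }, nil
 }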
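Review bot: The new `xstrings.ToTSlice[dbTypes.SourceID](f.VulnSeveritySrc.Value())` in `ToOptions` casts whatever the user typed straight into `SourceID` values with no validation, so a misspelled source (say `nvdd`) is never matched by `getSeverity` in pkg/vulnerability and every finding degrades to UNKNOWN severity with only a per-vulnerability warning, which any downstream severity-based filtering would then drop. Since `ToOptions` already returns an error, reject any value that is neither `auto` nor a source ID trivy-db actually knows before building the options; if the flag type supports an allowed-values list, that is the cheaper place to do it. The flag usage should also state that entries are consulted in order and the first match wins, so `auto` placed first shadows everything after it. `ToOptions` begins above the hunk.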
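--- a/pkg/rpc/client/client.go
+++ b/pkg/rpc/client/client.go
@@ -99,7 +99,7 @@ func (s Scanner) Scan(ctx context.Context, target, artifactKey string, blobKeys
 LicenseCategories: licenseCategories,
 IncludeDevDeps: opts.IncludeDevDeps,
 Distro: distro,
-VulnSeveritySrc: opts.VulnSeveritySrc,
+VulnSeveritySrc: xstrings.ToStringSlice(opts.VulnSeveritySrc),
 },
 })
 return err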
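--- a/pkg/rpc/server/server.go
+++ b/pkg/rpc/server/server.go
@@ -8,13 +8,15 @@ import (
 "golang.org/x/xerrors"
 "google.golang.org/protobuf/types/known/emptypb"
 
+dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
 "github.com/aquasecurity/trivy/pkg/cache"
 ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
 "github.com/aquasecurity/trivy/pkg/log"
 "github.com/aquasecurity/trivy/pkg/rpc"
 "github.com/aquasecurity/trivy/pkg/scanner"
 "github.com/aquasecurity/trivy/pkg/scanner/local"
 "github.com/aquasecurity/trivy/pkg/types"
+xstrings "github.com/aquasecurity/trivy/pkg/x/strings"
 rpcCache "github.com/aquasecurity/trivy/rpc/cache"
 rpcScanner "github.com/aquasecurity/trivy/rpc/scanner"
 )
@@ -81,14 +83,21 @@ func (s *ScanServer) ToOptions(in *rpcScanner.ScanOptions) types.ScanOptions {
 distro.Name = in.Distro.Name
 }
 
+vulnSeveritySrc := xstrings.ToTSlice[dbTypes.SourceID](in.VulnSeveritySrc)
+if len(vulnSeveritySrc) == 0 {
+vulnSeveritySrc = []dbTypes.SourceID{
+"auto", // For backward compatibility
+}
+}
+
 return types.ScanOptions{
 PkgTypes: in.PkgTypes,
 PkgRelationships: pkgRelationships,
 Scanners: scanners,
 IncludeDevDeps: in.IncludeDevDeps,
 LicenseCategories: licenseCategories,
 Distro: distro,
-VulnSeveritySrc: in.VulnSeveritySrc,
+VulnSeveritySrc: vulnSeveritySrc,
 }
 }
 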
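Review bot: The `"auto"` fallback added to `ToOptions` is a bare string literal that must stay in sync with the `source == "auto"` comparison in pkg/vulnerability/vulnerability.go; with the field now typed as `dbTypes.SourceID`, one named constant (assuming the project does not already have one) would make the two agree by construction. The `// For backward compatibility` comment also leaves the reader guessing what is being kept compatible; something like `// Clients that predate this field send an empty list; treat it as "auto" so their results are unchanged.` says why the default lives on the server side. The server applies no validation to the IDs it receives either, which is tolerable only because an unknown ID degrades the caller's own results rather than anyone else's. `ToOptions` starts above the hunk.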
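--- a/pkg/scanner/local/scan_test.go
+++ b/pkg/scanner/local/scan_test.go
@@ -169,7 +169,7 @@ func TestScanner_Scan(t *testing.T) {
 },
 PkgRelationships: ftypes.Relationships,
 Scanners: types.Scanners{types.VulnerabilityScanner},
-VulnSeveritySrc: []string{"auto"},
+VulnSeveritySrc: []dbTypes.SourceID{"auto"},
 },
 },
 fixtures: []string{"testdata/fixtures/happy.yaml"},
@@ -280,7 +280,7 @@ func TestScanner_Scan(t *testing.T) {
 Family: "alpine",
 Name: "3.11",
 },
-VulnSeveritySrc: []string{"auto"},
+VulnSeveritySrc: []dbTypes.SourceID{"auto"},
 },
 },
 fixtures: []string{"testdata/fixtures/happy.yaml"},
@@ -458,7 +458,7 @@ func TestScanner_Scan(t *testing.T) {
 },
 PkgRelationships: ftypes.Relationships,
 Scanners: types.Scanners{types.VulnerabilityScanner},
-VulnSeveritySrc: []string{"auto"},
+VulnSeveritySrc: []dbTypes.SourceID{"auto"},
 },
 },
 fixtures: []string{"testdata/fixtures/happy.yaml"},
@@ -538,7 +538,7 @@ func TestScanner_Scan(t *testing.T) {
 PkgTypes: []string{types.PkgTypeLibrary},
 PkgRelationships: ftypes.Relationships,
 Scanners: types.Scanners{types.VulnerabilityScanner},
-VulnSeveritySrc: []string{"auto"},
+VulnSeveritySrc: []dbTypes.SourceID{"auto"},
 },
 },
 fixtures: []string{"testdata/fixtures/happy.yaml"},
@@ -648,7 +648,7 @@ func TestScanner_Scan(t *testing.T) {
 },
 PkgRelationships: ftypes.Relationships,
 Scanners: types.Scanners{types.VulnerabilityScanner},
-VulnSeveritySrc: []string{"auto"},
+VulnSeveritySrc: []dbTypes.SourceID{"auto"},
 },
 },
 fixtures: []string{"testdata/fixtures/happy.yaml"},
@@ -729,7 +729,7 @@ func TestScanner_Scan(t *testing.T) {
 },
 PkgRelationships: ftypes.Relationships,
 Scanners: types.Scanners{types.VulnerabilityScanner},
-VulnSeveritySrc: []string{"auto"},
+VulnSeveritySrc: []dbTypes.SourceID{"auto"},
 },
 },
 fixtures: []string{"testdata/fixtures/happy.yaml"},
@@ -828,7 +828,7 @@ func TestScanner_Scan(t *testing.T) {
 ftypes.RelationshipIndirect,
 },
 Scanners: types.Scanners{types.VulnerabilityScanner},
-VulnSeveritySrc: []string{"auto"},
+VulnSeveritySrc: []dbTypes.SourceID{"auto"},
 },
 },
 fixtures: []string{"testdata/fixtures/happy.yaml"},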
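--- a/pkg/scanner/scan_test.go
+++ b/pkg/scanner/scan_test.go
@@ -46,7 +46,7 @@ func TestScanner_ScanArtifact(t *testing.T) {
 PkgTypes: []string{"os"},
 Scanners: tTypes.Scanners{tTypes.VulnerabilityScanner},
 PkgRelationships: ftypes.Relationships,
-VulnSeveritySrc: []string{"auto"},
+VulnSeveritySrc: []dbTypes.SourceID{"auto"},
 },
 },
 imagePath: "../fanal/test/testdata/alpine-311.tar.gz",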
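--- a/pkg/types/scan.go
+++ b/pkg/types/scan.go
@@ -3,6 +3,7 @@ package types
 import (
 "slices"
 
+dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
 "github.com/aquasecurity/trivy/pkg/fanal/types"
 )
 
@@ -122,5 +123,5 @@ type ScanOptions struct {
 FilePatterns []string
 IncludeDevDeps bool
 Distro types.OS // Forced OS
-VulnSeveritySrc []string
+VulnSeveritySrc []dbTypes.SourceID
 }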
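Review bot: `VulnSeveritySrc` is the one field in the visible tail of `ScanOptions` whose meaning is not obvious from its type, yet unlike `Distro types.OS // Forced OS` it carries no comment. Given how pkg/vulnerability consumes it — entries are tried in order, the first one with a vendor severity wins, and `auto` hands off to the built-in selection — a comment such as `// Severity sources consulted in order; first match wins, "auto" selects the built-in precedence` would spare readers a trip to `getSeverity`. The struct starts above the hunk.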
13 changes: 6 additions & 7 deletions pkg/vulnerability/vulnerability.go
Expand Up @@ -13,6 +13,7 @@ import (
"github.com/aquasecurity/trivy/pkg/log"
"github.com/aquasecurity/trivy/pkg/types"
"github.com/aquasecurity/trivy/pkg/version/doc"
xstrings "github.com/aquasecurity/trivy/pkg/x/strings"
)

var (
Expand Down Expand Up @@ -67,7 +68,7 @@ func NewClient(dbc db.Operation) Client {
}

// FillInfo fills extra info in vulnerability objects
func (c Client) FillInfo(vulns []types.DetectedVulnerability, vulnSeveritySrc []string) {
func (c Client) FillInfo(vulns []types.DetectedVulnerability, vulnSeveritySrc []dbTypes.SourceID) {
for i := range vulns {
// Add the vulnerability status
// Some vendors such as Red Hat have their own vulnerability status, and we use it.
Expand Down Expand Up @@ -116,21 +117,19 @@ func (c Client) FillInfo(vulns []types.DetectedVulnerability, vulnSeveritySrc []
}
}

func (c Client) getSeverity(vulnID string, vuln *dbTypes.Vulnerability, dataSource dbTypes.DataSource, vulnSeveritySrc []string) (string, dbTypes.SourceID) {
func (c Client) getSeverity(vulnID string, vuln *dbTypes.Vulnerability, dataSource dbTypes.DataSource, vulnSeveritySrc []dbTypes.SourceID) (string, dbTypes.SourceID) {
for _, source := range vulnSeveritySrc {
if source == "auto" {
return c.severityInAutoMode(vulnID, vuln, dataSource)
}

sourceID := dbTypes.SourceID(source)

if severity, ok := vuln.VendorSeverity[sourceID]; ok {
return severity.String(), sourceID
if severity, ok := vuln.VendorSeverity[source]; ok {
return severity.String(), source
}
}
if len(vulnSeveritySrc) != 1 || vulnSeveritySrc[0] != "auto" {
log.Warn("No severity found in specified sources",

I know these logs may be noise, but warnings should be rare occurrences and we should draw the user's attention to each vulnerability.

But we can also show the warning once and use debug logs for each vulnerability:

2025-01-22T15:47:14+06:00       WARN    For one or more vulnerabilities, the severity level is not found in the specified sources
2025-01-22T15:47:14+06:00       DEBUG   No severity found in specified sources  vulnID="CVE-2016-2781" severity sources="alpine,alma"
2025-01-22T15:47:14+06:00       DEBUG   No severity found in specified sources  vulnID="CVE-2022-3219" severity sources="alpine,alma"
2025-01-22T15:47:14+06:00       DEBUG   No severity found in specified sources  vulnID="CVE-2016-20013" severity sources="alpine,alma"
2025-01-22T15:47:14+06:00       DEBUG   No severity found in specified sources  vulnID="CVE-2016-20013" severity sources="alpine,alma"
2025-01-22T15:47:14+06:00       DEBUG   No severity found in specified sources  vulnID="CVE-2024-41996" severity sources="alpine,alma"
2025-01-22T15:47:14+06:00       DEBUG   No severity found in specified sources  vulnID="CVE-2024-56433" severity sources="alpine,alma"
2025-01-22T15:47:14+06:00       DEBUG   No severity found in specified sources  vulnID="CVE-2024-56433" severity sources="alpine,alma"

log.String("vulnID", vulnID), log.String("severity sources", strings.Join(vulnSeveritySrc, ",")))
log.String("vulnID", vulnID), log.String("severity sources", strings.Join(xstrings.ToStringSlice(vulnSeveritySrc), ",")))
}
return dbTypes.SeverityUnknown.String(), ""
}
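Review bot: The guard `if len(vulnSeveritySrc) != 1 || vulnSeveritySrc[0] != "auto"` that precedes the warning in `getSeverity` is always true when reached: any list containing `auto` returns from inside the loop via `severityInAutoMode`, so once control falls out of the loop no element is `auto`, and an empty list (which skips the loop entirely) ends up warning about an empty source string and returning UNKNOWN. Handling the empty case explicitly at the top — `if len(vulnSeveritySrc) == 0 { return c.severityInAutoMode(vulnID, vuln, dataSource) }` — and then warning unconditionally after the loop would be clearer and safer for callers that do not get the server-side default. Now that the element type is `dbTypes.SourceID`, the `"auto"` literal compared here and duplicated in pkg/rpc/server also deserves a single named constant. `FillInfo` continues outside the hunk.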
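--- a/pkg/vulnerability/vulnerability_test.go
+++ b/pkg/vulnerability/vulnerability_test.go
@@ -17,7 +17,7 @@ import (
 func TestClient_FillInfo(t *testing.T) {
 tests := []struct {
 name string
-vulnSeveritySrc []string
+vulnSeveritySrc []dbTypes.SourceID
 fixtures []string
 vulns []types.DetectedVulnerability
 expectedVulnerabilities []types.DetectedVulnerability
@@ -285,7 +285,7 @@ func TestClient_FillInfo(t *testing.T) {
 },
 {
 name: "happy path. Severity got from 'nvd' from VulnSeveritySrc",
-vulnSeveritySrc: []string{
+vulnSeveritySrc: []dbTypes.SourceID{
 "alma",
 "alpine",
 "nvd",
@@ -315,7 +315,7 @@ func TestClient_FillInfo(t *testing.T) {
 },
 {
 name: "happy path. Severity got from 'auto' from VulnSeveritySrc",
-vulnSeveritySrc: []string{
+vulnSeveritySrc: []dbTypes.SourceID{
 "alma",
 "alpine",
 "auto",
@@ -345,7 +345,7 @@ func TestClient_FillInfo(t *testing.T) {
 },
 {
 name: "happy path. Severity didn't find from VulnSeveritySrc",
-vulnSeveritySrc: []string{
+vulnSeveritySrc: []dbTypes.SourceID{
 "alma",
 "alpine",
 },
@@ -395,7 +395,7 @@ func TestClient_FillInfo(t *testing.T) {
 defer db.Close()
 
 c := vuln.NewClient(db.Config{})
-vulnSeveritySrc := []string{
+vulnSeveritySrc := []dbTypes.SourceID{
 "auto",
 }
 if len(tt.vulnSeveritySrc) > 0 {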
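Review bot: The harness at the bottom substitutes `auto` whenever `tt.vulnSeveritySrc` is empty, so the empty-list path through `getSeverity` — the one pkg/rpc/server has to special-case — gets no coverage here. A case that passes the empty list through unchanged, and one with `auto` listed before a source that does carry a vendor severity (to pin that `auto` wins by position rather than by fallback), would lock in the ordering this commit relies on. The test function continues outside the hunk.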