Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(vuln): Add --detection-priority flag for accuracy tuning #7288

Merged
merged 16 commits into from
Aug 2, 2024
Merged

feat(vuln): Add --detection-priority flag for accuracy tuning #7288

merged 16 commits into from
Aug 2, 2024

Conversation

knqyf263
Copy link
Collaborator

@knqyf263 knqyf263 commented Aug 1, 2024
edited
Loading

Description

This PR introduces a new --detection-priority flag to Trivy, allowing users to control the balance between false positives and false negatives in vulnerability detection. This feature enhances Trivy's flexibility in different use cases and risk tolerance levels.

Red Hat UBI 8

--detection-priority precise

$ trivy image registry.access.redhat.com/ubi8/ubi --detection-priority precise --scanners vuln
Result 
2024-08-01T11:16:55+04:00       INFO    [vuln] Vulnerability scanning is enabled
2024-08-01T11:17:02+04:00       INFO    Detected OS     family="redhat" version="8.10"
2024-08-01T11:17:02+04:00       INFO    [redhat] Detecting RHEL/CentOS vulnerabilities...       os_version="8" pkg_num=183
2024-08-01T11:17:02+04:00       INFO    Number of language-specific files       num=0

registry.access.redhat.com/ubi8/ubi (redhat 8.10)
=================================================
Total: 180 (UNKNOWN: 0, LOW: 160, MEDIUM: 20, HIGH: 0, CRITICAL: 0)

--detection-priority comprehensive

$ trivy image registry.access.redhat.com/ubi8/ubi --detection-priority comprehensive --scanners vuln
Result 
2024-08-01T11:18:16+04:00       INFO    [vuln] Vulnerability scanning is enabled
2024-08-01T11:18:23+04:00       INFO    Detected OS     family="redhat" version="8.10"
2024-08-01T11:18:23+04:00       INFO    [redhat] Detecting RHEL/CentOS vulnerabilities...       os_version="8" pkg_num=183
2024-08-01T11:18:23+04:00       INFO    Number of language-specific files       num=1
2024-08-01T11:18:23+04:00       INFO    [python-pkg] Detecting vulnerabilities...

registry.access.redhat.com/ubi8/ubi (redhat 8.10)
=================================================
Total: 180 (UNKNOWN: 0, LOW: 160, MEDIUM: 20, HIGH: 0, CRITICAL: 0)

...

2024-08-01T11:18:23+04:00       INFO    Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Python (python-pkg)
===================
Total: 10 (UNKNOWN: 0, LOW: 0, MEDIUM: 8, HIGH: 2, CRITICAL: 0)

┌───────────────────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬─────────────────────────────────────────────────────────────┐
│        Library        │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                            Title                            │
├───────────────────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ idna (PKG-INFO)       │ CVE-2024-3651  │ MEDIUM   │ fixed  │ 2.5               │ 3.7            │ python-idna: potential DoS via resource consumption via     │
│                       │                │          │        │                   │                │ specially crafted inputs to idna.encode()...                │
│                       │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-3651                   │
├───────────────────────┼────────────────┤          │        ├───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ requests (PKG-INFO)   │ CVE-2023-32681 │          │        │ 2.20.0            │ 2.31.0         │ python-requests: Unintended leak of Proxy-Authorization     │
│                       │                │          │        │                   │                │ header                                                      │
│                       │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-32681                  │
│                       ├────────────────┤          │        │                   ├────────────────┼─────────────────────────────────────────────────────────────┤
│                       │ CVE-2024-35195 │          │        │                   │ 2.32.0         │ requests: subsequent requests to the same host ignore cert  │
│                       │                │          │        │                   │                │ verification                                                │
│                       │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-35195                  │
├───────────────────────┼────────────────┼──────────┤        ├───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ setuptools (METADATA) │ CVE-2022-40897 │ HIGH     │        │ 39.2.0            │ 65.5.1         │ pypa-setuptools: Regular Expression Denial of Service       │
│                       │                │          │        │                   │                │ (ReDoS) in package_index.py                                 │
│                       │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2022-40897                  │
│                       ├────────────────┤          │        │                   ├────────────────┼─────────────────────────────────────────────────────────────┤
│                       │ CVE-2024-6345  │          │        │                   │ 70.0.0         │ pypa/setuptools: Remote code execution via download         │
│                       │                │          │        │                   │                │ functions in the package_index module in...                 │
│                       │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-6345                   │
├───────────────────────┼────────────────┼──────────┤        ├───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ urllib3 (PKG-INFO)    │ CVE-2019-11236 │ MEDIUM   │        │ 1.24.2            │ 1.24.3         │ python-urllib3: CRLF injection due to not encoding the      │
│                       │                │          │        │                   │                │ '\r\n' sequence leading to...                               │
│                       │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2019-11236                  │
│                       ├────────────────┤          │        │                   ├────────────────┼─────────────────────────────────────────────────────────────┤
│                       │ CVE-2020-26137 │          │        │                   │ 1.25.9         │ python-urllib3: CRLF injection via HTTP request method      │
│                       │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2020-26137                  │
│                       ├────────────────┤          │        │                   ├────────────────┼─────────────────────────────────────────────────────────────┤
│                       │ CVE-2023-43804 │          │        │                   │ 2.0.6, 1.26.17 │ python-urllib3: Cookie request header isn't stripped during │
│                       │                │          │        │                   │                │ cross-origin redirects                                      │
│                       │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-43804                  │
│                       ├────────────────┤          │        │                   ├────────────────┼─────────────────────────────────────────────────────────────┤
│                       │ CVE-2023-45803 │          │        │                   │ 2.0.7, 1.26.18 │ urllib3: Request body not stripped after redirect from 303  │
│                       │                │          │        │                   │                │ status changes request...                                   │
│                       │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45803                  │
│                       ├────────────────┤          │        │                   ├────────────────┼─────────────────────────────────────────────────────────────┤
│                       │ CVE-2024-37891 │          │        │                   │ 1.26.19, 2.2.2 │ urllib3: proxy-authorization request header is not stripped │
│                       │                │          │        │                   │                │ during cross-origin redirects                               │
│                       │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-37891                  │
└───────────────────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴─────────────────────────────────────────────────────────────┘

cgr.dev/chainguard/argocd

--detection-priority precise

$ trivy image cgr.dev/chainguard/argocd --detection-priority precise --scanners vuln
Result 
2024-08-01T11:27:12+04:00       INFO    [vuln] Vulnerability scanning is enabled
2024-08-01T11:27:12+04:00       INFO    Detected OS     family="wolfi" version="20230201"
2024-08-01T11:27:12+04:00       INFO    [wolfi] Detecting vulnerabilities...    pkg_num=10
2024-08-01T11:27:12+04:00       INFO    Number of language-specific files       num=0
2024-08-01T11:27:12+04:00       WARN    Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/dev/docs/scanner/vulnerability#severity-selection for details.

cgr.dev/chainguard/argocd (wolfi 20230201)
==========================================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

┌─────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────┐
│       Library       │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                       Title                        │
├─────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────┤
│ argo-cd-2.11        │ CVE-2024-40634 │ HIGH     │ fixed  │ 2.11.5-r0         │ 2.11.6-r0     │ argocd: Unauthenticated Denial of Service (DoS)    │
│                     │                │          │        │                   │               │ Vulnerability via /api/webhook Endpoint in Argo... │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-40634         │
├─────────────────────┤                │          │        │                   │               │                                                    │
│ argo-cd-2.11-compat │                │          │        │                   │               │                                                    │
│                     │                │          │        │                   │               │                                                    │
│                     │                │          │        │                   │               │                                                    │
└─────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────┘

--detection-priority comprehensive

$ trivy image cgr.dev/chainguard/argocd --detection-priority comprehensive --scanners vuln
Result 
2024-08-01T11:27:54+04:00       INFO    [vuln] Vulnerability scanning is enabled
2024-08-01T11:27:54+04:00       INFO    Detected OS     family="wolfi" version="20230201"
2024-08-01T11:27:54+04:00       INFO    [wolfi] Detecting vulnerabilities...    pkg_num=10
2024-08-01T11:27:54+04:00       INFO    Number of language-specific files       num=2
2024-08-01T11:27:54+04:00       INFO    [gobinary] Detecting vulnerabilities...
2024-08-01T11:27:54+04:00       WARN    Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/dev/docs/scanner/vulnerability#severity-selection for details.

cgr.dev/chainguard/argocd (wolfi 20230201)
==========================================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

┌─────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────┐
│       Library       │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                       Title                        │
├─────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────┤
│ argo-cd-2.11        │ CVE-2024-40634 │ HIGH     │ fixed  │ 2.11.5-r0         │ 2.11.6-r0     │ argocd: Unauthenticated Denial of Service (DoS)    │
│                     │                │          │        │                   │               │ Vulnerability via /api/webhook Endpoint in Argo... │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-40634         │
├─────────────────────┤                │          │        │                   │               │                                                    │
│ argo-cd-2.11-compat │                │          │        │                   │               │                                                    │
│                     │                │          │        │                   │               │                                                    │
│                     │                │          │        │                   │               │                                                    │
└─────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────┘

usr/bin/argocd (gobinary)
=========================
Total: 4 (UNKNOWN: 0, LOW: 1, MEDIUM: 2, HIGH: 1, CRITICAL: 0)

┌──────────────────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────┬───────────────────────────────────────────────────────────┐
│                     Library                      │ Vulnerability  │ Severity │ Status │ Installed Version │          Fixed Version           │                           Title                           │
├──────────────────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────┼───────────────────────────────────────────────────────────┤
│ github.com/Azure/azure-sdk-for-go/sdk/azidentity │ CVE-2024-35255 │ MEDIUM   │ fixed  │ v1.1.0            │ 1.6.0                            │ azure-identity: Azure Identity Libraries Elevation of     │
│                                                  │                │          │        │                   │                                  │ Privilege Vulnerability in                                │
│                                                  │                │          │        │                   │                                  │ github.com/Azure/azure-sdk-for-go/sdk/azidentity          │
│                                                  │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2024-35255                │
├──────────────────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼──────────────────────────────────┼───────────────────────────────────────────────────────────┤
│ github.com/argoproj/argo-cd/v2                   │ CVE-2024-40634 │ HIGH     │        │ 2.11.5            │ 2.9.20, 2.10.15, 2.11.6          │ argocd: Unauthenticated Denial of Service (DoS)           │
│                                                  │                │          │        │                   │                                  │ Vulnerability via /api/webhook Endpoint in Argo...        │
│                                                  │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2024-40634                │
├──────────────────────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼──────────────────────────────────┼───────────────────────────────────────────────────────────┤
│ k8s.io/kubernetes                                │ CVE-2024-5321  │ MEDIUM   │        │ v1.26.11          │ 1.27.16, 1.28.12, 1.29.7, 1.30.3 │ kubelet: Incorrect permissions on Windows containers logs │
│                                                  │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2024-5321                 │
│                                                  ├────────────────┼──────────┤        │                   ├──────────────────────────────────┼───────────────────────────────────────────────────────────┤
│                                                  │ CVE-2024-3177  │ LOW      │        │                   │ 1.27.13, 1.29.4, 1.28.9          │ kubernetes: kube-apiserver: bypassing mountable secrets   │
│                                                  │                │          │        │                   │                                  │ policy imposed by the ServiceAccount admission plugin...  │
│                                                  │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2024-3177                 │
└──────────────────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────┴───────────────────────────────────────────────────────────┘

...

Notes

  1. OS packages:

    • When OS vendors provide sufficient advisories (e.g., Red Hat), --detection-priority comprehensive may not significantly increase true positive detections. Newly detected vulnerabilities are likely to be false positives or duplicates of vulnerabilities already detected via OS vendor advisories (see the above example).
    • For cases where OS vendor advisories are insufficient or delayed compared to upstream advisories, the comprehensive mode may detect more relevant vulnerabilities.

  2. Language-specific packages:

    • In cases where exact versions cannot be determined (e.g., version ranges), --detection-priority comprehensive uses the lower bound of version ranges for vulnerability detection. This detects possible vulnerabilities, but may lead to false positives if the actual version used is not at this lower bound.

Key changes

  • Implemented the --detection-priority flag with two modes: precise and comprehensive
  • Added logic to adjust vulnerability detection based on the chosen mode
  • Updated relevant tests to cover the new functionality
  • Added documentation explaining the new flag and its usage

Implementation details

  • precise mode (default): Focuses on reducing false positives, resulting in less noisy vulnerability reports
  • comprehensive mode: Aims to detect more vulnerabilities, potentially including some false positives, for broader coverage
    • Analyze files installed by an OS package manager
    • Use a minimum version of the version ranges
  • Included brief user review considerations for each mode

Terminology

I chose comprehensive instead of coverage for the following reasons:

  1. Clarity of meaning: comprehensive better describes the broader detection approach
  2. Avoiding confusion with the existing Scanning Coverage documentation
  3. Distinction from technical terms: coverage has specific meanings in testing contexts

Related issues

Related PRs

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@knqyf263
feat: add --detection-priority
b173d30 
Signed-off-by: knqyf263 <[email protected]>
@knqyf263
feat(dart): use minimum version only with coverage priority
6746c17 
Signed-off-by: knqyf263 <[email protected]>
@knqyf263
feat: not filter system files in post analysis
c0bee63 
Signed-off-by: knqyf263 <[email protected]>
@knqyf263
feat: deregister post handler for filtering system files
e97ff02 
Signed-off-by: knqyf263 <[email protected]>
@knqyf263
feat: consider detection priority for calculating cache key
b21a66d 
Signed-off-by: knqyf263 <[email protected]>
@knqyf263
test: delete unused arg
b985f50 
Signed-off-by: knqyf263 <[email protected]>
@knqyf263
test: rename flag
ff573bb 
Signed-off-by: knqyf263 <[email protected]>
@knqyf263
test(integration): add a case for coverage priority
6c9985c 
Signed-off-by: knqyf263 <[email protected]>
@knqyf263
docs: add --detection-priority
0fa8f52 
Signed-off-by: knqyf263 <[email protected]>
@knqyf263
feat: rename coverage to comprehensive
41a86ee 
Signed-off-by: knqyf263 <[email protected]>
@knqyf263
docs: auto-generate
aefe131 
Signed-off-by: knqyf263 <[email protected]>
@knqyf263
fix: omitempty
3e79c5c 
Signed-off-by: knqyf263 <[email protected]>
@knqyf263
fix: use disabled handlers
1626611 
Signed-off-by: knqyf263 <[email protected]>
@knqyf263 knqyf263 marked this pull request as ready for review August 1, 2024 09:23
DmitriyLewen
DmitriyLewen reviewed Aug 2, 2024
View reviewed changes
Copy link
Contributor

@DmitriyLewen DmitriyLewen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM
Left a couple of comments.

docs/docs/scanner/vulnerability.md Show resolved Hide resolved
pkg/cache/key_test.go Outdated Show resolved Hide resolved
DmitriyLewen
DmitriyLewen reviewed Aug 2, 2024
View reviewed changes
docs/docs/coverage/language/python.md
| Poetry | poetry.lock | ✓ | Exclude | ✓ | - |
| Package manager | File | Transitive dependencies | Dev dependencies | [Dependency graph][dependency-graph] | Position | [Detection Priority][detection-priority] |
|-----------------|------------------|:-----------------------:|:----------------:|:------------------------------------:|:--------:|:----------------------------------------:|
| pip | requirements.txt | - | Include | - | ✓ | - |
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we can add table for conda environment.yml files (this file list requirements.txt)

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Did we forget to add environment.yaml to the doc?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, I found it under OS. Do you remember why we put it here?
https://aquasecurity.github.io/trivy/v0.54/docs/coverage/os/conda/

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Conda doesn't only contain Python packages.
You can install OS packages.
Conda is thus compilation of package manager (like apt) and pip.

I thought about adding Conda to package managers, but we don't have pages for that.
So we decided to put Conda in OS first.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can install OS packages.

Is there any document about it?

Anyway, I added.
9e8cdb1

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://docs.anaconda.com/working-with-conda/packages/install-packages/#installing-conda-packages

e.g. you can install curl - https://anaconda.org/conda-forge/curl

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have reconsidered this, but my personal definition of "OS packages" is a package distributed by an OS vendor, such as Red Hat and SUSE. Conda is simply building and distributing third-party software, which is different from an operating system. Bitnami does the same and it seems better to create a new category in addition to OS and Language. We should discuss it later.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We just didn't have a suitable category.
But in general we can separate conda + bitnami into a separate category.

docs/docs/coverage/language/java.md Show resolved Hide resolved
DmitriyLewen
DmitriyLewen approved these changes Aug 2, 2024
View reviewed changes
Copy link
Contributor

@DmitriyLewen DmitriyLewen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@knqyf263 knqyf263 added this pull request to the merge queue Aug 2, 2024
Merged via the queue into aquasecurity:main with commit fd8348d Aug 2, 2024
17 checks passed
@knqyf263 knqyf263 deleted the feat/detection_priority branch August 2, 2024 11:02
@aqua-bot aqua-bot mentioned this pull request Aug 2, 2024
Merged
@knqyf263 knqyf263 mentioned this pull request Aug 7, 2024
Closed
10 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@DmitriyLewen DmitriyLewen DmitriyLewen approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add --detection-priority
2 participants
@knqyf263 @DmitriyLewen