Conversation

@simar7 (Member) commented May 2, 2020

Now Trivy will display the CVSS Vectors presented by various
vendors as part of the JSON output. This can be seen as follows:

```
      {
        "VulnerabilityID": "CVE-2019-9923",
        "PkgName": "tar",
        "InstalledVersion": "1.30+dfsg-6",
        "Layer": {
          "Digest": "sha256:90fe46dd819953eb995f9cc9c326130abe9dd0b3993a998e12c01d0218a0b831",
          "DiffID": "sha256:e40d297cf5f89a9822af4c2f63caa2f2085d5aa188137506918e603774b083cb"
        },
        "SeveritySource": "debian",
        "Title": "tar: null-pointer dereference in pax_decode_header in sparse.c",
        "Description": "pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers.",
        "Severity": "LOW",
        "VendorVectors": {
          "nvd": {
            "v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
          },
          "redhat": {
            "v3": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"
          }
        },
        "References": [
          "http://git.savannah.gnu.org/cgit/tar.git/commit/?id=cb07844454d8cc9fb21f53ace75975f91185a120",
          "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00077.html",
          "http://savannah.gnu.org/bugs/?55369",
          "https://bugs.launchpad.net/ubuntu/+source/tar/+bug/1810241"
        ]
      },
```

Signed-off-by: Simarpreet Singh <[email protected]>

@simar7 simar7 requested a review from knqyf263 May 2, 2020 02:27
@simar7 simar7 self-assigned this May 2, 2020

@knqyf263 (Collaborator) left a comment

LGTM! Please note that we have to update trivy-db by `go get -u` 😉

@knqyf263 (Collaborator) commented

I haven't looked into the error deeply yet, but it looks like testcontainers is failing to run a container.

@simar7 simar7 merged commit a57c27e into master May 21, 2020
@simar7 simar7 deleted the cvss-vectors branch May 21, 2020 21:22
@mozillazg (Contributor) commented May 24, 2020

Thanks for your work! Is there any reason why VendorVectors doesn't include score info? And how can I get the vendor score based on the v2 or v3 vector in a fast/easy way? Thanks!

@simar7 (Member, Author) commented May 26, 2020

> Thanks for your work! Is there any reason why VendorVectors doesn't include score info? And how can I get the vendor score based on the v2 or v3 vector in a fast/easy way? Thanks!

@mozillazg you can use it like the following:

```
$ trivy image --format=json alpine:3.10.4
[...output snipped...]
        "VendorVectors": {
          "nvd": {
            "v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
          },
          "redhat": {
            "v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
          }
        },
[...output snipped...]
```

@mozillazg (Contributor) commented May 26, 2020

@simar7 Sorry for my bad English 😂, I mean: why doesn't the result of VendorVectors include the score, like this (as suggested in #92 (comment); it is necessary so that users don't have to calculate it themselves):

```
[...output snipped...]
        "VendorVectors": {
          "nvd": {
            "v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "v2Score": 7.5,   // score result
            "v3Score": 9.8    // score result
          },
        },
[...output snipped...]
```

or

```
[...output snipped...]
        "VendorVectors": {
          "nvd": {
            "v2": {
               "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
               "score": 7.5   // score result
            },
            "v3": {
               "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
               "score": 9.8  // score result
            }
          },
        },
[...output snipped...]
```

@simar7 (Member, Author) commented May 27, 2020

> @simar7 Sorry for my bad English 😂, I mean: why doesn't the result of VendorVectors include the score, like this (as suggested in #92 (comment); it is necessary so that users don't have to calculate it themselves):
>
> ```
> [...output snipped...]
>         "VendorVectors": {
>           "nvd": {
>             "v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
>             "v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
>             "v2Score": 7.5,   // score result
>             "v3Score": 9.8    // score result
>           },
>         },
> [...output snipped...]
> ```
>
> or
>
> ```
> [...output snipped...]
>         "VendorVectors": {
>           "nvd": {
>             "v2": {
>                "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
>                "score": 7.5   // score result
>             },
>             "v3": {
>                "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
>                "score": 9.8  // score result
>             }
>           },
>         },
> [...output snipped...]
> ```

Sorry, I see your point now. Yes, we're adding it here: aquasecurity/trivy-db#48
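The question raised above is how to get a score from a vendor's v2 or v3 vector while the output only carries the vector string. The following is an added example written for this page, not code from Trivy or trivy-db: it implements the base-score equations from the FIRST CVSS v2 and v3.1 specifications in Go, so that the vectors quoted in this thread can be scored offline. The names `parseVector`, `BaseScoreV2` and `BaseScoreV3` are this example's own; the metric weights and formulas are the published ones.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// Metric weights from the FIRST CVSS v2 and v3.1 specifications (v3.0 uses the same values).
var (
	v3AV  = map[string]float64{"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
	v3AC  = map[string]float64{"L": 0.77, "H": 0.44}
	v3UI  = map[string]float64{"N": 0.85, "R": 0.62}
	v3CIA = map[string]float64{"H": 0.56, "L": 0.22, "N": 0}
	v3S   = map[string]float64{"U": 0, "C": 1}
	// PR weights depend on scope: index false = unchanged, true = changed.
	v3PR  = map[bool]map[string]float64{false: {"N": 0.85, "L": 0.62, "H": 0.27}, true: {"N": 0.85, "L": 0.68, "H": 0.5}}
	v2AV  = map[string]float64{"L": 0.395, "A": 0.646, "N": 1.0}
	v2AC  = map[string]float64{"H": 0.35, "M": 0.61, "L": 0.71}
	v2Au  = map[string]float64{"M": 0.45, "S": 0.56, "N": 0.704}
	v2CIA = map[string]float64{"N": 0, "P": 0.275, "C": 0.660}
)

// vector is a parsed "K:V/K:V/..." string; err records the first bad metric lookup.
type vector struct {
	m   map[string]string
	err error
}

// parseVector splits the string into metrics; a v3 "CVSS:3.x" label lands under key "CVSS".
func parseVector(vec string) *vector {
	v := &vector{m: map[string]string{}}
	for _, part := range strings.Split(vec, "/") {
		if kv := strings.SplitN(part, ":", 2); len(kv) == 2 {
			v.m[kv[0]] = kv[1]
		}
	}
	return v
}

// get maps a metric letter to its weight; an unknown or missing value is remembered as an error.
func (v *vector) get(key string, table map[string]float64) float64 {
	w, ok := table[v.m[key]]
	if !ok && v.err == nil {
		v.err = fmt.Errorf("metric %s: unknown or missing value %q", key, v.m[key])
	}
	return w
}

// roundUp is the v3.1 Roundup(): one decimal, rounding up, via the spec's integer arithmetic.
func roundUp(x float64) float64 {
	i := int64(math.Round(x * 100000))
	if i%10000 == 0 {
		return float64(i) / 100000
	}
	return (math.Floor(float64(i)/10000) + 1) / 10
}

// BaseScoreV3 computes the CVSS v3.0/v3.1 base score of a vector such as "CVSS:3.1/AV:N/...".
func BaseScoreV3(vec string) (float64, error) {
	v := parseVector(vec)
	if ver := v.m["CVSS"]; ver != "3.0" && ver != "3.1" {
		return 0, fmt.Errorf("unsupported CVSS version %q", ver)
	}
	changed := v.get("S", v3S) == 1
	iss := 1 - (1-v.get("C", v3CIA))*(1-v.get("I", v3CIA))*(1-v.get("A", v3CIA))
	impact := 6.42 * iss
	if changed {
		impact = 7.52*(iss-0.029) - 3.25*math.Pow(iss-0.02, 15)
	}
	expl := 8.22 * v.get("AV", v3AV) * v.get("AC", v3AC) * v.get("PR", v3PR[changed]) * v.get("UI", v3UI)
	if v.err != nil {
		return 0, v.err
	}
	if impact <= 0 {
		return 0, nil
	}
	if changed {
		return roundUp(math.Min(1.08*(impact+expl), 10)), nil
	}
	return roundUp(math.Min(impact+expl, 10)), nil
}

// BaseScoreV2 computes the CVSS v2 base score of a vector such as "AV:N/AC:L/Au:N/C:N/I:N/A:P".
func BaseScoreV2(vec string) (float64, error) {
	v := parseVector(vec)
	impact := 10.41 * (1 - (1-v.get("C", v2CIA))*(1-v.get("I", v2CIA))*(1-v.get("A", v2CIA)))
	expl := 20 * v.get("AV", v2AV) * v.get("AC", v2AC) * v.get("Au", v2Au)
	if v.err != nil {
		return 0, v.err
	}
	f := 1.176 // f(Impact) from the spec: 0 when the vector has no impact at all
	if impact == 0 {
		f = 0
	}
	return math.Round((0.6*impact+0.4*expl-1.5)*f*10) / 10, nil
}
```

Run against the vectors in the PR description, `BaseScoreV3` returns 7.5 for NVD's `CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` and 3.3 for Red Hat's `CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L`, and `BaseScoreV2` returns 5.0 for `AV:N/AC:L/Au:N/C:N/I:N/A:P`. The base score is a pure function of the vector, which is why carrying each vendor's vector is enough to recompute it; the gap between the two v3 scores for the same CVE is the vendor disagreement that `SeveritySource` exists to make explicit. One caveat: v3.0 defines Roundup as a plain ceiling to one decimal, while the example applies the v3.1 integer-arithmetic version to both labels; the two only diverge in floating-point edge cases.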

GuaoGuao pushed a commit to GuaoGuao/trivy that referenced this pull request Jun 24, 2020
* vulnerability: Add CVSS Vectors to JSON output.

Now Trivy will display the CVSS Vectors presented by various
vendors as part of the JSON output. This can be seen as follows:

```
      {
        "VulnerabilityID": "CVE-2019-9923",
        "PkgName": "tar",
        "InstalledVersion": "1.30+dfsg-6",
        "Layer": {
          "Digest": "sha256:90fe46dd819953eb995f9cc9c326130abe9dd0b3993a998e12c01d0218a0b831",
          "DiffID": "sha256:e40d297cf5f89a9822af4c2f63caa2f2085d5aa188137506918e603774b083cb"
        },
        "SeveritySource": "debian",
        "Title": "tar: null-pointer dereference in pax_decode_header in sparse.c",
        "Description": "pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers.",
        "Severity": "LOW",
        "VendorVectors": {
          "nvd": {
            "v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
          },
          "redhat": {
            "v3": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"
          }
        },
        "References": [
          "http://git.savannah.gnu.org/cgit/tar.git/commit/?id=cb07844454d8cc9fb21f53ace75975f91185a120",
          "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00077.html",
          "http://savannah.gnu.org/bugs/?55369",
          "https://bugs.launchpad.net/ubuntu/+source/tar/+bug/1810241"
        ]
      },
```

Signed-off-by: Simarpreet Singh <[email protected]>

* mod: Update to latest master of trivy-db

Signed-off-by: Simarpreet Singh <[email protected]>

* vulnerability_test: Fix tests for new struct type

Signed-off-by: Simarpreet Singh <[email protected]>
liamg pushed a commit that referenced this pull request Jun 7, 2022
josedonizetti pushed a commit to josedonizetti/trivy that referenced this pull request Jun 24, 2022