BREAKING: add new classes for vulnerabilities (#2541)
knqyf263 authored Jul 31, 2022
1 parent 3cd88ab commit f396c67
Showing 51 changed files with 332 additions and 214 deletions.
19 changes: 18 additions & 1 deletion docs/docs/sbom/cyclonedx.md
Expand Up @@ -6,8 +6,16 @@ Note that XML format is not supported at the moment.

You can use the regular subcommands (like `image`, `fs` and `rootfs`) and specify `cyclonedx` with the `--format` option.

CycloneDX can represent either or both SBOM or BOV.

- [Software Bill of Materials (SBOM)][sbom]
- [Bill of Vulnerabilities (BOV)][bov]

By default, `--format cyclonedx` represents SBOM and doesn't include vulnerabilities in the CycloneDX output.

```
$ trivy image --format cyclonedx --output result.json alpine:3.15
2022-07-19T07:47:27.624Z INFO "--format cyclonedx" disables security checks. Specify "--security-checks vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.
```

<details>
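Review bot: the sentence "CycloneDX can represent either or both SBOM or BOV." is ungrammatical; suggest "CycloneDX can represent an SBOM, a BOV, or both." Also, the only place this hunk tells the reader that `--format cyclonedx` disables vulnerability scanning is the INFO line buried in the command output; stating it in the prose right after "By default, `--format cyclonedx` represents SBOM and doesn't include vulnerabilities" (e.g. "security checks are disabled unless `--security-checks vuln` is passed") keeps it from being missed.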
Expand Down Expand Up @@ -231,6 +239,12 @@ $ cat result.json | jq .

</details>

If you want to include vulnerabilities, you can enable vulnerability scanning via `--security-checks vuln`.

```
$ trivy image --security-checks vuln --format cyclonedx --output result.json alpine:3.15
```

## Scanning
Trivy can take CycloneDX as an input and scan for vulnerabilities.
To scan SBOM, you can use the `sbom` subcommand and pass the path to your CycloneDX report.
Expand Down Expand Up @@ -258,5 +272,8 @@ Total: 3 (CRITICAL: 3)

!!! note
If you want to generate a CycloneDX report from a CycloneDX input, please be aware that the output stores references to your original CycloneDX report and contains only detected vulnerabilities, not components.
The report is called [BOV][bov].

[cyclonedx]: https://cyclonedx.org/
[cyclonedx]: https://cyclonedx.org/
[sbom]: https://cyclonedx.org/capabilities/sbom/
[bov]: https://cyclonedx.org/capabilities/bov/
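Review bot: two consecutive `[cyclonedx]: https://cyclonedx.org/` reference definitions appear at the end of the file. If one of them is the single deletion counted for this file (the old line re-added with a trailing newline), the rendered view is just showing old and new copies; if both survive in the file, drop one, since a duplicated reference definition is noise.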
3 changes: 2 additions & 1 deletion docs/docs/sbom/index.md
Expand Up @@ -9,9 +9,10 @@ Trivy can generate the following SBOM formats.
To generate SBOM, you can use the `--format` option for each subcommand such as `image` and `fs`.

```
$ trivy image --format cyclonedx --output result.json alpine:3.15
$ trivy image --format spdx-json --output result.json alpine:3.15
```


```
$ trivy fs --format cyclonedx --output result.json /app/myproject
```
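Review bot: style point, two blank lines now separate the `cyclonedx`/`spdx-json` block from the `fs` example; one is enough.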
2 changes: 1 addition & 1 deletion integration/testdata/almalinux-8.json.golden
Expand Up @@ -48,7 +48,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/almalinux-8.tar.gz (alma 8.5)",
"Class": "os-pkgs",
"Class": "vuln-os-pkgs",
"Type": "alma",
"Vulnerabilities": [
{
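Review bot: renaming `Class` from `os-pkgs` to `vuln-os-pkgs` (and `lang-pkgs` to `vuln-lang-pkgs` in the later golden files) changes a value that consumers of the JSON report filter on, so anything selecting results by `"Class": "os-pkgs"` will silently match nothing after upgrading. The commit subject flags this as BREAKING; make sure the documented list of `Class` values and the release notes are updated in the same change, not only the golden files.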
2 changes: 1 addition & 1 deletion integration/testdata/alpine-310-registry.json.golden
Expand Up @@ -56,7 +56,7 @@
"Results": [
{
"Target": "localhost:63577/alpine:3.10 (alpine 3.10.2)",
"Class": "os-pkgs",
"Class": "vuln-os-pkgs",
"Type": "alpine",
"Vulnerabilities": [
{
2 changes: 1 addition & 1 deletion integration/testdata/alpine-310.json.golden
Expand Up @@ -50,7 +50,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
"Class": "os-pkgs",
"Class": "vuln-os-pkgs",
"Type": "alpine",
"Vulnerabilities": [
{
2 changes: 1 addition & 1 deletion integration/testdata/alpine-39-high-critical.json.golden
Expand Up @@ -50,7 +50,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/alpine-39.tar.gz (alpine 3.9.4)",
"Class": "os-pkgs",
"Class": "vuln-os-pkgs",
"Type": "alpine",
"Vulnerabilities": [
{
2 changes: 1 addition & 1 deletion integration/testdata/alpine-39-ignore-cveids.json.golden
Expand Up @@ -50,7 +50,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/alpine-39.tar.gz (alpine 3.9.4)",
"Class": "os-pkgs",
"Class": "vuln-os-pkgs",
"Type": "alpine",
"Vulnerabilities": [
{
2 changes: 1 addition & 1 deletion integration/testdata/alpine-39.json.golden
Expand Up @@ -50,7 +50,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/alpine-39.tar.gz (alpine 3.9.4)",
"Class": "os-pkgs",
"Class": "vuln-os-pkgs",
"Type": "alpine",
"Vulnerabilities": [
{
2 changes: 1 addition & 1 deletion integration/testdata/alpine-distroless.json.golden
Expand Up @@ -45,7 +45,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/alpine-distroless.tar.gz (alpine 3.16)",
"Class": "os-pkgs",
"Class": "vuln-os-pkgs",
"Type": "alpine",
"Vulnerabilities": [
{
2 changes: 1 addition & 1 deletion integration/testdata/amazon-1.json.golden
Expand Up @@ -49,7 +49,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/amazon-1.tar.gz (amazon AMI release 2018.03)",
"Class": "os-pkgs",
"Class": "vuln-os-pkgs",
"Type": "amazon",
"Vulnerabilities": [
{
2 changes: 1 addition & 1 deletion integration/testdata/amazon-2.json.golden
Expand Up @@ -49,7 +49,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/amazon-2.tar.gz (amazon 2 (Karoo))",
"Class": "os-pkgs",
"Class": "vuln-os-pkgs",
"Type": "amazon",
"Vulnerabilities": [
{
2 changes: 1 addition & 1 deletion integration/testdata/busybox-with-lockfile.json.golden
Expand Up @@ -49,7 +49,7 @@
"Results": [
{
"Target": "Cargo.lock",
"Class": "lang-pkgs",
"Class": "vuln-lang-pkgs",
"Type": "cargo",
"Vulnerabilities": [
{
2 changes: 1 addition & 1 deletion integration/testdata/centos-6.json.golden
Expand Up @@ -71,7 +71,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/centos-6.tar.gz (centos 6.10)",
"Class": "os-pkgs",
"Class": "vuln-os-pkgs",
"Type": "centos",
"Vulnerabilities": [
{
2 changes: 1 addition & 1 deletion integration/testdata/centos-7-ignore-unfixed.json.golden
Expand Up @@ -61,7 +61,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/centos-7.tar.gz (centos 7.6.1810)",
"Class": "os-pkgs",
"Class": "vuln-os-pkgs",
"Type": "centos",
"Vulnerabilities": [
{
2 changes: 1 addition & 1 deletion integration/testdata/centos-7-medium.json.golden
Expand Up @@ -61,7 +61,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/centos-7.tar.gz (centos 7.6.1810)",
"Class": "os-pkgs",
"Class": "vuln-os-pkgs",
"Type": "centos",
"Vulnerabilities": [
{
2 changes: 1 addition & 1 deletion integration/testdata/centos-7.json.golden
Expand Up @@ -61,7 +61,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/centos-7.tar.gz (centos 7.6.1810)",
"Class": "os-pkgs",
"Class": "vuln-os-pkgs",
"Type": "centos",
"Vulnerabilities": [
{
Expand Up @@ -49,7 +49,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/debian-buster.tar.gz (debian 10.1)",
"Class": "os-pkgs",
"Class": "vuln-os-pkgs",
"Type": "debian",
"Vulnerabilities": [
{
2 changes: 1 addition & 1 deletion integration/testdata/debian-buster.json.golden
Expand Up @@ -49,7 +49,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/debian-buster.tar.gz (debian 10.1)",
"Class": "os-pkgs",
"Class": "vuln-os-pkgs",
"Type": "debian",
"Vulnerabilities": [
{
4 changes: 2 additions & 2 deletions integration/testdata/debian-stretch.json.golden
Expand Up @@ -6,7 +6,7 @@
"OS": {
"Family": "debian",
"Name": "9.9",
"Eosl": true
"EOSL": true
},
"ImageID": "sha256:f26939cc87ef44a6fc554eedd0a976ab30b5bc2769d65d2e986b6c5f1fd4053d",
"DiffIDs": [
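Review bot: `"Eosl": true` becoming `"EOSL": true` is a JSON key rename inside the `OS` block, not a class rename, and the commit subject does not mention it. A consumer reading `OS.Eosl` gets a missing key rather than an error after this change, so it belongs in the breaking-change notes alongside the new `Class` values.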
Expand Down Expand Up @@ -50,7 +50,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/debian-stretch.tar.gz (debian 9.9)",
"Class": "os-pkgs",
"Class": "vuln-os-pkgs",
"Type": "debian",
"Vulnerabilities": [
{
4 changes: 2 additions & 2 deletions integration/testdata/distroless-base.json.golden
Expand Up @@ -6,7 +6,7 @@
"OS": {
"Family": "debian",
"Name": "9.9",
"Eosl": true
"EOSL": true
},
"ImageID": "sha256:7f04a8d247173b1f2546d22913af637bbab4e7411e00ae6207da8d94c445750d",
"DiffIDs": [
Expand Down Expand Up @@ -48,7 +48,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/distroless-base.tar.gz (debian 9.9)",
"Class": "os-pkgs",
"Class": "vuln-os-pkgs",
"Type": "debian",
"Vulnerabilities": [
{
4 changes: 2 additions & 2 deletions integration/testdata/distroless-python27.json.golden
Expand Up @@ -6,7 +6,7 @@
"OS": {
"Family": "debian",
"Name": "9.9",
"Eosl": true
"EOSL": true
},
"ImageID": "sha256:6fcac2cc8a710f21577b5bbd534e0bfc841c0cca569b57182ba19054696cddda",
"DiffIDs": [
Expand Down Expand Up @@ -65,7 +65,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/distroless-python27.tar.gz (debian 9.9)",
"Class": "os-pkgs",
"Class": "vuln-os-pkgs",
"Type": "debian",
"Vulnerabilities": [
{
4 changes: 2 additions & 2 deletions integration/testdata/fluentd-gems.json.golden
Expand Up @@ -102,7 +102,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/fluentd-multiple-lockfiles.tar.gz (debian 10.2)",
"Class": "os-pkgs",
"Class": "vuln-os-pkgs",
"Type": "debian",
"Vulnerabilities": [
{
Expand Down Expand Up @@ -165,7 +165,7 @@
},
{
"Target": "Ruby",
"Class": "lang-pkgs",
"Class": "vuln-lang-pkgs",
"Type": "gemspec",
"Vulnerabilities": [
{
6 changes: 3 additions & 3 deletions integration/testdata/gomod.json.golden
Expand Up @@ -17,7 +17,7 @@
"Results": [
{
"Target": "go.mod",
"Class": "lang-pkgs",
"Class": "vuln-lang-pkgs",
"Type": "gomod",
"Vulnerabilities": [
{
Expand Down Expand Up @@ -103,7 +103,7 @@
},
{
"Target": "submod/go.mod",
"Class": "lang-pkgs",
"Class": "vuln-lang-pkgs",
"Type": "gomod",
"Vulnerabilities": [
{
Expand Down Expand Up @@ -131,7 +131,7 @@
},
{
"Target": "submod2/go.mod",
"Class": "lang-pkgs",
"Class": "vuln-lang-pkgs",
"Type": "gomod",
"Vulnerabilities": [
{
2 changes: 1 addition & 1 deletion integration/testdata/mariner-1.0.json.golden
Expand Up @@ -34,7 +34,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/mariner-1.0.tar.gz (cbl-mariner 1.0.20220122)",
"Class": "os-pkgs",
"Class": "vuln-os-pkgs",
"Type": "cbl-mariner",
"Vulnerabilities": [
{
2 changes: 1 addition & 1 deletion integration/testdata/nodejs.json.golden
Expand Up @@ -17,7 +17,7 @@
"Results": [
{
"Target": "package-lock.json",
"Class": "lang-pkgs",
"Class": "vuln-lang-pkgs",
"Type": "npm",
"Vulnerabilities": [
{
2 changes: 1 addition & 1 deletion integration/testdata/opensuse-leap-151.json.golden
Expand Up @@ -57,7 +57,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/opensuse-leap-151.tar.gz (opensuse.leap 15.1)",
"Class": "os-pkgs",
"Class": "vuln-os-pkgs",
"Type": "opensuse.leap",
"Vulnerabilities": [
{
2 changes: 1 addition & 1 deletion integration/testdata/oraclelinux-8.json.golden
Expand Up @@ -58,7 +58,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/oraclelinux-8.tar.gz (oracle 8.0)",
"Class": "os-pkgs",
"Class": "vuln-os-pkgs",
"Type": "oracle",
"Vulnerabilities": [
{
2 changes: 1 addition & 1 deletion integration/testdata/photon-30.json.golden
Expand Up @@ -59,7 +59,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/photon-30.tar.gz (photon 3.0)",
"Class": "os-pkgs",
"Class": "vuln-os-pkgs",
"Type": "photon",
"Vulnerabilities": [
{
7 changes: 6 additions & 1 deletion integration/testdata/pip.json.golden
Expand Up @@ -55,7 +55,12 @@
"Version": "2.0.0",
"Layer": {}
}
],
]
},
{
"Target": "requirements.txt",
"Class": "vuln-lang-pkgs",
"Type": "pip",
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2019-14806",
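Review bot: the `requirements.txt` target is now reported as two results: the one whose array of `Version`/`Layer` entries closes just above keeps the package list, and a new result with `"Class": "vuln-lang-pkgs"` carries the `Vulnerabilities`. Consumers that keyed results by `Target` alone will now see duplicate targets; worth checking that the package-list result keeps a distinct `Class` so the two can be told apart, and that `Packages` is not duplicated into the new entry.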
2 changes: 1 addition & 1 deletion integration/testdata/pnpm.json.golden
Expand Up @@ -5,7 +5,7 @@
"Results": [
{
"Target": "pnpm-lock.yaml",
"Class": "lang-pkgs",
"Class": "vuln-lang-pkgs",
"Type": "pnpm",
"Vulnerabilities": [
{
2 changes: 1 addition & 1 deletion integration/testdata/pom.json.golden
Expand Up @@ -17,7 +17,7 @@
"Results": [
{
"Target": "pom.xml",
"Class": "lang-pkgs",
"Class": "vuln-lang-pkgs",
"Type": "pom",
"Vulnerabilities": [
{
7 changes: 1 addition & 6 deletions integration/testdata/rockylinux-8.json.golden
Expand Up @@ -48,7 +48,7 @@
"Results": [
{
"Target": "testdata/fixtures/images/rockylinux-8.tar.gz (rocky 8.5)",
"Class": "os-pkgs",
"Class": "vuln-os-pkgs",
"Type": "rocky",
"Vulnerabilities": [
{
Expand Down Expand Up @@ -118,11 +118,6 @@
"LastModifiedDate": "2022-01-06T09:15:00Z"
}
]
},
{
"Target": "Python",
"Class": "lang-pkgs",
"Type": "python-pkg"
}
]
}
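Review bot: the removed `Python` / `lang-pkgs` / `python-pkg` result carried neither `Vulnerabilities` nor `Packages`, so dropping it is consistent with only emitting results that have findings. Confirm that this is intended filtering of empty results rather than Python package detection for this image being lost, and that the empty-result case is still exercised by another golden file.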