Comments (6)
mattlorimor
commented on May 18, 2024
3
I'm not sure if this is the correct place to make this request or whether it should be a separate issue, but it looks like it's pretty closely related and could be added or discussed while this is worked on.
It would be nice if the JSON output contained the vendor score, the CVSSv3 score/vector (if available), and the CVSSv2 score/vector (if available).
I'm bringing this up simply to make some downstream processes for some users more streamlined. Compliance frameworks such as FedRAMP strictly define how programs should rate CVEs in their environments:
Common Vulnerability Scoring System (CVSS) Risk Scoring: For any vulnerability with a CVSSv3
base score assigned in the latest version of the NVD, the CVSSv3 base score must be used as the
original risk rating. If no CVSSv3 score is available, a CVSSv2 base score is acceptable where
available. If no CVSS score is available, the native scanner base risk score can be used.
Technically this would probably fall under:
If no CVSS score is available, the native scanner base risk score can be used.
However, the unmodified CVSSv3 score is what programs like FedRAMP want for an original risk rating. It wouldn't, where possible, want the original risk rating overridden by the vendor. Including the raw CVSS data that is available in the JSON output would allow programs using Trivy to more easily follow the steps in the rubric quoted above.
For example, seeing something like this:
[
{
"Target": "alpine:3.7 (alpine 3.7.3)",
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2019-14697",
"PkgName": "musl",
"InstalledVersion": "1.1.18-r3",
"FixedVersion": "1.1.18-r4",
"Layer": {
"Digest": "sha256:5d20c808ce198565ff70b3ed23a991dd49afac45dece63474b27ce6ed036adc6",
"DiffID": "sha256:3fc64803ca2de7279269048fe2b8b3c73d4536448c87c32375b2639ac168a48b"
},
"Severity": "HIGH"
}
]
}
]instead output as:
[
{
"Target": "alpine:3.7 (alpine 3.7.3)",
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2019-14697",
"PkgName": "musl",
"InstalledVersion": "1.1.18-r3",
"FixedVersion": "1.1.18-r4",
"Layer": {
"Digest": "sha256:5d20c808ce198565ff70b3ed23a991dd49afac45dece63474b27ce6ed036adc6",
"DiffID": "sha256:3fc64803ca2de7279269048fe2b8b3c73d4536448c87c32375b2639ac168a48b"
},
"Severity": "HIGH",
"CVSSv3Score": "9.8",
"CVSSv3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"CVSSv2Score": "7.5",
"CVSSv2Vector": "(AV:N/AC:L/Au:N/C:P/I:P/A:P)"
}
]
}
]All that said, adding just the CVSS vector would be an improvement since the score should be able to be calculated from that.
from trivy.
jnsgruk
commented on May 18, 2024
Would also love to see this, have written a hacky workaround in the mean time which works pretty well in a CI pipeline :) https://github.com/jnsgruk/trivy-cvss-tools
from trivy.
lizrice
commented on May 18, 2024
Full database should include CVSS v2 and v3, vectors & scores, from NVD and from appropriate vendor
from trivy.
knqyf263
commented on May 18, 2024
@simar7 Would you work on it?
from trivy.
lizrice
commented on May 18, 2024
Agreed, the score should be present as well as the vector
from trivy.
knqyf263
commented on May 18, 2024
CVSS score/vector were added at v0.9.2
from trivy.
Related Issues (20)
- feat(pom.xml): parse `maven-metadata.xml` files for snapshot repositories.
- feat(pnpm): add support of Lockfile v9 HOT 3
- bug(misconf): eval_conflict_error in AVD-DS-0017 HOT 7
- fix(misconf): split docker commands by semicolon
- bug(misconf) Terraform module: "Failed to load module "improper constraint:"
- The InstalledFile of dpkg package should exclude directories HOT 1
- feat(misconf): Support symlinks inside of tar archives
- perf(misconf): High memory usage (9.5 GB) and long scan time (45 min) on some repos HOT 6
- --node-collector-namespace: Do not delete existing namespace HOT 1
- feat(conda): detect dependencies from environment.yml
- feat(conda): detect licenses for environment.yml
- Dependency tree HOT 2
- "Multiple types of OS packages in SBOM are not supported (["rpm" "deb"])" HOT 1
- node-collector: collect multi platform and multi cis-specs Node information
- bug(misconf): terraform local cache is ignored
- bug: Image scanning panics when using certain combination of options HOT 3
- feat(checks): Add support for deprecating checks HOT 1
- Trivy 0.51.0 rootfs scan throwing FATAL during vuln scan on root directory
- --image-config-scanners documentation parameter is incorrect
- feat: plugin Index HOT 13
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from trivy.