-
Notifications
You must be signed in to change notification settings - Fork 2.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
refactor: add warning if severity not from vendor (or NVD or GH) is used #6726
refactor: add warning if severity not from vendor (or NVD or GH) is used #6726
Conversation
pkg/vulnerability/vulnerability.go
Outdated
@@ -130,6 +130,7 @@ func (c Client) getVendorSeverity(vulnID string, vuln *dbTypes.Vulnerability, so | |||
return dbTypes.SeverityUnknown.String(), "" | |||
} | |||
|
|||
log.Warn("Vendor and NVD don't have severity level. Severity from another vendor is used (see `VendorSeverity` in `json` format).", log.String("CVE", vulnID)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's not necessarily CVE-ID.
log.Warn("Vendor and NVD don't have severity level. Severity from another vendor is used (see `VendorSeverity` in `json` format).", log.String("CVE", vulnID)) | |
log.Warn("Vendor and NVD don't have severity level. Severity from another vendor is used (see `VendorSeverity` in `json` format).", log.String("vulnerability-id", vulnID)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Vendor
is unclear. We may want to show the source (dbTypes.SourceID).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I thought about this, but there is 1 problem with this.
We fill severity
filed in trivy-db
:
https://github.com/aquasecurity/trivy-db/blob/b8fe1376ffcdc69fe454f0a8a481ab485e47aea5/pkg/vulnsrc/vulnerability/vulnerability.go#L92-L108
Therefore, we don't have info about vendor for this severity.
We can only check vendorSeverity
and detect vendor with same severity.
But if 2 vendors use this severity, we may make mistake in our choice
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I mean, we should say "Debian and NVD don't have severity" when scanning a Debian image and "Ubuntu and NVD don't have severity" when scanning an Ubuntu image. We need to consider what should be displayed with language-specific packages, though.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Co-authored-by: Teppei Fukuda <[email protected]>
…ndor-severity-missing-log
pkg/vulnerability/vulnerability.go
Outdated
@@ -130,6 +129,7 @@ func (c Client) getVendorSeverity(vulnID string, vuln *dbTypes.Vulnerability, so | |||
return dbTypes.SeverityUnknown.String(), "" | |||
} | |||
|
|||
log.Warn(fmt.Sprintf("%q and \"NVD\" don't have severity level. Severity from another vendor is used (see `VendorSeverity` in `json` format).", dataSource.Name), log.String("vulnerability-id", vulnID)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Don't we need sync.Once
to prevent from showing the same messages many times?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we should show each vulnerability with non-vendor (non-nvd) severity.
It will be difficult (and possibly manual) for user to detect vulnerabilities with inappropriate severity levels if we simply say that some vulnerabilities use different severity levels.
As another way, we can save all these vulnerabilities and insert this list into one warning.
wdyt?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
But if there are 100 vulnerabilities, we possibly show 100 warn messages, right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
right. but I hope we don't get 100 vulnerabilities
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think 100 vulns are so many. I saw environments with 500 vulns or even more than 1000 vulns.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Okay, let's use once
. We can always update this - if users require it.
Update in b23527d
pkg/vulnerability/vulnerability.go
Outdated
// Show warning if we use severity from another vendor | ||
// cf. https://github.com/aquasecurity/trivy/issues/6714 | ||
var onceWarn = sync.OnceFunc(func() { | ||
log.Warn("For some vulnerabilities, severities from other vendors were used because their data sources and NVD don't contain severities. You can view severity list from vendors in `json` format in `VendorSeverity` field.") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
After reading the message, I feel like it's still unclear for users. We may want to update the document and add a link in the warning message, like "For details, read https://aquasecurity.github.io/trivy/latest/docs/scanner/vulnerability/#severity-selection." What do you think?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have a couple of ideas that we can add. I will update docs and write to you.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ec412a3
wdyt?
Signed-off-by: knqyf263 <[email protected]>
Signed-off-by: knqyf263 <[email protected]>
Signed-off-by: knqyf263 <[email protected]>
Description
See #6714 (comment)
Example:
![изображение](https://private-user-images.githubusercontent.com/91113035/334751325-540ffdda-6e82-4c69-a755-68de79f45c85.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MTkzOTEyMDIsIm5iZiI6MTcxOTM5MDkwMiwicGF0aCI6Ii85MTExMzAzNS8zMzQ3NTEzMjUtNTQwZmZkZGEtNmU4Mi00YzY5LWE3NTUtNjhkZTc5ZjQ1Yzg1LnBuZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNDA2MjYlMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjQwNjI2VDA4MzUwMlomWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPWQwMDVlMTYwMzkxMTk5NWYyYTFkNDZlMGRjM2MwODVlNGM0OWM1MzRjZWNmMjYyNTY2ODBmZmJmYWU0ZjI4MWQmWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0JmFjdG9yX2lkPTAma2V5X2lkPTAmcmVwb19pZD0wIn0.3ao3ZDavvqBO-K_EBgj19Ck1g30wZObKfVCcLhqVrs4)
Related issues
nvd
andsource
don't have severity for vulnerability #6714Checklist