Filter Vulnerabilities

    Result

    1. 2019-05-16T12:49:52.656+0900    INFO    Updating vulnerability database...
    2. 2019-05-16T12:50:14.786+0900    INFO    Detecting Debian vulnerabilities...
    4. ruby:2.4.0 (debian 8.7)
    5. =======================
    6. Total: 4730 (UNKNOWN: 1, LOW: 145, MEDIUM: 3487, HIGH: 1014, CRITICAL: 83)
    8. +------------------------------+------------------+----------+----------------------------+----------------------------------+-----------------------------------------------------+
    9. |           LIBRARY            | VULNERABILITY ID | SEVERITY |     INSTALLED VERSION      |          FIXED VERSION           |                        TITLE                        |
    10. +------------------------------+------------------+----------+----------------------------+----------------------------------+-----------------------------------------------------+
    11. | apt                          | CVE-2019-3462    | CRITICAL | 1.0.9.8.3                  | 1.0.9.8.5                        | Incorrect sanitation of the                         |
    12. |                              |                  |          |                            |                                  | 302 redirect field in HTTP                          |
    13. |                              |                  |          |                            |                                  | transport method of...                              |
    14. +                              +------------------+----------+                            +----------------------------------+-----------------------------------------------------+
    15. |                              | CVE-2016-1252    | MEDIUM   |                            | 1.0.9.8.4                        | The apt package in Debian                           |
    16. |                              |                  |          |                            |                                  | jessie before 1.0.9.8.4, in                         |
    17. |                              |                  |          |                            |                                  | Debian unstable before...                           |
    18. +------------------------------+------------------+----------+----------------------------+----------------------------------+-----------------------------------------------------+
    19. | bash                         | CVE-2019-9924    | HIGH     | 4.3-11                     | 4.3-11+deb8u2                    | bash: BASH_CMD is writable in                       |
    20. |                              |                  |          |                            |                                  | restricted bash shells                              |
    21. +                              +------------------+          +                            +----------------------------------+-----------------------------------------------------+
    22. |                              | CVE-2016-7543    |          |                            | 4.3-11+deb8u1                    | bash: Specially crafted                             |
    23. |                              |                  |          |                            |                                  | SHELLOPTS+PS4 variables allows                      |
    24. |                              |                  |          |                            |                                  | command substitution                                |
    25. +                              +------------------+----------+                            +                                  +-----------------------------------------------------+
    26. |                              | CVE-2016-0634    | MEDIUM   |                            |                                  | bash: Arbitrary code execution                      |
    27. |                              |                  |          |                            |                                  | via malicious hostname                              |
    28. +                              +------------------+----------+                            +----------------------------------+-----------------------------------------------------+
    29. |                              | CVE-2016-9401    | LOW      |                            | 4.3-11+deb8u2                    | bash: popd controlled free                          |
    30. +------------------------------+------------------+----------+----------------------------+----------------------------------+-----------------------------------------------------+
    31. ...

    Use --severity option.

    1. $ trivy image --severity HIGH,CRITICAL ruby:2.4.0

    Result

    1. $ cat .trivyignore
    2. # Accept the risk
    3. CVE-2018-14618
    5. # No impact in our settings
    6. CVE-2019-1543
    8. $ trivy image python:3.4-alpine3.9

    Result

    1. 2019-05-16T12:53:10.076+0900    INFO    Updating vulnerability database...
    2. 2019-05-16T12:53:28.134+0900    INFO    Detecting Alpine vulnerabilities...
    4. python:3.4-alpine3.9 (alpine 3.9.2)
    5. ===================================
    6. Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

    Use --vuln-type option.

    Available values: - library - os

    1. 2019-05-22T19:36:50.530+0200    INFO    Updating vulnerability database...
    2. 2019-05-22T19:36:51.681+0200    INFO    Detecting Alpine vulnerabilities...
    3. 2019-05-22T19:36:51.685+0200    INFO    Updating npm Security DB...
    4. 2019-05-22T19:36:52.389+0200    INFO    Detecting npm vulnerabilities...
    5. 2019-05-22T19:36:52.390+0200    INFO    Updating pipenv Security DB...
    8. Total: 4751 (UNKNOWN: 1, LOW: 150, MEDIUM: 3504, HIGH: 1013, CRITICAL: 83)
    10. +---------+------------------+----------+-------------------+---------------+----------------------------------+
    11. | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |              TITLE               |
    12. +---------+------------------+----------+-------------------+---------------+----------------------------------+
    13. | curl    | CVE-2018-14618   | CRITICAL | 7.61.0-r0         | 7.61.1-r0     | curl: NTLM password overflow     |
    14. |         |                  |          |                   |               | via integer overflow             |
    15. +         +------------------+----------+                   +---------------+----------------------------------+
    16. |         | CVE-2018-16839   | HIGH     |                   | 7.61.1-r1     | curl: Integer overflow leading   |
    17. |         |                  |          |                   |               | to heap-based buffer overflow in |
    18. |         |                  |          |                   |               | Curl_sasl_create_plain_message() |
    19. +         +------------------+          +                   +---------------+----------------------------------+
    20. |         | CVE-2019-3822    |          |                   | 7.61.1-r2     | curl: NTLMv2 type-3 header       |
    21. |         |                  |          |                   |               | stack buffer overflow            |
    22. +         +------------------+          +                   +---------------+----------------------------------+
    23. |         | CVE-2018-16840   |          |                   | 7.61.1-r1     | curl: Use-after-free when        |
    24. |         |                  |          |                   |               | closing "easy" handle in         |
    25. |         |                  |          |                   |               | Curl_close()                     |
    26. +         +------------------+----------+                   +---------------+----------------------------------+
    27. |         | CVE-2019-3823    | MEDIUM   |                   | 7.61.1-r2     | curl: SMTP end-of-response       |
    28. |         |                  |          |                   |               | out-of-bounds read               |
    29. +         +------------------+          +                   +               +----------------------------------+
    30. |         | CVE-2018-16890   |          |                   |               | curl: NTLM type-2 heap           |
    31. |         |                  |          |                   |               | out-of-bounds buffer read        |
    32. +         +------------------+          +                   +---------------+----------------------------------+
    33. |         | CVE-2018-16842   |          |                   | 7.61.1-r1     | curl: Heap-based buffer          |
    34. |         |                  |          |                   |               | over-read in the curl tool       |
    35. |         |                  |          |                   |               | warning formatting               |
    36. +---------+------------------+----------+-------------------+---------------+----------------------------------+
    37. | git     | CVE-2018-17456   | HIGH     | 2.15.2-r0         | 2.15.3-r0     | git: arbitrary code execution    |
    38. |         |                  |          |                   |               | via .gitmodules                  |
    39. +         +------------------+          +                   +               +----------------------------------+
    40. |         | CVE-2018-19486   |          |                   |               | git: Improper handling of        |
    41. |         |                  |          |                   |               | PATH allows for commands to be   |
    42. |         |                  |          |                   |               | executed from...                 |
    43. +---------+------------------+----------+-------------------+---------------+----------------------------------+
    44. | libssh2 | CVE-2019-3855    | CRITICAL | 1.8.0-r2          | 1.8.1-r0      | libssh2: Integer overflow in     |
    45. |         |                  |          |                   |               | transport read resulting in      |
    46. |         |                  |          |                   |               | out of bounds write...           |
    47. +         +------------------+----------+                   +               +----------------------------------+
    48. |         | CVE-2019-3861    | MEDIUM   |                   |               | libssh2: Out-of-bounds reads     |
    49. |         |                  |          |                   |               | with specially crafted SSH       |
    50. |         |                  |          |                   |               | packets                          |
    51. +         +------------------+          +                   +               +----------------------------------+
    52. |         | CVE-2019-3857    |          |                   |               | libssh2: Integer overflow in     |
    53. |         |                  |          |                   |               | SSH packet processing channel    |
    54. |         |                  |          |                   |               | resulting in out of...           |
    55. +         +------------------+          +                   +               +----------------------------------+
    56. |         | CVE-2019-3856    |          |                   |               | libssh2: Integer overflow in     |
    57. |         |                  |          |                   |               | keyboard interactive handling    |
    58. |         |                  |          |                   |               | resulting in out of bounds...    |
    59. +         +------------------+          +                   +               +----------------------------------+
    60. |         | CVE-2019-3863    |          |                   |               | libssh2: Integer overflow        |
    61. |         |                  |          |                   |               | in user authenticate             |
    62. |         |                  |          |                   |               | out-of-bounds writes             |
    63. +         +------------------+          +                   +               +----------------------------------+
    65. |         |                  |          |                   |               | comparison with specially        |
    66. |         |                  |          |                   |               | crafted message channel          |
    67. |         |                  |          |                   |               | request                          |
    68. +         +------------------+          +                   +               +----------------------------------+
    69. |         | CVE-2019-3860    |          |                   |               | libssh2: Out-of-bounds reads     |
    70. |         |                  |          |                   |               | with specially crafted SFTP      |
    71. |         |                  |          |                   |               | packets                          |
    72. +         +------------------+          +                   +               +----------------------------------+
    73. |         | CVE-2019-3858    |          |                   |               | libssh2: Zero-byte allocation    |
    74. |         |                  |          |                   |               | with a specially crafted SFTP    |
    75. |         |                  |          |                   |               | packed leading to an...          |
    76. +         +------------------+          +                   +               +----------------------------------+
    77. |         | CVE-2019-3859    |          |                   |               | libssh2: Unchecked use of        |
    78. |         |                  |          |                   |               | _libssh2_packet_require and      |
    79. |         |                  |          |                   |               | _libssh2_packet_requirev         |
    80. |         |                  |          |                   |               | resulting in out-of-bounds       |
    81. |         |                  |          |                   |               | read                             |
    82. +---------+------------------+          +-------------------+---------------+----------------------------------+
    83. | libxml2 | CVE-2018-14404   |          | 2.9.7-r0          | 2.9.8-r1      | libxml2: NULL pointer            |
    84. |         |                  |          |                   |               | dereference in                   |
    85. |         |                  |          |                   |               | xpath.c:xmlXPathCompOpEval()     |
    86. |         |                  |          |                   |               | can allow attackers to cause     |
    87. |         |                  |          |                   |               | a...                             |
    88. +         +------------------+          +                   +               +----------------------------------+
    89. |         | CVE-2018-14567   |          |                   |               | libxml2: Infinite loop when      |
    90. |         |                  |          |                   |               | --with-lzma is used allows for   |
    91. |         |                  |          |                   |               | denial of service...             |
    92. +         +------------------+----------+                   +               +----------------------------------+
    93. |         | CVE-2018-9251    | LOW      |                   |               | libxml2: infinite loop in        |
    94. |         |                  |          |                   |               | xz_decomp function in xzlib.c    |
    95. +---------+------------------+----------+-------------------+---------------+----------------------------------+
    96. | openssh | CVE-2019-6109    | MEDIUM   | 7.5_p1-r9         | 7.5_p1-r10    | openssh: Missing character       |
    97. |         |                  |          |                   |               | encoding in progress display     |
    98. |         |                  |          |                   |               | allows for spoofing of scp...    |
    99. +         +------------------+          +                   +               +----------------------------------+
    100. |         | CVE-2019-6111    |          |                   |               | openssh: Improper validation     |
    101. |         |                  |          |                   |               | of object names allows           |
    102. |         |                  |          |                   |               | malicious server to overwrite    |
    103. |         |                  |          |                   |               | files...                         |
    104. +         +------------------+----------+                   +               +----------------------------------+
    105. |         | CVE-2018-20685   | LOW      |                   |               | openssh: scp client improper     |
    106. |         |                  |          |                   |               | directory name validation        |
    107. +---------+------------------+----------+-------------------+---------------+----------------------------------+
    108. | sqlite  | CVE-2018-20346   | MEDIUM   | 3.21.0-r1         | 3.25.3-r0     | CVE-2018-20505 CVE-2018-20506    |
    109. |         |                  |          |                   |               | sqlite: Multiple flaws in        |
    110. |         |                  |          |                   |               | sqlite which can be triggered    |
    111. |         |                  |          |                   |               | via...                           |
    112. +---------+------------------+----------+-------------------+---------------+----------------------------------+
    113. | tar     | CVE-2018-20482   | LOW      | 1.29-r1           | 1.31-r0       | tar: Infinite read loop in       |
    114. |         |                  |          |                   |               | sparse_dump_region function in   |
    115. |         |                  |          |                   |               | sparse.c                         |
    116. +---------+------------------+----------+-------------------+---------------+----------------------------------+

    [EXPERIMENTAL] This feature might change without preserving backwards compatibility.

    Trivy supports Open Policy Agent (OPA) to filter vulnerabilities. You can specify a Rego file with --ignore-policy option.

    The Rego package name must be trivy and it must include a rule called ignore which determines if each individual vulnerability should be excluded (ignore=true) or not (ignore=false). In the policy, each vulnerability will be available for inspection as the input variable. The structure of each vulnerability input is the same as for the Trivy JSON output.
    There is a built-in Rego library with helper functions that you can import into your policy using: import data.lib.trivy. For more info about the helper functions, look at the library here

    Result