Trivy plugin
Trivy is an open-source vulnerability scanner designed specifically for containerized applications. It scans the software packages and dependencies inside container images for known vulnerabilities, and supports a variety of image formats, including Docker and containerd. Trivy obtains vulnerability data from multiple reliable sources to provide current security insights.
Getting started
- Download and install Trivy:
  - Follow the installation instructions.
- Get a Trivy response on a test image:
  - Run Trivy on a test image to ensure it works with the default database:
    trivy image python:3.4-alpine -f json
- Install the Vulners plugin:
  - Use the following Trivy plugin command to install the Vulners plugin:
    trivy plugin install github.com/vulnersCom/trivy-plugin-vulners-db
- Download the enriched Trivy database:
  - Obtain the enriched Trivy database from Vulners using your API key:
    trivy vulners-db --api-key <vulners-api-key>
- Get a Trivy response on the test image with Vulners enrichment:
  - Example command:
    trivy image python:3.4-alpine -f json
  - Example output:
{
  "SchemaVersion": 2,
  "ArtifactName": "python:3.4-alpine",
  "ArtifactType": "container_image",
  "Results": [
    {
      "VulnerabilityID": "CVE-2022-40897",
      "PkgName": "setuptools",
      "PkgPath": "usr/local/lib/python3.4/site-packages/setuptools-40.8.0.dist-info/METADATA",
      "InstalledVersion": "40.8.0",
      "FixedVersion": "65.5.1",
      "Status": "fixed",
      "Layer": {
        "Digest": "sha256:e1977129b756c4b8dbc6e4d094384c2743576ccd39b059903dfe1154edd33489",
        "DiffID": "sha256:62de8bcc470aef81ddbec19b7f5aeed24d7b7ec1bff09422f7e0da3a4842d346"
      },
      "SeveritySource": "ghsa",
      "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-40897",
      "DataSource": {
        "ID": "ghsa",
        "Name": "GitHub Security Advisory pip",
        "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
      },
      "Title": "pypa-setuptools: Regular Expression Denial of Service (ReDoS) in package_index.py",
      "Description": {
        "Href": "https://vulners.com/cve/CVE-2022-40897",
        "Epss": [
          {
            "Cve": "CVE-2022-40897",
            "Epss": 0.00217,
            "Modified": "2023-05-02",
            "Percentile": 0.58228
          }
        ],
        "Cvss2": {
          "Score": 2.6,
          "ExploitabilityScore": 4.9
        },
        "Cvss3": {
          "Score": 5.9,
          "ExploitabilityScore": 0
        },
        "VulnersScore": {
          "Value": 5.8,
          "Vector": "NONE"
        },
        "WildExploited": false,
        "Description": "Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.",
        "Title": "CVE-2022-40897",
        "ExploitsCount": 0,
        "AiDescription": "Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py",
        "AiTags": [
          "cve-2022-40897",
          "pypa",
          "setuptools",
          "denial of service",
          "html",
          "redos"
        ],
        "Reposts": 0,
        "References": 8
      },
      "Severity": "HIGH",
      "CweIDs": ["CWE-1333"],
      "CVSS": {},
      "References": [],
      "PublishedDate": "2022-12-23T00:15:00Z",
      "LastModifiedDate": "2023-11-07T03:52:00Z"
    }
  ]
}
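The enriched "Description" object in the output above (EPSS, WildExploited, ExploitsCount, VulnersScore) is what the plugin adds on top of the stock Trivy data. The following Python script is an added example, not code from the plugin or from this page: it reads a Trivy JSON report, copes with both the enriched object and the plain-string Description that the default database produces (a script that assumes the enriched shape would crash on an un-enriched report), and ranks findings by in-the-wild exploitation, public exploit count and EPSS. The sample report, the placeholder CVE id CVE-0000-0000 and the 0.1 EPSS threshold are constructed assumptions; the handling of stock Trivy's Results[].Vulnerabilities nesting is added because the page's sample places findings directly under Results.

```python
import json

# Constructed sample shaped like the enriched report above (trimmed to the fields the
# triage reads); the second entry imitates a default-database finding with a string Description.
SAMPLE_REPORT = json.dumps({"SchemaVersion": 2, "ArtifactName": "python:3.4-alpine", "Results": [
    {"VulnerabilityID": "CVE-2022-40897", "PkgName": "setuptools", "Severity": "HIGH",
     "InstalledVersion": "40.8.0", "FixedVersion": "65.5.1",
     "Description": {"Epss": [{"Cve": "CVE-2022-40897", "Epss": 0.00217, "Percentile": 0.58228}],
                     "VulnersScore": {"Value": 5.8}, "WildExploited": False, "ExploitsCount": 0}},
    {"VulnerabilityID": "CVE-0000-0000", "PkgName": "example-pkg", "Severity": "MEDIUM",  # placeholder id
     "InstalledVersion": "1.0", "FixedVersion": "1.1",
     "Description": "Plain-text description from the default Trivy database."}]})

def iter_findings(report):
    """Yield vulnerability records. The page's sample lists them directly under
    "Results"; stock Trivy nests them under each result's "Vulnerabilities" list."""
    for result in report.get("Results", []):
        if "Vulnerabilities" in result:
            yield from result["Vulnerabilities"]
        elif "VulnerabilityID" in result:
            yield result

def enrichment(finding):
    """Return the Vulners enrichment object, or None when Description is plain text."""
    desc = finding.get("Description")
    return desc if isinstance(desc, dict) else None

def triage(report_json, epss_threshold=0.1):
    """Return (vuln_id, reason) pairs, highest exploitation risk first.
    Sort key, descending: WildExploited, ExploitsCount, best EPSS score.
    Unenriched findings carry no signal and sort last, keeping their Trivy severity."""
    ranked = []
    for f in iter_findings(json.loads(report_json)):
        e = enrichment(f)
        if e is None:
            ranked.append((0, 0, 0.0, f["VulnerabilityID"], f"severity={f.get('Severity')} (no Vulners data)"))
            continue
        epss = max((x.get("Epss", 0.0) for x in e.get("Epss", [])), default=0.0)
        wild, exploits = bool(e.get("WildExploited")), int(e.get("ExploitsCount", 0))
        flags = []
        if wild:
            flags.append("exploited in the wild")
        if exploits:
            flags.append(f"{exploits} public exploit(s)")
        if epss >= epss_threshold:
            flags.append(f"EPSS {epss:.3f} >= {epss_threshold}")
        reason = ", ".join(flags) or f"EPSS {epss:.5f}, no exploitation signals"
        ranked.append((int(wild), exploits, epss, f["VulnerabilityID"], reason))
    ranked.sort(key=lambda r: r[:3], reverse=True)
    return [(r[3], r[4]) for r in ranked]
```

To run it against a real scan, pass the text of `trivy image <image> -f json` to `triage()` instead of SAMPLE_REPORT.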
Feedback
If you have any problems or have any comments, please let us know.