Trivy plugin

Trivy is an open-source vulnerability scanner designed for containerized applications. It scans the OS packages and application dependencies inside container images for known vulnerabilities and supports images from several runtimes, including Docker and containerd. Trivy pulls its vulnerability data from multiple reliable sources so that its findings reflect current security information.

Getting started

  1. Download and Install Trivy:

  2. Get Trivy Response on Test Image:

    • Run Trivy on a test image to ensure it works with the default database:
      trivy image python:3.4-alpine -f json
      
  3. Install Vulners Plugin:

    • Use the following Trivy plugin command to install the Vulners plugin:
      trivy plugin install github.com/vulnersCom/trivy-plugin-vulners-db
      
  4. Download Enriched Trivy Database:

    • Obtain the enriched Trivy database from Vulners using your API key:
      trivy vulners-db --api-key <vulners-api-key>
      
  5. Get Trivy Response on Test Image with Vulners enrichment:

    • Run the same scan again; with the enriched database in place, the Description field of each finding is now an object carrying the Vulners data (EPSS, CVSS, Vulners score, in-the-wild exploitation status, exploit count):
      trivy image python:3.4-alpine -f json
      
    Example output:
    
    {
       "SchemaVersion": 2,
       "ArtifactName": "python:3.4-alpine",
       "ArtifactType": "container_image",
       "Results": [
         {
           "VulnerabilityID": "CVE-2022-40897",
           "PkgName": "setuptools",
           "PkgPath": "usr/local/lib/python3.4/site-packages/setuptools-40.8.0.dist-info/METADATA",
           "InstalledVersion": "40.8.0",
           "FixedVersion": "65.5.1",
           "Status": "fixed",
           "Layer": {
             "Digest": "sha256:e1977129b756c4b8dbc6e4d094384c2743576ccd39b059903dfe1154edd33489",
             "DiffID": "sha256:62de8bcc470aef81ddbec19b7f5aeed24d7b7ec1bff09422f7e0da3a4842d346"
           },
           "SeveritySource": "ghsa",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-40897",
           "DataSource": {
             "ID": "ghsa",
             "Name": "GitHub Security Advisory pip",
             "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
           },
           "Title": "pypa-setuptools: Regular Expression Denial of Service (ReDoS) in package_index.py",
           "Description": {
             "Href": "https://vulners.com/cve/CVE-2022-40897",
             "Epss": [
               {
                 "Cve": "CVE-2022-40897",
                 "Epss": 0.00217,
                 "Modified": "2023-05-02",
                 "Percentile": 0.58228
               }
             ],
             "Cvss2": { "Score": 2.6, "ExploitabilityScore": 4.9 },
             "Cvss3": { "Score": 5.9, "ExploitabilityScore": 0 },
             "VulnersScore": { "Value": 5.8, "Vector": "NONE" },
             "WildExploited": false,
             "Description": "Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.",
             "Title": "CVE-2022-40897",
             "ExploitsCount": 0,
             "AiDescription": "Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py",
             "AiTags": [
               "cve-2022-40897",
               "pypa",
               "setuptools",
               "denial of service",
               "html",
               "redos"
             ],
             "Reposts": 0,
             "References": 8
           },
           "Severity": "HIGH",
           "CweIDs": ["CWE-1333"],
           "CVSS": {},
           "References": [],
           "PublishedDate": "2022-12-23T00:15:00Z",
           "LastModifiedDate": "2023-11-07T03:52:00Z"
         }
       ]
     }
    
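The enrichment fields above (Epss, VulnersScore, WildExploited, ExploitsCount) are what make the plugin useful for prioritisation rather than just listing CVEs. The following script is an added example, not part of the plugin or of this page: it parses a Vulners-enriched Trivy report, ranks findings by in-the-wild exploitation, public exploit availability, EPSS and Vulners score, and applies a hypothetical CI gate policy (block on WildExploited or EPSS at or above a threshold). The sample report is constructed from the finding shown above; it also accepts Trivy's usual layout (Results[].Vulnerabilities[]) and falls back to defaults when Description is a plain string, i.e. when the scan ran without the enriched database.

```python
"""Triage a Vulners-enriched Trivy JSON report (added example, not plugin code).

Ranks findings by the Vulners enrichment and applies a hypothetical gate policy.
"""
import json

# Constructed sample modelled on the report shown on the page: one finding
# whose "Description" is the Vulners enrichment object.
SAMPLE_REPORT = """{
  "SchemaVersion": 2,
  "ArtifactName": "python:3.4-alpine",
  "ArtifactType": "container_image",
  "Results": [
    {
      "VulnerabilityID": "CVE-2022-40897",
      "PkgName": "setuptools",
      "InstalledVersion": "40.8.0",
      "FixedVersion": "65.5.1",
      "Severity": "HIGH",
      "Description": {
        "Href": "https://vulners.com/cve/CVE-2022-40897",
        "Epss": [{"Cve": "CVE-2022-40897", "Epss": 0.00217, "Percentile": 0.58228}],
        "Cvss3": {"Score": 5.9, "ExploitabilityScore": 0},
        "VulnersScore": {"Value": 5.8, "Vector": "NONE"},
        "WildExploited": false,
        "ExploitsCount": 0
      }
    }
  ]
}"""


def iter_findings(report):
    """Yield vulnerability entries from a parsed Trivy report.

    Accepts both the flattened shape shown in the plugin's sample output
    (entries directly under "Results") and Trivy's usual layout, where each
    result carries a "Vulnerabilities" list.
    """
    for result in report.get("Results", []):
        if "VulnerabilityID" in result:
            yield result
        for vuln in result.get("Vulnerabilities") or []:
            yield vuln


def enrichment(vuln):
    """Extract the Vulners fields with safe defaults.

    With the plugin, "Description" is an object; a plain Trivy run emits a
    string there, so treat anything that is not a dict as 'no enrichment'.
    """
    desc = vuln.get("Description")
    if not isinstance(desc, dict):
        return {"epss": 0.0, "wild": False, "exploits": 0, "vulners_score": 0.0}
    epss = max((e.get("Epss", 0.0) for e in desc.get("Epss") or []), default=0.0)
    return {
        "epss": float(epss),
        "wild": bool(desc.get("WildExploited", False)),
        "exploits": int(desc.get("ExploitsCount", 0)),
        "vulners_score": float((desc.get("VulnersScore") or {}).get("Value", 0.0)),
    }


def triage(report_json, epss_threshold=0.1):
    """Return findings as dicts, most urgent first.

    Ordering: exploited in the wild, then public exploits available, then EPSS,
    then Vulners score. "block" marks findings that fail the (hypothetical)
    gate policy: in-the-wild exploitation or EPSS >= epss_threshold.
    """
    report = json.loads(report_json)
    rows = []
    for v in iter_findings(report):
        e = enrichment(v)
        rows.append({
            "id": v.get("VulnerabilityID"),
            "pkg": v.get("PkgName"),
            "installed": v.get("InstalledVersion"),
            "fixed": v.get("FixedVersion"),
            "severity": v.get("Severity"),
            **e,
            "block": e["wild"] or e["epss"] >= epss_threshold,
        })
    rows.sort(key=lambda r: (r["wild"], r["exploits"] > 0, r["epss"], r["vulners_score"]),
              reverse=True)
    return rows


def gate_passes(report_json, epss_threshold=0.1):
    """True when no finding meets the blocking policy."""
    return not any(r["block"] for r in triage(report_json, epss_threshold))


if __name__ == "__main__":
    # Typical use: trivy image <img> -f json > report.json; python triage.py < report.json
    for r in triage(SAMPLE_REPORT):
        flag = "BLOCK" if r["block"] else "ok"
        print(f"{flag:5} {r['id']} {r['pkg']} {r['installed']} -> {r['fixed']} "
              f"sev={r['severity']} epss={r['epss']:.5f} wild={r['wild']} "
              f"exploits={r['exploits']}")
    raise SystemExit(0 if gate_passes(SAMPLE_REPORT) else 1)
```

The sort key puts WildExploited first because it is the strongest signal the enrichment offers; EPSS then separates the remaining findings far better than the Severity label alone, which for the sample finding is HIGH despite an EPSS of about 0.2%. The threshold of 0.1 is an assumed value and should be set per environment.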

Feedback

If you have any problems or have any comments, please let us know.
