
Trivy plugin

Trivy is an open source vulnerability scanner designed to improve the security of containerized applications. With a focus on simplicity and efficiency, Trivy scans container images and matches the OS packages and application dependencies it finds against known vulnerability advisories. It supports various container image sources, including Docker and containerd, and retrieves vulnerability information from multiple sources. The Vulners plugin described here swaps in a Vulners-enriched copy of that database, so each finding additionally carries EPSS, CVSS, exploit-count and in-the-wild exploitation data.

Getting started

  1. Download and Install Trivy:

    • Follow the installation instructions in the Trivy documentation for your platform.

  2. Get Trivy Response on Test Image:

    • Run Trivy on a test image to ensure it works with the default database (the first run downloads the stock vulnerability database into Trivy's cache):
      trivy image python:3.4-alpine -f json
      
  3. Install Vulners Plugin:

    • Use the following Trivy plugin command to install the Vulners plugin:
      trivy plugin install github.com/vulnersCom/trivy-plugin-vulners-db
      
  4. Download Enriched Trivy Database:

    • Download the enriched Trivy database from Vulners using your API key. The key is a secret: passed on the command line it ends up in shell history and is visible in process listings, so run this from CI secrets or an interactive session you control rather than a shared script:
      trivy vulners-db --api-key <vulners-api-key>
      
  5. Get Trivy Response on Test Image with Vulners enrichment:

    Run the same scan as in step 2. Each finding's Description field is now a Vulners object (EPSS, CVSS, Vulners score, exploit count and a WildExploited flag) instead of the plain advisory text. Note that Severity is still the one Trivy assigns from its SeveritySource; the Vulners scores sit alongside it for prioritization.

    Example (abbreviated output):

    Command:

    trivy image python:3.4-alpine -f json
    
    {
       "SchemaVersion": 2,
       "ArtifactName": "python:3.4-alpine",
       "ArtifactType": "container_image",
       "Results": [
         {
           "VulnerabilityID": "CVE-2022-40897",
           "PkgName": "setuptools",
           "PkgPath": "usr/local/lib/python3.4/site-packages/setuptools-40.8.0.dist-info/METADATA",
           "InstalledVersion": "40.8.0",
           "FixedVersion": "65.5.1",
           "Status": "fixed",
           "Layer": {
             "Digest": "sha256:e1977129b756c4b8dbc6e4d094384c2743576ccd39b059903dfe1154edd33489",
             "DiffID": "sha256:62de8bcc470aef81ddbec19b7f5aeed24d7b7ec1bff09422f7e0da3a4842d346"
           },
           "SeveritySource": "ghsa",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-40897",
           "DataSource": {
             "ID": "ghsa",
             "Name": "GitHub Security Advisory pip",
             "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
           },
           "Title": "pypa-setuptools: Regular Expression Denial of Service (ReDoS) in package_index.py",
           "Description": {
             "Href": "https://vulners.com/cve/CVE-2022-40897",
             "Epss": [
               {
                 "Cve": "CVE-2022-40897",
                 "Epss": 0.00217,
                 "Modified": "2023-05-02",
                 "Percentile": 0.58228
               }
             ],
             "Cvss2": { "Score": 2.6, "ExploitabilityScore": 4.9 },
             "Cvss3": { "Score": 5.9, "ExploitabilityScore": 0 },
             "VulnersScore": { "Value": 5.8, "Vector": "NONE" },
             "WildExploited": false,
             "Description": "Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.",
             "Title": "CVE-2022-40897",
             "ExploitsCount": 0,
             "AiDescription": "Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py",
             "AiTags": [
               "cve-2022-40897",
               "pypa",
               "setuptools",
               "denial of service",
               "html",
               "redos"
             ],
             "Reposts": 0,
             "References": 8
           },
           "Severity": "HIGH",
           "CweIDs": ["CWE-1333"],
           "CVSS": {},
           "References": [],
           "PublishedDate": "2022-12-23T00:15:00Z",
           "LastModifiedDate": "2023-11-07T03:52:00Z"
         }
       ]
     }
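The value of the enrichment is that you can triage by exploitation evidence instead of by CVSS severity alone. The script below is an added example, not part of Trivy or of the Vulners plugin: it parses the JSON that `trivy image <image> -f json` prints after `trivy vulners-db` has installed the enriched database and orders findings by WildExploited, ExploitsCount, Trivy severity and EPSS. It reads the standard Trivy layout (Results[].Vulnerabilities[]) as well as the abbreviated layout shown above, and it tolerates findings whose Description is still a plain string (as the stock database produces). The embedded sample report is constructed: the first record is trimmed from the CVE-2022-40897 output above, while EXAMPLE-WILD and EXAMPLE-PLAIN are placeholder identifiers, not real advisories, included only to exercise the ranking; the 0.1 EPSS threshold is an assumed policy value.

```python
"""Triage a Vulners-enriched Trivy report by exploitation evidence.

Added example; not part of Trivy or of the Vulners plugin.
Usage: python triage.py < report.json   (with no stdin it runs on SAMPLE_REPORT)
"""
import json
import sys
from typing import Any, Dict, Iterator, List, Tuple

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}

# Constructed sample. CVE-2022-40897 is trimmed from the report shown on the
# page; EXAMPLE-WILD and EXAMPLE-PLAIN are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "python:3.4-alpine",
    "ArtifactType": "container_image",
    "Results": [{
        "Target": "Python", "Class": "lang-pkgs", "Type": "python-pkg",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2022-40897", "PkgName": "setuptools",
             "InstalledVersion": "40.8.0", "FixedVersion": "65.5.1",
             "Severity": "HIGH",
             "Description": {
                 "Href": "https://vulners.com/cve/CVE-2022-40897",
                 "Epss": [{"Cve": "CVE-2022-40897", "Epss": 0.00217,
                           "Modified": "2023-05-02", "Percentile": 0.58228}],
                 "Cvss3": {"Score": 5.9, "ExploitabilityScore": 0},
                 "WildExploited": False, "ExploitsCount": 0}},
            {"VulnerabilityID": "EXAMPLE-WILD", "PkgName": "libexample",
             "InstalledVersion": "1.0", "FixedVersion": "1.1",
             "Severity": "MEDIUM",
             "Description": {"Epss": [{"Epss": 0.41, "Percentile": 0.97}],
                             "WildExploited": True, "ExploitsCount": 2}},
            {"VulnerabilityID": "EXAMPLE-PLAIN", "PkgName": "libother",
             "InstalledVersion": "2.0", "FixedVersion": "",
             "Severity": "CRITICAL",
             # Stock Trivy database: Description is still a plain string.
             "Description": "A constructed, unenriched finding."},
        ],
    }],
})


def iter_findings(report: Dict[str, Any]) -> Iterator[Dict[str, Any]]:
    """Yield vulnerability records from a Trivy schema-v2 report.

    Handles the standard layout (Results[].Vulnerabilities[]) and the
    abbreviated layout on this page, where the record sits in Results[].
    """
    for result in report.get("Results") or []:
        if "Vulnerabilities" in result:
            yield from result.get("Vulnerabilities") or []
        elif "VulnerabilityID" in result:
            yield result


def enrichment(vuln: Dict[str, Any]) -> Dict[str, Any]:
    """Return the Vulners object the plugin stores in Description, or {}."""
    desc = vuln.get("Description")
    return desc if isinstance(desc, dict) else {}


def max_epss(enriched: Dict[str, Any]) -> float:
    """Vulners may list several EPSS entries; use the highest probability."""
    return max((float(e.get("Epss", 0.0)) for e in enriched.get("Epss") or []),
               default=0.0)


def rank_key(vuln: Dict[str, Any]) -> Tuple[int, int, int, float]:
    """Higher tuple = more urgent: exploited in the wild, public exploits
    exist, Trivy severity, then EPSS as the tiebreak."""
    e = enrichment(vuln)
    return (int(bool(e.get("WildExploited"))),
            int(int(e.get("ExploitsCount") or 0) > 0),
            SEVERITY_RANK.get(str(vuln.get("Severity", "")).upper(), 0),
            max_epss(e))


def triage(report_json: str, epss_threshold: float = 0.1) -> List[Dict[str, Any]]:
    """Parse a report and return one row per finding, most urgent first."""
    rows = []
    for v in iter_findings(json.loads(report_json)):
        e = enrichment(v)
        wild, has_exploits, _sev, epss = rank_key(v)
        rows.append({
            "id": v.get("VulnerabilityID"),
            "pkg": f'{v.get("PkgName")} {v.get("InstalledVersion")}',
            "fix": v.get("FixedVersion") or None,     # "" means no fix known
            "severity": v.get("Severity"),
            "enriched": bool(e),                       # False for stock DB rows
            "wild": bool(wild),
            "exploits": int(e.get("ExploitsCount") or 0),
            "epss": epss,
            # Assumed policy: act now on any exploitation evidence or high EPSS.
            "urgent": bool(wild or has_exploits or epss >= epss_threshold),
        })
    rows.sort(key=lambda r: (r["wild"], r["exploits"] > 0,
                             SEVERITY_RANK.get(str(r["severity"]).upper(), 0),
                             r["epss"]), reverse=True)
    return rows


if __name__ == "__main__":
    data = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    for r in triage(data):
        print(f'{"URGENT" if r["urgent"] else "      "} {r["id"]:<16} '
              f'{str(r["severity"]):<8} epss={r["epss"]:.5f} wild={r["wild"]} '
              f'exploits={r["exploits"]} enriched={r["enriched"]} fix={r["fix"]}')
```

On the constructed sample this lists EXAMPLE-WILD first (exploited in the wild, two public exploits) despite its MEDIUM severity, and pushes the HIGH CVE-2022-40897 (EPSS 0.2%, no exploits) below the unenriched CRITICAL. Unenriched rows are ranked by severity only, so a stock-database report degrades gracefully rather than being dropped.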
    

Feedback

If you have any problems or have any comments, please let us know.
