aquasecurity / trivy-operator

Kubernetes-native security toolkit
https://aquasecurity.github.io/trivy-operator/latest
Apache License 2.0

Missing some data on `trivy_vulnerability_id` metric #1035

Closed LERUfic closed 1 year ago

LERUfic commented 1 year ago

What steps did you take and what happened:

I enabled the trivy_vulnerability_id metrics and then compared the sum metrics to trivy_image_vulnerabilities. As a result, the value of trivy_vulnerability_id differs from that of trivy_image_vulnerabilities. When there are two reports of the same vulnerability ID but with different resources, trivy_vulnerability_id will only report it once.

[Image: Screenshot 2023-03-09 at 15:55:54]

What did you expect to happen: I expect the count value from trivy_vulnerability_id to be the same as trivy_image_vulnerabilities, so we can get the info on how many resources in the same image have the same vulnerability ID.

Anything else you would like to add: This is an example report of the external-dns image:

report:
  artifact:
    repository: external-dns/external-dns
    tag: v0.12.0
  registry:
    server: k8s.gcr.io
  scanner:
    name: Trivy
    vendor: Aqua Security
    version: 0.35.0
  summary:
    criticalCount: 1
    highCount: 8
    lowCount: 1
    mediumCount: 5
    noneCount: 0
    unknownCount: 0
  updateTimestamp: "2023-03-08T08:52:29Z"
  vulnerabilities:
  - description: The function PEM_read_bio_ex() reads a PEM file from a BIO and parses
      and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload
      data. If the function succeeds then the "name_out", "header" and "data" arguments
      are populated with pointers to buffers containing the relevant decoded data.
      The caller is responsible for freeing those buffers. It is possible to construct
      a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex()
      will return a failure code but will populate the header argument with a pointer
      to a buffer that has already been freed. If the caller also frees this buffer
      then a double free will occur. This will most likely lead to a crash. This could
      be exploited by an attacker who has the ability to supply malicious PEM files
      for parsing to achieve a denial of service attack. The functions PEM_read_bio()
      and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these
      functions are also directly affected. These functions are also called indirectly
      by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex()
      and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal
      uses of these functions are not vulnerable because the caller does not free
      the header argument if PEM_read_bio_ex() returns a failure code. These locations
      include the PEM_read_bio_TYPE() functions as well as the decoders introduced
      in OpenSSL 3.0. The OpenSSL asn1parse command line application is also impacted
      by this issue.
    fixedVersion: 1.1.1t-r0
    installedVersion: 1.1.1n-r0
    links: []
    primaryLink: https://avd.aquasec.com/nvd/cve-2022-4450
    resource: libcrypto1.1
    score: 7.5
    severity: HIGH
    target: ""
    title: 'openssl: double free after calling PEM_read_bio_ex'
    vulnerabilityID: CVE-2022-4450
  - description: The public API function BIO_new_NDEF is a helper function used for
      streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to
      support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called
      directly by end user applications. The function receives a BIO from the caller,
      prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain,
      and then returns the new head of the BIO chain to the caller. Under certain
      conditions, for example if a CMS recipient public key is invalid, the new filter
      BIO is freed and the function returns a NULL result indicating a failure. However,
      in this case, the BIO chain is not properly cleaned up and the BIO passed by
      the caller still retains internal pointers to the previously freed filter BIO.
      If the caller then goes on to call BIO_pop() on the BIO then a use-after-free
      will occur. This will most likely result in a crash. This scenario occurs directly
      in the internal function B64_write_ASN1() which may cause BIO_new_NDEF() to
      be called and will subsequently call BIO_pop() on the BIO. This internal function
      is in turn called by the public API functions PEM_write_bio_ASN1_stream, PEM_write_bio_CMS_stream,
      PEM_write_bio_PKCS7_stream, SMIME_write_ASN1, SMIME_write_CMS and SMIME_write_PKCS7.
      Other public API functions that may be impacted by this include i2d_ASN1_bio_stream,
      BIO_new_CMS, BIO_new_PKCS7, i2d_CMS_bio_stream and i2d_PKCS7_bio_stream. The
      OpenSSL cms and smime command line applications are similarly affected.
    fixedVersion: 1.1.1t-r0
    installedVersion: 1.1.1n-r0
    links: []
    primaryLink: https://avd.aquasec.com/nvd/cve-2023-0215
    resource: libcrypto1.1
    score: 7.5
    severity: HIGH
    target: ""
    title: 'openssl: use-after-free following BIO_new_NDEF'
    vulnerabilityID: CVE-2023-0215
  - description: There is a type confusion vulnerability relating to X.400 address
      processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING
      but the public structure definition for GENERAL_NAME incorrectly specified the
      type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted
      by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING.
      When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK
      flag), this vulnerability may allow an attacker to pass arbitrary pointers to
      a memcmp call, enabling them to read memory contents or enact a denial of service.
      In most cases, the attack requires the attacker to provide both the certificate
      chain and CRL, neither of which need to have a valid signature. If the attacker
      only controls one of these inputs, the other input must already contain an X.400
      address as a CRL distribution point, which is uncommon. As such, this vulnerability
      is most likely to only affect applications which have implemented their own
      functionality for retrieving CRLs over a network.
    fixedVersion: 1.1.1t-r0
    installedVersion: 1.1.1n-r0
    links: []
    primaryLink: https://avd.aquasec.com/nvd/cve-2023-0286
    resource: libcrypto1.1
    score: 7.4
    severity: HIGH
    target: ""
    title: 'openssl: X.400 address type confusion in X.509 GeneralName'
    vulnerabilityID: CVE-2023-0286
  - description: AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised
      implementation will not encrypt the entirety of the data under some circumstances.
      This could reveal sixteen bytes of data that was preexisting in the memory that
      wasn't written. In the special case of "in place" encryption, sixteen bytes
      of the plaintext would be revealed. Since OpenSSL does not support OCB based
      cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5
      (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).
    fixedVersion: 1.1.1q-r0
    installedVersion: 1.1.1n-r0
    links: []
    primaryLink: https://avd.aquasec.com/nvd/cve-2022-2097
    resource: libcrypto1.1
    score: 5.3
    severity: MEDIUM
    target: ""
    title: 'openssl: AES OCB fails to encrypt some bytes'
    vulnerabilityID: CVE-2022-2097
  - description: 'A timing based side channel exists in the OpenSSL RSA Decryption
      implementation which could be sufficient to recover a plaintext across a network
      in a Bleichenbacher style attack. To achieve a successful decryption an attacker
      would have to be able to send a very large number of trial messages for decryption.
      The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.
      For example, in a TLS connection, RSA is commonly used by a client to send an
      encrypted pre-master secret to the server. An attacker that had observed a genuine
      connection between a client and a server could use this flaw to send trial messages
      to the server and record the time taken to process them. After a sufficiently
      large number of messages the attacker could recover the pre-master secret used
      for the original connection and thus be able to decrypt the application data
      sent over that connection.'
    fixedVersion: 1.1.1t-r0
    installedVersion: 1.1.1n-r0
    links: []
    primaryLink: https://avd.aquasec.com/nvd/cve-2022-4304
    resource: libcrypto1.1
    score: 5.9
    severity: MEDIUM
    target: ""
    title: 'openssl: timing attack in RSA Decryption implementation'
    vulnerabilityID: CVE-2022-4304
  - description: The function PEM_read_bio_ex() reads a PEM file from a BIO and parses
      and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload
      data. If the function succeeds then the "name_out", "header" and "data" arguments
      are populated with pointers to buffers containing the relevant decoded data.
      The caller is responsible for freeing those buffers. It is possible to construct
      a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex()
      will return a failure code but will populate the header argument with a pointer
      to a buffer that has already been freed. If the caller also frees this buffer
      then a double free will occur. This will most likely lead to a crash. This could
      be exploited by an attacker who has the ability to supply malicious PEM files
      for parsing to achieve a denial of service attack. The functions PEM_read_bio()
      and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these
      functions are also directly affected. These functions are also called indirectly
      by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex()
      and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal
      uses of these functions are not vulnerable because the caller does not free
      the header argument if PEM_read_bio_ex() returns a failure code. These locations
      include the PEM_read_bio_TYPE() functions as well as the decoders introduced
      in OpenSSL 3.0. The OpenSSL asn1parse command line application is also impacted
      by this issue.
    fixedVersion: 1.1.1t-r0
    installedVersion: 1.1.1n-r0
    links: []
    primaryLink: https://avd.aquasec.com/nvd/cve-2022-4450
    resource: libssl1.1
    score: 7.5
    severity: HIGH
    target: ""
    title: 'openssl: double free after calling PEM_read_bio_ex'
    vulnerabilityID: CVE-2022-4450
  - description: The public API function BIO_new_NDEF is a helper function used for
      streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to
      support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called
      directly by end user applications. The function receives a BIO from the caller,
      prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain,
      and then returns the new head of the BIO chain to the caller. Under certain
      conditions, for example if a CMS recipient public key is invalid, the new filter
      BIO is freed and the function returns a NULL result indicating a failure. However,
      in this case, the BIO chain is not properly cleaned up and the BIO passed by
      the caller still retains internal pointers to the previously freed filter BIO.
      If the caller then goes on to call BIO_pop() on the BIO then a use-after-free
      will occur. This will most likely result in a crash. This scenario occurs directly
      in the internal function B64_write_ASN1() which may cause BIO_new_NDEF() to
      be called and will subsequently call BIO_pop() on the BIO. This internal function
      is in turn called by the public API functions PEM_write_bio_ASN1_stream, PEM_write_bio_CMS_stream,
      PEM_write_bio_PKCS7_stream, SMIME_write_ASN1, SMIME_write_CMS and SMIME_write_PKCS7.
      Other public API functions that may be impacted by this include i2d_ASN1_bio_stream,
      BIO_new_CMS, BIO_new_PKCS7, i2d_CMS_bio_stream and i2d_PKCS7_bio_stream. The
      OpenSSL cms and smime command line applications are similarly affected.
    fixedVersion: 1.1.1t-r0
    installedVersion: 1.1.1n-r0
    links: []
    primaryLink: https://avd.aquasec.com/nvd/cve-2023-0215
    resource: libssl1.1
    score: 7.5
    severity: HIGH
    target: ""
    title: 'openssl: use-after-free following BIO_new_NDEF'
    vulnerabilityID: CVE-2023-0215
  - description: There is a type confusion vulnerability relating to X.400 address
      processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING
      but the public structure definition for GENERAL_NAME incorrectly specified the
      type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted
      by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING.
      When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK
      flag), this vulnerability may allow an attacker to pass arbitrary pointers to
      a memcmp call, enabling them to read memory contents or enact a denial of service.
      In most cases, the attack requires the attacker to provide both the certificate
      chain and CRL, neither of which need to have a valid signature. If the attacker
      only controls one of these inputs, the other input must already contain an X.400
      address as a CRL distribution point, which is uncommon. As such, this vulnerability
      is most likely to only affect applications which have implemented their own
      functionality for retrieving CRLs over a network.
    fixedVersion: 1.1.1t-r0
    installedVersion: 1.1.1n-r0
    links: []
    primaryLink: https://avd.aquasec.com/nvd/cve-2023-0286
    resource: libssl1.1
    score: 7.4
    severity: HIGH
    target: ""
    title: 'openssl: X.400 address type confusion in X.509 GeneralName'
    vulnerabilityID: CVE-2023-0286
  - description: AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised
      implementation will not encrypt the entirety of the data under some circumstances.
      This could reveal sixteen bytes of data that was preexisting in the memory that
      wasn't written. In the special case of "in place" encryption, sixteen bytes
      of the plaintext would be revealed. Since OpenSSL does not support OCB based
      cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5
      (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).
    fixedVersion: 1.1.1q-r0
    installedVersion: 1.1.1n-r0
    links: []
    primaryLink: https://avd.aquasec.com/nvd/cve-2022-2097
    resource: libssl1.1
    score: 5.3
    severity: MEDIUM
    target: ""
    title: 'openssl: AES OCB fails to encrypt some bytes'
    vulnerabilityID: CVE-2022-2097
  - description: 'A timing based side channel exists in the OpenSSL RSA Decryption
      implementation which could be sufficient to recover a plaintext across a network
      in a Bleichenbacher style attack. To achieve a successful decryption an attacker
      would have to be able to send a very large number of trial messages for decryption.
      The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.
      For example, in a TLS connection, RSA is commonly used by a client to send an
      encrypted pre-master secret to the server. An attacker that had observed a genuine
      connection between a client and a server could use this flaw to send trial messages
      to the server and record the time taken to process them. After a sufficiently
      large number of messages the attacker could recover the pre-master secret used
      for the original connection and thus be able to decrypt the application data
      sent over that connection.'
    fixedVersion: 1.1.1t-r0
    installedVersion: 1.1.1n-r0
    links: []
    primaryLink: https://avd.aquasec.com/nvd/cve-2022-4304
    resource: libssl1.1
    score: 5.9
    severity: MEDIUM
    target: ""
    title: 'openssl: timing attack in RSA Decryption implementation'
    vulnerabilityID: CVE-2022-4304
  - description: 'zlib through 1.2.12 has a heap-based buffer over-read or buffer
      overflow in inflate in inflate.c via a large gzip header extra field. NOTE:
      only applications that call inflateGetHeader are affected. Some common applications
      bundle the affected zlib source code but may be unable to call inflateGetHeader
      (e.g., see the nodejs/node reference).'
    fixedVersion: 1.2.12-r2
    installedVersion: 1.2.12-r0
    links: []
    primaryLink: https://avd.aquasec.com/nvd/cve-2022-37434
    resource: zlib
    score: 7
    severity: CRITICAL
    target: ""
    title: 'zlib: heap-based buffer over-read and overflow in inflate() in inflate.c
      via a large gzip header extra field'
    vulnerabilityID: CVE-2022-37434
  - description: In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers
      can cause a denial of service because an HTTP/2 connection can hang during closing
      if shutdown were preempted by a fatal error.
    fixedVersion: 0.0.0-20220906165146-f3363e06e74c
    installedVersion: v0.0.0-20220412020605-290c469a71a5
    links: []
    primaryLink: https://avd.aquasec.com/nvd/cve-2022-27664
    resource: golang.org/x/net
    score: 7.5
    severity: HIGH
    target: ""
    title: 'golang: net/http: handle server errors after sending GOAWAY'
    vulnerabilityID: CVE-2022-27664
  - description: An attacker can cause excessive memory growth in a Go server accepting
      HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys
      sent by the client. While the total number of entries in this cache is capped,
      an attacker sending very large keys can cause the server to allocate approximately
      64 MiB per open connection.
    fixedVersion: 0.4.0
    installedVersion: v0.0.0-20220412020605-290c469a71a5
    links: []
    primaryLink: https://avd.aquasec.com/nvd/cve-2022-41717
    resource: golang.org/x/net
    score: 5.3
    severity: MEDIUM
    target: ""
    title: 'golang: net/http: An attacker can cause excessive memory growth in a Go
      server accepting HTTP/2 requests'
    vulnerabilityID: CVE-2022-41717
  - description: A maliciously crafted HTTP/2 stream could cause excessive CPU consumption
      in the HPACK decoder, sufficient to cause a denial of service from a small number
      of small requests.
    fixedVersion: 0.7.0
    installedVersion: v0.0.0-20220412020605-290c469a71a5
    links: []
    primaryLink: https://avd.aquasec.com/nvd/cve-2022-41723
    resource: golang.org/x/net
    severity: LOW
    target: ""
    title: A maliciously crafted HTTP/2 stream could cause excessive CPU consumpt
      ...
    vulnerabilityID: CVE-2022-41723
  - description: An attacker may cause a denial of service by crafting an Accept-Language
      header which ParseAcceptLanguage will take significant time to parse.
    fixedVersion: 0.3.8
    installedVersion: v0.3.7
    links: []
    primaryLink: https://avd.aquasec.com/nvd/cve-2022-32149
    resource: golang.org/x/text
    score: 7.5
    severity: HIGH
    target: ""
    title: 'golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time
      to parse complex tags'
    vulnerabilityID: CVE-2022-32149

The five vulnerabilities CVE-2022-4450, CVE-2023-0215, CVE-2023-0286, CVE-2022-2097, and CVE-2022-4304 all share the same ID but use different resources.

I discovered that there were five data gaps when comparing the data from trivy_image_vulnerabilities and trivy_vulnerability_id.

[Image: Screenshot 2023-03-09 at 15:56:21]

This is the outcome of the trivy_vulnerability_id metrics. We cannot see the metric with resource libssl1.1, only libcrypto1.1.

[Image: Screenshot 2023-03-09 at 16:09:46]

Environment:

chen-keinan commented 1 year ago

@LERUfic not sure both metrics can be the same: trivy_vulnerability_id has cardinality (it produces a metric for each CVE in a container), while trivy_image_vulnerabilities is a summary metric (one per container).

What info are you missing?

aguelajaib commented 1 year ago

Like CVE-2022-4450 from the example, the metric only shows resource libcrypto1.1 but not libssl1.1. It's good to know what resources are being affected by CVE-2022-4450 in each container.

But if that's not possible, can we at least get the sum of trivy_vulnerability_id to be the same as trivy_image_vulnerabilities? For example, if there's a duplicate vulnerability ID, the value of trivy_vulnerability_id would become 2 instead of 1.

chen-keinan commented 1 year ago

> Like CVE-2022-4450 from the example, the metric only shows resource libcrypto1.1 but not libssl1.1. It's good to know what resources are being affected by CVE-2022-4450 in each container.
>
> But if that's not possible, can we at least get the sum of trivy_vulnerability_id to be the same as trivy_image_vulnerabilities? For example, if there's a duplicate vulnerability ID, the value of trivy_vulnerability_id would become 2 instead of 1.

trivy_vulnerability_id data can be easily extended (small dev) if additional info is needed.

alexanderwoehler commented 1 year ago

I have created a PR, which would create one metric per occurrence of a CVE in an image. So in this particular example there would be 2 metrics for CVE-2022-4450 and the image external-dns/external-dns:v0.12.0 -> one for libssl1.1 and one for libcrypto1.1.

trivy_vulnerability_id{class="",container_name="external-dns",fixed_version="1.1.1t-r0",image_digest="",image_registry="registry.k8s.io",image_repository="external-dns/external-dns",image_tag="v0.12.0",installed_version="1.1.1n-r0",name="replicaset-external-dns-6cb567959b-external-dns",namespace="default",package_type="",pkg_path="",resource="libcrypto1.1",resource_kind="ReplicaSet",resource_name="external-dns-6cb567959b",severity="High",vuln_id="CVE-2022-4450",vuln_score="7.5",vuln_title="double free after calling PEM_read_bio_ex"} 1
trivy_vulnerability_id{class="",container_name="external-dns",fixed_version="1.1.1t-r0",image_digest="",image_registry="registry.k8s.io",image_repository="external-dns/external-dns",image_tag="v0.12.0",installed_version="1.1.1n-r0",name="replicaset-external-dns-6cb567959b-external-dns",namespace="default",package_type="",pkg_path="",resource="libssl1.1",resource_kind="ReplicaSet",resource_name="external-dns-6cb567959b",severity="High",vuln_id="CVE-2022-4450",vuln_score="7.5",vuln_title="double free after calling PEM_read_bio_ex"} 1
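The two explanations in this thread (chen-keinan's point that trivy_vulnerability_id is a per-CVE series while trivy_image_vulnerabilities is a per-container summary, and the fix of emitting one series per CVE occurrence) come down to what is in the label set. The Go program below is an added illustration, not trivy-operator's code or the PR: it models a Prometheus GaugeVec as a map keyed by the joined label set, feeds it the 15 findings from the external-dns report above (constructed by hand from that report), and compares the series count with and without the `resource` label against the report summary. The label names are taken from the metric output in the previous comment; using a plain map instead of the Prometheus client library, and the `Gap` and `CollapsedIDs` helpers, are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Vulnerability is a constructed, trimmed-down view of one entry in the
// VulnerabilityReport from the issue; only fields used as metric labels are kept.
type Vulnerability struct {
	ID               string
	Resource         string
	InstalledVersion string
	FixedVersion     string
	Severity         string
}

// openssl lists the five OpenSSL CVEs that the report attributes to both
// libcrypto1.1 and libssl1.1 with identical version labels.
func openssl(resource string) []Vulnerability {
	return []Vulnerability{
		{"CVE-2022-4450", resource, "1.1.1n-r0", "1.1.1t-r0", "HIGH"},
		{"CVE-2023-0215", resource, "1.1.1n-r0", "1.1.1t-r0", "HIGH"},
		{"CVE-2023-0286", resource, "1.1.1n-r0", "1.1.1t-r0", "HIGH"},
		{"CVE-2022-2097", resource, "1.1.1n-r0", "1.1.1q-r0", "MEDIUM"},
		{"CVE-2022-4304", resource, "1.1.1n-r0", "1.1.1t-r0", "MEDIUM"},
	}
}

// SampleReport reproduces the 15 findings of the external-dns:v0.12.0 report
// posted in the issue (constructed from that report, not parsed from it).
var SampleReport = append(append(openssl("libcrypto1.1"), openssl("libssl1.1")...),
	Vulnerability{"CVE-2022-37434", "zlib", "1.2.12-r0", "1.2.12-r2", "CRITICAL"},
	Vulnerability{"CVE-2022-27664", "golang.org/x/net", "v0.0.0-20220412020605-290c469a71a5", "0.0.0-20220906165146-f3363e06e74c", "HIGH"},
	Vulnerability{"CVE-2022-41717", "golang.org/x/net", "v0.0.0-20220412020605-290c469a71a5", "0.4.0", "MEDIUM"},
	Vulnerability{"CVE-2022-41723", "golang.org/x/net", "v0.0.0-20220412020605-290c469a71a5", "0.7.0", "LOW"},
	Vulnerability{"CVE-2022-32149", "golang.org/x/text", "v0.3.7", "0.3.8", "HIGH"},
)

// SeriesKey builds the label set that identifies one time series. A Prometheus
// GaugeVec stores exactly one sample per distinct label set, so two findings
// that produce the same key collapse into a single series.
func SeriesKey(v Vulnerability, withResource bool) string {
	labels := []string{
		"image_repository=external-dns/external-dns",
		"image_tag=v0.12.0",
		"vuln_id=" + v.ID,
		"severity=" + v.Severity,
		"installed_version=" + v.InstalledVersion,
		"fixed_version=" + v.FixedVersion,
	}
	if withResource {
		labels = append(labels, "resource="+v.Resource)
	}
	sort.Strings(labels)
	return strings.Join(labels, ",")
}

// ExposeVulnIDSeries models trivy_vulnerability_id for one image: each finding
// sets its series to 1 (Set, not Add), so a repeated key overwrites the previous one.
func ExposeVulnIDSeries(report []Vulnerability, withResource bool) map[string]float64 {
	series := make(map[string]float64, len(report))
	for _, v := range report {
		series[SeriesKey(v, withResource)] = 1
	}
	return series
}

// SummaryCount models trivy_image_vulnerabilities: the report summary counts
// every finding, including the same CVE occurring in two packages.
func SummaryCount(report []Vulnerability) int { return len(report) }

// Gap is the difference a dashboard shows between trivy_image_vulnerabilities
// and sum(trivy_vulnerability_id) for the same image.
func Gap(report []Vulnerability, withResource bool) int {
	total := 0.0
	for _, v := range ExposeVulnIDSeries(report, withResource) {
		total += v
	}
	return SummaryCount(report) - int(total)
}

// CollapsedIDs returns the CVE IDs that the report lists under more than one
// resource; these are exactly the findings lost when resource is not a label.
func CollapsedIDs(report []Vulnerability) []string {
	resourcesByID := make(map[string]map[string]bool)
	for _, v := range report {
		if resourcesByID[v.ID] == nil {
			resourcesByID[v.ID] = make(map[string]bool)
		}
		resourcesByID[v.ID][v.Resource] = true
	}
	var ids []string
	for id, res := range resourcesByID {
		if len(res) > 1 {
			ids = append(ids, id)
		}
	}
	sort.Strings(ids)
	return ids
}

func main() {
	fmt.Printf("summary count: %d\n", SummaryCount(SampleReport))
	fmt.Printf("series without resource label: %d (gap %d)\n",
		len(ExposeVulnIDSeries(SampleReport, false)), Gap(SampleReport, false))
	fmt.Printf("series with resource label:    %d (gap %d)\n",
		len(ExposeVulnIDSeries(SampleReport, true)), Gap(SampleReport, true))
	fmt.Printf("CVEs present in more than one package: %v\n", CollapsedIDs(SampleReport))
}
```

Without `resource` in the label set the ten OpenSSL findings map onto five keys (libcrypto1.1 and libssl1.1 carry the same installed and fixed versions, so nothing else tells them apart), which is the five-series gap reported in the issue; with `resource` included the per-CVE series sum matches the summary. The same check works against a live exporter by comparing `sum(trivy_vulnerability_id)` with `trivy_image_vulnerabilities` per image, and a non-zero difference points at findings that differ only in a label the metric does not carry.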