Closed LERUfic closed 1 year ago
@LERUfic not sure both metrics can be the same: trivy_vulnerability_id has cardinality (produces a metric for each CVE in a container) while trivy_image_vulnerabilities is a summary metric (one per container). What info are you missing?
Like CVE-2022-4450 from the example: the metric only shows resource libcrypto1.1 but not libssl1.1. It's good to know what resources are being affected by CVE-2022-4450 in each container.
But if it's not possible, can we at least get the sum value between trivy_vulnerability_id and trivy_image_vulnerabilities to be the same? For example, if there's a duplicate vulnerability ID, the value of trivy_vulnerability_id becomes 2 instead of 1?
trivy_vulnerability_id data can be easily extended (small dev) if additional info is needed.
I have created a PR, which would create one metric per occurrence of a CVE in an image. So in this particular example there would be 2 metrics for CVE-2022-4450 and the image external-dns/external-dns:v0.12.0 -> one for libssl1.1 and one for libcrypto1.1.
trivy_vulnerability_id{class="",container_name="external-dns",fixed_version="1.1.1t-r0",image_digest="",image_registry="registry.k8s.io",image_repository="external-dns/external-dns",image_tag="v0.12.0",installed_version="1.1.1n-r0",name="replicaset-external-dns-6cb567959b-external-dns",namespace="default",package_type="",pkg_path="",resource="libcrypto1.1",resource_kind="ReplicaSet",resource_name="external-dns-6cb567959b",severity="High",vuln_id="CVE-2022-4450",vuln_score="7.5",vuln_title="double free after calling PEM_read_bio_ex"} 1
trivy_vulnerability_id{class="",container_name="external-dns",fixed_version="1.1.1t-r0",image_digest="",image_registry="registry.k8s.io",image_repository="external-dns/external-dns",image_tag="v0.12.0",installed_version="1.1.1n-r0",name="replicaset-external-dns-6cb567959b-external-dns",namespace="default",package_type="",pkg_path="",resource="libssl1.1",resource_kind="ReplicaSet",resource_name="external-dns-6cb567959b",severity="High",vuln_id="CVE-2022-4450",vuln_score="7.5",vuln_title="double free after calling PEM_read_bio_ex"} 1
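Added example, not code from the PR or from trivy-operator itself: a small Python script that parses trivy_vulnerability_id samples in Prometheus exposition format and counts them per image both ways, deduplicated on vuln_id (the behaviour the issue reports, where the second affected resource is lost) and per (vuln_id, resource) pair (what the PR exports), and lists the CVE IDs responsible for the gap between the two counts. The sample lines are constructed from the two quoted above with the label set trimmed; CVE-0000-PLACEHOLDER is a placeholder ID, not a real finding.

```python
import re
from collections import defaultdict
# Constructed sample (Prometheus exposition format) modelled on the two lines quoted
# above; labels trimmed, and CVE-0000-PLACEHOLDER stands in for a single-resource finding.
SAMPLE = """\
trivy_vulnerability_id{image_repository="external-dns/external-dns",image_tag="v0.12.0",resource="libcrypto1.1",severity="High",vuln_id="CVE-2022-4450"} 1
trivy_vulnerability_id{image_repository="external-dns/external-dns",image_tag="v0.12.0",resource="libssl1.1",severity="High",vuln_id="CVE-2022-4450"} 1
trivy_vulnerability_id{image_repository="external-dns/external-dns",image_tag="v0.12.0",resource="libcrypto1.1",severity="High",vuln_id="CVE-2023-0215"} 1
trivy_vulnerability_id{image_repository="external-dns/external-dns",image_tag="v0.12.0",resource="libssl1.1",severity="High",vuln_id="CVE-2023-0215"} 1
trivy_vulnerability_id{image_repository="external-dns/external-dns",image_tag="v0.12.0",resource="placeholder-pkg",severity="Medium",vuln_id="CVE-0000-PLACEHOLDER"} 1
"""
SAMPLE_RE = re.compile(r"^(\w+)\{(.*)\}\s+(\S+)$")
LABEL_RE = re.compile(r'(\w+)="([^"]*)"')  # assumes no escaped quotes in label values

def parse_exposition(text):
    """Return [(metric_name, labels_dict, value)] for each non-comment sample line."""
    samples = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if not (m := SAMPLE_RE.match(line)):
            raise ValueError(f"unparsable sample: {line}")
        name, raw_labels, value = m.groups()
        samples.append((name, dict(LABEL_RE.findall(raw_labels)), float(value)))
    return samples

def vulns_per_image(samples, dedupe_by_id):
    """Count trivy_vulnerability_id samples per image. dedupe_by_id=True mimics the
    pre-PR export (one line per CVE, so extra affected resources are lost); False
    counts every (CVE, resource) pair, which is what the PR exports."""
    seen = defaultdict(set)
    for name, labels, _ in samples:
        if name != "trivy_vulnerability_id":
            continue
        image = f'{labels["image_repository"]}:{labels["image_tag"]}'
        key = labels["vuln_id"] if dedupe_by_id else (labels["vuln_id"], labels["resource"])
        seen[image].add(key)
    return {image: len(keys) for image, keys in seen.items()}

def multi_resource_ids(samples):
    """CVE IDs affecting more than one resource in the same image: exactly the
    'gaps' between the summary count and the deduplicated per-CVE count."""
    resources = defaultdict(set)
    for name, labels, _ in samples:
        if name == "trivy_vulnerability_id":
            key = (labels["image_repository"], labels["image_tag"], labels["vuln_id"])
            resources[key].add(labels["resource"])
    return sorted(key[2] for key, res in resources.items() if len(res) > 1)
```

On the constructed sample the deduplicated count is 3 while the per-resource count is 5, the same kind of gap the reporter saw between the two metrics.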
What steps did you take and what happened:
I enabled the trivy_vulnerability_id metrics and then compared the sum of the metrics to trivy_image_vulnerabilities. As a result, the value of trivy_vulnerability_id differs from that of trivy_image_vulnerabilities. When there are two reports of the same vulnerability ID but with different resources, trivy_vulnerability_id will only report it once.

What did you expect to happen:
I expect the count value from trivy_vulnerability_id to be the same as trivy_image_vulnerabilities, so we can get the info on how many resources in the same image have the same vulnerability ID.

Anything else you would like to add:
This is the example report of the external-dns image. The five vulnerabilities CVE-2022-4450, CVE-2023-0215, CVE-2023-0286, CVE-2022-2097, and CVE-2022-4304 all share the same ID but use different resources. I discovered that there were five data gaps when comparing the data from trivy_image_vulnerabilities and trivy_vulnerability_id. This is the outcome of the trivy_vulnerability_id metrics: we cannot see a metric with resource libssl1.1, only libcrypto1.1.

Environment:
trivy-operator version: 0.12.0
kubectl version: v1.24.9-gke.3200