aquasecurity / trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
https://aquasecurity.github.io/trivy
Apache License 2.0
23.6k stars 2.32k forks

Filter vulnerabilities found in old versions of the kernel #3764

Open mikhailzakhryapin opened 1 year ago

mikhailzakhryapin commented 1 year ago

Hi,

  1. Trivy detects a vulnerability in kernel version 1.
  2. I run apt upgrade and upgrade the kernel to version 2, which addresses the vulnerability found in step 1.
  3. Now the host runs kernel version 2. Trivy still shows the vulnerability on this host because kernel version 1 is still on the disk.
  4. If I run apt autoremove, kernel version 1 is removed from the disk and Trivy shows that there is no vulnerability on this host.

I would like to have a command-line option that hides old versions of the kernel appearing in the Trivy report.

knqyf263 commented 1 year ago

I think what we should do is detect the running kernel version. Welcome any other ideas.
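The four-step reproduction above and the suggestion to detect the running kernel can be prototyped as a post-filter over Trivy's JSON output rather than a change to Trivy itself. The following is an added example written for this page; it is not Trivy code and no such option exists in the project. It assumes the report layout `trivy rootfs --format json` emits (`Results[].Vulnerabilities[]` with `PkgName` and `InstalledVersion`), the Debian/Ubuntu convention that the running kernel's package is named `linux-image-<uname -r>`, and the RHEL convention that `uname -r` is the `kernel`/`kernel-core` package version with the arch appended. The report embedded below is constructed; the CVE identifiers in it are placeholders.

```python
"""Hypothetical post-filter for Trivy JSON reports (not part of Trivy):
drop vulnerabilities in kernel packages that are installed on disk but
are not the kernel the host actually booted.

Assumed report layout (as produced by `trivy rootfs --format json`):
  {"Results": [{"Target": ..., "Vulnerabilities": [{"PkgName": ..., "InstalledVersion": ...}]}]}
"""
import json
import platform
import re
import sys
from typing import Dict, List

# Debian/Ubuntu assumption: "linux-image-5.15.0-91-generic" (version "5.15.0-91.101")
# is the running kernel when `uname -r` == "5.15.0-91-generic".
DEB_KERNEL_RE = re.compile(r"^linux-(image|modules)(-unsigned|-extra)?-(?P<release>\d\S*)$")
# RHEL/Fedora assumption: package "kernel-core" version "5.14.0-362.8.1.el9_3" is running
# when `uname -r` == "5.14.0-362.8.1.el9_3.x86_64" (arch suffix appended to the version).
RPM_KERNEL_NAMES = {"kernel", "kernel-core", "kernel-modules", "kernel-modules-core"}


def running_kernel() -> str:
    """Release string of the kernel this process runs on (same as `uname -r`).
    Inside a container this is still the host kernel, because containers share it."""
    return platform.release()


def is_kernel_package(pkg_name: str) -> bool:
    """Versioned kernel packages only; meta packages like linux-image-generic are not matched."""
    return bool(DEB_KERNEL_RE.match(pkg_name)) or pkg_name in RPM_KERNEL_NAMES


def matches_running(pkg_name: str, installed_version: str, running: str) -> bool:
    """True if this kernel package is the one the host booted."""
    m = DEB_KERNEL_RE.match(pkg_name)
    if m:
        return m.group("release") == running
    if pkg_name in RPM_KERNEL_NAMES:
        return running == installed_version or running.startswith(installed_version + ".")
    return False


def filter_stale_kernel_vulns(report: Dict, running: str) -> Dict:
    """Return a copy of the report without findings for kernel packages that are
    installed but not running. Anything not recognised as a kernel package is kept,
    so an unknown package layout errs towards noise rather than silence."""
    out = {k: v for k, v in report.items() if k != "Results"}
    out["Results"] = []
    for result in report.get("Results", []):
        kept: List[Dict] = []
        for vuln in result.get("Vulnerabilities") or []:
            name = vuln.get("PkgName", "")
            if is_kernel_package(name) and not matches_running(name, vuln.get("InstalledVersion", ""), running):
                continue  # stale kernel still on disk (step 3 of the reproduction)
            kept.append(vuln)
        new_result = dict(result)
        new_result["Vulnerabilities"] = kept
        out["Results"].append(new_result)
    return out


def kept_ids(report: Dict) -> List[str]:
    """Vulnerability IDs remaining in a report, in order, for quick inspection."""
    return [v["VulnerabilityID"] for r in report.get("Results", []) for v in r.get("Vulnerabilities") or []]


# Constructed sample: host upgraded from 5.15.0-91 to 5.15.0-92, old kernel not yet autoremoved.
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "Results": [{
        "Target": "/", "Class": "os-pkgs", "Type": "ubuntu",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-EXAMPLE-1", "PkgName": "linux-image-5.15.0-91-generic",
             "InstalledVersion": "5.15.0-91.101", "FixedVersion": "5.15.0-92.102"},
            {"VulnerabilityID": "CVE-EXAMPLE-2", "PkgName": "linux-modules-5.15.0-91-generic",
             "InstalledVersion": "5.15.0-91.101", "FixedVersion": "5.15.0-92.102"},
            {"VulnerabilityID": "CVE-EXAMPLE-3", "PkgName": "linux-image-5.15.0-92-generic",
             "InstalledVersion": "5.15.0-92.102"},
            {"VulnerabilityID": "CVE-EXAMPLE-4", "PkgName": "openssl",
             "InstalledVersion": "3.0.2-0ubuntu1.10"},
        ],
    }],
}

if __name__ == "__main__":
    # usage: python filter_kernel.py [trivy-report.json] [uname-r-override]
    source = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    release = sys.argv[2] if len(sys.argv) > 2 else running_kernel()
    print(json.dumps(filter_stale_kernel_vulns(source, release), indent=2))
```

Two caveats apply to this approach. First, the filter must be run with the running-kernel value taken from the scanned host, which is what makes it a host-scan (rootfs/vm) concern: scanning a saved report elsewhere would need `uname -r` passed in explicitly. Second, hiding the finding does not remove the old kernel: it is still on disk and still bootable from the bootloader menu, so apt autoremove remains the actual fix, and the filter only stops the report from counting a vulnerability the host is not currently exposed to.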

itaysk commented 1 year ago

We also need to consider how this works with different targets. Scanning kernel vulnerabilities via image scanning doesn't make a lot of sense given that containers are abstracted away from the kernel (and Trivy is often run as a container itself). Would it make sense to make this a VM target feature? Then we can also detect the running kernel with more confidence, or have target-specific flags (like the k8s api-version flag in the k8s target).

knqyf263 commented 1 year ago

First, container images don't show the Linux kernel in the list of installed packages. Trivy doesn't detect kernel vulnerabilities anyway. This issue is mainly relevant to host scanning like trivy rootfs or trivy vm. @mikhailzakhryapin Please correct me if I'm wrong.

mikhailzakhryapin commented 1 year ago

@knqyf263 That's correct. It relates to scanning the host. Sorry that I did not mention it in my first post. We are developing the running kernel detection feature and are ready to share the code as soon as we finish it.

knqyf263 commented 1 year ago

Great! Looking forward to seeing it.

swallace-ciq commented 9 months ago

> @knqyf263 That's correct. It relates to scanning the host. Sorry that I did not mention it in my first post. We are developing the running kernel detection feature and are ready to share the code as soon as we finish it.

Is there any update on this feature? Definitely interested in it.

omerfsen commented 6 months ago

Any update?

apdibbo commented 3 months ago

I'd also be very interested in this as a cloud provider