Closed knqyf263 closed 2 weeks ago
Why is the file vex.go in misc and not in magefiles?
Yeah, it's better to put it in magefiles. I didn't mean to commit this file at the beginning, and I found some issues in govulncheck. After all, the script is not small anymore and I committed it. I didn't carefully think about the script. I'll move it.
Why is the file vex.go in misc and not in magefiles?
Moved https://github.com/aquasecurity/trivy/pull/7128/commits/527b03318e944addec4ede6fb95f4ab0edf74627
Overview
This PR introduces an OpenVEX generator for Trivy. This tool generates OpenVEX with govulncheck to reduce false positives in vulnerability scanning by explicitly declaring "not_affected" statements for vulnerabilities that do not impact Trivy.
Key Features
I chose v0.40.0, not for any particular reason, but because it is old enough that I thought many users would be using a newer version than that.
Implementation Details
Addressing govulncheck Limitations
The current version of govulncheck (v1.1.2) has some limitations:
To overcome these issues, our script:
(govulncheck -format json) in conjunction with OpenVEX to gather additional data, such as subcomponents. This will improve as more features are added to govulncheck.
Optimization Strategy
While it's possible for a vulnerability to be "affected" in one version and "not_affected" in another (let's say Trivy v0.50.0 uses a vulnerable function, `Solver.Solve` in `moby/buildkit`, but stops using the function in v0.51.0), I assume this is relatively rare. Therefore, for vulnerabilities that are "not_affected" and "fixed" across all versions from v0.40.0 onwards, we declare them as "not_affected" for all Trivy versions by omitting the version in the product PURL. The product ID would be `pkg:golang/github.com/aquasecurity/trivy` rather than `pkg:golang/github.com/aquasecurity/trivy@0.53.0`. Please refer to the committed OpenVEX file in this PR for concrete examples of the generated output.
Next Steps
Checklist
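The optimization strategy above (one unversioned product PURL when a vulnerability is "not_affected" in every scanned Trivy release, a versioned PURL per release otherwise) as an added, stand-alone Go example. This is not the PR's vex.go and does not read real govulncheck output: the `Finding` struct is a constructed, simplified view of one govulncheck result per release, the vulnerability IDs, module paths and dependency versions in `SampleFindings` are placeholders, and the OpenVEX document ID and author are placeholders too. Only the OpenVEX v0.2.0 field names and the `vulnerable_code_not_in_execute_path` justification are taken from the OpenVEX specification.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Finding is a constructed, simplified view of one govulncheck result for one
// Trivy release. It is NOT the real govulncheck JSON schema; the fields are
// only what the aggregation below needs. Findings are assumed to be listed in
// ascending Trivy release order.
type Finding struct {
	TrivyVersion string // scanned release, e.g. "v0.50.0"
	VulnID       string // Go vulnerability database ID (placeholders here)
	Module       string // vulnerable dependency module path
	ModuleVer    string // dependency version that release pulled in
	Affected     bool   // true when govulncheck found a reachable call into the vulnerable code
}

// Minimal OpenVEX v0.2.0 data model, only the fields this example emits.
type Vulnerability struct {
	Name string `json:"name"`
}

type Subcomponent struct {
	ID string `json:"@id"`
}

type Product struct {
	ID            string         `json:"@id"`
	Subcomponents []Subcomponent `json:"subcomponents,omitempty"`
}

type Statement struct {
	Vulnerability Vulnerability `json:"vulnerability"`
	Products      []Product     `json:"products"`
	Status        string        `json:"status"`
	Justification string        `json:"justification,omitempty"`
}

type Document struct {
	Context    string      `json:"@context"`
	ID         string      `json:"@id"`
	Author     string      `json:"author"`
	Version    int         `json:"version"`
	Statements []Statement `json:"statements"`
}

const productPURL = "pkg:golang/github.com/aquasecurity/trivy"

// subcomponents returns the unique, sorted dependency PURLs seen in fs.
func subcomponents(fs []Finding) []Subcomponent {
	seen := map[string]bool{}
	var out []Subcomponent
	for _, f := range fs {
		id := "pkg:golang/" + f.Module + "@" + f.ModuleVer
		if !seen[id] {
			seen[id] = true
			out = append(out, Subcomponent{ID: id})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].ID < out[j].ID })
	return out
}

// BuildStatements turns per-release findings into OpenVEX statements.
// A vulnerability that is not_affected in every scanned release gets one
// statement whose product PURL carries no version, covering all Trivy
// versions. Otherwise each not_affected release gets its own versioned PURL.
// Affected releases get no not_affected statement, so scanners keep reporting them.
func BuildStatements(findings []Finding) []Statement {
	byVuln := map[string][]Finding{}
	for _, f := range findings {
		byVuln[f.VulnID] = append(byVuln[f.VulnID], f)
	}
	ids := make([]string, 0, len(byVuln))
	for id := range byVuln {
		ids = append(ids, id)
	}
	sort.Strings(ids) // deterministic output order

	var stmts []Statement
	for _, id := range ids {
		fs := byVuln[id]
		anyAffected := false
		for _, f := range fs {
			if f.Affected {
				anyAffected = true
				break
			}
		}
		if !anyAffected {
			stmts = append(stmts, Statement{
				Vulnerability: Vulnerability{Name: id},
				Products:      []Product{{ID: productPURL, Subcomponents: subcomponents(fs)}},
				Status:        "not_affected",
				Justification: "vulnerable_code_not_in_execute_path",
			})
			continue
		}
		for _, f := range fs {
			if f.Affected {
				continue
			}
			stmts = append(stmts, Statement{
				Vulnerability: Vulnerability{Name: id},
				Products: []Product{{
					// PURL versions are written without the leading "v", as in the PR description
					ID:            productPURL + "@" + strings.TrimPrefix(f.TrivyVersion, "v"),
					Subcomponents: subcomponents([]Finding{f}),
				}},
				Status:        "not_affected",
				Justification: "vulnerable_code_not_in_execute_path",
			})
		}
	}
	return stmts
}

// RenderDocument wraps the statements in an OpenVEX document and returns its JSON.
func RenderDocument(stmts []Statement) ([]byte, error) {
	doc := Document{
		Context:    "https://openvex.dev/ns/v0.2.0",
		ID:         "https://example.invalid/trivy.openvex.json", // placeholder document ID
		Author:     "example author",                             // placeholder author
		Version:    1,
		Statements: stmts,
	}
	return json.MarshalIndent(doc, "", "  ")
}

// SampleFindings is constructed input; IDs, modules and versions are placeholders.
func SampleFindings() []Finding {
	return []Finding{
		// first vulnerability: unreachable in every scanned release
		{"v0.40.0", "GO-0000-0001", "github.com/example/depa", "v1.0.0", false},
		{"v0.50.0", "GO-0000-0001", "github.com/example/depa", "v1.2.0", false},
		{"v0.53.0", "GO-0000-0001", "github.com/example/depa", "v1.2.0", false},
		// second vulnerability: reachable in v0.50.0, unreachable from v0.51.0 on
		{"v0.50.0", "GO-0000-0002", "github.com/example/depb", "v2.0.0", true},
		{"v0.51.0", "GO-0000-0002", "github.com/example/depb", "v2.0.0", false},
		{"v0.53.0", "GO-0000-0002", "github.com/example/depb", "v2.1.0", false},
	}
}

func main() {
	out, err := RenderDocument(BuildStatements(SampleFindings()))
	if err != nil {
		panic(err)
	}
	fmt.Println(string(out))
}
```

Running it prints three statements: one for GO-0000-0001 with the unversioned product `pkg:golang/github.com/aquasecurity/trivy` and both dependency versions as subcomponents, and two for GO-0000-0002 scoped to `@0.51.0` and `@0.53.0`, with no statement for the affected v0.50.0. The all-clear check is deliberately strict: a single affected release anywhere in the scanned range is enough to fall back to per-version PURLs, which is the safe side of the "relatively rare" assumption.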