dbsystel / trivy-vulnerability-explorer

Web application that loads a Trivy report in JSON format and displays the vulnerabilities of a single target in an interactive data table.
https://dbsystel.github.io/trivy-vulnerability-explorer
Apache License 2.0

Supported versions of Trivy and report types #386

Open ghost opened 1 year ago

ghost commented 1 year ago

Description

The README has two gaps in documentation that could cause unexpected behavior or errors in the application.

  1. What versions of Trivy have been tested to demonstrate compatibility? Since Trivy is still in a v0 status, they do not guarantee backwards compatibility and their reports/outputs may change.
  2. What Trivy report types are supported?
    • The example report you have in the repo seems to be an image scan output
    • Is the Kubernetes report supported?

The tool seems great, but was just hoping to have a better understanding of the current scope of functionality!

Morl99 commented 1 year ago

Hello @pbaumer,

thanks for your interest in the project and your input. I can completely relate to your thoughts. This project started out as a small side-project with no professional intention, but it turned out to be really useful for us and we are using it in our daily work. So I am committed to maintaining and improving it.

I share your observation that Trivy is evolving fast, and I am focusing on the use cases that are relevant for us as a team. We are exclusively using the image scan. I recently fooled around with the Kubernetes scan and find it interesting. Since the nature of the findings is similar to the image scan (because it just scans all images in a Kubernetes cluster), I would be very interested in supporting it. The first step would be to design a good UI for it, since the intention of the project is to be better than what the console output of Trivy can be. If you have any ideas, I would appreciate a discussion. What would you like the trivy-vulnerability-explorer to do?

Without a question, it is a good idea to clearly state what the vulnerability explorer is currently able to support. If you want, you could create an MR for that; if not, I will keep this issue open and work on it once I find the time. As for versions, I could try to document the supported Trivy version, but my observation is that the report format is pretty stable so far. I had to work on a breaking change once, so as far as I know, all report formats that Trivy used during the past 12 months are supported. Since the documentation about the supported versions would get old really fast, I am somewhat reluctant to put it in a README. But since Trivy specifies a schema version, it might be helpful to document that the explorer currently supports both SchemaVersion 1 and 2.

Let me know if you have any other questions.
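To make the two-schema-version point above concrete, here is an added example (not code from the trivy-vulnerability-explorer project) that detects which Trivy JSON layout a report uses and summarises findings per target. It assumes that "SchemaVersion 1" refers to the legacy layout, a bare JSON array of result objects with no version field, and that SchemaVersion 2 reports wrap the results in an object with a `SchemaVersion` key and a `Results` array; the two sample reports are constructed inline and use placeholder CVE identifiers.

```python
import json
from collections import Counter

# Constructed sample report in the legacy (assumed "SchemaVersion 1") layout:
# a bare array of results, no version field.
LEGACY_V1 = json.dumps([
    {"Target": "alpine:3.10 (alpine 3.10.2)",
     "Vulnerabilities": [
         {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "openssl", "Severity": "HIGH"},
         {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "musl", "Severity": "LOW"},
     ]},
])

# Constructed sample report in the SchemaVersion 2 layout (object with Results).
# The second result has no "Vulnerabilities" key, as happens for a clean target.
V2 = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "alpine:3.10",
    "Results": [
        {"Target": "alpine:3.10 (alpine 3.10.2)", "Class": "os-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "openssl", "Severity": "HIGH"},
         ]},
        {"Target": "app/requirements.txt", "Class": "lang-pkgs", "Type": "pip"},
    ],
})

def normalize_report(text):
    """Return (schema_version, results) for either layout, or raise ValueError."""
    data = json.loads(text)
    if isinstance(data, list):            # legacy layout: the array itself is the result list
        return 1, data
    if isinstance(data, dict) and data.get("SchemaVersion") == 2:
        return 2, data.get("Results") or []   # Results may be null when nothing was found
    raise ValueError("unsupported Trivy report layout or SchemaVersion")

def is_supported(text):
    """True if the report parses under one of the two known layouts."""
    try:
        normalize_report(text)
        return True
    except ValueError:
        return False

def severity_counts_by_target(text):
    """Map each target to a Counter of severities; clean targets get an empty Counter."""
    _, results = normalize_report(text)
    return {r["Target"]: Counter(v.get("Severity", "UNKNOWN")
                                 for v in r.get("Vulnerabilities") or [])
            for r in results}
```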