[Feat]: Expose PkgPath value in CVE results #2175
Comments
Hi @vrajashkr, please go ahead, thank you. |
Please let us know if you have any questions. On server side you need to:
Right now the cli side doesn't show package information for CVEs, but maybe we should start doing that.
This last part needs a discussion about what the output should look like, as right now we show a CVE per line, but a single CVE may be found in multiple packages. |
Thanks for the detailed information @andaaron ! It's very helpful. I'll get back with any questions as I work through the changes. |
I've made a set of changes. The code successfully compiles and the cve command seems to execute without panicking. Yay! I'll raise a PR with my changes for some early feedback after writing a few unit tests. We can probably discuss how we'd like to show it in the output once we see some examples with actual images. |
While testing, these were some of the package paths I saw for the test image I used (https://hub.docker.com/r/fl73/spring4shell-vulnerable-app):
One thought I had was to use the listing CLI to show a count of the vulnerable packages and have a new CLI to show more details (including the package paths and versions).
New CLI that accepts a CVE as an argument for more details
This could output:
Would love to get your thoughts on this @andaaron. By the way, let me know if we would like to take up the "Display CVE package information in ZLI" as a separate issue and PR first before we add the package path to it. |
From my point of view it could be a separate PR. Either your suggestion of having a separate command, or we do something similar to what we did for showing layer digests in image command output (have a verbose command line parameter to show extra information).
@rchincha, what do you think? |
#2241 brings in backend support for fetching. @andaaron, since the ZLI approach to display this in CLI output is still in discussion, shall I take a look at the ZUI changes to display this information? I see that ZUI already supports listing the packages for a vulnerability. |
Yes, I think we can add an extra column in the packages table. |
I had a go at adding Package Path to the existing table and there were some challenges. It doesn't seem to be fitting too well even on larger screens when the vulnerability package name and/or the path are long. Here's a sample with a short path (our spring-web image):
On Desktop
On Mobile
Here's a sample with a longer path (fl73/spring4shell-vulnerable-app):
On Desktop
Seeing that we have quite a bit of data to present now, I tried out making some changes to the display to make it vertical instead of horizontally stacked. Here's what it looks like after some trial changes:
On Desktop
On Mobile
I'm open to feedback and suggestions on how we could present this information. |
This information is actually quite useful. Comments as follows:
|
@vrajashkr The final UI changes look better and lgtm. |
@vrajashkr let us know when you have PRs ready for these. |
Thanks for the comments @rchincha. Will raise PRs once the changes are ready. |
Hi @andaaron, @rchincha, I tried out the ZLI changes for the package details. One thing I observed is that vulnerable paths in an image may be quite long so the user may not get much information from the listing as they don't see the full path to the artifact. This approach worked fine for the digest layers example as layer hashes are still valid as references when shortened. On the flip side, if the allowed width is set too high, the screen becomes challenging to work with as we may see wrapping/truncation depending on the terminal config. Do you happen to have any thoughts on how we could approach the output width for this? |
Maybe we should try your initial suggestion in #2175 (comment) |
I gave it a go, but I did make one change. In the above comment, I had earlier suggested the use of a table for the package list, but as that faces the same trouble of knowing the right length to truncate, I decided to do something similar to what was done in zui - a vertical presentation. I'd love to get your thoughts on it. Here's a sample:
|
@vrajashkr thanks for all the work you are doing. I would suggest keeping both the summary/table view and the --verbose view. |
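The two views discussed above (a summary with one line per CVE plus a package count, and a vertical verbose view that prints each affected package with its full path) can be sketched in a few lines of Go. This is an added illustration written for this page, not zot's or trivy's own code; the `Vulnerability` struct, the `GroupByCVE`/`RenderSummary`/`RenderVerbose` functions and the sample findings are all hypothetical and constructed here. It shows the one point the thread keeps coming back to: grouping findings by CVE before printing avoids repeating a CVE once per package, and a vertical layout lets long paths be shown untruncated, unlike layer digests, which stay meaningful when shortened.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Vulnerability is a hypothetical struct mirroring the fields discussed in this
// thread (not zot's or trivy's type): one finding per (CVE, package, path) as a
// scanner reports it.
type Vulnerability struct {
	ID               string // vulnerability identifier, e.g. a CVE number
	Severity         string
	PkgName          string
	InstalledVersion string
	FixedVersion     string
	PkgPath          string // location of the vulnerable artifact inside the image
}

// Package is one affected package as shown in the verbose view.
type Package struct {
	Name, InstalledVersion, FixedVersion, Path string
}

// CVESummary is one row of the summary view: a CVE and every package it was found in.
type CVESummary struct {
	ID       string
	Severity string
	Packages []Package
}

// GroupByCVE folds scanner findings into one entry per CVE, keeping each
// affected package and its path, so a CVE found in several packages is not
// printed once per package in the summary. Output is sorted by ID for stable display.
func GroupByCVE(vulns []Vulnerability) []CVESummary {
	byID := map[string]*CVESummary{}
	for _, v := range vulns {
		s, ok := byID[v.ID]
		if !ok {
			s = &CVESummary{ID: v.ID, Severity: v.Severity}
			byID[v.ID] = s
		}
		s.Packages = append(s.Packages, Package{v.PkgName, v.InstalledVersion, v.FixedVersion, v.PkgPath})
	}
	out := make([]CVESummary, 0, len(byID))
	for _, s := range byID {
		out = append(out, *s)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].ID < out[j].ID })
	return out
}

// RenderSummary prints the compact table: one CVE per line with a package count,
// so nothing variable-length (names, paths) has to fit a fixed column.
func RenderSummary(groups []CVESummary) string {
	var b strings.Builder
	fmt.Fprintf(&b, "%-16s %-8s %s\n", "ID", "SEVERITY", "PACKAGES")
	for _, g := range groups {
		fmt.Fprintf(&b, "%-16s %-8s %d\n", g.ID, g.Severity, len(g.Packages))
	}
	return b.String()
}

// RenderVerbose prints the vertical per-CVE detail view: each package on its own
// lines with the full path, so long paths are never truncated to fit a column.
func RenderVerbose(groups []CVESummary) string {
	var b strings.Builder
	for _, g := range groups {
		fmt.Fprintf(&b, "%s (%s)\n", g.ID, g.Severity)
		for _, p := range g.Packages {
			fmt.Fprintf(&b, "  Package: %s\n", p.Name)
			fmt.Fprintf(&b, "    Installed: %s\n", p.InstalledVersion)
			fmt.Fprintf(&b, "    Fixed:     %s\n", p.FixedVersion)
			fmt.Fprintf(&b, "    Path:      %s\n", p.Path)
		}
	}
	return b.String()
}

// sampleFindings is constructed demo input; the identifiers, package names and
// paths are made up and do not come from any real scan.
var sampleFindings = []Vulnerability{
	{"CVE-0000-0001", "HIGH", "libexample", "1.0.0", "1.0.1", "usr/lib/libexample.so.1"},
	{"CVE-0000-0001", "HIGH", "example-core", "2.3.0", "2.3.1", "app/WEB-INF/lib/example-core-2.3.0.jar"},
	{"CVE-0000-0002", "MEDIUM", "example-core", "2.3.0", "2.4.0", "app/WEB-INF/lib/example-core-2.3.0.jar"},
}

func main() {
	groups := GroupByCVE(sampleFindings)
	fmt.Print(RenderSummary(groups))
	fmt.Println()
	fmt.Print(RenderVerbose(groups))
}
```

Running it prints the summary (two rows, the first with a package count of 2) followed by the vertical view; a `--verbose` flag in a real CLI would simply choose between the two render functions.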
Sorry I'm not very familiar with what trivy provides. Can someone show me what will be the result if a container image has, let's say, an oci layout (inside the container image) containing a layer that has an initrd, which has a jar file which contains a vulnerable openssl? |
Pending PRs both for zui and zli have been merged. Closing this issue. |
Is your feature request related to a problem? Please describe.
https://github.com/aquasecurity/trivy/blob/a96f66f176e512ffb029f2d421e2d77b805eb6ee/pkg/types/vulnerability.go#L14
Show it along the package name in the ZLI and ZUI results.
Describe the solution you'd like
No response
Describe alternatives you've considered
No response
Additional context
No response