Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Trivy Server Integration Reports Different Vulnerabilities Compared to Trivy Client #4164

Closed
2 tasks done
cheapshot2000 opened this issue Sep 20, 2024 · 19 comments
Closed
2 tasks done
Labels
defect Something isn't working integration/trivy Related to the Trivy integration p2 Non-critical bugs, and features that help organizations to identify and reduce risk size/M Medium effort
Milestone

Comments

@cheapshot2000
Copy link

cheapshot2000 commented Sep 20, 2024

Current Behavior

Dependency Track, using ONLY Trivy Server integration, reports different vulnerabilities that the Trivy Client/CLI does with the same SBOM.

Ultimately, we are trying to get scans from our CICD pipelines and DT to align.  However, DT is processing / scanning differently using the Trivy Server integration resulting in vastly different vulnerability results than using the Trivy client. Even with no other analyzers, scanners, or data sources beyond the trivy server integration.

Steps to Reproduce

  1. Setup DT in an ‘offline’ style mode – this is to ensure only Trivy information is displayed in DT.
  • No NIST data,
  • No internal analyzers,
  • No ability to reach the internet.
  1. Configure Trivy Server Analyzer Integration - we are using Trivy 0.55
  2. Obtain the redhat/ubi9:latest container image.
  3. Using the Trivy CLIENT, generate an SBOM of the UBI image.
  4. Also, using Trivy CLIENT, scan the generated SBOM for vulnerabilities.
  • Note the quantity of vulnerabilities (191 in this example)
  1. Upload the SBOM to offline DT w/ Trivy Server integration.
  • Note the quantity of vulnerabilities reported from Trivy Server (265 in this example)

Files for reproducing:::

Export of the UBI from DT w/ Trivy Server Integration
ubi9_bom_exported_from_DT.json

Trivy Client output showing far fewer vulnerabilities
ubi9_vuln_scan.txt

Trivy Client SBOM w/ Vulns
ubi9_sbom_with_vulns.cdx.json

Trivy Client SBOM w/o Vulns
ubi9_sbom_without_vulns.cdx.json

Expected Behavior

When DT is ‘offline’ and with no other data sources, the vulnerabilities reported by DT w/ Trivy Server integration should match that from Trivy Client.

I understand that DT has other datasources and will decorate/assess differently. The offline aspect of this is to show that this is only coming from the trivy server integration with DT - and that differences are not coming from other data sources.

Dependency-Track Version

4.11.7

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

14.12

Browser

Google Chrome

Checklist

@cheapshot2000 cheapshot2000 added defect Something isn't working in triage labels Sep 20, 2024
@nscuro nscuro added p2 Non-critical bugs, and features that help organizations to identify and reduce risk integration/trivy Related to the Trivy integration size/M Medium effort and removed in triage labels Sep 22, 2024
@cheapshot2000
Copy link
Author

Just seeing if anyone has any thoughts on what is causing this or possible workarounds?

@nscuro
Copy link
Member

nscuro commented Sep 26, 2024

It's likely that we're currently not (or wrongly) populating a Trivy server API field that helps Trivy in "narrowing down" on the actually applicable vulnerabilities.

Seeing that you're dealing with UBI images, my gut feeling is that we're not properly communicating that they are Red Hat components, so Trivy cannot take Red Hat advisories into consideration. Again, just a gut feeling, would need to verify.

@Shadow-Templar
Copy link

Is there any update to this, or has it been verified what the likely culprit could be?

@AkselAllas
Copy link

I am experiencing the same thing. My images are debian bookworm.

@AkselAllas
Copy link

AkselAllas commented Oct 10, 2024

I wasted some time here with Wireshark. (I was hoping to connect proto files and see protobuf unmarshalled, but Wireshark only supports that for UDP or HTTP/2 sadly. Would make much more sense to print unmarshaled protobuf in dev application setup)

One difference I found between sending locally using trivy cli to trivy cli server and sending to dependency track trivy integration via dependency track frontend is as follows:

In protobuf call from dependency track to Trivy integration Scanners field of ScanOptions of POST /twirp/trivy.scanner.v1.Scanner/Scan HTTP/1.1 is set as os, library, vuln

In protobuf call from trivy cli to trivy cli server Scanners field of ScanOptions of POST /twirp/trivy.scanner.v1.Scanner/Scan HTTP/1.1 is set as os, library, vuln, sbom

@AkselAllas
Copy link

AkselAllas commented Oct 10, 2024

Another potential difference 1 vs 2 scans 🤔

Trivy CLI:
Image

Dependency Track Integration
Image

I initially thought that OS is being set wrongly, but both had Debian 12.7 set.

Dependency Track case with 2 scans had:

  1. PutBlob python-pkg and
  2. PutBlob Debian 12.7

@AkselAllas
Copy link

@nscuro Perhaps this should be a P1 issue. This kind of makes the Trivy integration unusable.

I have hundreds of noisy/non-applicable Critical + High issues. Too many to manually suppress.

@nscuro
Copy link
Member

nscuro commented Oct 11, 2024

I will try to have a look this weekend. There are a few Protobuf extensions for BurpSuite, I am optimistic that will yield some insights.

@nscuro
Copy link
Member

nscuro commented Oct 11, 2024

I think I found the issue(s), they should be fixed with #4245.

@cheapshot2000 with those fixes, I'm now getting 197 vulnerabilities for the BOM you provided. I haven't done a diff of the vulns, but I suspect the additional 6 are due to them having been added since you originally reported the issue.

Once the linked PR is merged to master, you will be able to test it using the dependencytrack/apiserver:snapshot container image. You can use the dev Compose files for that purpose:

cd dev
docker compose -f docker-compose.yml -f docker-compose.trivy.yml up -d --pull always

@cheapshot2000
Copy link
Author

Great news! Thank you @nscuro . We'll give it a try early next week...

@AkselAllas
Copy link

AkselAllas commented Oct 13, 2024

@nscuro Thanks for the improvement!

But still there are differences in Trivy Client and Dependency Track integration.

I tried sbom scan of ubi9_sbom_with_vulns.cdx.json using the correct snapshot image (dependencytrack/apiserver@sha256:cf46b02fb8368823f68fa91e41ea7ad7746c738b258888035d7cb0ecd305012c)

With Trivy client there are 197 vulnerabilities (0 criticals, 2 high)
With Dependenct Track there are 197 vulnerabilities (5 criticals, 88 high)

I will also send you a bom on Slack that shows 3 criticals, 54 high in Trivy client, but 9 criticals, 83 high in Dependency Track

@nscuro
Copy link
Member

nscuro commented Oct 13, 2024

Severity and CVSS vectors are taken as-is from the Trivy response:

public Severity parseSeverity(trivy.proto.common.Severity severity) {
return switch (severity) {
case CRITICAL -> Severity.CRITICAL;
case HIGH -> Severity.HIGH;
case MEDIUM -> Severity.MEDIUM;
case LOW -> Severity.LOW;
default -> Severity.UNASSIGNED;
};
}
public Vulnerability setCvssScore(CVSS cvss, Vulnerability vulnerability) {
if (cvss != null) {
vulnerability.setCvssV2Vector(trimToNull(cvss.getV2Vector()));
vulnerability.setCvssV3Vector(trimToNull(cvss.getV3Vector()));
if (cvss.getV2Score() > 0.0) {
vulnerability.setCvssV2BaseScore(BigDecimal.valueOf(cvss.getV2Score()));
}
if (cvss.getV3Score() > 0.0) {
vulnerability.setCvssV3BaseScore(BigDecimal.valueOf(cvss.getV3Score()));
}
}
return vulnerability;
}

Do note though that if you have mirrored CVEs from the NVD (which is enabled by default), DT will not let Trivy overwrite CVE data, which includes severity. So it's very possible the difference you're seeing is caused by DT showing severities sourced from the NVD, whereas Trivy might've used a vendor-specific rating.

@AkselAllas
Copy link

AkselAllas commented Oct 13, 2024

In this case, Trivy Severity and CVSS are much more useful.

I tested by disabling NVD mirroring in the snapshot release, re-imported the BOM and got the correct (3 critical, 54 high) for my bom.

What would the downsides of disabling NVD mirroring be exactly?

  • If I disabled mirroring, would I still have the correct vulnerability entities in the DB. e.g:
    Could I still triage and suppress vulns per project?

@AkselAllas
Copy link

Also, any tips on how to disable snapshot popup on every refresh of the frontend?

Frontend code is:

    if (this.$dtrack && this.$dtrack.version.includes('SNAPSHOT')) {
      this.$root.$emit('bv::show::modal', 'snapshotModal');
    }

So I could change unzip the jar from the docker, change version and re-jar it.

But I think it would be best to do a minor release of dependency-track with this fix attached.

@AkselAllas
Copy link

Can we copy this functionality from Snyk to Trivy?
Image

@nscuro
Copy link
Member

nscuro commented Oct 15, 2024

@AkselAllas But I think it would be best to do a minor release of dependency-track with this fix attached.

If you look at the PR I referenced, it has a backport/4.12.1 label so it will be backported to the next bugfix release.

Can we copy this functionality from Snyk to Trivy?

No. The reason it works for Snyk is because Snyk has its own vulnerabilities (SNYK-xxxx). Since Trivy uses vulnerability identifiers of other public sources (CVE, GHSA), we cannot apply the same logic for it. We're planning to improve this situation (and possibly make the Trivy integration obsolete) via #4122, but it's a larger chunk of work.

@nscuro nscuro added this to the 4.12.1 milestone Oct 15, 2024
@cheapshot2000
Copy link
Author

@nscuro - Thank you for the fix; just wanted to confirm with the snapshot version mentioned above we are seeing identical vuln #'s from trivy client compared to trivy/dt integration. :)

@nscuro
Copy link
Member

nscuro commented Oct 23, 2024

Thanks @cheapshot2000! Closing this issue then. We're hoping to get the v4.12.1 release out this week.

@nscuro nscuro closed this as completed Oct 23, 2024
Copy link
Contributor

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 23, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
defect Something isn't working integration/trivy Related to the Trivy integration p2 Non-critical bugs, and features that help organizations to identify and reduce risk size/M Medium effort
Projects
None yet
Development

No branches or pull requests

4 participants