
Issues category count differs in the UI vs. SARIF output security-severity #5246

Closed
jeremy-soh-partior opened this issue Sep 26, 2023 Discussed in #5164 · 1 comment

Discussed in #5164

Originally posted by jeremy-soh-partior September 12, 2023

Description

Running `trivy image` against, for example, the splunk/fluentd-hec:1.3.3 image yields differing counts in the severity categories. For example, the UI displays the following:

trivy image splunk/fluentd-hec:1.3.3 | grep Total
2023-09-12T04:28:43.182Z        INFO    Vulnerability scanning is enabled
2023-09-12T04:28:43.182Z        INFO    Secret scanning is enabled
2023-09-12T04:28:43.182Z        INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-09-12T04:28:43.182Z        INFO    Please see also https://aquasecurity.github.io/trivy/v0.45/docs/scanner/secret/#recommendation for faster secret detection
2023-09-12T04:28:45.494Z        INFO    Detected OS: redhat
2023-09-12T04:28:45.495Z        INFO    Detecting RHEL/CentOS vulnerabilities...
2023-09-12T04:28:45.587Z        INFO    Number of language-specific files: 1
2023-09-12T04:28:45.587Z        INFO    Detecting gemspec vulnerabilities...
Total: 741 (UNKNOWN: 0, LOW: 370, MEDIUM: 356, HIGH: 15, CRITICAL: 0) 

whereas in the SARIF output file, going by the security-severity rating field, there are more than 15 findings rated high (7.0) and above:

cat fluentd-hec.sarif | grep security-severity | sort -r
                "security-severity": "8.8",
                "security-severity": "8.6",
                "security-severity": "8.1",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.8",
                "security-severity": "7.5",
                "security-severity": "7.5",
                "security-severity": "7.5",
                "security-severity": "7.5",
                "security-severity": "7.5",
                "security-severity": "7.5",
                "security-severity": "7.5",
                "security-severity": "7.5",
                "security-severity": "7.4",
                "security-severity": "7.4",
                "security-severity": "7.3",
                "security-severity": "7.3",
                "security-severity": "7.3",
                "security-severity": "7.3",
                "security-severity": "7.3",
                "security-severity": "7.3",
                "security-severity": "7.3",
                "security-severity": "7.3",
                "security-severity": "7.2",
                "security-severity": "7.1",
                "security-severity": "7.1",
                "security-severity": "7.1",
                "security-severity": "7.1",
                "security-severity": "7.1",
                "security-severity": "7.1",
                "security-severity": "7.1",
                "security-severity": "7.0",
                "security-severity": "7.0",
                "security-severity": "7.0",
                "security-severity": "7.0",
                "security-severity": "7.0",
                "security-severity": "7.0",
                "security-severity": "7.0",
                "security-severity": "7.0",
                "security-severity": "7.0",
                "security-severity": "7.0",
                "security-severity": "7.0",
                "security-severity": "7.0",
                "security-severity": "7.0",
                "security-severity": "7.0",
                "security-severity": "7.0",
                "security-severity": "7.0",
                "security-severity": "7.0",
                "security-severity": "7.0",
                "security-severity": "7.0",
                "security-severity": "7.0",
                "security-severity": "7.0",
                "security-severity": "6.8",
                "security-severity": "6.8",
                "security-severity": "6.8",
                "security-severity": "6.8",
                "security-severity": "6.7",
                ...
                ...

In addition, the security-severity rating score doesn't match the tags. In this case, CVE-2021-45078 is given a score of 7.8 but is tagged "MEDIUM". I am assuming security-severity means the CVSS score (please correct me if I misunderstood).

            ...
              "id": "CVE-2021-45078",
              "name": "OsPackageVulnerability",
              "shortDescription": {
                "text": "out-of-bounds write in stab_xcoff_builtin_type() in stabs.c"
              },
              "fullDescription": {
                "text": "stab_xcoff_builtin_type in stabs.c in GNU Binutils through 2.37 allows attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact, as demonstrated by an out-of-bounds write. NOTE: this issue exists because of an incorrect fix for CVE-2018-12699."
              },
              "defaultConfiguration": {
                "level": "warning"
              },
              "helpUri": "https://avd.aquasec.com/nvd/cve-2021-45078",
              "help": {
                "text": "Vulnerability CVE-2021-45078\nSeverity: MEDIUM\nPackage: binutils-gold\nFixed Version: \nLink: [CVE-2021-45078](https://avd.aquasec.com/nvd/cve-2021-45078)\nstab_xcoff_builtin_type in stabs.c in GNU Binutils through 2.37 allows attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact, as demonstrated by an out-of-bounds write. NOTE: this issue exists because of an incorrect fix for CVE-2018-12699.",
                "markdown": "**Vulnerability CVE-2021-45078**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|binutils-gold||[CVE-2021-45078](https://avd.aquasec.com/nvd/cve-2021-45078)|\n\nstab_xcoff_builtin_type in stabs.c in GNU Binutils through 2.37 allows attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact, as demonstrated by an out-of-bounds write. NOTE: this issue exists because of an incorrect fix for CVE-2018-12699."
              },
              "properties": {
                "precision": "very-high",
                "security-severity": "7.8",
                "tags": [
                  "vulnerability",
                  "security",
                  "MEDIUM"
                ]
              }
            },
            ...

Desired Behavior

Both the UI and the SARIF file should give the same count in each severity category (Critical, High, Medium, Low, etc.).
SARIF's security-severity score should match the tag. E.g. 5.3 gives MEDIUM, 7.0 gives HIGH, 9.1 gives CRITICAL.

Actual Behavior

UI Display of severity category counts differs from SARIF severity
SARIF security-severity differs from tag.

Reproduction Steps

1. Run `trivy image splunk/fluentd-hec:1.3.3 | grep Total` and note the counts in each category.
2. Perform `trivy image splunk/fluentd-hec:1.3.3 -f sarif -o fluentd-hec.sarif`.
3. Then run `cat fluentd-hec.sarif | grep security-severity | sort -r` and note that there are more than 15 Highs (based on the `security-severity` score).
Please note there may be more Highs now, depending on when these reproduction steps are executed in the future.

Target

Container Image

Scanner

Vulnerability

Output Format

SARIF

Mode

Standalone

Debug Output

splunk/fluentd-hec:1.3.3 (redhat 9.2)
=====================================
Total: 741 (UNKNOWN: 0, LOW: 370, MEDIUM: 356, HIGH: 15, CRITICAL: 0)

... (TRUNCATED DUE TO LENGTH RESTRICTION)

Operating System

Ubuntu 20.04.6 LTS

Version

Version: 0.45.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-09-12 00:16:39.240025217 +0000 UTC
  NextUpdate: 2023-09-12 06:16:39.240024817 +0000 UTC
  DownloadedAt: 2023-09-12 03:34:32.276548792 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-09-12 00:59:11.791125684 +0000 UTC
  NextUpdate: 2023-09-15 00:59:11.791125084 +0000 UTC
  DownloadedAt: 2023-09-12 03:36:50.713162584 +0000 UTC
Policy Bundle:
  Digest: sha256:2e95a2d5d45de8ebecae53a97403230a6c608a579b082f3de170f3cf09e46243
  DownloadedAt: 2023-08-30 08:26:52.559590061 +0000 UTC
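The two views the report compares are not the same quantity: the `Total:` line counts findings by Trivy's severity tag (for OS packages, taken from the distribution vendor's advisory where one exists), while `security-severity` carries a CVSS base score, and grepping the SARIF file counts rule entries (one per CVE) rather than results (one per affected package). The script below, an added example and not part of the issue or of Trivy, reconciles the two directly: it counts results by tag and by CVSS band and lists every rule where they disagree, so the 7.8-but-MEDIUM case above shows up as a mismatch instead of a surprise. The SARIF fragment is constructed to mirror the shape in the issue; pass a real `.sarif` path to run it on a scan.

```python
import json
import sys
from collections import Counter

SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")

# Constructed SARIF fragment shaped like Trivy's output (rules carry "security-severity" and a severity tag); not a real scan.
SAMPLE_SARIF = json.dumps({"runs": [{
    "tool": {"driver": {"rules": [
        {"id": "CVE-2021-45078", "properties": {"security-severity": "7.8", "tags": ["vulnerability", "security", "MEDIUM"]}},
        {"id": "CVE-EXAMPLE-0001", "properties": {"security-severity": "7.5", "tags": ["vulnerability", "security", "HIGH"]}},
        {"id": "CVE-EXAMPLE-0002", "properties": {"security-severity": "5.3", "tags": ["vulnerability", "security", "MEDIUM"]}},
        {"id": "CVE-EXAMPLE-0003", "properties": {"tags": ["vulnerability", "security", "LOW"]}},  # no score at all
    ]}},
    # One result per affected package, so the same CVE (here, two binutils packages) counts twice in the totals.
    "results": [{"ruleId": "CVE-2021-45078", "ruleIndex": 0}, {"ruleId": "CVE-2021-45078", "ruleIndex": 0},
                {"ruleId": "CVE-EXAMPLE-0001", "ruleIndex": 1}, {"ruleId": "CVE-EXAMPLE-0002", "ruleIndex": 2},
                {"ruleId": "CVE-EXAMPLE-0003", "ruleIndex": 3}],
}]})

def cvss_band(score: float) -> str:
    """CVSS v3 qualitative rating for a base score; 0.0 or a missing score is reported as UNKNOWN."""
    for floor, band in ((9.0, "CRITICAL"), (7.0, "HIGH"), (4.0, "MEDIUM"), (0.1, "LOW")):
        if score >= floor:
            return band
    return "UNKNOWN"

def severity_tag(rule: dict) -> str:
    """The categorical severity Trivy places among the rule's tags (what the Total line counts)."""
    return next((t for t in rule.get("properties", {}).get("tags", []) if t in SEVERITIES), "UNKNOWN")

def reconcile(sarif_text: str) -> dict:
    """Count results by severity tag and by CVSS band, and list the rules where the two disagree."""
    by_tag, by_score, mismatches = Counter(), Counter(), set()
    for run in json.loads(sarif_text).get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        by_id = {r["id"]: r for r in rules}
        for result in run.get("results", []):
            rule = by_id.get(result.get("ruleId")) or rules[result["ruleIndex"]]
            score = float(rule.get("properties", {}).get("security-severity", "0"))
            tag, band = severity_tag(rule), cvss_band(score)
            by_tag[tag] += 1
            by_score[band] += 1
            if tag != band:
                mismatches.add((rule["id"], score, tag, band))
    return {"by_tag": dict(by_tag), "by_score": dict(by_score), "mismatches": sorted(mismatches)}

if __name__ == "__main__":  # usage: python reconcile_sarif.py fluentd-hec.sarif
    print(reconcile(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF))
```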


@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Sep 26, 2023