
Commit fd8348d

feat(vuln): Add --detection-priority flag for accuracy tuning (#7288)
Signed-off-by: knqyf263 <[email protected]>
1 parent e95152f commit fd8348d

30 files changed

+675
-221
lines changed

docs/docs/coverage/language/dart.md

+10-6
Original file line numberDiff line numberDiff line change
@@ -11,9 +11,9 @@ The following scanners are supported.
1111
The following table provides an outline of the features Trivy offers.
1212

1313

14-
| Package manager | File | Transitive dependencies | Dev dependencies | [Dependency graph][dependency-graph] | Position |
15-
|-------------------------|--------------|:-----------------------:|:----------------:|:------------------------------------:|:--------:|
16-
| [Dart][dart-repository] | pubspec.lock || Included || - |
14+
| Package manager | File | Transitive dependencies | Dev dependencies | [Dependency graph][dependency-graph] | Position | [Detection Priority][detection-priority] |
15+
|-------------------------|--------------|:-----------------------:|:----------------:|:------------------------------------:|:--------:|:----------------------------------------:|
16+
| [Dart][dart-repository] | pubspec.lock || Included || - ||
1717

1818
## Dart
1919
In order to detect dependencies, Trivy searches for `pubspec.lock`.
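Review bot: the new Detection Priority cell for Dart (new line 16) shows a check mark but nothing in the row says which part of detection the flag actually changes; since the effect is limited to SDK dependencies pinned at `0.0.0`, a footnote on that cell pointing to the "SDK dependencies" section below would stop readers assuming the flag alters how every `pubspec.lock` package is matched.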
@@ -22,11 +22,13 @@ Trivy marks indirect dependencies, but `pubspec.lock` file doesn't have options
2222
So Trivy includes all dependencies in report.
2323

2424
### SDK dependencies
25-
Dart uses version `0.0.0` for SDK dependencies (e.g. Flutter). It is not possible to accurately determine the versions of these dependencies.
25+
Dart uses version `0.0.0` for SDK dependencies (e.g. Flutter).
26+
It is not possible to accurately determine the versions of these dependencies.
27+
Trivy just treats them as `0.0.0`.
2628

27-
Therefore, we use the first version of the constraint for the SDK.
29+
If [--detection-priority comprehensive][detection-priority] is passed, Trivy uses the minimum version of the constraint for the SDK.
30+
For example, in the following case, the version of `flutter` would be `3.3.0`:
2831

29-
For example in this case the version of `flutter` should be `3.3.0`:
3032
```yaml
3133
flutter:
3234
dependency: "direct main"
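Review bot: the rewritten paragraph (new lines 25-30) documents what `comprehensive` does but not the consequence of the default, and it leaves one case undefined. A reader will infer from "Trivy just treats them as `0.0.0`" that advisories for SDK packages are never matched under `precise`; if that is the behaviour, state it directly, e.g. "By default these dependencies are reported as `0.0.0`, so vulnerabilities in them are not detected", so the false-negative side of the trade-off is as visible as the false-positive side. It also does not say which version is chosen when the SDK constraint has no lower bound (for example `any`); one sentence covering that case, or a note that such constraints stay at `0.0.0`, would close the gap.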
@@ -40,10 +42,12 @@ sdks:
4042
4143
### Dependency tree
4244
To build `dependency tree` Trivy parses [cache directory][cache-directory]. Currently supported default directories and `PUB_CACHE` environment (absolute path only).
45+
4346
!!! note
4447
Make sure the cache directory contains all the dependencies installed in your application. To download missing dependencies, use `dart pub get` command.
4548

4649
[dart]: https://dart.dev/
4750
[dart-repository]: https://pub.dev/
4851
[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
4952
[cache-directory]: https://dart.dev/tools/pub/glossary#system-cache
53+
[detection-priority]: ../../scanner/vulnerability.md#detection-priority
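Review bot: the new reference `[detection-priority]: ../../scanner/vulnerability.md#detection-priority` (new line 53) targets a heading anchor that is not visible anywhere in this diff; please confirm `vulnerability.md` gains a "Detection Priority" heading with exactly that slug in this commit, otherwise every coverage page added here (Dart, Go, Java, Python, Conda all reuse the same target) links to the top of that document rather than to the explanation.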

docs/docs/coverage/language/golang.md

+5-4
@@ -16,10 +16,10 @@ The following scanners are supported.
1616

1717
The table below provides an outline of the features Trivy offers.
1818

19-
| Artifact | Offline[^1] | Dev dependencies | [Dependency graph][dependency-graph] | Stdlib |
20-
|----------|:-----------:|:-----------------|:------------------------------------:|:------:|
21-
| Modules || Include |[^2] | - |
22-
| Binaries || Exclude | - |[^4] |
19+
| Artifact | Offline[^1] | Dev dependencies | [Dependency graph][dependency-graph] | Stdlib | [Detection Priority][detection-priority] |
20+
|----------|:-----------:|:-----------------|:------------------------------------:|:------:|:----------------------------------------:|
21+
| Modules || Include |[^2] | - | - |
22+
| Binaries || Exclude | - |[^4] | Not needed |
2323

2424
!!! note
2525
Trivy scans only dependencies of the Go project.
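Review bot: the new column (new lines 19-22) uses two different "no" values, `-` for Modules and `Not needed` for Binaries, without a legend, so a reader cannot tell whether `-` means the flag is not yet supported for module scanning or simply has no effect there. The table already carries `[^1]`, `[^2]` and `[^4]`; a footnote defining both values (or a legend on the coverage index page, since the Java, Python and Conda tables in this commit use the same pair) would make the distinction explicit.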
@@ -95,3 +95,4 @@ empty if it cannot do so[^5]. For the second case, the version of such packages
9595
[^5]: See https://github.com/golang/go/issues/63432#issuecomment-1751610604
9696

9797
[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
98+
[detection-priority]: ../../scanner/vulnerability.md#detection-priority

docs/docs/coverage/language/java.md

+7-6
@@ -12,12 +12,12 @@ Each artifact supports the following scanners:
1212

1313
The following table provides an outline of the features Trivy offers.
1414

15-
| Artifact | Internet access | Dev dependencies | [Dependency graph][dependency-graph] | Position |
16-
|------------------|:---------------------:|:----------------:|:------------------------------------:|:--------:|
17-
| JAR/WAR/PAR/EAR | Trivy Java DB | Include | - | - |
18-
| pom.xml | Maven repository [^1] | Exclude ||[^7] |
19-
| *gradle.lockfile | - | Exclude |||
20-
| *.sbt.lock | - | Exclude | - ||
15+
| Artifact | Internet access | Dev dependencies | [Dependency graph][dependency-graph] | Position | [Detection Priority][detection-priority] |
16+
|------------------|:---------------------:|:----------------:|:------------------------------------:|:--------:|:----------------------------------------:|
17+
| JAR/WAR/PAR/EAR | Trivy Java DB | Include | - | - | Not needed |
18+
| pom.xml | Maven repository [^1] | Exclude ||[^7] | - |
19+
| *gradle.lockfile | - | Exclude ||| Not needed |
20+
| *.sbt.lock | - | Exclude | - | | Not needed |
2121

2222
These may be enabled or disabled depending on the target.
2323
See [here](./index.md) for the detail.
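Review bot: in the `*.sbt.lock` row (new line 20) the Position cell appears to have lost its value: the old line 20 ends `| - ||` (a filled Position cell followed by the row end) while the new line reads `| - | | Not needed |`, with Position now rendering as an empty cell. If the mark was dropped while the new column was appended, restore it; the change is only meant to add a column, not alter Position coverage for sbt lockfiles.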
@@ -119,3 +119,4 @@ Make sure that you have cache[^8] directory to find licenses from `*.pom` depend
119119
[maven-central]: https://repo.maven.apache.org/maven2/
120120
[maven-pom-repos]: https://maven.apache.org/settings.html#repositories
121121
[sbt-dependency-lock]: https://stringbean.github.io/sbt-dependency-lock
122+
[detection-priority]: ../../scanner/vulnerability.md#detection-priority

docs/docs/coverage/language/python.md

+6-5
@@ -21,11 +21,11 @@ The following scanners are supported for Python packages.
2121

2222
The following table provides an outline of the features Trivy offers.
2323

24-
| Package manager | File | Transitive dependencies | Dev dependencies | [Dependency graph][dependency-graph] | Position |
25-
|-----------------|------------------|:-----------------------:|:----------------:|:------------------------------------:|:--------:|
26-
| pip | requirements.txt | - | Include | - ||
27-
| Pipenv | Pipfile.lock || Include | - ||
28-
| Poetry | poetry.lock || Exclude || - |
24+
| Package manager | File | Transitive dependencies | Dev dependencies | [Dependency graph][dependency-graph] | Position | [Detection Priority][detection-priority] |
25+
|-----------------|------------------|:-----------------------:|:----------------:|:------------------------------------:|:--------:|:----------------------------------------:|
26+
| pip | requirements.txt | - | Include | - || - |
27+
| Pipenv | Pipfile.lock || Include | - || Not needed |
28+
| Poetry | poetry.lock || Exclude || - | Not needed |
2929

3030

3131
| Packaging | Dependency graph |
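Review bot: the pip row (new line 26) marks Detection Priority `-` while the two lockfiles get `Not needed`, yet `requirements.txt` is the one Python input here that can carry version specifiers rather than exact pins, which is exactly the situation the flag exists for. If `-` means "not yet supported" rather than "no effect", say so in a footnote, otherwise readers will conclude that range handling for `requirements.txt` was deliberately excluded from the flag.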
@@ -130,3 +130,4 @@ Trivy looks for `.dist-info/META-DATA` to identify Python packages.
130130
[^1]: Trivy checks `python`, `python3`, `python2` and `python.exe` file names.
131131

132132
[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
133+
[detection-priority]: ../../scanner/vulnerability.md#detection-priority

docs/docs/coverage/os/conda.md

+5
@@ -8,6 +8,9 @@ Trivy supports the following scanners for Conda packages.
88
| Vulnerability | - |
99
| License ||
1010

11+
| Package manager | File | Transitive dependencies | Dev dependencies | [Dependency graph][dependency-graph] | Position | [Detection Priority][detection-priority] |
12+
|-----------------|-----------------|:-----------------------:|:----------------:|:------------------------------------:|:--------:|:----------------------------------------:|
13+
| Conda | environment.yml | - | Include | - || - |
1114

1215

1316
## `<package>.json`
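Review bot: the new table (new lines 11-13) is inserted directly after the scanner table with no introductory sentence, unlike the language pages, which open theirs with "The following table provides an outline of the features Trivy offers."; adding the same lead sentence keeps the Conda page consistent with the rest of the coverage docs. The Conda row also marks Detection Priority `-` although `environment.yml` entries are commonly version ranges; if the flag does not apply to Conda yet, a short footnote saying so would avoid the question.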
@@ -41,3 +44,5 @@ To correctly define licenses, make sure your `environment.yml`[^1] contains `pre
4144
[environment.yml]: https://conda.io/projects/conda/en/latest/user-guide/tasks/manage-environments.html#sharing-an-environment
4245
[env-version-range]: https://docs.conda.io/projects/conda-build/en/latest/resources/package-spec.html#examples-of-package-specs
4346
[prefix]: https://conda.io/projects/conda/en/latest/user-guide/tasks/manage-environments.html#specifying-a-location-for-an-environment
47+
[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
48+
[detection-priority]: ../../scanner/vulnerability.md#detection-priority

docs/docs/references/configuration/cli/trivy_filesystem.md

+4
@@ -30,6 +30,10 @@ trivy filesystem [flags] PATH
3030
--custom-headers strings custom headers in client mode
3131
--db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
3232
--dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages
33+
--detection-priority string specify the detection priority:
34+
- "precise": Prioritizes precise by minimizing false positives.
35+
- "comprehensive": Aims to detect more security findings at the cost of potential false positives.
36+
(precise,comprehensive) (default "precise")
3337
--download-db-only download/update vulnerability database but don't run a scan
3438
--download-java-db-only download/update Java index database but don't run a scan
3539
--enable-modules strings [EXPERIMENTAL] module names to enable
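Review bot: the help text on new line 34, `- "precise": Prioritizes precise by minimizing false positives.`, uses the adjective as a noun; `Prioritizes precision by minimizing false positives.` reads correctly and parallels the `comprehensive` line beneath it. Because the `docs/docs/references/configuration/cli/*.md` pages are generated from the flag definitions, the fix belongs in the flag's usage string in the source rather than in these files; the identical text appears in the image, kubernetes, repository, rootfs, sbom and vm pages in this commit and will be regenerated together.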

docs/docs/references/configuration/cli/trivy_image.md

+4
@@ -44,6 +44,10 @@ trivy image [flags] IMAGE_NAME
4444
--custom-headers strings custom headers in client mode
4545
--db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
4646
--dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages
47+
--detection-priority string specify the detection priority:
48+
- "precise": Prioritizes precise by minimizing false positives.
49+
- "comprehensive": Aims to detect more security findings at the cost of potential false positives.
50+
(precise,comprehensive) (default "precise")
4751
--docker-host string unix domain socket path to use for docker scanning
4852
--download-db-only download/update vulnerability database but don't run a scan
4953
--download-java-db-only download/update Java index database but don't run a scan

docs/docs/references/configuration/cli/trivy_kubernetes.md

+4
@@ -39,6 +39,10 @@ trivy kubernetes [flags] [CONTEXT]
3939
--config-data strings specify paths from which data for the Rego checks will be recursively loaded
4040
--db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
4141
--dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages
42+
--detection-priority string specify the detection priority:
43+
- "precise": Prioritizes precise by minimizing false positives.
44+
- "comprehensive": Aims to detect more security findings at the cost of potential false positives.
45+
(precise,comprehensive) (default "precise")
4246
--disable-node-collector When the flag is activated, the node-collector job will not be executed, thus skipping misconfiguration findings on the node.
4347
--download-db-only download/update vulnerability database but don't run a scan
4448
--download-java-db-only download/update Java index database but don't run a scan

docs/docs/references/configuration/cli/trivy_repository.md

+4
@@ -30,6 +30,10 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
3030
--custom-headers strings custom headers in client mode
3131
--db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
3232
--dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages
33+
--detection-priority string specify the detection priority:
34+
- "precise": Prioritizes precise by minimizing false positives.
35+
- "comprehensive": Aims to detect more security findings at the cost of potential false positives.
36+
(precise,comprehensive) (default "precise")
3337
--download-db-only download/update vulnerability database but don't run a scan
3438
--download-java-db-only download/update Java index database but don't run a scan
3539
--enable-modules strings [EXPERIMENTAL] module names to enable

docs/docs/references/configuration/cli/trivy_rootfs.md

+4
@@ -32,6 +32,10 @@ trivy rootfs [flags] ROOTDIR
3232
--custom-headers strings custom headers in client mode
3333
--db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
3434
--dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages
35+
--detection-priority string specify the detection priority:
36+
- "precise": Prioritizes precise by minimizing false positives.
37+
- "comprehensive": Aims to detect more security findings at the cost of potential false positives.
38+
(precise,comprehensive) (default "precise")
3539
--download-db-only download/update vulnerability database but don't run a scan
3640
--download-java-db-only download/update Java index database but don't run a scan
3741
--enable-modules strings [EXPERIMENTAL] module names to enable

docs/docs/references/configuration/cli/trivy_sbom.md

+4
@@ -25,6 +25,10 @@ trivy sbom [flags] SBOM_PATH
2525
--compliance string compliance report to generate
2626
--custom-headers strings custom headers in client mode
2727
--db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
28+
--detection-priority string specify the detection priority:
29+
- "precise": Prioritizes precise by minimizing false positives.
30+
- "comprehensive": Aims to detect more security findings at the cost of potential false positives.
31+
(precise,comprehensive) (default "precise")
2832
--download-db-only download/update vulnerability database but don't run a scan
2933
--download-java-db-only download/update Java index database but don't run a scan
3034
--exit-code int specify exit code when any security issues are found

docs/docs/references/configuration/cli/trivy_vm.md

+4
@@ -28,6 +28,10 @@ trivy vm [flags] VM_IMAGE
2828
--custom-headers strings custom headers in client mode
2929
--db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2")
3030
--dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages
31+
--detection-priority string specify the detection priority:
32+
- "precise": Prioritizes precise by minimizing false positives.
33+
- "comprehensive": Aims to detect more security findings at the cost of potential false positives.
34+
(precise,comprehensive) (default "precise")
3135
--download-db-only download/update vulnerability database but don't run a scan
3236
--download-java-db-only download/update Java index database but don't run a scan
3337
--enable-modules strings [EXPERIMENTAL] module names to enable
