Simarpreet Singh (simar7), @aquasecurity, Earth, https://simar.dev
m0v fast & f1x things
Previously @facebook, @opendns, @cisco, @intel and @blackberry.

aquasecurity/starboard 320

Kubernetes-native security tool kit

aquasecurity/trivy-vscode-extension 8

A VS Code Extension for Trivy

aquasecurity/binfinder 5

Find binary files not installed through package manager

raunaqsawhney/mips-processor 1

5 Cycle-accurate Implementation of a pipelined MIPS processor

simar7/adventures_in_opencl 1

A tutorial series for learning OpenCL

simar7/android_build 1

Reference Standpoint | CNA Build

simar7/autotest-client-tests 1

Autotest client tests

Pull request review comment aquasecurity/trivy

test: add tests for mux

 func ListenAndServe(c config.Config, fsCache cache.FSCache) error { 		}) 	} -	go func() {-		worker := initializeDBWorker(c.CacheDir, true)-		ctx := context.Background()-		for {-			time.Sleep(1 * time.Hour)-			if err := worker.update(ctx, c.AppVersion, c.CacheDir, dbUpdateWg, requestWg); err != nil {-				log.Logger.Errorf("%+v\n", err)-			}-		}-	}()- 	mux := http.NewServeMux()  	scanHandler := rpcScanner.NewScannerServer(initializeScanServer(fsCache), nil)-	mux.Handle(rpcScanner.ScannerPathPrefix, withToken(withWaitGroup(scanHandler), c.Token, c.TokenHeader))+	mux.Handle(rpcScanner.ScannerPathPrefix, withToken(withWaitGroup(scanHandler), token, tokenHeader))  	layerHandler := rpcCache.NewCacheServer(NewCacheServer(fsCache), nil)-	mux.Handle(rpcCache.CachePathPrefix, withToken(withWaitGroup(layerHandler), c.Token, c.TokenHeader))+	mux.Handle(rpcCache.CachePathPrefix, withToken(withWaitGroup(layerHandler), token, tokenHeader))  	// osHandler is for backward compatibility 	osHandler := rpcDetector.NewOSDetectorServer(initializeOspkgServer(), nil)-	mux.Handle(rpcDetector.OSDetectorPathPrefix, withToken(withWaitGroup(osHandler), c.Token, c.TokenHeader))+	mux.Handle(rpcDetector.OSDetectorPathPrefix, withToken(withWaitGroup(osHandler), token, tokenHeader))  	// libHandler is for backward compatibility 	libHandler := rpcDetector.NewLibDetectorServer(initializeLibServer(), nil)-	mux.Handle(rpcDetector.LibDetectorPathPrefix, withToken(withWaitGroup(libHandler), c.Token, c.TokenHeader))+	mux.Handle(rpcDetector.LibDetectorPathPrefix, withToken(withWaitGroup(libHandler), token, tokenHeader))  	mux.HandleFunc("/healthz", func(rw http.ResponseWriter, r *http.Request) {-		rw.Write([]byte("ok"))+		if _, err := rw.Write([]byte("ok")); err != nil {+			log.Logger.Errorf("health check error: %s", err)
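Review bot: the hunk swaps `c.Token, c.TokenHeader` for bare `token, tokenHeader` while the context line still reads `func ListenAndServe(c config.Config, fsCache cache.FSCache) error`, so those identifiers must be introduced outside the visible lines; the same goes for the deleted hourly `worker.update(...)` goroutine, which has no replacement in this hunk. Confirm that the signature change and the new home of the DB-update loop land in the same PR, otherwise the server silently stops refreshing its vulnerability DB.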

Oh actually I didn't know that it sets it! That's cool! In that case, disregard my comment.

knqyf263

comment created time in a day

PR opened aquasecurity/Hacktoberfest

Update Readme.md

Fix a typo :)

+1 -1

0 comment

1 changed file

pr created time in a day

create branch aquasecurity/Hacktoberfest

branch: simar7-patch-1

created branch time in a day

push event aquasecurity/binfinder

Simarpreet Singh

commit sha 8c88c1c95c19a3004fac63b3da33a58a0eb324b2

Update README.md

push time in 2 days

started infracost/cloud-pricing-api

started time in 5 days

started infracost/infracost

started time in 5 days

Pull request review comment aquasecurity/trivy

test: add tests for mux

 func ListenAndServe(c config.Config, fsCache cache.FSCache) error { 		}) 	} -	go func() {-		worker := initializeDBWorker(c.CacheDir, true)-		ctx := context.Background()-		for {-			time.Sleep(1 * time.Hour)-			if err := worker.update(ctx, c.AppVersion, c.CacheDir, dbUpdateWg, requestWg); err != nil {-				log.Logger.Errorf("%+v\n", err)-			}-		}-	}()- 	mux := http.NewServeMux()  	scanHandler := rpcScanner.NewScannerServer(initializeScanServer(fsCache), nil)-	mux.Handle(rpcScanner.ScannerPathPrefix, withToken(withWaitGroup(scanHandler), c.Token, c.TokenHeader))+	mux.Handle(rpcScanner.ScannerPathPrefix, withToken(withWaitGroup(scanHandler), token, tokenHeader))  	layerHandler := rpcCache.NewCacheServer(NewCacheServer(fsCache), nil)-	mux.Handle(rpcCache.CachePathPrefix, withToken(withWaitGroup(layerHandler), c.Token, c.TokenHeader))+	mux.Handle(rpcCache.CachePathPrefix, withToken(withWaitGroup(layerHandler), token, tokenHeader))  	// osHandler is for backward compatibility 	osHandler := rpcDetector.NewOSDetectorServer(initializeOspkgServer(), nil)-	mux.Handle(rpcDetector.OSDetectorPathPrefix, withToken(withWaitGroup(osHandler), c.Token, c.TokenHeader))+	mux.Handle(rpcDetector.OSDetectorPathPrefix, withToken(withWaitGroup(osHandler), token, tokenHeader))  	// libHandler is for backward compatibility 	libHandler := rpcDetector.NewLibDetectorServer(initializeLibServer(), nil)-	mux.Handle(rpcDetector.LibDetectorPathPrefix, withToken(withWaitGroup(libHandler), c.Token, c.TokenHeader))+	mux.Handle(rpcDetector.LibDetectorPathPrefix, withToken(withWaitGroup(libHandler), token, tokenHeader))  	mux.HandleFunc("/healthz", func(rw http.ResponseWriter, r *http.Request) {-		rw.Write([]byte("ok"))+		if _, err := rw.Write([]byte("ok")); err != nil {+			log.Logger.Errorf("health check error: %s", err)
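Review bot: on the `/healthz` handler, `rw.Write([]byte("ok"))` without a preceding `rw.WriteHeader` still yields a 200: net/http sends an implicit `200 OK` on the first Write if no status has been set. The added error branch can only log, which is correct, since the response is already committed by the time Write fails; just make sure the log line cannot be mistaken for a failed health check by whoever reads the server logs.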

Should we also send back an http status 200?

knqyf263

comment created time in 5 days

issue comment aquasecurity/trivy

Can trivy filter false positive vulnerabilities for centos 7 (epel, remi)?

Thanks for the report @ar1em – we're taking a look and will get back to you.

ar1em

comment created time in 5 days

pull request comment aquasecurity/trivy-db

pkg: Sunset VendorVectors 🌅

It looks good. We have to announce this deprecation before merging this PR in GitHub Discussions and README. I won't approve this PR until then, just in case. https://github.com/aquasecurity/trivy/discussions

OK I started the discussion here https://github.com/aquasecurity/trivy/discussions/651

simar7

comment created time in 5 days

pull request comment knqyf263/go-cpe

use gomod

@knqyf263 could you merge this PR? Right now this project cannot be used in other projects that use go mod.

I tried to update but don't have the required permissions to push. If you could, maybe you can also update this to use Go 1.15 instead.

sadayuki-matsuno

comment created time in 6 days

started knqyf263/go-cpe

started time in 6 days

issue comment aquasecurity/trivy

Replace version matching mechanism from Mastermind/semver to hashicorp/go-version

Thanks for the detailed report @yaniv-s

So after more research, I found that hashicorp/go-version could handle all kinds of versioning I tried on it, without any preparation needed as Trivy does for semver.

Could you expand more on this? What did you try that currently does not work with the library Trivy presently uses, as compared to hashicorp/go-version?

yaniv-s

comment created time in 7 days

pull request comment aquasecurity/trivy-db

Function getSeverity will always return severity out of CvssV2

Trivy prioritizes CVSSv2 on purpose. I think CVSSv3 always scores too high. But there is room for further consideration. If many users prefer CVSSv3, we can switch it. cc: @lizrice and @simar7

My vote would be CVSSv3 as well. At the time of writing that code we still preferred to go with V2 as we didn't have enough data points of user input. But as you can see from these 100+ data points of user input on this poll by @lizrice V3 is more preferred.

GalDevel

comment created time in 7 days

Pull request review comment aquasecurity/trivy

chore: bump up Go to 1.15

 builds:       - arm64     goarm:       - 7+    ignore:

Oh I see – I thought it was 386 in general.

knqyf263

comment created time in 7 days

Pull request review comment aquasecurity/trivy

chore: bump up Go to 1.15

 builds:       - arm64     goarm:       - 7+    ignore:

And this https://github.com/aquasecurity/trivy/pull/646/files#diff-39e929907e3737ff7460d982cb6fbc60R17

Or I guess in general all occurrences of 386?

knqyf263

comment created time in 8 days

Pull request review comment aquasecurity/trivy

chore: bump up Go to 1.15

 builds:       - arm64     goarm:       - 7+    ignore:

I can't leave a comment on that line but should this be removed? https://github.com/aquasecurity/trivy/pull/646/files#diff-39e929907e3737ff7460d982cb6fbc60R41

knqyf263

comment created time in 8 days

Pull request review comment aquasecurity/trivy

refactor: DRY up client and artifact logic

 func formatVersion(epoch int, version, release string) string { 	return v  }++func CheckExitCode(exitCode int, results report.Results) {+	if exitCode != 0 {+		for _, result := range results {+			if len(result.Vulnerabilities) > 0 {+				os.Exit(exitCode)+			}+		}+	}+}++func FillAndFilterVulns(ctx context.Context, initializeVulnerabilityClient func() vulnerability.Client, results report.Results, severities []dbTypes.Severity, ignoreUnfixed bool, ignoreFile string, ignorePolicy string) error {+	vulnClient := initializeVulnerabilityClient()+	for i := range results {+		vulnClient.FillInfo(results[i].Vulnerabilities, results[i].Type)
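Review bot: `CheckExitCode` calls `os.Exit(exitCode)` from inside a shared helper, which skips every deferred cleanup in the callers and makes the function untestable (a unit test process would simply terminate). Prefer returning a bool or the exit code and letting `main` exit, for example `func HasVulnerabilities(results report.Results) bool`; the outer `if exitCode != 0` guard then moves to the call site. Since it counts `result.Vulnerabilities` directly, the helper also has to run after `FillAndFilterVulns`, and that ordering requirement deserves a doc comment on both functions.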

OK I see. In that case I think it's safe to reuse it as it will be just a no-op which it is now.

simar7

comment created time in 9 days

push event aquasecurity/trivy

Huang Huang

commit sha 7d7842f2f3884083efd66e2ed67b6aa26a3bbafc

Add --skip-update option to fs and repo subcommand (#641)

push time in 12 days

issue closed aquasecurity/trivy

trivy fs has no --skip-update option

The --skip-update option should be one of the global options, not a command option. THX

closed time in 12 days

genknife

push event chr4/trivy-action

Simarpreet Singh

commit sha 28ef387ad0f21541ff325c63b58f107f948ed9ca

Merge pull request #1 from aquasecurity/master upstream merge

Simarpreet Singh

commit sha 507a96efe44121de9d99e7a905ec752657814354

Merge pull request #2 from aquasecurity/master merge upstream

Simarpreet Singh

commit sha 6087d9d64edc4eacaf1821c28a668f1748afd25b

Merge branch 'master' of github.com:aquasecurity/trivy-action

Simarpreet Singh

commit sha 2e51a7d82c4a1177f5f99918363a1d7b8d987ae4

README: Update example yaml Signed-off-by: Simarpreet Singh <simar@linux.com>

Simarpreet Singh

commit sha ddc1a12251d0ab2672196322f4fa53dd582daaee

workflow: Update example workflow.yml Signed-off-by: Simarpreet Singh <simar@linux.com>

Simarpreet Singh

commit sha e15ed580b1cda7f39a2f7962ade72fbf5326ae70

Merge branch 'master' into feat/vuln-type

push time in 12 days

Pull request review comment aquasecurity/trivy-action

Add vuln-type parameter

 inputs:     description: 'ignore unfixed vulnerabilities'     required: false     default: false+  vuln-type:+    description: 'list of vulnerability types (os,library)'
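Review bot: the new `vuln-type` input carries only a `description`; the preceding input in the context lines has `required: false` and a `default:`, and `vuln-type` should get the same so that existing workflows that never set it keep the action's current behaviour rather than passing an empty value through to trivy.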

Could you change this to say comma-separated list of vulnerability types (os,library) instead?

chr4

comment created time in 12 days

Pull request review comment aquasecurity/trivy

added: display last db update whenever trivy server is started

 func ListenAndServe(c config.Config, fsCache cache.FSCache) error { 	libHandler := rpcDetector.NewLibDetectorServer(initializeLibServer(), nil) 	mux.Handle(rpcDetector.LibDetectorPathPrefix, withToken(withWaitGroup(libHandler), c.Token, c.TokenHeader)) +	// promHandler is for dealing with update the custom prometheus metrics

remove

yashvardhan-kukreja

comment created time in 12 days

Pull request review comment aquasecurity/trivy

added: display last db update whenever trivy server is started

 func run(c config.Config) (err error) { 		return xerrors.Errorf("error in vulnerability DB initialize: %w", err) 	} -	return server.ListenAndServe(c, fsCache)+	//initializing the extendedConfig which will involve prometheus support
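Review bot: the hunk deletes `return server.ListenAndServe(c, fsCache)` and shows only a comment in its place, so the call that actually starts the server (and the error `run` is expected to return) now sits outside the visible lines; confirm `run` still returns the server's error. Minor: gofmt style is `// initializing ...` with a space after the slashes, and a Prometheus-support comment reads as out of scope for a PR titled "display last db update whenever trivy server is started".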

remove

yashvardhan-kukreja

comment created time in 12 days

pull request comment aquasecurity/trivy

added: display last db update whenever trivy server is started

Went off the grid for a while, hence, the changes took a bit of time. sorry for that pause. @knqyf263 - can u please review the changes

hi @yashvardhan-kukreja – @knqyf263 is out this week. I'll take a look at your new changes in the meantime.

yashvardhan-kukreja

comment created time in 12 days

pull request comment aquasecurity/trivy

Add contrib/ to the release chain for Docker

I'm not sure if we want to do this because there's a lot of unnecessary files in the contrib/ directory which don't need to go into the docker image. https://github.com/aquasecurity/trivy/tree/master/contrib – We just need the required templates to be present.

computeralex92

comment created time in 12 days

Pull request review comment aquasecurity/starboard

refactor: Use standard syntax for Kubernetes labels

 NAME is the name of a particular Kubernetes workload. 				return 			} +			selector := labels.Set{+				kube.LabelResourceKind:      string(workload.Kind),+				kube.LabelResourceName:      workload.Name,+				kube.LabelResourceNamespace: workload.Namespace,+			}.String()+ 			kubectlCmd := exec.Command("kubectl", 				"get", 				starboard.ConfigAuditReportCRName,-				fmt.Sprintf("-l=starboard.resource.kind=%s,starboard.resource.name=%s", workload.Kind, workload.Name),+				fmt.Sprintf("-l=%s", selector),
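Review bot: `labels.Set{...}.String()` joins `key=value` pairs with commas and sorts them by key, so, assuming the `kube.LabelResourceKind` and `kube.LabelResourceName` constants equal the old literal keys, the new selector matches the old format string except that it additionally filters on `kube.LabelResourceNamespace`. Restricting `kubectl get` to the workload's namespace is a behaviour change hidden inside a syntax refactor; it deserves its own test case (a workload with the same kind and name in two namespaces) rather than only the existing selector test.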

So functionally it returns the same info by doing a .String() on a labels.Set() call? Is there a test I could read up on?

danielpacak

comment created time in 12 days

pull request comment aquasecurity/starboard

refactor: Use standard syntax for Kubernetes labels

If you would like to run codecov on each PR but not indicate a failure in case coverage drops (or if you want to set a certain threshold of allowed drop) you can do something like this https://github.com/aquasecurity/trivy/blob/master/codecov.yml#L1-L12

I personally like to only fail in situations when something bad happens; a coverage drop of 0.20% is, I feel, insignificant. Just a suggestion.

danielpacak

comment created time in 12 days

Pull request review comment aquasecurity/trivy

refactor: DRY up client and artifact logic

 func formatVersion(epoch int, version, release string) string { 	return v  }++func CheckExitCode(exitCode int, results report.Results) {+	if exitCode != 0 {+		for _, result := range results {+			if len(result.Vulnerabilities) > 0 {+				os.Exit(exitCode)+			}+		}+	}+}++func FillAndFilterVulns(ctx context.Context, initializeVulnerabilityClient func() vulnerability.Client, results report.Results, severities []dbTypes.Severity, ignoreUnfixed bool, ignoreFile string, ignorePolicy string) error {+	vulnClient := initializeVulnerabilityClient()+	for i := range results {+		vulnClient.FillInfo(results[i].Vulnerabilities, results[i].Type)

@knqyf263: Note that this call was missing from client https://github.com/aquasecurity/trivy/pull/642/commits/61f128a299d5dfbfe263fc54d46885bf36d1480e

Would you know why that is? Unit and integration tests don't seem to be affected by adding it, which signals either a lack of assertions or that this is done elsewhere in the case of the client.

simar7

comment created time in 13 days

Pull request review comment aquasecurity/trivy

refactor: DRY up client and artifact logic

 func formatVersion(epoch int, version, release string) string { 	return v  }++func CheckExitCode(exitCode int, results report.Results) {+	if exitCode != 0 {+		for _, result := range results {+			if len(result.Vulnerabilities) > 0 {+				os.Exit(exitCode)+			}+		}+	}+}++func FillAndFilterVulns(ctx context.Context, initializeVulnerabilityClient func() vulnerability.Client, results report.Results, severities []dbTypes.Severity, ignoreUnfixed bool, ignoreFile string, ignorePolicy string) error {+	vulnClient := initializeVulnerabilityClient()+	for i := range results {+		vulnClient.FillInfo(results[i].Vulnerabilities, results[i].Type)+		vulns, err := vulnClient.Filter(ctx, results[i].Vulnerabilities, severities, ignoreUnfixed, ignoreFile, ignorePolicy)

@knqyf263: Note that this call was missing from client https://github.com/aquasecurity/trivy/pull/642/commits/61f128a299d5dfbfe263fc54d46885bf36d1480e

Would you know why that is? Unit and integration tests don't seem to be affected by adding it, which signals either a lack of assertions or that this is done elsewhere in the case of the client.

simar7

comment created time in 13 days

PR opened aquasecurity/trivy

refactor: DRY up client and artifact logic

Signed-off-by: Simarpreet Singh simar@linux.com

+40 -33

0 comment

3 changed files

pr created time in 13 days

create branch aquasecurity/trivy

branch: DRY

created branch time in 13 days

push event aquasecurity/trivy-action

Simarpreet Singh

commit sha ddc1a12251d0ab2672196322f4fa53dd582daaee

workflow: Update example workflow.yml Signed-off-by: Simarpreet Singh <simar@linux.com>

push time in 13 days

push event aquasecurity/trivy-action

Simarpreet Singh

commit sha 28ef387ad0f21541ff325c63b58f107f948ed9ca

Merge pull request #1 from aquasecurity/master upstream merge

Simarpreet Singh

commit sha 507a96efe44121de9d99e7a905ec752657814354

Merge pull request #2 from aquasecurity/master merge upstream

Simarpreet Singh

commit sha 6087d9d64edc4eacaf1821c28a668f1748afd25b

Merge branch 'master' of github.com:aquasecurity/trivy-action

Simarpreet Singh

commit sha 2e51a7d82c4a1177f5f99918363a1d7b8d987ae4

README: Update example yaml Signed-off-by: Simarpreet Singh <simar@linux.com>

push time in 13 days

push event aquasecurity/trivy-sarif-demo

Simarpreet Singh

commit sha 846ad52d1d0f661b4da4b05909055393991d1843

.github: Cleanup example Signed-off-by: Simarpreet Singh <simar@linux.com>

push time in 13 days

push event aquasecurity/trivy-sarif-demo

Simarpreet Singh

commit sha 700ea0f12010cd1103eceb0498e2b813c0c3e8d9

debug: remove go setup Signed-off-by: Simarpreet Singh <simar@linux.com>

push time in 13 days

started aquasecurity/trivy-sarif-demo

started time in 13 days

push event aquasecurity/trivy-sarif-demo

Simarpreet Singh

commit sha 2a870a0f72162e56b68361fc9f67d365ce114a33

cleanup cruft Signed-off-by: Simarpreet Singh <simar@linux.com>

push time in 13 days

started subosito/shorturl

started time in 14 days

issue comment aquasecurity/trivy

PublishedDate and LastModifiedDate fields required

hi @juan-chan – they will be once this PR is merged https://github.com/aquasecurity/trivy/pull/596

juan-chan

comment created time in 15 days

issue comment aquasecurity/trivy

Reporting kernel CVEs

Hello,

I have a few n00b-ish questions regarding reporting kernel CVEs:

  1. How does trivy identify the kernel? Is it based on the generic version of the base image? Is it based on the host where the scan takes place (since an image actually shares the host's kernel)
  2. Is there a way to optionally suppress listing kernel-related issues? I would find it useful since I may not scan an image on the same host where it's going to run.
  3. Generally, does it make sense to report kernel CVEs?

Thanks

hi @andrei-dascalu – trivy scans by image not by kernel. So if you scan a centos:7 image, all the packages and libraries contained within would be scanned for vulnerabilities.

for the second and third question, do you have an example?

andrei-dascalu

comment created time in 15 days

issue comment aquasecurity/trivy

Missing contrib tpl files from release tarball

thanks for catching this – the next trivy release should have it. credit to @mrueg for the PR!

cc @knqyf263

apicht

comment created time in 15 days

push event aquasecurity/trivy

Manuel Rüger

commit sha 901a3715cb1d2e96166f58787dfa7d10c97bd81c

goreleaser.yml: Add all templates to archive (#636) Fixes: https://github.com/aquasecurity/trivy/issues/631 Signed-off-by: Manuel Rüger <manuel@rueg.eu>

push time in 15 days

PR merged aquasecurity/trivy

goreleaser.yml: Add all templates to archive

Fixes: https://github.com/aquasecurity/trivy/issues/631

+2 -0

1 comment

1 changed file

mrueg

pr closed time in 15 days

issue closed aquasecurity/trivy

Missing contrib tpl files from release tarball

At least for trivy_0.11.0_Linux-64bit.tar.gz, the only file included in contrib is gitlab.tpl. It would be convenient to have *.tpl included.

closed time in 15 days

apicht

pull request comment aquasecurity/starboard

chore: Publish Docker images to DockerHub on release

Is this image available now or would it be once this PR gets merged? I tried pulling:

docker run --rm docker.io/aquasec/starboard:latest
Unable to find image 'aquasec/starboard:latest' locally
docker: Error response from daemon: manifest for aquasec/starboard:latest not found: manifest unknown: manifest unknown.
See 'docker run --help'.

danielpacak

comment created time in 15 days

issue comment aquasecurity/trivy

Severity on Vulnerability object was deprecated, VendorSeverity is nilled out

Oh sorry I understand now. Yes that's a fair point. I see you've made a PR here: https://github.com/aquasecurity/trivy/pull/637

This would result in an output like this:

        "VendorSeverity": {
          "amazon": 1,
          "nvd": 3,
          "redhat": 1,
          "ubuntu": 1
        },

Does this help you or would you rather see a textual representation of the values? Like LOW,MEDIUM,HIGH?

What do you think about this @knqyf263?

yaniv-s

comment created time in 15 days

issue comment aquasecurity/trivy

Severity on Vulnerability object was deprecated, VendorSeverity is nilled out

hi @simar7 Thanks for your reply! Unfortunately, the CVSS does not help me. As far as I understand, the Severity member on the Vulnerability was deprecated (from code):

Severity string `json:",omitempty"` // Deprecated: Severity is only for backwards compatibility. Use VendorSeverity instead.

I was looking at the VendorSeverity member, but it is not set (nil). If Severity is deprecated, and now you say that VendorSeverity is going to be deprecated, how would one access the vulnerability severity provided by the vendor?

Thank you so much again for you attention!

Could you explain if there was something missing that you were expecting in CVSS? CVSS has everything and more that VendorVectors has. For example:

$ trivy  -q image  --format=json centos:7

[snip]
      {
        "VulnerabilityID": "CVE-2017-5953",
        "PkgName": "vim-minimal",
        "InstalledVersion": "2:7.4.629-6.el7",
        "Layer": {
          "DiffID": "sha256:613be09ab3c0860a5216936f412f09927947012f86bfa89b263dfa087a725f81"
        },
        "SeveritySource": "redhat",
        "Title": "vim: Tree length values not validated properly when handling a spell file",
        "Description": "vim before patch 8.0.0322 does not properly validate values for tree length when handling a spell file, which may result in an integer overflow at a memory allocation site and a resultant buffer overflow.",
        "Severity": "LOW",
        "CweIDs": [
          "CWE-190"
        ],
        "VendorVectors": {
          "nvd": {
            "v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
          },
          "redhat": {
            "v3": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L"
          }
        },
        "CVSS": {
          "nvd": {
            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "V2Score": 7.5,
            "V3Score": 9.8
          },
          "redhat": {
            "V3Vector": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L",
            "V3Score": 2.5
          }
        },
        "References": [
          "http://www.debian.org/security/2017/dsa-3786",
          "http://www.securityfocus.com/bid/96217",
          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5953",
          "https://github.com/vim/vim/commit/399c297aa93afe2c0a39e2a1b3f972aebba44c9d",
          "https://groups.google.com/forum/#!topic/vim_dev/t-3RSdEnrHY",
          "https://security.gentoo.org/glsa/201706-26",
          "https://usn.ubuntu.com/4016-1/",
          "https://usn.ubuntu.com/4309-1/",
          "https://usn.ubuntu.com/usn/usn-4016-1",
          "https://usn.ubuntu.com/usn/usn-4309-1"
        ],
        "PublishedDate": "2017-02-10T07:59:00Z",
        "LastModifiedDate": "2019-06-11T20:29:00Z"
      },
[snip]

yaniv-s

comment created time in 15 days

started redsift/redbpf

started time in 16 days

issue comment aquasecurity/trivy

Severity on Vulnerability object was deprecated, VendorSeverity is nilled out

hi @yaniv-s does the CVSS struct member not give you what you're looking for? VendorSeverity has been deprecated and will be removed in the future. We will make an announcement when that happens.

yaniv-s

comment created time in 16 days

pull request comment rubysec/ruby-advisory-db

Replace titles and descriptions with vuln-list advisories

hi @reedloden – friendly ping :)

simar7

comment created time in 20 days

started leekchan/gtf

started time in 21 days

push event aquasecurity/binfinder

Simarpreet Singh

commit sha ac777b26345f69d9668327d17d8159c9f2f8ebe0

.github: Add a github action for goreleaser Signed-off-by: Simarpreet Singh <simar@linux.com>

push time in 21 days

push event aquasecurity/binfinder

Simarpreet Singh

commit sha 58a9fd46056f64e6d8b93e632c1caab44fa300c6

.github: Add a github action for goreleaser Signed-off-by: Simarpreet Singh <simar@linux.com>

push time in 21 days

pull request comment aquasecurity/trivy

nvd: Add published and last modified timestamps

This is the PR to sunset VendorVectors, which needs to be merged before this one can be: https://github.com/aquasecurity/trivy-db/pull/71

simar7

comment created time in 22 days

PR opened aquasecurity/trivy-db

pkg: Sunset VendorVectors 🌅

VendorVectors has been deprecated for a while now. We have decided to sunset the support for it with this commit.

Users are encouraged to use CVSS instead which includes all the information (and more) that VendorVectors had.

Signed-off-by: Simarpreet Singh simar@linux.com

+6 -56

0 comment

4 changed files

pr created time in 22 days

create branch aquasecurity/trivy-db

branch: deprecate-vendor-vectors

created branch time in 22 days

push event aquasecurity/trivy

Teppei Fukuda

commit sha ea28d3b6f3232f5908f010e3a7e0e6c5514be030

test(vulnerability): fix usages of new trivy-db refactor changes (#611) * mod: Update trivy-db Signed-off-by: Simarpreet Singh <simar@linux.com> * vulnerability_test: Fix usages of new trivy-db refactor changes Signed-off-by: Simarpreet Singh <simar@linux.com> * chore(mod): update trivy-db Co-authored-by: Simarpreet Singh <simar@linux.com>

Teppei Fukuda

commit sha ed8607b7103af584d8a5dc13b855aa5e4976a168

fix(alpine): use source package (#607) * chore(mod): update fanal * fix(integration): support -update flag * fix(alpine): use source package for vulnerability detection * test(integration): update golden files * chore(mod): update fanal

Teppei Fukuda

commit sha f50b0ce8af9f4f89fe6c399c783219cb2ad5f2f7

feat(library): support a custom data source (#613) * chore(mod): update trivy-db * refactor(detector/library): use programming language instead of package manager * feat(library): add general advisory * test(utils): add a util function initializing DB * test(advisory): add tests * chore: use aquasecurity/bolt-fixtures * refactor: add comments * chore(mod): revert fanal version * chore(mod): update trivy-db * refactor: update the comment

Alexander Lauster

commit sha d35e8ec351c27f04ee8483a378f63d8702ac6795

Add all templates to the docker image (#619) Before this change, only a subset of templates were included in the docker image. Now all templates which are part of the git repo will be included when the docker image will be build, a future commit for every new template is not needed anymore

Teppei Fukuda

commit sha d8b09628f0c62a49808ae426b13ddee2ccc5e46e

feat(rpc): add CWE-ID (#614)

Chris Aumann

commit sha 165d593fdb1acb36b0112a5ff335b25ed3df28a6

Improve Gitlab CI installation step in README (#621) This improves the installation step in `.gitlab-ci.yml`. - Removes unnecessary installation and use of `curl` (replaces it with `wget`) - Removes storing the intermediate file by using a pipe to `tar`

Carol Valencia

commit sha 89527796f68b4d8901dc97645be63aa09f08d69a

fix(Readme) - Results using a template (#622) Co-authored-by: Carol Valencia <krol3@users.noreply.github.com>

Simarpreet Singh

commit sha b3680f00163eca7659b6e81f3f0f9e552e958c2b

logo: Add new Trivy logo (#615) Signed-off-by: Simarpreet Singh <simar@linux.com>

Teppei Fukuda

commit sha 2231e4068d5b6f7d0f2707d8669d6f906fc4ebaa

chore(docs): update comparison table (#623) * chore(docs): update README * use ⭐

Teppei Fukuda

commit sha 5e308da81a6a3c7bfa77546e7561ae18d3817139

feat(cli): add --skip-files option (#624) * feat(cli): add --skip-files * test(integration): add --skip-files and --skip-dirs * chore(docs): update README * chore(docs): correct a grammar mistake

Teppei Fukuda

commit sha 1d3f70e07f7995c6d38b97f7064bcfe4cba2405f

chore(image): push the official image to GitHub Container Registry as well (#627)

Masahiro331

commit sha 095b5ce97c2029798f84f747c26502216ee4bbc8

fix(cli): show help when no argument is passed (#628) * Fix subcommands help * refactor: call ShowAppHelpAndExit * refactor: remove an unused error * test: remove exit cases Co-authored-by: knqyf263 <knqyf263@gmail.com>

Simarpreet Singh

commit sha f63f0a14ce5b6eadf5a9f529c1cd48162a09dec2

nvd: Add published and last modified timestamps Signed-off-by: Simarpreet Singh <simar@linux.com>

Simarpreet Singh

commit sha 9ee830c793a23151e04940dc325254a15caa2a4c

mod: Update trivy-db Signed-off-by: Simarpreet Singh <simar@linux.com>

Simarpreet Singh

commit sha 27ed367fbe906adde9a7944e8c466ee545a37ffa

vulnerability_test: Fix usages of new trivy-db refactor changes Signed-off-by: Simarpreet Singh <simar@linux.com>

Simarpreet Singh

commit sha a425b6266e68404b0da760a8b9a36f00fef3af54

integration: Fix integration golden files Signed-off-by: Simarpreet Singh <simar@linux.com>

Simarpreet Singh

commit sha 988ea645ecf3848e17ac7454d7886d4c9fc8c5ca

vulnerability_test: Add Published and LastModified dates to unit tests. Signed-off-by: Simarpreet Singh <simar@linux.com>

Simarpreet Singh

commit sha ade157786278520fb1bd7ee56ab1b8389d421ead

integration: Add a new integration trivy db to test with. Signed-off-by: Simarpreet Singh <simar@linux.com>

Simarpreet Singh

commit sha 3aa2adbff803af92284d918c6c34f0996128f6ee

rpc: Add LastModified and Published dates for client/server. Signed-off-by: Simarpreet Singh <simar@linux.com>

Simarpreet Singh

commit sha d4eb752202fddb44d099b45641411f290e1163a3

integration: Update golden files Signed-off-by: Simarpreet Singh <simar@linux.com>

push time in 22 days

Pull request review comment aquasecurity/trivy

fix(cli): show help for subcommands

 func NewArtifactConfig(c *cli.Context) ArtifactConfig { func (c *ArtifactConfig) Init(ctx *cli.Context, logger *zap.SugaredLogger) (err error) { 	if c.Input == "" && ctx.Args().Len() == 0 { 		logger.Debug(`trivy requires at least 1 argument or --input option`)-		cli.ShowAppHelpAndExit(ctx, 0)+		_ = cli.ShowSubcommandHelp(ctx)+		os.Exit(0)
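Review bot: `_ = cli.ShowSubcommandHelp(ctx)` discards the returned error, and the `os.Exit(0)` that follows terminates the process from inside `Init`, so deferred cleanup in the caller never runs and this branch cannot be unit-tested. Consider returning an error from `Init` instead (urfave/cli's `cli.Exit(message, code)` carries an exit code the top-level handler honours) and letting the entry point decide the status; that also turns the 0-versus-1 question discussed in this thread into a one-line choice at the call site rather than a hard-coded exit deep in config initialisation.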

I guess it depends on the tool...

➜  ~ tar
tar: Must specify one of -c, -r, -t, -u, -x
➜  ~ echo $?
1

➜  ~ gzip
gzip: standard output is a terminal -- ignoring
➜  ~ echo $?
1

➜  ~ git
usage: git [--version] [--help] [-C <path>] [-c <name>=<value>]
           [--exec-path[=<path>]] [--html-path] [--man-path] [--info-path]
           [-p | --paginate | -P | --no-pager] [--no-replace-objects] [--bare]
           [--git-dir=<path>] [--work-tree=<path>] [--namespace=<name>]
           <command> [<args>]

These are common Git commands used in various situations:

start a working area (see also: git help tutorial)
   clone     Clone a repository into a new directory
   init      Create an empty Git repository or reinitialize an existing one

work on the current change (see also: git help everyday)
   add       Add file contents to the index
   mv        Move or rename a file, a directory, or a symlink
   restore   Restore working tree files
   rm        Remove files from the working tree and from the index

examine the history and state (see also: git help revisions)
   bisect    Use binary search to find the commit that introduced a bug
   diff      Show changes between commits, commit and working tree, etc
   grep      Print lines matching a pattern
   log       Show commit logs
   show      Show various types of objects
   status    Show the working tree status

grow, mark and tweak your common history
   branch    List, create, or delete branches
   commit    Record changes to the repository
   merge     Join two or more development histories together
   rebase    Reapply commits on top of another base tip
   reset     Reset current HEAD to the specified state
   switch    Switch branches
   tag       Create, list, delete or verify a tag object signed with GPG

collaborate (see also: git help workflows)
   fetch     Download objects and refs from another repository
   pull      Fetch from and integrate with another repository or a local branch
   push      Update remote refs along with associated objects

'git help -a' and 'git help -g' list available subcommands and some
concept guides. See 'git help <command>' or 'git help <concept>'
to read about a specific subcommand or concept.
See 'git help git' for an overview of the system.
➜  ~ echo $?
1

Either way I don't have a strong opinion, I was just curious to learn more 😄

knqyf263

comment created time in 22 days

release aquasecurity/binfinder

v0.1.0

released time in 22 days

push event aquasecurity/binfinder

Simarpreet Singh

commit sha 1c463a96a0d713a66d3b76af82a7821d68144b8d

goreleaser: Add goreleaser.yml Signed-off-by: Simarpreet Singh <simar@linux.com>

push time in 22 days

push event aquasecurity/binfinder

Simarpreet Singh

commit sha 3afb335c0d02cddac3b0394e73817d4048609906

LICENSE: Add Apache v2.0 License Signed-off-by: Simarpreet Singh <simar@linux.com>

Simarpreet Singh

commit sha 3c14b101bb047d3ad54be46c0da179b020b5b559

goreleaser: Add goreleaser.yml Signed-off-by: Simarpreet Singh <simar@linux.com>

push time in 22 days

delete branch aquasecurity/binfinder

delete branch : alpine-improvement

delete time in 22 days

delete branch aquasecurity/binfinder

delete branch : include-shared-objects

delete time in 22 days

delete branch aquasecurity/binfinder

delete branch : add-coverage-for-popular

delete time in 22 days

delete branch aquasecurity/binfinder

delete branch : better-help-texts

delete time in 22 days

created tag aquasecurity/binfinder

tag v0.1.0

Find binary files not installed through package manager

created time in 22 days

Pull request review comment aquasecurity/trivy

fix(cli): show help for subcommands

 func NewArtifactConfig(c *cli.Context) ArtifactConfig { func (c *ArtifactConfig) Init(ctx *cli.Context, logger *zap.SugaredLogger) (err error) { 	if c.Input == "" && ctx.Args().Len() == 0 { 		logger.Debug(`trivy requires at least 1 argument or --input option`)-		cli.ShowAppHelpAndExit(ctx, 0)+		_ = cli.ShowSubcommandHelp(ctx)+		os.Exit(0)
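Review bot: the reason help is being printed is only logged at debug level (`logger.Debug(`trivy requires at least 1 argument or --input option`)`), so at default verbosity a user who forgot the image argument sees the usage text with no explanation of what was missing; emit that message at warning or error level on stderr before `cli.ShowSubcommandHelp(ctx)`, and log or return the error that `_ = cli.ShowSubcommandHelp(ctx)` currently discards rather than assuming the help text was written.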

Hmm – should this be a non-zero exit code if the usage was not correct? I'm actually not sure what the de facto way is (if there's one).

knqyf263

comment created time in 22 days
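The exit-status question raised in the two review comments above (missing required argument: print help and exit 0, or treat it as a usage error and exit non-zero?), as an added Go example that is not trivy's code and not part of the original thread. It uses only the standard library `flag` package rather than urfave/cli; the subcommand name `scan`, the `--input` flag and the `run` function are illustrative assumptions. It separates the two cases the thread conflates: `-h`/`--help` prints usage to stdout and returns 0, while a missing argument or unknown flag prints usage to stderr and returns 2 (the status Go's own `flag` package exits with under `flag.ExitOnError`; the point is only that it is non-zero, like the tar, gzip and git runs shown above). It also returns the status from `run` instead of calling `os.Exit` inside the argument handling, so deferred cleanup in callers still runs and the behaviour is testable.

```go
package main

import (
	"errors"
	"flag"
	"fmt"
	"io"
	"os"
)

// Process exit statuses used by this example: 0 for success or for help the
// user explicitly asked for, 2 for a usage error. 2 is what Go's flag package
// itself exits with under flag.ExitOnError; any non-zero value would do.
const (
	ExitOK    = 0
	ExitUsage = 2
)

// run parses the arguments of a hypothetical "scan" subcommand (an assumed
// stand-in for a trivy-style "IMAGE or --input FILE" invocation) and returns
// the exit status instead of calling os.Exit, so deferred cleanup in the
// caller still runs and the status can be asserted on in tests.
func run(args []string, stdout, stderr io.Writer) int {
	fs := flag.NewFlagSet("scan", flag.ContinueOnError)
	fs.SetOutput(stderr) // flag's own parse-error messages go to stderr
	fs.Usage = func() {} // usage is printed below, to the stream that fits the case
	input := fs.String("input", "", "scan a saved image tarball instead of IMAGE")

	usage := func(w io.Writer) {
		fmt.Fprintln(w, "usage: scan [--input FILE] IMAGE")
		fs.SetOutput(w)
		fs.PrintDefaults()
	}

	if err := fs.Parse(args); err != nil {
		if errors.Is(err, flag.ErrHelp) {
			// -h / --help: the user asked for help, which is not an error.
			usage(stdout)
			return ExitOK
		}
		// Unknown flag or bad value: flag already wrote the reason to stderr.
		usage(stderr)
		return ExitUsage
	}

	if *input == "" && fs.NArg() == 0 {
		// The case from the review thread: nothing to scan is a usage error,
		// so say why, print help to stderr and exit non-zero.
		fmt.Fprintln(stderr, "scan: an IMAGE argument or --input FILE is required")
		usage(stderr)
		return ExitUsage
	}

	target := *input
	if target == "" {
		target = fs.Arg(0)
	}
	fmt.Fprintf(stdout, "would scan %s\n", target)
	return ExitOK
}

func main() {
	// The only os.Exit in the program, at the top level.
	os.Exit(run(os.Args[1:], os.Stdout, os.Stderr))
}
```

With this shape, `scan` alone prints the usage text on stderr and returns 2, `scan -h` prints the same text on stdout and returns 0, and `scan alpine:3.12` or `scan --input image.tar` returns 0, so `scan && next-step` in a script behaves correctly in all three cases.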

push event aquasecurity/binfinder

Simarpreet Singh

commit sha 6ef0081f3aa5aee5cfc2ffaf88f5f1cb2f523646

binfinder: Add better help texts (#8) Signed-off-by: Simarpreet Singh <simar@linux.com>

push time in 22 days

PR merged aquasecurity/binfinder

binfinder: Add better help texts

Signed-off-by: Simarpreet Singh simar@linux.com

+37 -2

0 comment

1 changed file

simar7

pr closed time in 22 days

push event aquasecurity/binfinder

Simarpreet Singh

commit sha 58b29a14ecdd0201307c85cb317a534d9c1cbee5

model/popular: Add tests for GetPopularImages (#5)

* docker/popular: Add tests for GetPopularImages
  Signed-off-by: Simarpreet Singh <simar@linux.com>
* dtr/docker: Add tests for GetPopularImages.
  Signed-off-by: Simarpreet Singh <simar@linux.com>
* return error when tag not found
* registryv2/popular: Add tests for GetPopularImages
  Signed-off-by: Simarpreet Singh <simar@linux.com>

Co-authored-by: Rahul Yadav <rahulyadavsep92@gmail.com>

push time in 22 days

PR merged aquasecurity/binfinder

model/popular: Add tests for GetPopularImages

Signed-off-by: Simarpreet Singh simar@linux.com

+287 -40

0 comment

7 changed files

simar7

pr closed time in 22 days

PR opened aquasecurity/binfinder

binfinder: Add better help texts

Signed-off-by: Simarpreet Singh simar@linux.com

+37 -2

0 comment

1 changed file

pr created time in 23 days

create branch aquasecurity/binfinder

branch : better-help-texts

created branch time in 23 days

push event aquasecurity/binfinder

Simarpreet Singh

commit sha 51f2000110e3e8d077c96b7981b9655c126e4aa1

registryv2/popular: Add tests for GetPopularImages Signed-off-by: Simarpreet Singh <simar@linux.com>

push time in 23 days

push event aquasecurity/binfinder

Rahul Yadav

commit sha 6c9ee74288196eee0cebbfc359547fbbb6a70dca

Improved alpine speed

Rahul Yadav

commit sha e5b0038606e36388c1cdbd4c7d9f862872f8eece

Fixed tests

rahul2393

commit sha 25d08aaedf67585055ba48bba7137073af8efaf6

Merge pull request #6 from aquasecurity/alpine-improvement Improved alpine speed

Rahul Yadav

commit sha fa60bb92a2ffd8e7938c2c49614f526f2f693b6d

Improved alpine diff

rahul2393

commit sha 920f4db1b211c2bfa3abdcff786db42fce6deffa

Merge pull request #7 from aquasecurity/include-shared-objects Improved alpine diff

Rahul Yadav

commit sha 54a4ef31785bf8489322d558ba07c4623c0a9d90

Fixed old diffs

Rahul Yadav

commit sha 149ca6f2db895e03fd9031c1ab3063955085fbde

Ignore binaries containing aquasec in it

Simarpreet Singh

commit sha 7386152ededd04a851f38784c7a8afc90464c956

docker/popular: Add tests for GetPopularImages Signed-off-by: Simarpreet Singh <simar@linux.com>

Simarpreet Singh

commit sha 7ad9dc04b038134b0e06a4b77dea32ffd035e0c2

dtr/docker: Add tests for GetPopularImages. Signed-off-by: Simarpreet Singh <simar@linux.com>

Rahul Yadav

commit sha dcc04bbe479c9d18315ab64e6bbc5b6afd0488f6

return error when tag not found

push time in 23 days

push event aquasecurity/binfinder

Simarpreet Singh

commit sha a12a992f6cdc52bceb1fb5c02071397833780ff4

dtr/docker: Add tests for GetPopularImages. Signed-off-by: Simarpreet Singh <simar@linux.com>

push time in a month
