Filter Vulnerabilities

Hide Unfixed Vulnerabilities

By default, Trivy also reports vulnerabilities for which no fixed package version has been released yet (the FIXED VERSION column is empty). Updating every package in the image will not make these findings go away, because there is nothing newer to update to. If you want to see only the findings you can act on, use the --ignore-unfixed option. Note that this only filters the report: the vulnerable code is still in the image, so re-scan regularly, since a fix may be published later.

$ trivy image --ignore-unfixed ruby:2.4.0

Result

2019-05-16T12:49:52.656+0900 INFO Updating vulnerability database...
2019-05-16T12:50:14.786+0900 INFO Detecting Debian vulnerabilities...
ruby:2.4.0 (debian 8.7)
=======================
Total: 4730 (UNKNOWN: 1, LOW: 145, MEDIUM: 3487, HIGH: 1014, CRITICAL: 83)
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
|---------|------------------|----------|-------------------|---------------|-------|
| apt | CVE-2019-3462 | CRITICAL | 1.0.9.8.3 | 1.0.9.8.5 | Incorrect sanitation of the 302 redirect field in HTTP transport method of... |
| apt | CVE-2016-1252 | MEDIUM | 1.0.9.8.3 | 1.0.9.8.4 | The apt package in Debian jessie before 1.0.9.8.4, in Debian unstable before... |
| bash | CVE-2019-9924 | HIGH | 4.3-11 | 4.3-11+deb8u2 | bash: BASH_CMD is writable in restricted bash shells |
| bash | CVE-2016-7543 | HIGH | 4.3-11 | 4.3-11+deb8u1 | bash: Specially crafted SHELLOPTS+PS4 variables allows command substitution |
| bash | CVE-2016-0634 | MEDIUM | 4.3-11 | 4.3-11+deb8u1 | bash: Arbitrary code execution via malicious hostname |
| bash | CVE-2016-9401 | LOW | 4.3-11 | 4.3-11+deb8u2 | bash: popd controlled free |
...

By Severity

Use the --severity option with a comma-separated list of the severity levels you want reported (UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL). Findings at the other levels are dropped from the output, and the Total line reflects only what was kept.

$ trivy image --severity HIGH,CRITICAL ruby:2.4.0

Result

2019-05-16T01:51:46.255+0900 INFO Updating vulnerability database...
2019-05-16T01:51:49.213+0900 INFO Detecting Debian vulnerabilities...
ruby:2.4.0 (debian 8.7)
=======================
Total: 1785 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1680, CRITICAL: 105)
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
|---------|------------------|----------|-------------------|---------------|-------|
| apt | CVE-2019-3462 | CRITICAL | 1.0.9.8.3 | 1.0.9.8.5 | Incorrect sanitation of the 302 redirect field in HTTP transport method of... |
| bash | CVE-2019-9924 | HIGH | 4.3-11 | 4.3-11+deb8u2 | bash: BASH_CMD is writable in restricted bash shells |
| bash | CVE-2016-7543 | HIGH | 4.3-11 | 4.3-11+deb8u1 | bash: Specially crafted SHELLOPTS+PS4 variables allows command substitution |
| binutils | CVE-2017-8421 | HIGH | 2.25-5 | | binutils: Memory exhaustion in objdump via a crafted PE file |
| binutils | CVE-2017-14930 | HIGH | 2.25-5 | | binutils: Memory leak in decode_line_info |
| binutils | CVE-2017-7614 | HIGH | 2.25-5 | | binutils: NULL pointer dereference in bfd_elf_final_link function |
| binutils | CVE-2014-9939 | HIGH | 2.25-5 | | binutils: buffer overflow in ihex.c |
| binutils | CVE-2017-13716 | HIGH | 2.25-5 | | binutils: Memory leak with the C++ symbol demangler routine in libiberty |
| binutils | CVE-2018-12699 | HIGH | 2.25-5 | | binutils: heap-based buffer overflow in finish_stab in stabs.c |
| bsdutils | CVE-2015-5224 | HIGH | 2.25.2-6 | | util-linux: File name collision due to incorrect mkstemp use |
| bsdutils | CVE-2016-2779 | HIGH | 2.25.2-6 | | util-linux: runuser tty hijack via TIOCSTI ioctl |

By Vulnerability IDs

Create a file named .trivyignore in the directory you run Trivy from and list one vulnerability ID per line. Lines starting with # are comments, so record the reason for each exception next to it; the list is the audit trail for risk you have accepted. Matching vulnerabilities are removed from the report and from the Total line. A different ignore file can be passed with --ignorefile.

$ cat .trivyignore
# Accept the risk
CVE-2018-14618
# No impact in our settings
CVE-2019-1543
$ trivy image python:3.4-alpine3.9

Result

2019-05-16T12:53:10.076+0900 INFO Updating vulnerability database...
2019-05-16T12:53:28.134+0900 INFO Detecting Alpine vulnerabilities...
python:3.4-alpine3.9 (alpine 3.9.2)
===================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

By Type

Use the --vuln-type option to restrict the report to vulnerabilities in OS packages (those installed by the distribution's package manager) or to vulnerabilities in application libraries (language packages such as npm or pipenv dependencies).

$ trivy image --vuln-type os ruby:2.4.0

Available values:
- library
- os

Result

2019-05-22T19:36:50.530+0200 INFO Updating vulnerability database...
2019-05-22T19:36:51.681+0200 INFO Detecting Alpine vulnerabilities...
2019-05-22T19:36:51.685+0200 INFO Updating npm Security DB...
2019-05-22T19:36:52.389+0200 INFO Detecting npm vulnerabilities...
2019-05-22T19:36:52.390+0200 INFO Updating pipenv Security DB...
2019-05-22T19:36:53.406+0200 INFO Detecting pipenv vulnerabilities...
ruby:2.4.0 (debian 8.7)
Total: 4751 (UNKNOWN: 1, LOW: 150, MEDIUM: 3504, HIGH: 1013, CRITICAL: 83)
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
|---------|------------------|----------|-------------------|---------------|-------|
| curl | CVE-2018-14618 | CRITICAL | 7.61.0-r0 | 7.61.1-r0 | curl: NTLM password overflow via integer overflow |
| curl | CVE-2018-16839 | HIGH | 7.61.0-r0 | 7.61.1-r1 | curl: Integer overflow leading to heap-based buffer overflow in Curl_sasl_create_plain_message() |
| curl | CVE-2019-3822 | HIGH | 7.61.0-r0 | 7.61.1-r2 | curl: NTLMv2 type-3 header stack buffer overflow |
| curl | CVE-2018-16840 | HIGH | 7.61.0-r0 | 7.61.1-r1 | curl: Use-after-free when closing "easy" handle in Curl_close() |
| curl | CVE-2019-3823 | MEDIUM | 7.61.0-r0 | 7.61.1-r2 | curl: SMTP end-of-response out-of-bounds read |
| curl | CVE-2018-16890 | MEDIUM | 7.61.0-r0 | 7.61.1-r2 | curl: NTLM type-2 heap out-of-bounds buffer read |
| curl | CVE-2018-16842 | MEDIUM | 7.61.0-r0 | 7.61.1-r1 | curl: Heap-based buffer over-read in the curl tool warning formatting |
| git | CVE-2018-17456 | HIGH | 2.15.2-r0 | 2.15.3-r0 | git: arbitrary code execution via .gitmodules |
| git | CVE-2018-19486 | HIGH | 2.15.2-r0 | 2.15.3-r0 | git: Improper handling of PATH allows for commands to be executed from... |
| libssh2 | CVE-2019-3855 | CRITICAL | 1.8.0-r2 | 1.8.1-r0 | libssh2: Integer overflow in transport read resulting in out of bounds write... |
| libssh2 | CVE-2019-3861 | MEDIUM | 1.8.0-r2 | 1.8.1-r0 | libssh2: Out-of-bounds reads with specially crafted SSH packets |
| libssh2 | CVE-2019-3857 | MEDIUM | 1.8.0-r2 | 1.8.1-r0 | libssh2: Integer overflow in SSH packet processing channel resulting in out of... |
| libssh2 | CVE-2019-3856 | MEDIUM | 1.8.0-r2 | 1.8.1-r0 | libssh2: Integer overflow in keyboard interactive handling resulting in out of bounds... |
| libssh2 | CVE-2019-3863 | MEDIUM | 1.8.0-r2 | 1.8.1-r0 | libssh2: Integer overflow in user authenticate keyboard interactive allows out-of-bounds writes |
| libssh2 | CVE-2019-3862 | MEDIUM | 1.8.0-r2 | 1.8.1-r0 | libssh2: Out-of-bounds memory comparison with specially crafted message channel request |
| libssh2 | CVE-2019-3860 | MEDIUM | 1.8.0-r2 | 1.8.1-r0 | libssh2: Out-of-bounds reads with specially crafted SFTP packets |
| libssh2 | CVE-2019-3858 | MEDIUM | 1.8.0-r2 | 1.8.1-r0 | libssh2: Zero-byte allocation with a specially crafted SFTP packed leading to an... |
| libssh2 | CVE-2019-3859 | MEDIUM | 1.8.0-r2 | 1.8.1-r0 | libssh2: Unchecked use of _libssh2_packet_require and _libssh2_packet_requirev resulting in out-of-bounds read |
| libxml2 | CVE-2018-14404 | MEDIUM | 2.9.7-r0 | 2.9.8-r1 | libxml2: NULL pointer dereference in xpath.c:xmlXPathCompOpEval() can allow attackers to cause a... |
| libxml2 | CVE-2018-14567 | MEDIUM | 2.9.7-r0 | 2.9.8-r1 | libxml2: Infinite loop when --with-lzma is used allows for denial of service... |
| libxml2 | CVE-2018-9251 | LOW | 2.9.7-r0 | 2.9.8-r1 | libxml2: infinite loop in xz_decomp function in xzlib.c |
| openssh | CVE-2019-6109 | MEDIUM | 7.5_p1-r9 | 7.5_p1-r10 | openssh: Missing character encoding in progress display allows for spoofing of scp... |
| openssh | CVE-2019-6111 | MEDIUM | 7.5_p1-r9 | 7.5_p1-r10 | openssh: Improper validation of object names allows malicious server to overwrite files... |
| openssh | CVE-2018-20685 | LOW | 7.5_p1-r9 | 7.5_p1-r10 | openssh: scp client improper directory name validation |
| sqlite | CVE-2018-20346 | MEDIUM | 3.21.0-r1 | 3.25.3-r0 | CVE-2018-20505 CVE-2018-20506 sqlite: Multiple flaws in sqlite which can be triggered via... |
| tar | CVE-2018-20482 | LOW | 1.29-r1 | 1.31-r0 | tar: Infinite read loop in sparse_dump_region function in sparse.c |

By Open Policy Agent

[EXPERIMENTAL] This feature might change without preserving backwards compatibility.

Trivy can evaluate an Open Policy Agent (OPA) policy to decide which vulnerabilities to drop from the report. Pass a Rego file with the --ignore-policy option.

The Rego package name must be trivy, and the package must define a rule called ignore that decides, for each individual vulnerability, whether it is excluded (ignore = true) or kept (ignore = false). The policy is evaluated once per vulnerability, with that vulnerability bound to the input variable; its fields are the same as the vulnerability object in Trivy's JSON output (for example VulnerabilityID, PkgName, Severity, InstalledVersion and FixedVersion), so you can filter on anything the JSON report contains, not only on ID or severity. Give the rule a default of false so that a vulnerability the policy says nothing about is still reported.

Trivy ships a built-in Rego library with helper functions that you can pull into your policy with import data.lib.trivy. For details on the helper functions, see the library source in the Trivy repository.

To get started, run Trivy with the example policy that ships in the repository:

$ trivy image --ignore-policy contrib/example_filter/basic.rego centos:7

Result

centos:7 (centos 7.8.2003)
==========================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
|---------|------------------|----------|-------------------|---------------|-------|
| glib2 | CVE-2016-3191 | HIGH | 2.56.1-5.el7 | | pcre: workspace overflow for (*ACCEPT) with deeply nested parentheses (8.39/13, 10.22/12) |
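The policy below is an added example written for this page; it is not Trivy's own contrib/example_filter/basic.rego and it does not use data.lib.trivy, so it evaluates on its own with plain OPA as well. It combines the three filters from the earlier sections (an accepted-risk list like .trivyignore, deferring unfixed findings, and a severity floor) with one filter that none of the command-line options can express: dropping findings whose NVD CVSS v3 vector requires local or physical access. It assumes the field names of Trivy's JSON vulnerability object (VulnerabilityID, Severity, FixedVersion, CVSS.nvd.V3Vector); the two CVE IDs and the reasons next to them are constructed for the example, and the policy is written in the same Rego rule syntax as the example policy shipped with Trivy.

```rego
package trivy

# Added example policy (not Trivy's contrib/example_filter/basic.rego).
# Trivy evaluates this package once per vulnerability, with that
# vulnerability (Trivy JSON structure) bound to `input`, and drops the
# finding when `ignore` is true.

# Anything the rules below say nothing about stays in the report.
default ignore = false

# 1. Accepted risk, equivalent to a .trivyignore list. IDs and reasons are
#    constructed for this example; keep the reason next to each ID so the
#    exception can be audited and revisited.
accepted_risk := {
	# curl NTLM overflow: the image never authenticates with NTLM
	"CVE-2018-14618",
	# no impact in our configuration
	"CVE-2019-1543"
}

ignore {
	accepted_risk[input.VulnerabilityID]
}

# 2. Defer findings that have no fixed package yet, but only below HIGH.
#    Same idea as --ignore-unfixed, with a severity floor so a CRITICAL or
#    HIGH finding is still reported even when nothing can be updated.
deferrable_severities := {"LOW", "MEDIUM"}

# True only when Trivy supplied a non-empty FixedVersion; if the field is
# absent, the comparison is undefined and `not has_fix` below holds.
has_fix {
	input.FixedVersion != ""
}

ignore {
	not has_fix
	deferrable_severities[input.Severity]
}

# 3. Attack-vector filter. Assumes input.CVSS.nvd.V3Vector holds the NVD
#    CVSS v3 vector string; if it is missing, `local_only` is undefined and
#    the finding is kept, which is the safe default.
local_access_vectors := {"AV:L", "AV:P"}

local_only {
	vector := input.CVSS.nvd.V3Vector
	contains(vector, local_access_vectors[_])
}

# Drop local-only findings except CRITICAL ones, which always stay visible.
ignore {
	local_only
	input.Severity != "CRITICAL"
}
```

Save it as policy.rego and run `trivy image --ignore-policy policy.rego ruby:2.4.0`. Because the policy imports nothing from data.lib.trivy, you can also unit test it outside Trivy: export a scan with `trivy image -f json ruby:2.4.0`, copy one object from the Vulnerabilities array into vuln.json, and run `opa eval --input vuln.json --data policy.rego 'data.trivy.ignore'`, which should print true for a finding you expect to be dropped and false otherwise. Note that the rules are OR'd together: a finding is removed as soon as any one `ignore` body succeeds, so keep the severity floor inside every rule that is meant to respect it.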