Filter Vulnerabilities

Hide Unfixed Vulnerabilities

By default, Trivy also detects unpatched/unfixed vulnerabilities. This means you can’t fix these vulnerabilities even if you update all packages. If you would like to ignore them, use the --ignore-unfixed option.

  1. $ trivy image --ignore-unfixed ruby:2.4.0

Result

  1. 2019-05-16T12:49:52.656+0900    INFO    Updating vulnerability database...
  2. 2019-05-16T12:50:14.786+0900    INFO    Detecting Debian vulnerabilities...
  4. ruby:2.4.0 (debian 8.7)
  5. =======================
  6. Total: 4730 (UNKNOWN: 1, LOW: 145, MEDIUM: 3487, HIGH: 1014, CRITICAL: 83)
  8. +------------------------------+------------------+----------+----------------------------+----------------------------------+-----------------------------------------------------+
  9. |           LIBRARY            | VULNERABILITY ID | SEVERITY |     INSTALLED VERSION      |          FIXED VERSION           |                        TITLE                        |
  10. +------------------------------+------------------+----------+----------------------------+----------------------------------+-----------------------------------------------------+
  11. | apt                          | CVE-2019-3462    | CRITICAL | 1.0.9.8.3                  | 1.0.9.8.5                        | Incorrect sanitation of the                         |
  12. |                              |                  |          |                            |                                  | 302 redirect field in HTTP                          |
  13. |                              |                  |          |                            |                                  | transport method of...                              |
  14. +                              +------------------+----------+                            +----------------------------------+-----------------------------------------------------+
  15. |                              | CVE-2016-1252    | MEDIUM   |                            | 1.0.9.8.4                        | The apt package in Debian                           |
  16. |                              |                  |          |                            |                                  | jessie before 1.0.9.8.4, in                         |
  17. |                              |                  |          |                            |                                  | Debian unstable before...                           |
  18. +------------------------------+------------------+----------+----------------------------+----------------------------------+-----------------------------------------------------+
  19. | bash                         | CVE-2019-9924    | HIGH     | 4.3-11                     | 4.3-11+deb8u2                    | bash: BASH_CMD is writable in                       |
  20. |                              |                  |          |                            |                                  | restricted bash shells                              |
  21. +                              +------------------+          +                            +----------------------------------+-----------------------------------------------------+
  22. |                              | CVE-2016-7543    |          |                            | 4.3-11+deb8u1                    | bash: Specially crafted                             |
  23. |                              |                  |          |                            |                                  | SHELLOPTS+PS4 variables allows                      |
  24. |                              |                  |          |                            |                                  | command substitution                                |
  25. +                              +------------------+----------+                            +                                  +-----------------------------------------------------+
  26. |                              | CVE-2016-0634    | MEDIUM   |                            |                                  | bash: Arbitrary code execution                      |
  27. |                              |                  |          |                            |                                  | via malicious hostname                              |
  28. +                              +------------------+----------+                            +----------------------------------+-----------------------------------------------------+
  29. |                              | CVE-2016-9401    | LOW      |                            | 4.3-11+deb8u2                    | bash: popd controlled free                          |
  30. +------------------------------+------------------+----------+----------------------------+----------------------------------+-----------------------------------------------------+
  31. ...

By Severity

Use --severity option.

  1. $ trivy image --severity HIGH,CRITICAL ruby:2.4.0

Result

  1. 2019-05-16T01:51:46.255+0900    INFO    Updating vulnerability database...
  2. 2019-05-16T01:51:49.213+0900    INFO    Detecting Debian vulnerabilities...
  4. ruby:2.4.0 (debian 8.7)
  5. =======================
  6. Total: 1785 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1680, CRITICAL: 105)
  8. +-----------------------------+------------------+----------+---------------------------+----------------------------------+-------------------------------------------------+
  9. |           LIBRARY           | VULNERABILITY ID | SEVERITY |     INSTALLED VERSION     |          FIXED VERSION           |                      TITLE                      |
  10. +-----------------------------+------------------+----------+---------------------------+----------------------------------+-------------------------------------------------+
  11. | apt                         | CVE-2019-3462    | CRITICAL | 1.0.9.8.3                 | 1.0.9.8.5                        | Incorrect sanitation of the                     |
  12. |                             |                  |          |                           |                                  | 302 redirect field in HTTP                      |
  13. |                             |                  |          |                           |                                  | transport method of...                          |
  14. +-----------------------------+------------------+----------+---------------------------+----------------------------------+-------------------------------------------------+
  15. | bash                        | CVE-2019-9924    | HIGH     | 4.3-11                    | 4.3-11+deb8u2                    | bash: BASH_CMD is writable in                   |
  16. |                             |                  |          |                           |                                  | restricted bash shells                          |
  17. +                             +------------------+          +                           +----------------------------------+-------------------------------------------------+
  18. |                             | CVE-2016-7543    |          |                           | 4.3-11+deb8u1                    | bash: Specially crafted                         |
  19. |                             |                  |          |                           |                                  | SHELLOPTS+PS4 variables allows                  |
  20. |                             |                  |          |                           |                                  | command substitution                            |
  21. +-----------------------------+------------------+          +---------------------------+----------------------------------+-------------------------------------------------+
  22. | binutils                    | CVE-2017-8421    |          | 2.25-5                    |                                  | binutils: Memory exhaustion in                  |
  23. |                             |                  |          |                           |                                  | objdump via a crafted PE file                   |
  24. +                             +------------------+          +                           +----------------------------------+-------------------------------------------------+
  25. |                             | CVE-2017-14930   |          |                           |                                  | binutils: Memory leak in                        |
  26. |                             |                  |          |                           |                                  | decode_line_info                                |
  27. +                             +------------------+          +                           +----------------------------------+-------------------------------------------------+
  28. |                             | CVE-2017-7614    |          |                           |                                  | binutils: NULL                                  |
  29. |                             |                  |          |                           |                                  | pointer dereference in                          |
  30. |                             |                  |          |                           |                                  | bfd_elf_final_link function                     |
  31. +                             +------------------+          +                           +----------------------------------+-------------------------------------------------+
  32. |                             | CVE-2014-9939    |          |                           |                                  | binutils: buffer overflow in                    |
  33. |                             |                  |          |                           |                                  | ihex.c                                          |
  34. +                             +------------------+          +                           +----------------------------------+-------------------------------------------------+
  35. |                             | CVE-2017-13716   |          |                           |                                  | binutils: Memory leak with the                  |
  36. |                             |                  |          |                           |                                  | C++ symbol demangler routine                    |
  37. |                             |                  |          |                           |                                  | in libiberty                                    |
  38. +                             +------------------+          +                           +----------------------------------+-------------------------------------------------+
  39. |                             | CVE-2018-12699   |          |                           |                                  | binutils: heap-based buffer                     |
  40. |                             |                  |          |                           |                                  | overflow in finish_stab in                      |
  41. |                             |                  |          |                           |                                  | stabs.c                                         |
  42. +-----------------------------+------------------+          +---------------------------+----------------------------------+-------------------------------------------------+
  43. | bsdutils                    | CVE-2015-5224    |          | 2.25.2-6                  |                                  | util-linux: File name                           |
  44. |                             |                  |          |                           |                                  | collision due to incorrect                      |
  45. |                             |                  |          |                           |                                  | mkstemp use                                     |
  46. +                             +------------------+          +                           +----------------------------------+-------------------------------------------------+
  47. |                             | CVE-2016-2779    |          |                           |                                  | util-linux: runuser tty hijack                  |
  48. |                             |                  |          |                           |                                  | via TIOCSTI ioctl                               |
  49. +-----------------------------+------------------+----------+---------------------------+----------------------------------+-------------------------------------------------+

By Vulnerability IDs

Use .trivyignore.

  1. $ cat .trivyignore
  2. # Accept the risk
  3. CVE-2018-14618
  5. # No impact in our settings
  6. CVE-2019-1543
  8. $ trivy image python:3.4-alpine3.9

Result

  1. 2019-05-16T12:53:10.076+0900    INFO    Updating vulnerability database...
  2. 2019-05-16T12:53:28.134+0900    INFO    Detecting Alpine vulnerabilities...
  4. python:3.4-alpine3.9 (alpine 3.9.2)
  5. ===================================
  6. Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

By Type

Use --vuln-type option.

  1. $ trivy image --vuln-type os ruby:2.4.0

Available values: - library - os

Result

  1. 2019-05-22T19:36:50.530+0200    INFO    Updating vulnerability database...
  2. 2019-05-22T19:36:51.681+0200    INFO    Detecting Alpine vulnerabilities...
  3. 2019-05-22T19:36:51.685+0200    INFO    Updating npm Security DB...
  4. 2019-05-22T19:36:52.389+0200    INFO    Detecting npm vulnerabilities...
  5. 2019-05-22T19:36:52.390+0200    INFO    Updating pipenv Security DB...
  6. 2019-05-22T19:36:53.406+0200    INFO    Detecting pipenv vulnerabilities...
  8. ruby:2.4.0 (debian 8.7)
  9. Total: 4751 (UNKNOWN: 1, LOW: 150, MEDIUM: 3504, HIGH: 1013, CRITICAL: 83)
  11. +---------+------------------+----------+-------------------+---------------+----------------------------------+
  12. | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |              TITLE               |
  13. +---------+------------------+----------+-------------------+---------------+----------------------------------+
  14. | curl    | CVE-2018-14618   | CRITICAL | 7.61.0-r0         | 7.61.1-r0     | curl: NTLM password overflow     |
  15. |         |                  |          |                   |               | via integer overflow             |
  16. +         +------------------+----------+                   +---------------+----------------------------------+
  17. |         | CVE-2018-16839   | HIGH     |                   | 7.61.1-r1     | curl: Integer overflow leading   |
  18. |         |                  |          |                   |               | to heap-based buffer overflow in |
  19. |         |                  |          |                   |               | Curl_sasl_create_plain_message() |
  20. +         +------------------+          +                   +---------------+----------------------------------+
  21. |         | CVE-2019-3822    |          |                   | 7.61.1-r2     | curl: NTLMv2 type-3 header       |
  22. |         |                  |          |                   |               | stack buffer overflow            |
  23. +         +------------------+          +                   +---------------+----------------------------------+
  24. |         | CVE-2018-16840   |          |                   | 7.61.1-r1     | curl: Use-after-free when        |
  25. |         |                  |          |                   |               | closing "easy" handle in         |
  26. |         |                  |          |                   |               | Curl_close()                     |
  27. +         +------------------+----------+                   +---------------+----------------------------------+
  28. |         | CVE-2019-3823    | MEDIUM   |                   | 7.61.1-r2     | curl: SMTP end-of-response       |
  29. |         |                  |          |                   |               | out-of-bounds read               |
  30. +         +------------------+          +                   +               +----------------------------------+
  31. |         | CVE-2018-16890   |          |                   |               | curl: NTLM type-2 heap           |
  32. |         |                  |          |                   |               | out-of-bounds buffer read        |
  33. +         +------------------+          +                   +---------------+----------------------------------+
  34. |         | CVE-2018-16842   |          |                   | 7.61.1-r1     | curl: Heap-based buffer          |
  35. |         |                  |          |                   |               | over-read in the curl tool       |
  36. |         |                  |          |                   |               | warning formatting               |
  37. +---------+------------------+----------+-------------------+---------------+----------------------------------+
  38. | git     | CVE-2018-17456   | HIGH     | 2.15.2-r0         | 2.15.3-r0     | git: arbitrary code execution    |
  39. |         |                  |          |                   |               | via .gitmodules                  |
  40. +         +------------------+          +                   +               +----------------------------------+
  41. |         | CVE-2018-19486   |          |                   |               | git: Improper handling of        |
  42. |         |                  |          |                   |               | PATH allows for commands to be   |
  43. |         |                  |          |                   |               | executed from...                 |
  44. +---------+------------------+----------+-------------------+---------------+----------------------------------+
  45. | libssh2 | CVE-2019-3855    | CRITICAL | 1.8.0-r2          | 1.8.1-r0      | libssh2: Integer overflow in     |
  46. |         |                  |          |                   |               | transport read resulting in      |
  47. |         |                  |          |                   |               | out of bounds write...           |
  48. +         +------------------+----------+                   +               +----------------------------------+
  49. |         | CVE-2019-3861    | MEDIUM   |                   |               | libssh2: Out-of-bounds reads     |
  50. |         |                  |          |                   |               | with specially crafted SSH       |
  51. |         |                  |          |                   |               | packets                          |
  52. +         +------------------+          +                   +               +----------------------------------+
  53. |         | CVE-2019-3857    |          |                   |               | libssh2: Integer overflow in     |
  54. |         |                  |          |                   |               | SSH packet processing channel    |
  55. |         |                  |          |                   |               | resulting in out of...           |
  56. +         +------------------+          +                   +               +----------------------------------+
  57. |         | CVE-2019-3856    |          |                   |               | libssh2: Integer overflow in     |
  58. |         |                  |          |                   |               | keyboard interactive handling    |
  59. |         |                  |          |                   |               | resulting in out of bounds...    |
  60. +         +------------------+          +                   +               +----------------------------------+
  61. |         | CVE-2019-3863    |          |                   |               | libssh2: Integer overflow        |
  62. |         |                  |          |                   |               | in user authenticate             |
  63. |         |                  |          |                   |               | keyboard interactive allows      |
  64. |         |                  |          |                   |               | out-of-bounds writes             |
  65. +         +------------------+          +                   +               +----------------------------------+
  66. |         | CVE-2019-3862    |          |                   |               | libssh2: Out-of-bounds memory    |
  67. |         |                  |          |                   |               | comparison with specially        |
  68. |         |                  |          |                   |               | crafted message channel          |
  69. |         |                  |          |                   |               | request                          |
  70. +         +------------------+          +                   +               +----------------------------------+
  71. |         | CVE-2019-3860    |          |                   |               | libssh2: Out-of-bounds reads     |
  72. |         |                  |          |                   |               | with specially crafted SFTP      |
  73. |         |                  |          |                   |               | packets                          |
  74. +         +------------------+          +                   +               +----------------------------------+
  75. |         | CVE-2019-3858    |          |                   |               | libssh2: Zero-byte allocation    |
  76. |         |                  |          |                   |               | with a specially crafted SFTP    |
  77. |         |                  |          |                   |               | packed leading to an...          |
  78. +         +------------------+          +                   +               +----------------------------------+
  79. |         | CVE-2019-3859    |          |                   |               | libssh2: Unchecked use of        |
  80. |         |                  |          |                   |               | _libssh2_packet_require and      |
  81. |         |                  |          |                   |               | _libssh2_packet_requirev         |
  82. |         |                  |          |                   |               | resulting in out-of-bounds       |
  83. |         |                  |          |                   |               | read                             |
  84. +---------+------------------+          +-------------------+---------------+----------------------------------+
  85. | libxml2 | CVE-2018-14404   |          | 2.9.7-r0          | 2.9.8-r1      | libxml2: NULL pointer            |
  86. |         |                  |          |                   |               | dereference in                   |
  87. |         |                  |          |                   |               | xpath.c:xmlXPathCompOpEval()     |
  88. |         |                  |          |                   |               | can allow attackers to cause     |
  89. |         |                  |          |                   |               | a...                             |
  90. +         +------------------+          +                   +               +----------------------------------+
  91. |         | CVE-2018-14567   |          |                   |               | libxml2: Infinite loop when      |
  92. |         |                  |          |                   |               | --with-lzma is used allows for   |
  93. |         |                  |          |                   |               | denial of service...             |
  94. +         +------------------+----------+                   +               +----------------------------------+
  95. |         | CVE-2018-9251    | LOW      |                   |               | libxml2: infinite loop in        |
  96. |         |                  |          |                   |               | xz_decomp function in xzlib.c    |
  97. +---------+------------------+----------+-------------------+---------------+----------------------------------+
  98. | openssh | CVE-2019-6109    | MEDIUM   | 7.5_p1-r9         | 7.5_p1-r10    | openssh: Missing character       |
  99. |         |                  |          |                   |               | encoding in progress display     |
  100. |         |                  |          |                   |               | allows for spoofing of scp...    |
  101. +         +------------------+          +                   +               +----------------------------------+
  102. |         | CVE-2019-6111    |          |                   |               | openssh: Improper validation     |
  103. |         |                  |          |                   |               | of object names allows           |
  104. |         |                  |          |                   |               | malicious server to overwrite    |
  105. |         |                  |          |                   |               | files...                         |
  106. +         +------------------+----------+                   +               +----------------------------------+
  107. |         | CVE-2018-20685   | LOW      |                   |               | openssh: scp client improper     |
  108. |         |                  |          |                   |               | directory name validation        |
  109. +---------+------------------+----------+-------------------+---------------+----------------------------------+
  110. | sqlite  | CVE-2018-20346   | MEDIUM   | 3.21.0-r1         | 3.25.3-r0     | CVE-2018-20505 CVE-2018-20506    |
  111. |         |                  |          |                   |               | sqlite: Multiple flaws in        |
  112. |         |                  |          |                   |               | sqlite which can be triggered    |
  113. |         |                  |          |                   |               | via...                           |
  114. +---------+------------------+----------+-------------------+---------------+----------------------------------+
  115. | tar     | CVE-2018-20482   | LOW      | 1.29-r1           | 1.31-r0       | tar: Infinite read loop in       |
  116. |         |                  |          |                   |               | sparse_dump_region function in   |
  117. |         |                  |          |                   |               | sparse.c                         |
  118. +---------+------------------+----------+-------------------+---------------+----------------------------------+

By Open Policy Agent

EXPERIMENTAL

This feature might change without preserving backwards compatibility.

Trivy supports Open Policy Agent (OPA) to filter vulnerabilities. You can specify a Rego file with --ignore-policy option.

The Rego package name must be trivy and it must include a rule called ignore which determines if each individual vulnerability should be excluded (ignore=true) or not (ignore=false). In the policy, each vulnerability will be available for inspection as the input variable. The structure of each vulnerability input is the same as for the Trivy JSON output.
There is a built-in Rego library with helper functions that you can import into your policy using: import data.lib.trivy. For more info about the helper functions, look at the library here

To get started, see the example policy.

  1. $ trivy image --ignore-policy contrib/example_filter/basic.rego centos:7

Result

  1. centos:7 (centos 7.8.2003)
  2. ==========================
  3. Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
  5. +---------+------------------+----------+-------------------+---------------+--------------------------------+
  6. | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
  7. +---------+------------------+----------+-------------------+---------------+--------------------------------+
  8. | glib2   | CVE-2016-3191    | HIGH     | 2.56.1-5.el7      |               | pcre: workspace overflow       |
  9. |         |                  |          |                   |               | for (*ACCEPT) with deeply      |
  10. |         |                  |          |                   |               | nested parentheses (8.39/13,   |
  11. |         |                  |          |                   |               | 10.22/12)                      |
  12. +---------+------------------+----------+-------------------+---------------+--------------------------------+