feat(command): add rootfs command (#1271)
knqyf263 authored Oct 4, 2021
1 parent a463e79 commit 1c9ccb5
Showing 21 changed files with 270 additions and 133 deletions.
4 changes: 2 additions & 2 deletions docs/advanced/container/embed-in-dockerfile.md
@@ -10,7 +10,7 @@ FROM alpine:3.7

RUN apk add curl \
&& curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin \
&& trivy filesystem --exit-code 1 --no-progress /
&& trivy rootfs --exit-code 1 --no-progress /

$ docker build -t vulnerable-image .
```
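Review bot: the `curl -sfL .../contrib/install.sh | sh` line directly above the changed command installs whatever binary the installer resolves at build time, so until a release that ships the `rootfs` subcommand is published, a reader copying this snippet from `main` ends up with a binary that rejects `trivy rootfs --exit-code 1 --no-progress /`. Either pin the installer to a release that contains `rootfs` in the example or hold this doc change until that release; the same applies to the second example below.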
@@ -21,7 +21,7 @@ insecure `curl | sh`. Also the image is not changed.
# Run vulnerability scan on build image
FROM build AS vulnscan
COPY --from=aquasec/trivy:latest /usr/local/bin/trivy /usr/local/bin/trivy
RUN trivy filesystem --exit-code 1 --no-progress /
RUN trivy rootfs --exit-code 1 --no-progress /
[...]
```
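Review bot: `COPY --from=aquasec/trivy:latest` paired with `RUN trivy rootfs --exit-code 1 --no-progress /` has a reproducibility problem worth fixing while this line is touched: `latest` is a mutable tag, so the `vulnscan` stage changes behaviour whenever the tag moves, and any `latest` that predates `rootfs` fails the build outright. Suggest showing a pinned version tag (or digest) in the `COPY --from=` line, which is also the pattern a reader should copy into a real pipeline.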

2 changes: 1 addition & 1 deletion docs/advanced/container/unpacked-filesystem.md
@@ -6,7 +6,7 @@ In this case, Trivy works the same way when scanning containers

```bash
$ docker export $(docker create alpine:3.10.2) | tar -C /tmp/rootfs -xvf -
$ trivy fs /tmp/rootfs
$ trivy rootfs /tmp/rootfs
```

<details>
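Review bot: the `tar -C /tmp/rootfs -xvf -` line fails on a fresh machine because `/tmp/rootfs` does not exist yet; add a `$ mkdir -p /tmp/rootfs` line before the `docker export` line so the snippet runs as written. Consider dropping `-v` as well, since the extraction listing for a whole rootfs buries the `trivy rootfs /tmp/rootfs` output that the page is actually about.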
2 changes: 0 additions & 2 deletions docs/getting-started/cli/fs.md
@@ -10,15 +10,13 @@ USAGE:
OPTIONS:
--template value, -t value output template [$TRIVY_TEMPLATE]
--format value, -f value format (table, json, template) (default: "table") [$TRIVY_FORMAT]
--input value, -i value input file path instead of image name [$TRIVY_INPUT]
--severity value, -s value severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
--output value, -o value output file name [$TRIVY_OUTPUT]
--exit-code value Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE]
--skip-db-update, --skip-update skip updating vulnerability database (default: false) [$TRIVY_SKIP_UPDATE, $TRIVY_SKIP_DB_UPDATE]
--skip-policy-update skip updating built-in policies (default: false) [$TRIVY_SKIP_POLICY_UPDATE]
--clear-cache, -c clear image caches without scanning (default: false) [$TRIVY_CLEAR_CACHE]
--ignore-unfixed display only fixed vulnerabilities (default: false) [$TRIVY_IGNORE_UNFIXED]
--removed-pkgs detect vulnerabilities of removed packages (only for Alpine) (default: false) [$TRIVY_REMOVED_PKGS]
--vuln-type value comma-separated list of vulnerability types (os,library) (default: "os,library") [$TRIVY_VULN_TYPE]
--security-checks value comma-separated list of what security issues to detect (vuln,config) (default: "vuln") [$TRIVY_SECURITY_CHECKS]
--ignorefile value specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
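Review bot: `--input` and `--removed-pkgs` disappear from the `fs` help text here, but the CLI definition is not among the files visible in this view; confirm the flags were removed from the `fs` command itself in this commit, otherwise `trivy fs --help` and this page drift apart. If they were removed, `--removed-pkgs` was a documented option and deserves a line in the release notes so existing scripts that pass it are not surprised by a flag-parse error.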
34 changes: 34 additions & 0 deletions docs/getting-started/cli/rootfs.md
@@ -0,0 +1,34 @@
# Rootfs

```bash
NAME:
trivy rootfs - scan rootfs

USAGE:
trivy rootfs [command options] dir

OPTIONS:
--template value, -t value output template [$TRIVY_TEMPLATE]
--format value, -f value format (table, json, template) (default: "table") [$TRIVY_FORMAT]
--severity value, -s value severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
--output value, -o value output file name [$TRIVY_OUTPUT]
--exit-code value Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE]
--skip-db-update, --skip-update skip updating vulnerability database (default: false) [$TRIVY_SKIP_UPDATE, $TRIVY_SKIP_DB_UPDATE]
--skip-policy-update skip updating built-in policies (default: false) [$TRIVY_SKIP_POLICY_UPDATE]
--clear-cache, -c clear image caches without scanning (default: false) [$TRIVY_CLEAR_CACHE]
--ignore-unfixed display only fixed vulnerabilities (default: false) [$TRIVY_IGNORE_UNFIXED]
--vuln-type value comma-separated list of vulnerability types (os,library) (default: "os,library") [$TRIVY_VULN_TYPE]
--security-checks value comma-separated list of what security issues to detect (vuln,config) (default: "vuln") [$TRIVY_SECURITY_CHECKS]
--ignorefile value specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
--cache-backend value cache backend (e.g. redis://localhost:6379) (default: "fs") [$TRIVY_CACHE_BACKEND]
--timeout value timeout (default: 5m0s) [$TRIVY_TIMEOUT]
--no-progress suppress progress bar (default: false) [$TRIVY_NO_PROGRESS]
--ignore-policy value specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
--list-all-pkgs enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
--skip-files value specify the file paths to skip traversal [$TRIVY_SKIP_FILES]
--skip-dirs value specify the directories where the traversal is skipped [$TRIVY_SKIP_DIRS]
--config-policy value specify paths to the Rego policy files directory, applying config files [$TRIVY_CONFIG_POLICY]
--config-data value specify paths from which data for the Rego policies will be recursively loaded [$TRIVY_CONFIG_DATA]
--policy-namespaces value, --namespaces value Rego namespaces (default: "users") [$TRIVY_POLICY_NAMESPACES]
--help, -h show help (default: false)
```
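Review bot: the new page is raw help output only, with no description or example, so a reader cannot tell from it when to run `trivy rootfs` instead of `trivy fs`. Suggest adding a sentence above the fence reusing the wording this commit removes from filesystem.md, e.g. "Scan a root filesystem (such as a host machine, a virtual machine image, or an unpacked container image filesystem)", followed by a `$ trivy rootfs /` example. Two smaller points in the help text: `--clear-cache` still says "clear image caches without scanning", which is inherited from the image command, and `--list-all-pkgs` reads better as "output all packages regardless of vulnerability".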
5 changes: 3 additions & 2 deletions docs/getting-started/overview.md
@@ -8,7 +8,7 @@ Trivy detects two types of security issues:
Trivy can scan three different artifacts:

- [Container Images][container]
- [Filesystem][filesystem]
- [Filesystem][filesystem] and [Rootfs][rootfs]
- [Git Repositories][repo]

Trivy can be run in two different modes:
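Review bot: the lead-in "Trivy can scan three different artifacts:" is now wrong: the list names four (Container Images, Filesystem, Rootfs, Git Repositories) with Rootfs folded into the Filesystem bullet. Either update the count or give Rootfs its own bullet, which would also match the separate `[Rootfs][rootfs]` entry this commit adds to index.md.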
@@ -53,7 +53,7 @@ See [Integrations][integrations] for details.
- A remote image in Docker Registry such as Docker Hub, ECR, GCR and ACR
- A tar archive stored in the `docker save` / `podman save` formatted file
- An image directory compliant with [OCI Image Format][oci]
- local filesystem
- local filesystem and rootfs
- remote git repository

Please see [LICENSE][license] for Trivy licensing information.
@@ -64,6 +64,7 @@ Please see [LICENSE][license] for Trivy licensing information.
[vuln]: ../vulnerability/scanning/index.md
[misconf]: ../misconfiguration/index.md
[container]: ../vulnerability/scanning/image.md
[rootfs]: ../vulnerability/scanning/rootfs.md
[filesystem]: ../vulnerability/scanning/filesystem.md
[repo]: ../vulnerability/scanning/git-repository.md

39 changes: 20 additions & 19 deletions docs/vulnerability/detection/language.md
@@ -2,23 +2,23 @@

`Trivy` automatically detects the following files in the container and scans vulnerabilities in the application dependencies.

| Language | File | Image[^6] | Filesystem[^7] | Repository[^8] |Dev dependencies |
|---------|-------------------------|:---------:|:--------------:|:---------------:|-----------------|
| Ruby | Gemfile.lock | - | || included |
| | gemspec || | - | included |
| Python | Pipfile.lock | - | || excluded |
| | poetry.lock | - | || included |
| | requirements.txt | - | || included |
| | egg package[^1] || | - | excluded |
| | wheel package[^2] || | - | excluded |
| PHP | composer.lock || || excluded |
| Node.js | package-lock.json | - | || excluded |
| | yarn.lock | - | || included |
| | package.json || | - | excluded |
| .NET | packages.lock.json || || included |
| Java | JAR/WAR/EAR[^3][^4] || || included |
| Go | Binaries built by Go[^5] || | - | excluded |
| | go.sum | - | || included |
| Language | File | Image[^6] | Rootfs[^7] | Filesysetm[^8] | Repository[^9] |Dev dependencies |
|----------|--------------------------|:---------:|:----------:|:--------------:|:---------------:|-----------------|
| Ruby | Gemfile.lock | - | - | || included |
| | gemspec ||| - | - | included |
| Python | Pipfile.lock | - | - | || excluded |
| | poetry.lock | - | - | || included |
| | requirements.txt | - | - | || included |
| | egg package[^1] ||| - | - | excluded |
| | wheel package[^2] ||| - | - | excluded |
| PHP | composer.lock ||| || excluded |
| Node.js | package-lock.json | - | - | || excluded |
| | yarn.lock | - | - | || included |
| | package.json ||| - | - | excluded |
| .NET | packages.lock.json ||| || included |
| Java | JAR/WAR/EAR[^3][^4] ||| || included |
| Go | Binaries built by Go[^5] ||| - | - | excluded |
| | go.sum | - | - | | | included |

The path of these files does not matter.
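Review bot: typo in the new header row: `Filesysetm[^8]` should be `Filesystem[^8]`. Beyond that, the new Rootfs column duplicates the Image column cell for cell; if that is by design (rootfs scanning uses the same analyzers as image scanning), a one-line note under the table saying so saves readers comparing the two columns row by row. Also confirm the `go.sum` row still carries its mark in the Repository column; it renders differently from the other rows in this view.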

@@ -30,5 +30,6 @@ Example: [Dockerfile](https://github.com/aquasecurity/trivy-ci-test/blob/main/Do
[^4]: It requires the Internet access
[^5]: UPX-compressed binaries don't work
[^6]: ✅ means "enabled" and `-` means "disabled" in the image scanning
[^7]: ✅ means "enabled" and `-` means "disabled" in the filesystem scanning
[^8]: ✅ means "enabled" and `-` means "disabled" in the git repository scanning
[^7]: ✅ means "enabled" and `-` means "disabled" in the rootfs scanning
[^8]: ✅ means "enabled" and `-` means "disabled" in the filesystem scanning
[^9]: ✅ means "enabled" and `-` means "disabled" in the git repository scanning
56 changes: 1 addition & 55 deletions docs/vulnerability/scanning/filesystem.md
@@ -1,6 +1,6 @@
# Filesystem

Scan a filesystem (such as a host machine, a virtual machine image, or an unpacked container image filesystem).
Scan a local project including language-specific files.

```bash
$ trivy fs /path/to/project
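Review bot: the replacement sentence "Scan a local project including language-specific files." drops the host machine, virtual machine image and unpacked container image use cases without telling the reader where they went. Add a pointer such as "To scan a host machine, a virtual machine image, or an unpacked container image filesystem, use `trivy rootfs` instead." Otherwise someone who has been running `trivy fs /` on hosts lands on this page with no migration hint.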
@@ -47,57 +47,3 @@ Total: 10 (UNKNOWN: 2, LOW: 0, MEDIUM: 6, HIGH: 2, CRITICAL: 0)
```

</details>

## From Inside Containers
Scan your container from inside the container.

```bash
$ docker run --rm -it alpine:3.11
/ # curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
/ # trivy fs /
```

<details>
<summary>Result</summary>

```
2021-03-08T05:22:26.378Z INFO Need to update DB
2021-03-08T05:22:26.380Z INFO Downloading DB...
20.37 MiB / 20.37 MiB [-------------------------------------------------------------------------------------------------------------------------------------] 100.00% 8.24 MiB p/s 2s
2021-03-08T05:22:30.134Z INFO Detecting Alpine vulnerabilities...
2021-03-08T05:22:30.138Z INFO Trivy skips scanning programming language libraries because no supported file was detected
313430f09696 (alpine 3.11.7)
============================
Total: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 6, CRITICAL: 0)
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
| libcrypto1.1 | CVE-2021-23839 | HIGH | 1.1.1i-r0 | 1.1.1j-r0 | openssl: incorrect SSLv2 |
| | | | | | rollback protection |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-23839 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2021-23840 | | | | openssl: integer |
| | | | | | overflow in CipherUpdate |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-23840 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2021-23841 | | | | openssl: NULL pointer dereference |
| | | | | | in X509_issuer_and_serial_hash() |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-23841 |
+--------------+------------------+ + + +---------------------------------------+
| libssl1.1 | CVE-2021-23839 | | | | openssl: incorrect SSLv2 |
| | | | | | rollback protection |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-23839 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2021-23840 | | | | openssl: integer |
| | | | | | overflow in CipherUpdate |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-23840 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2021-23841 | | | | openssl: NULL pointer dereference |
| | | | | | in X509_issuer_and_serial_hash() |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-23841 |
+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
```

</details>
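Review bot: the whole "From Inside Containers" section (the `docker run --rm -it alpine:3.11` walkthrough with `trivy fs /` and its result block) is deleted here rather than moved. Since embed-in-dockerfile.md in this same commit switches to `trivy rootfs /`, the walkthrough should reappear under the rootfs documentation with `trivy rootfs /`; the new `docs/getting-started/cli/rootfs.md` above contains no example. If it is re-added in one of the files not shown in this view, fine; otherwise this removes the only in-container scanning example in the docs.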
3 changes: 2 additions & 1 deletion docs/vulnerability/scanning/index.md
@@ -1,10 +1,11 @@
# Vulnerability Scanning

Trivy scans [Container Images][image], [Filesystem][fs], and [Git Repositories][repo] to detect vulnerabilities.
Trivy scans [Container Images][image], [Rootfs][rootfs], [Filesystem][fs], and [Git Repositories][repo] to detect vulnerabilities.

![vulnerability][vuln]

[image]: image.md
[rootfs]: rootfs.md
[fs]: filesystem.md
[repo]: git-repository.md
[vuln]: ../../imgs/vulnerability.png
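Review bot: `[rootfs]: rootfs.md` points at `docs/vulnerability/scanning/rootfs.md`, which overview.md in this commit also links as `../vulnerability/scanning/rootfs.md`, but that file is not among the changes visible here; confirm it is one of the 21 files in this commit, otherwise both links are dead on the published site. Minor: this sentence orders Rootfs before Filesystem while overview.md lists Filesystem first; pick one order for both pages.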