Skip to content

fix(rootio): fix severity selection #9181

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
DmitriyLewen merged 15 commits into from
Jul 17, 2025
Merged

fix(rootio): fix severity selection #9181

DmitriyLewen merged 15 commits into from
Jul 17, 2025

Conversation

@DmitriyLewen
Copy link
Contributor

@DmitriyLewen DmitriyLewen commented Jul 10, 2025
edited
Loading

Description

There are 2 points:

  • Root.io feed based on BaseOS (Debian/Ubuntu/Alpine).
  • We use advisories for BaseOS, if Root.io feed doesn't have this advisory.

So we need to use severity from BaseOS (if exists) for Root.io vulnerabilities.

Base changes:

Fix example:

before (rootio doesn't have severities, so we use nvd (see auto logic)):

➜ trivy -q image rootioinc/common-elasticsearch:9.0.1-bookworm-slim_rootio -f json | jq '.Results[].Vulnerabilities[] | select(.VulnerabilityID == "CVE-2018-6829") | {VulnerabilityID, Severity, SeveritySource}'
{
  "VulnerabilityID": "CVE-2018-6829",
  "Severity": "HIGH",
  "SeveritySource": "nvd"
}

after:

➜  ./trivy -q image rootioinc/common-elasticsearch:9.0.1-bookworm-slim_rootio -f json | jq '.Results[].Vulnerabilities[] | select(.VulnerabilityID == "CVE-2018-6829") | {VulnerabilityID, Severity, SeveritySource}'
{
  "VulnerabilityID": "CVE-2018-6829",
  "Severity": "LOW",
  "SeveritySource": "debian"
}

Related issues

Related PRs

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@DmitriyLewen
fix(rootio): use base OS to detect severity:
f87cbe6 
- use targetType to detect base OS for root.io images
- add testcases for debian (severity in Advisory)
- add testcase for alpine (severity in Vulnerability)
@DmitriyLewen
chore(deps): use fork of trivy-db
9bd6a55
@DmitriyLewen
fix(rootio): save severity from advisory
51f2425
@DmitriyLewen
docs(rootio): add info about severity
26cb227
@DmitriyLewen DmitriyLewen self-assigned this Jul 10, 2025
@knqyf263
Copy link
Collaborator

knqyf263 commented Jul 10, 2025

@DmitriyLewen Do you have a "rooted" Alpine-based image for testing?

@DmitriyLewen
Copy link
Contributor Author

DmitriyLewen commented Jul 10, 2025

No, I only wrote a test for Alpine.
@benjifin, can you share an Alpine image for our testing?

@knqyf263 knqyf263 mentioned this pull request Jul 10, 2025
Merged
@DmitriyLewen
refactor: simplify severity selection logic
33ed408 
- bump trivy-db
- cut baseOS from dataSource.ID
- update tests
@DmitriyLewen
fix: tests
9261331
@DmitriyLewen DmitriyLewen mentioned this pull request Jul 10, 2025
Merged
6 tasks
@DmitriyLewen DmitriyLewen added the autoready Automatically mark PR as ready for review when all checks pass label Jul 15, 2025
@github-actions github-actions bot marked this pull request as ready for review July 15, 2025 09:33
@github-actions github-actions bot requested a review from knqyf263 as a code owner July 15, 2025 09:33
@github-actions github-actions bot removed the autoready Automatically mark PR as ready for review when all checks pass label Jul 15, 2025
knqyf263
knqyf263 reviewed Jul 16, 2025
View reviewed changes
@DmitriyLewen DmitriyLewen mentioned this pull request Jul 16, 2025
Merged
1 task
knqyf263
knqyf263 approved these changes Jul 16, 2025
View reviewed changes
Copy link
Collaborator

@knqyf263 knqyf263 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 🚀

@DmitriyLewen DmitriyLewen added this pull request to the merge queue Jul 17, 2025
Merged via the queue into aquasecurity:main with commit 6fafbeb Jul 17, 2025
19 checks passed
@DmitriyLewen DmitriyLewen deleted the fix/rootio/severity-selection branch July 17, 2025 06:38
@aqua-bot aqua-bot mentioned this pull request Jul 16, 2025
Merged
chait-slim pushed a commit to urimils/trivy that referenced this pull request Jul 23, 2025
@DmitriyLewen @chait-slim
fix(rootio): fix severity selection (aquasecurity#9181)
fad701b
alexlebens pushed a commit to alexlebens/infrastructure that referenced this pull request Jul 31, 2025
@alexlebens
Update mirror.gcr.io/aquasec/trivy Docker tag to v0.65.0 (#1073)
c7f1cde 
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [mirror.gcr.io/aquasec/trivy](https://www.aquasec.com/products/trivy/) ([source](https://github.com/aquasecurity/trivy)) | minor | `0.64.1` -> `0.65.0` |

---

### Release Notes

<details>
<summary>aquasecurity/trivy (mirror.gcr.io/aquasec/trivy)</summary>

### [`v0.65.0`](https://github.com/aquasecurity/trivy/blob/HEAD/CHANGELOG.md#0650-2025-07-30)

[Compare Source](aquasecurity/trivy@v0.64.1...v0.65.0)

##### Features

- add graceful shutdown with signal handling ([#&#8203;9242](aquasecurity/trivy#9242)) ([2c05882](aquasecurity/trivy@2c05882))
- add HTTP request/response tracing support ([#&#8203;9125](aquasecurity/trivy#9125)) ([aa5b32a](aquasecurity/trivy@aa5b32a))
- **alma:** add AlmaLinux 10 support ([#&#8203;9207](aquasecurity/trivy#9207)) ([861d51e](aquasecurity/trivy@861d51e))
- **flag:** add schema validation for `--server` flag ([#&#8203;9270](aquasecurity/trivy#9270)) ([ed4640e](aquasecurity/trivy@ed4640e))
- **image:** add Docker context resolution ([#&#8203;9166](aquasecurity/trivy#9166)) ([99cd4e7](aquasecurity/trivy@99cd4e7))
- **license:** observe pkg types option in license scanner ([#&#8203;9091](aquasecurity/trivy#9091)) ([d44af8c](aquasecurity/trivy@d44af8c))
- **misconf:** add private ip google access attribute to subnetwork ([#&#8203;9199](aquasecurity/trivy#9199)) ([263845c](aquasecurity/trivy@263845c))
- **misconf:** added logging and versioning to the gcp storage bucket ([#&#8203;9226](aquasecurity/trivy#9226)) ([110f80e](aquasecurity/trivy@110f80e))
- **repo:** add git repository metadata to reports ([#&#8203;9252](aquasecurity/trivy#9252)) ([f4b2cf1](aquasecurity/trivy@f4b2cf1))
- **report:** add CVSS vectors in sarif report ([#&#8203;9157](aquasecurity/trivy#9157)) ([60723e6](aquasecurity/trivy@60723e6))
- **sbom:** add SHA-512 hash support for CycloneDX SBOM ([#&#8203;9126](aquasecurity/trivy#9126)) ([12d6706](aquasecurity/trivy@12d6706))

##### Bug Fixes

- **alma:** parse epochs from rpmqa file ([#&#8203;9101](aquasecurity/trivy#9101)) ([82db2fc](aquasecurity/trivy@82db2fc))
- also check `filepath` when removing duplicate packages ([#&#8203;9142](aquasecurity/trivy#9142)) ([4d10a81](aquasecurity/trivy@4d10a81))
- **aws:** update amazon linux 2 EOL date ([#&#8203;9176](aquasecurity/trivy#9176)) ([0ecfed6](aquasecurity/trivy@0ecfed6))
- **cli:** Add more non-sensitive flags to telemetry ([#&#8203;9110](aquasecurity/trivy#9110)) ([7041a39](aquasecurity/trivy@7041a39))
- **cli:** ensure correct command is picked by telemetry ([#&#8203;9260](aquasecurity/trivy#9260)) ([b4ad00f](aquasecurity/trivy@b4ad00f))
- **cli:** panic: attempt to get os.Args\[1] when len(os.Args) < 2 ([#&#8203;9206](aquasecurity/trivy#9206)) ([adfa879](aquasecurity/trivy@adfa879))
- **license:** add missed `GFDL-NIV-1.1` and `GFDL-NIV-1.2` into Trivy mapping ([#&#8203;9116](aquasecurity/trivy#9116)) ([a692f29](aquasecurity/trivy@a692f29))
- **license:** handle WITH operator for `LaxSplitLicenses` ([#&#8203;9232](aquasecurity/trivy#9232)) ([b4193d0](aquasecurity/trivy@b4193d0))
- migrate from `*.list` to `*.md5sums` files for `dpkg` ([#&#8203;9131](aquasecurity/trivy#9131)) ([f224de3](aquasecurity/trivy@f224de3))
- **misconf:** correctly adapt azure storage account ([#&#8203;9138](aquasecurity/trivy#9138)) ([51aa022](aquasecurity/trivy@51aa022))
- **misconf:** correctly parse empty port ranges in google\_compute\_firewall ([#&#8203;9237](aquasecurity/trivy#9237)) ([77bab7b](aquasecurity/trivy@77bab7b))
- **misconf:** fix log bucket in schema ([#&#8203;9235](aquasecurity/trivy#9235)) ([7ebc129](aquasecurity/trivy@7ebc129))
- **misconf:** skip rewriting expr if attr is nil ([#&#8203;9113](aquasecurity/trivy#9113)) ([42ccd3d](aquasecurity/trivy@42ccd3d))
- **nodejs:** don't use prerelease logic for compare npm constraints  ([#&#8203;9208](aquasecurity/trivy#9208)) ([fe96436](aquasecurity/trivy@fe96436))
- prevent graceful shutdown message on normal exit ([#&#8203;9244](aquasecurity/trivy#9244)) ([6095984](aquasecurity/trivy@6095984))
- **rootio:** check full version to detect `root.io` packages ([#&#8203;9117](aquasecurity/trivy#9117)) ([c2ddd44](aquasecurity/trivy@c2ddd44))
- **rootio:** fix severity selection ([#&#8203;9181](aquasecurity/trivy#9181)) ([6fafbeb](aquasecurity/trivy@6fafbeb))
- **sbom:** merge in-graph and out-of-graph OS packages in scan results ([#&#8203;9194](aquasecurity/trivy#9194)) ([aa944cc](aquasecurity/trivy@aa944cc))
- **sbom:** use correct field for licenses in CycloneDX reports ([#&#8203;9057](aquasecurity/trivy#9057)) ([143da88](aquasecurity/trivy@143da88))
- **secret:** add UTF-8 validation in secret scanner to prevent protobuf marshalling errors ([#&#8203;9253](aquasecurity/trivy#9253)) ([54832a7](aquasecurity/trivy@54832a7))
- **secret:** fix line numbers for multiple-line secrets ([#&#8203;9104](aquasecurity/trivy#9104)) ([e579746](aquasecurity/trivy@e579746))
- **server:** add HTTP transport setup to server mode ([#&#8203;9217](aquasecurity/trivy#9217)) ([1163b04](aquasecurity/trivy@1163b04))
- supporting .egg-info/METADATA in python.Packaging analyzer ([#&#8203;9151](aquasecurity/trivy#9151)) ([e306e2d](aquasecurity/trivy@e306e2d))
- **terraform:** `for_each` on a map returns a resource for every key ([#&#8203;9156](aquasecurity/trivy#9156)) ([153318f](aquasecurity/trivy@153318f))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xLjMiLCJ1cGRhdGVkSW5WZXIiOiI0MS4xLjMiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbImltYWdlIl19-->

Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/1073
Co-authored-by: Renovate Bot <[email protected]>
Co-committed-by: Renovate Bot <[email protected]>
yutatokoi pushed a commit to yutatokoi/trivy that referenced this pull request Aug 12, 2025
@DmitriyLewen @yutatokoi
fix(rootio): fix severity selection (aquasecurity#9181)
ed95163
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@knqyf263 knqyf263 knqyf263 approved these changes

Assignees

@DmitriyLewen DmitriyLewen

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

bug(rootio): Trivy doesn't use severity from BaseOS for vulnerabilities

2 participants

@DmitriyLewen @knqyf263