Replies: 1 comment
Hi @maelvls 👋 This looks quite interesting, thanks! It looks like this feature is still experimental in Trivy, but as soon as it gets stable we'll definitely consider integrating it 🙂
Hey,
We have been affected by a false-positive CVE (CVE-2025-47907) for a while in cert-manager, which means it shows in red in ArtifactHub:
https://artifacthub.io/packages/helm/cert-manager/cert-manager
We are trying to figure out how to communicate false positives to the community. We thought about GitHub Advisories (https://github.com/cert-manager/cert-manager/security/advisories), but they aren't well suited for communicating false positives due to third-party deps... we do publish one when a third-party vuln does affect cert-manager, though, but it's just not well suited for OCI images. GitHub Advisories are only really useful for language packages (Go, for example), as they would show up in everybody's scanners.
I found out about OpenVEX, and thought it could be a good way of publishing the false positives. It integrates well with Trivy, and I demoed it in https://hackmd.io/@maelvls/cves-in-cert-manager.
There are a few ways of distributing the OpenVEX documents: some projects such as Ubuntu, Flux Operator, and Rancher store them in a GitHub repo and maintain OpenVEX documents. Cilium did, but they stopped in 2024. You can use `trivy image ... --vex repo` to make that work. It's also possible to attach the OpenVEX alongside the attestation document in the OCI manifest... but I haven't found any project doing that. For context, both Docker Scout and Trivy support doing that:

Anyways, how do other projects handle such false positives?
Thanks,
Maël
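The OpenVEX approach described in the post above, as an added example that is not cert-manager's or Trivy's own code: it assembles a minimal OpenVEX v0.2.0 document marking a CVE as `not_affected` and then applies it to constructed scanner findings the way a `--vex`-aware scanner would. The product purl, the justification, and the findings are assumed placeholders; only the CVE number comes from the post.

```python
"""Added illustration of the OpenVEX workflow from the post above. Purls,
justification and findings are constructed placeholders, not cert-manager data."""
from datetime import datetime, timezone

# Justifications OpenVEX allows on a not_affected statement.
NOT_AFFECTED_JUSTIFICATIONS = {
    "component_not_present", "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}
# Constructed product identifier; the real image purl/digest would go here.
PRODUCT = "pkg:oci/cert-manager-controller@sha256%3APLACEHOLDER"
STATEMENTS = [{
    "vulnerability": {"name": "CVE-2025-47907"},  # the CVE named in the post
    "products": [{"@id": PRODUCT}],
    "status": "not_affected",
    "justification": "vulnerable_code_not_in_execute_path",  # assumed, illustration only
}]
# Constructed scanner output: the known false positive plus one unrelated finding.
FINDINGS = [{"vuln": "CVE-2025-47907", "product": PRODUCT},
            {"vuln": "CVE-2099-00001", "product": PRODUCT}]

def make_openvex(author, doc_id, statements):
    """Assemble an OpenVEX v0.2.0 document. A not_affected statement must carry
    a justification or impact_statement, or consumers may ignore it."""
    for st in statements:
        if (st["status"] == "not_affected"
                and st.get("justification") not in NOT_AFFECTED_JUSTIFICATIONS
                and not st.get("impact_statement")):
            raise ValueError(f"{st['vulnerability']['name']}: not_affected needs a justification")
    return {"@context": "https://openvex.dev/ns/v0.2.0", "@id": doc_id, "author": author,
            "version": 1, "timestamp": datetime.now(timezone.utc).isoformat(),
            "statements": statements}

def filter_findings(findings, vex_doc):
    """Split findings into (kept, suppressed): a finding is suppressed when a statement
    marks its (vuln, product) pair not_affected or fixed, as `trivy --vex` does."""
    resolved = {(st["vulnerability"]["name"], p["@id"])
                for st in vex_doc["statements"]
                if st["status"] in ("not_affected", "fixed") for p in st["products"]}
    kept = [f for f in findings if (f["vuln"], f["product"]) not in resolved]
    suppressed = [f for f in findings if (f["vuln"], f["product"]) in resolved]
    return kept, suppressed

if __name__ == "__main__":
    doc = make_openvex("cert-manager maintainers", "https://example.invalid/vex/1", STATEMENTS)
    kept, suppressed = filter_findings(FINDINGS, doc)
    print("suppressed:", [f["vuln"] for f in suppressed], "kept:", [f["vuln"] for f in kept])
```

Real scanners match statements against the product identifiers (purls, digests) they derive from the image or SBOM, so a published document only suppresses a finding when its `products` entries match what the scanner reports, which is why matching is done on the exact (vuln, product) pair here.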