Trivy module update without specifying CVE IDs

[mlathara]

Question

Hello,

I'm trying to write a Trivy module to work around this: #3395 My idea was to create a module that upgrades the severity of the CVE based on CVSS score.

However, using update for PostScanSpec() requires me to specify the CVE ids a priori. I was hoping for a way to just get all the vulnerabilities and have my module evaluate all of them. Would it be possible to enable this sort of behavior, or am I missing some other way to achieve this?

Thanks in advance.

Target

None

Scanner

None

Output Format

None

Mode

None

Operating System

No response

Version

No response

[DmitriyLewen]

Hello @mlathara
Unfortunately, there is no way to do this.
Trivy requires result IDs to update them in modules:
https://aquasecurity.github.io/trivy/v0.56/docs/advanced/modules/#postscanner-interface

trivy/pkg/module/module.go

Lines 495 to 496 in 1f5f348

	// Pass the relevant results to the module
	arg = append(arg, findIDs(m.postScanSpec.IDs, results)...)

[mlathara]

Right -- I saw that snippet. I wasn't quite sure why there couldn't be an option to just not filter if m.postScanSpec.IDs was empty. That is, just append all the results to arg?

[DmitriyLewen]

@knqyf263 you added this limitation.
Do you remember why we don't insert all results for update?

[knqyf263]

We used to do that, but marshaling all results and passing them to wasm was really slow, like not finished forever. TinyGo probably had a performance issue with encoding/json and large JSON. Since it was a few years ago, it might be improved. @mlathara You can try it and open a PR if the performance is better now.

[mlathara]

Got it - thanks. I ended up implementing a plugin to accomplish my goal. Might look into this later for completeness...