docs: move info about detection priority into coverage section (#9469)

Co-authored-by: knqyf263 <knqyf263@gmail.com>
This commit is contained in:
DmitriyLewen
2025-09-22 17:48:39 +06:00
committed by GitHub
parent 6d562a3b48
commit 842ebdcb4a
2 changed files with 45 additions and 35 deletions


@@ -148,28 +148,17 @@ If you have software that is not managed by a package manager, Trivy can still d
- [Rust Binaries with embedded information](../coverage/language/rust.md#binaries)
- [SBOM embedded in container images](../supply-chain/sbom.md#sbom-detection-inside-targets)
## Kubernetes
Trivy can detect vulnerabilities in Kubernetes clusters and components by scanning a Kubernetes Cluster, or a KBOM (Kubernetes bill of Material). To learn more, see the [documentation for Kubernetes scanning](../target/kubernetes.md).
### Data Sources
| Vendor | Source |
|------------|---------------------------------------------|
| Kubernetes | [Kubernetes Official CVE feed][k8s-cve][^1] |
[^1]: Some manual triage and correction has been made.
## Databases
The information from the above sources is collected and stored in databases that Trivy uses for vulnerability scanning. Trivy automatically fetches, maintains, and caches the relevant databases when performing a vulnerability scan
For more information about Trivy's Databases mechanism and configurations, refer to the [Databases document](../configuration/db.md).
## Detection Behavior
Trivy prioritizes precision in vulnerability detection, aiming to minimize false positives while potentially accepting some false negatives.
This approach is particularly relevant in two key areas:
- Handling Software Installed via OS Packages
- Handling Packages with Unspecified Versions
- [Handling Software Installed via OS Packages](#handling-software-installed-via-os-packages)
- [Handling Packages with Unspecified Versions](#handling-packages-with-unspecified-versions)
Trivy can also detect only specific packages:
- [Subset of Package Types](#enabling-a-subset-of-package-types)
- [Specific package Relationship](#filtering-by-package-relationships)
### Handling Software Installed via OS Packages
For files installed by OS package managers, such as `apt`, Trivy exclusively uses advisories from the OS vendor.
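Review bot: the new bullet list under "Trivy can also detect only specific packages:" is inconsistently capitalized and its wording does not match the headings it links to ("Specific package Relationship" points at "Filtering by Package Relationships"). Suggest "Trivy can also be restricted to a subset of the detected packages:" with the items "Subset of package types" and "Specific package relationships", or capitalize both items the same way as the headings. Separately, now that the `--detection-priority` description has moved out of this section, the opening sentence "Trivy prioritizes precision in vulnerability detection, aiming to minimize false positives..." no longer tells the reader that this is only the default mode; a short pointer such as "This is the default `--detection-priority` mode; see Detection Priority to change it." would keep the two sections linked in both directions instead of only from Detection Priority back to here.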
@@ -212,9 +201,29 @@ To detect potential vulnerabilities even with unspecified versions, use [--detec
This option makes Trivy use the minimum version in the specified range for vulnerability detection.
While this may increase false positives if the actual version used is not the minimum, it helps reduce false negatives.
## Configuration
This section describes vulnerability-specific configuration.
Other common options are documented [here](../configuration/index.md).
## Package Detection
Vulnerability detection is based on package detection.
This section describes the specifics of package detection, which also affect SBOM generation.
### Detection Priority
Trivy provides a `--detection-priority` flag to control the balance between false positives and false negatives in package/vulnerability detection.
This concept is similar to the relationship between [precision and recall][precision-recall] in machine learning evaluation.
```bash
$ trivy image --detection-priority {precise|comprehensive} alpine:3.15
```
- `precise`: This mode prioritizes reducing false positives. It results in less noisy vulnerability reports but may miss some potential vulnerabilities.
- `comprehensive`: This mode aims to detect more vulnerabilities, potentially including some that might be false positives.
It provides broader coverage but may increase the noise in the results.
The default value is `precise`. Also refer to the [detection behavior](#detection-behavior) section for more information.
Regardless of the chosen mode, user review of detected vulnerabilities is crucial:
- `precise`: Review thoroughly, considering potential missed vulnerabilities.
- `comprehensive`: Carefully investigate each reported vulnerability due to increased false positive possibility.
### Enabling a Subset of Package Types
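Review bot: the moved Detection Priority text still uses the reference-style link `[precision-recall]`; make sure its definition (and `[k8s-cve]` used by the Kubernetes table moved further down) survives the reshuffle, because a reference-style link with no matching definition renders as literal bracketed text rather than failing the docs build. Also, the flag description now says "package/vulnerability detection" while the `precise` and `comprehensive` bullets still speak only of vulnerabilities; since the section was relocated under "Package Detection", one sentence on what `comprehensive` changes at the package level, for example the unspecified-version case the preceding context describes ("makes Trivy use the minimum version in the specified range"), would make the new placement self-explanatory.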
@@ -288,7 +297,6 @@ Total: 7 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 3, CRITICAL: 2)
### Filtering by Package Relationships
Trivy supports filtering vulnerabilities based on the relationship of packages within a project.
This is achieved through the `--pkg-relationships` flag.
This feature allows you to focus on vulnerabilities in specific types of dependencies, such as only those in direct dependencies.
@@ -322,25 +330,25 @@ By default, all relationships are included in the scan.
!!! warning
As it may not provide a complete package list, `--pkg-relationships` cannot be used with `--dependency-tree`, `--vex` or SBOM generation.
### Detection Priority
## Kubernetes
Trivy provides a `--detection-priority` flag to control the balance between false positives and false negatives in vulnerability detection.
This concept is similar to the relationship between [precision and recall][precision-recall] in machine learning evaluation.
Trivy can detect vulnerabilities in Kubernetes clusters and components by scanning a Kubernetes Cluster, or a KBOM (Kubernetes bill of Material). To learn more, see the [documentation for Kubernetes scanning](../target/kubernetes.md).
```bash
$ trivy image --detection-priority {precise|comprehensive} alpine:3.15
```
### Data Sources
- `precise`: This mode prioritizes reducing false positives. It results in less noisy vulnerability reports but may miss some potential vulnerabilities.
- `comprehensive`: This mode aims to detect more vulnerabilities, potentially including some that might be false positives.
It provides broader coverage but may increase the noise in the results.
| Vendor | Source |
|------------|---------------------------------------------|
| Kubernetes | [Kubernetes Official CVE feed][k8s-cve][^1] |
The default value is `precise`. Also refer to the [detection behavior](#detection-behavior) section for more information.
[^1]: Some manual triage and correction has been made.
Regardless of the chosen mode, user review of detected vulnerabilities is crucial:
## Databases
The information from the above sources is collected and stored in databases that Trivy uses for vulnerability scanning. Trivy automatically fetches, maintains, and caches the relevant databases when performing a vulnerability scan
For more information about Trivy's Databases mechanism and configurations, refer to the [Databases document](../configuration/db.md).
- `precise`: Review thoroughly, considering potential missed vulnerabilities.
- `comprehensive`: Carefully investigate each reported vulnerability due to increased false positive possibility.
## Configuration
This section describes vulnerability-specific configuration.
Other common options are documented [here](../configuration/index.md).
### Overriding OS version
By default, Trivy automatically detects the OS during container image scanning and performs vulnerability detection based on that OS.
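Review bot: after the move, the Databases paragraph's "The information from the above sources is collected and stored in databases" no longer sits below the OS and language data-source tables; the only table still above it is the Kubernetes one. Reword to "The information from the data sources listed in this document" or link back to the Data Sources sections. The same sentence is also missing its terminating period before "For more information about Trivy's Databases mechanism and configurations". Minor, but while the Kubernetes paragraph is being moved, "Kubernetes bill of Material" should read "Kubernetes Bill of Materials", the usual expansion of KBOM.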


@@ -185,6 +185,8 @@ Trivy supports the following packages.
- [OS packages][os_packages]
- [Language-specific packages][language_packages]
Trivy has a specific logic for package detection.
See the [package detection](../scanner/vulnerability.md#package-detection) section for more information.
### Formats
#### CycloneDX
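Review bot: "Trivy has a specific logic for package detection" should drop the article: "Trivy has specific logic for package detection." It would also help SBOM readers to know what the cross-reference covers before they follow it, for example: "Package detection follows specific rules (detection priority, package-type subsets and relationship filters) that also affect SBOM output; see the package detection section for details." The listed items are the subsections that now live under "Package Detection" in vulnerability.md, so the summary stays accurate if that section is reorganized again only as long as those headings are kept.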