Skip to content

Add --ignore-unlikely-affected flag to filter vulnerabilities in packages unlikely to affect the artifact #9292

Description

@knqyf263

Description

Add a new --ignore-unlikely-affected flag that filters out vulnerabilities in packages that are unlikely to affect the artifact in its operational context.

Motivation

There are packages that exist in artifacts but are unlikely to be affected by their vulnerabilities in practice. For example, in container images, the kernel is shared with the host, so vulnerabilities in kernel-related packages are unlikely to affect the container image itself.

However, we cannot say with certainty that these packages are never affected. For instance, the "linux" package includes tools like "bpftool" that could potentially be used. Therefore, always filtering these packages could lead to false negatives.

This flag allows users to filter out such vulnerabilities at their own discretion, while still being able to view the filtered vulnerabilities using the --show-suppressed flag for transparency.

Proposed Solution

Implement a --ignore-unlikely-affected flag that filters out vulnerabilities in these types of packages.

Filtering Rules

  1. Kernel packages (only in container images):

    • Packages with source name linux or linux-* (Debian/Ubuntu/Alpine)
    • Packages with source name starting with kernel (RHEL/CentOS/Fedora/SUSE/Amazon Linux)
    • Only filtered in container images, not in filesystem or VM scans
  2. Non-runtime packages: Packages that don't contribute to runtime functionality (all artifact types):

    • Documentation packages: -doc, -docs suffixes
    • Debug symbol packages: -dbg, -debug suffixes
    • License packages: -license suffix

Example Usage

# Filter unlikely affected packages
$ trivy image --ignore-unlikely-affected python:3.8.5

# See which vulnerabilities were filtered
$ trivy image --ignore-unlikely-affected --show-suppressed python:3.8.5

Example Output with --show-suppressed

...
Suppressed Vulnerabilities (Total: 2)

┌────────────────┬───────────────┬──────────┬─────────┬────────────────────────────────────┬────────────────────────────┐
│    Library     │ Vulnerability │ Severity │ Status  │             Statement              │           Source           │
├────────────────┼───────────────┼──────────┼─────────┼────────────────────────────────────┼────────────────────────────┤
│ linux-libc-dev │ CVE-2023-6270 │ HIGH     │ ignored │ Package is unlikely to be affected │ --ignore-unlikely-affected │
│                ├───────────────┤          │         │                                    │                            │
│                │ CVE-2021-3640 │          │         │                                    │                            │
└────────────────┴───────────────┴──────────┴─────────┴────────────────────────────────────┴────────────────────────────┘

Implementation Details

  • The filtering is context-aware - kernel packages are only filtered in container images
  • Filtered vulnerabilities are tracked in ModifiedFindings with the reason "Package is unlikely to be affected"
  • The flag is available for vulnerability scanning only (not misconfigurations, secrets, or licenses)
  • Can be combined with other filtering options like --severity, --ignore-unfixed, etc.

Benefits

  • Reduces noise in vulnerability scan results
  • Helps users focus on vulnerabilities that actually matter
  • Improves the signal-to-noise ratio for security teams
  • Context-aware filtering ensures accuracy (e.g., kernel packages are important in VM scans)

Metadata

Metadata

Assignees

No one assigned

    Labels

    kind/featureCategorizes issue or PR as related to a new feature.scan/vulnerabilityIssues relating to vulnerability scanning

    Fields

    No fields configured for Feature.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions