Reduce Noise from False Positives in your Trivy CVE report with VEX from VMware Tanzu Application Catalog

March 20, 2024 Bala Bharathy U

Jose Antonia Carmona & Juan Ariza contributed to this blog post

Trivy can now consume CSAF VEX (Common Security Advisory Framework Vulnerability Exploitability eXchange) data and filter out false positives in CVE reports based on the context of the product or platform where they are present. This enables you to maximize the value of Tanzu Application Catalog VEX documents by using them in combination with Trivy. 

More than 40% of alerts from security tools are false positives, according to the 2022 Cloud Security Alert Fatigue Report. This means that teams working on vulnerability management often waste time and effort on vulnerabilities that pose no actual risk. Even worse, this slows the time to market of new software. 

Vulnerability Exploitability eXchange (VEX) aims to solve this problem by asserting the exploitability of all vulnerabilities identified in a product. This, in turn, helps development and operations teams identify whether their end product or platform is actually affected by those vulnerabilities. Additionally, VEX provides information about identified remediation actions as well, enabling development and operations teams to deal with vulnerability management quickly by reviewing their options and mitigating risks.

Often, development, operations, and security teams find themselves trying to fix a vulnerability in an upstream component without knowing whether that vulnerability is exploitable in their final product or platform. VEX reduces the effort spent investigating and remediating unexploitable vulnerabilities (commonly referred to as false positives) by assigning each vulnerability in a given product one of four statuses: Not Affected, Affected, Fixed, or Under Investigation.

The machine readability of VEX enables automation and supports integration with broader tooling and processes. Common Security Advisory Framework (CSAF) is a standard for machine-readable security advisories developed by the OASIS Open CSAF Technical Committee. 

VMware Tanzu Application Catalog delivers CSAF VEX documentation, in addition to the Software Package Data Exchange Software Bill of Materials (SPDX SBoM), for all container images based on Photon OS (our recommended base image for customers looking for minimal upstream CVEs).

CSAF VEX documentation now consumable by Trivy

Trivy is a popular open source security scanner, and its recent releases (v0.49.2 and later) support CSAF VEX documentation. Working closely with the Trivy team, the Bitnami and VMware Tanzu Application Catalog engineering team put our experience working with VEX to good use to ensure that this integration was done in a smooth, timely, and reliable manner.

This integration enables Trivy to filter the CVEs it reports based on the data present in VEX documents. Now users of VMware Tanzu Application Catalog can combine the power of VEX documentation and CVE scan reports to easily filter out the false-positive CVEs in the CVE scan reports. Let’s now look at how this is done.

  1. Navigate to https://app-catalog.vmware.com/, open your catalog, and select a Photon OS-based container image. This blog post uses Kafka as an example, but there are many others to choose from.

  2. Download the VEX document and SPDX SBoM from the Build Time Reports section.

  3. Install Trivy, if you do not already have it installed. We recommend installing the latest version (v0.50.0 at the time of writing) for the best experience.

  4. Execute the following command, passing the SBoM as the scan target and the VEX document via the --vex flag:

./trivy sbom path/to/spdx.json --vex path/to/vex.json
2024-03-06T10:32:06.401+0100    INFO Vulnerability scanning is enabled 

2024-03-06T10:32:06.404+0100    INFO Detected SBOM format: spdx-json
2024-03-06T10:32:06.434+0100    INFO Detected OS: photon
2024-03-06T10:32:06.434+0100    INFO Detecting Photon Linux vulnerabilities...
2024-03-06T10:32:06.436+0100    INFO Number of language-specific files: 6
2024-03-06T10:32:06.436+0100    INFO Detecting bitnami vulnerabilities...
2024-03-06T10:32:06.436+0100    INFO Detecting gobinary vulnerabilities...
2024-03-06T10:32:06.436+0100    INFO Detecting jar vulnerabilities...
2024-03-06T10:32:06.442+0100    WARN Filtered out the detected vulnerability {"VEX format": "CSAF", "vulnerability-id": "CVE-2023-4807", "status": "not_affected", "relationship": "default_component_of"}
2024-03-06T10:32:06.442+0100    WARN Filtered out the detected vulnerability {"VEX format": "CSAF", "vulnerability-id": "CVE-2023-5363", "status": "not_affected", "relationship": "default_component_of"}
2024-03-06T10:32:06.442+0100    WARN Filtered out the detected vulnerability {"VEX format": "CSAF", "vulnerability-id": "CVE-2023-2650", "status": "not_affected", "relationship": "default_component_of"}
2024-03-06T10:32:06.442+0100    WARN Filtered out the detected vulnerability {"VEX format": "CSAF", "vulnerability-id": "CVE-2023-2975", "status": "not_affected", "relationship": "default_component_of"}
2024-03-06T10:32:06.442+0100    WARN Filtered out the detected vulnerability {"VEX format": "CSAF", "vulnerability-id": "CVE-2023-3446", "status": "not_affected", "relationship": "default_component_of"}
2024-03-06T10:32:06.442+0100    WARN Filtered out the detected vulnerability {"VEX format": "CSAF", "vulnerability-id": "CVE-2023-3817", "status": "not_affected", "relationship": "default_component_of"}
2024-03-06T10:32:06.442+0100    WARN Filtered out the detected vulnerability {"VEX format": "CSAF", "vulnerability-id": "CVE-2023-5678", "status": "not_affected", "relationship": "default_component_of"}
2024-03-06T10:32:06.443+0100     INFO Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.

Trivy now scans the SPDX SBoM you downloaded from Tanzu Application Catalog, applies the VEX document, and generates a more precise CVE report in which every CVE whose VEX status is not_affected for this image has been filtered out (each suppression is logged as a WARN line, and --show-suppressed lists them in the report). CVEs with no VEX statement, or with an affected or under_investigation status, remain in the report. This means that the teams working on vulnerability management can avoid wasting precious time and effort on false positive CVEs.
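To make the filtering step concrete, here is an added example, not code from Trivy or from Tanzu Application Catalog, that applies the same idea to Trivy's JSON report format: it reads a CSAF VEX document, maps each CSAF product_id back to a package PURL through the product tree and its default_component_of relationships, and drops the findings whose (CVE, package) pair carries a known_not_affected status. The VEX document and report are constructed, minimal samples; the product ids and the statuses attached to the CVEs are illustrative and are not the catalog's real assertions about any image. Treating "fixed" as a suppressing status alongside known_not_affected is an assumption made here, not something the post states.

```python
"""Apply CSAF VEX statements to a Trivy JSON report (added example; constructed data)."""
import json
from typing import Iterator

OPENSSL_PURL = "pkg:rpm/photon/openssl@3.0.10-1.ph5?arch=x86_64&distro=photon-5.0"

# Constructed CSAF 2.0 VEX sample: shape follows the CSAF schema, content is made up.
SAMPLE_VEX = {
    "document": {"category": "csaf_vex", "csaf_version": "2.0", "title": "Constructed VEX sample"},
    "product_tree": {
        "branches": [
            {"category": "product_name", "name": "example-image", "branches": [
                {"category": "product_version", "name": "1.0.0",
                 "product": {"name": "example-image 1.0.0", "product_id": "IMAGE"}}]},
            {"category": "product_name", "name": "openssl", "branches": [
                {"category": "product_version", "name": "3.0.10-1.ph5",
                 "product": {"name": "openssl 3.0.10-1.ph5", "product_id": "OPENSSL",
                             "product_identification_helper": {"purl": OPENSSL_PURL}}}]},
        ],
        # Statuses refer to the relationship product: "openssl as shipped inside the image".
        "relationships": [
            {"category": "default_component_of", "product_reference": "OPENSSL",
             "relates_to_product_reference": "IMAGE",
             "full_product_name": {"name": "openssl in example-image", "product_id": "OPENSSL-IN-IMAGE"}}],
    },
    "vulnerabilities": [
        {"cve": "CVE-2023-4807", "product_status": {"known_not_affected": ["OPENSSL-IN-IMAGE"]},
         "flags": [{"label": "vulnerable_code_not_in_execute_path", "product_ids": ["OPENSSL-IN-IMAGE"]}]},
        {"cve": "CVE-2023-5363", "product_status": {"under_investigation": ["OPENSSL-IN-IMAGE"]}},
    ],
}

# Constructed Trivy JSON report: three findings on the same openssl package, one with no VEX statement.
SAMPLE_REPORT = {
    "SchemaVersion": 2, "ArtifactName": "example-image:1.0.0",
    "Results": [{"Target": "example-image:1.0.0 (photon 5.0)", "Class": "os-pkgs", "Type": "photon",
                 "Vulnerabilities": [
                     {"VulnerabilityID": cve, "PkgName": "openssl", "InstalledVersion": "3.0.10-1.ph5",
                      "PkgIdentifier": {"PURL": OPENSSL_PURL}}
                     for cve in ("CVE-2023-4807", "CVE-2023-5363", "CVE-2023-2650")]}],
}

# Assumption: a "fixed" component needs no action either, so it suppresses like known_not_affected.
SUPPRESSING_STATUSES = ("known_not_affected", "fixed")


def purl_key(purl: str) -> str:
    """Normalise a PURL for matching: drop qualifiers (?arch=...) and subpath (#...)."""
    return purl.split("?", 1)[0].split("#", 1)[0]


def _walk_products(node) -> Iterator[dict]:
    """Yield every 'product' object reachable through a CSAF branch tree."""
    if isinstance(node, list):
        for child in node:
            yield from _walk_products(child)
    elif isinstance(node, dict):
        if "product" in node:
            yield node["product"]
        yield from _walk_products(node.get("branches", []))


def product_purls(vex: dict) -> dict:
    """Map each CSAF product_id to the normalised PURL of the component it denotes.
    A relationship product inherits the PURL of its product_reference (the component)."""
    tree = vex.get("product_tree", {})
    purls = {}
    for product in list(_walk_products(tree.get("branches", []))) + tree.get("full_product_names", []):
        purl = product.get("product_identification_helper", {}).get("purl")
        if purl:
            purls[product["product_id"]] = purl_key(purl)
    for rel in tree.get("relationships", []):
        component_purl = purls.get(rel.get("product_reference"))
        if component_purl:
            purls[rel["full_product_name"]["product_id"]] = component_purl
    return purls


def vex_statuses(vex: dict) -> dict:
    """Flatten the VEX into {(cve, purl_key): status} for every product_status entry."""
    purls, statuses = product_purls(vex), {}
    for vuln in vex.get("vulnerabilities", []):
        for status, product_ids in vuln.get("product_status", {}).items():
            for pid in product_ids:
                if pid in purls:
                    statuses[(vuln.get("cve"), purls[pid])] = status
    return statuses


def apply_vex(report: dict, vex: dict) -> tuple:
    """Return (filtered_report, suppressed_findings). known_affected, under_investigation and
    CVEs with no statement at all are kept: absence of a VEX statement is not evidence of safety."""
    statuses = vex_statuses(vex)
    filtered = json.loads(json.dumps(report))  # deep copy; the caller's report stays untouched
    suppressed = []
    for result in filtered.get("Results", []):
        kept = []
        for finding in result.get("Vulnerabilities", []):
            purl = finding.get("PkgIdentifier", {}).get("PURL", "")
            status = statuses.get((finding["VulnerabilityID"], purl_key(purl)))
            if status in SUPPRESSING_STATUSES:
                suppressed.append({**finding, "VEXStatus": status})
            else:
                kept.append(finding)
        result["Vulnerabilities"] = kept
    return filtered, suppressed


if __name__ == "__main__":
    filtered_report, dropped = apply_vex(SAMPLE_REPORT, SAMPLE_VEX)
    for f in dropped:
        print(f"suppressed {f['VulnerabilityID']} on {f['PkgName']}: {f['VEXStatus']}")
    print(json.dumps(filtered_report, indent=2))
```

The matching is done on the PURL with qualifiers stripped, because the PURL in a VEX product tree and the PURL Trivy derives from the SBoM do not always agree on qualifiers such as arch or distro; a stricter policy can compare the full string instead. Running it against real files (json.load on the downloaded VEX and on the output of trivy sbom --format json) gives a report that can be fed to downstream tooling that does not yet understand --vex.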

Looking forward

This is one of the first practical use cases of VEX that you can leverage today. We plan to work with the Trivy team to make VEX documents auto-discoverable so that, in the future, you will not need to find and feed the VEX document to Trivy yourself. Instead, Trivy will automatically locate and load the VEX document and provide accurate results out of the box.

Learn more

Are you attending KubeCon + CloudNativeCon Europe 2024? Make sure to join the session VEXintating your Container Images: The European Way on March 21, 2024 (Thursday) to learn more about why VEX data is fast becoming an indispensable part of modern-day security practices.

To learn more about VEX, SBoMs, and CVE scan reports in Tanzu Application Catalog, read this blog.

To learn more about Tanzu Application Catalog, check our product webpage and solution brief.

Get started with VMware Tanzu Application Catalog by filling out this form.

About the Author

Bala Bharathy U

Bala Bharathy U is part of the product marketing team of VMware Tanzu, focusing on VMware Application Catalog and VMware Image Builder. He started his product marketing career in 2020 and has since worked on products across multiple tech domains, including virtualization, security, remote access, and application modernization.
