Ability to filter vulnerability results by CVSS score and fixability #126

ekelson-bcove · 2020-06-02T15:35:06Z

for Usage: lacework vulnerability scan run <registry> <repository> <tag|digest> [flags]

It would be great to add two more flags:

The ability to filter by CVSS score (e.g. --cvss 7 returns 7+)
The ability to only return fixable vulns (e.g. --fixable)

Lastly as a possible stretch, it would be great to return a list of packages only that should be upgraded that can be via code

The text was updated successfully, but these errors were encountered:

afiune · 2020-06-09T21:43:42Z

@ekelson-bcove Thank you so much for your feedback! 💯

We are about to start working on this feature, the two flags you mentioned resonate
very well with us, though we are curious if you could elaborate a little more about the
"possible stretch" feature:

it would be great to return a list of packages only that should be upgraded that can be via code

-- 🤔 Is this extra feature related to listing the packages that could be upgraded since they have a fixed version available?

Adding the ability to display only fixable vulnerabilities by providing the new flag `--fixable`. Example: From a total of 15 vulnerabilities, display only the 5 that are fixable. ``` lacework vul report sha256:62dce44a0d2df7e3e3146817cc35681579c15a4ccd2c5d1f0bddb619fdd6dab8 --fixable CONTAINER IMAGE DETAILS | VULNERABILITIES ------------------------------------------------------------------------------------------+--------------------------------- ID sha256:1f40f2c68a11e338b7eda2264e71546ab1b5d6bc4c458bbd3785fd5efb3fc632 | SEVERITY COUNT FIXABLE Digest sha256:62dce44a0d2df7e3e3146817cc35681579c15a4ccd2c5d1f0bddb619fdd6dab8 | -----------+-------+---------- Registry index.docker.io | Critical 0 0 Repository techallylw/lacework-cli | High 0 0 Size 58.2 MB | Medium 4 1 Created At 2020-05-04T17:00:00+0000 | Low 9 4 Tags ubuntu-1804 | Info 2 0 | -----------------+----------+----------+--------------------------+--------------------------+-------------------------- CVE | SEVERITY | PACKAGE | CURRENT VERSION | FIX VERSION | INTRODUCED IN LAYER -----------------+----------+----------+--------------------------+--------------------------+-------------------------- CVE-2020-12243 | Medium | openldap | 2.4.45+dfsg-1ubuntu1.4 | 2.4.45+dfsg-1ubuntu1.5 | apt-get install curl -y -----------------+----------+----------+--------------------------+--------------------------+-------------------------- CVE-2019-1563 | Low | openssl | 1.1.1-1ubuntu2.1~18.04.5 | 1.1.1-1ubuntu2.1~18.04.6 | apt-get install curl -y -----------------+----------+----------+--------------------------+--------------------------+-------------------------- CVE-2019-1547 | Low | openssl | 1.1.1-1ubuntu2.1~18.04.5 | 1.1.1-1ubuntu2.1~18.04.6 | apt-get install curl -y -----------------+----------+----------+--------------------------+--------------------------+-------------------------- CVE-2019-1551 | Low | openssl | 1.1.1-1ubuntu2.1~18.04.5 | 1.1.1-1ubuntu2.1~18.04.6 | apt-get install curl -y -----------------+----------+----------+--------------------------+--------------------------+-------------------------- CVE-2019-1549 | Low | openssl | 1.1.1-1ubuntu2.1~18.04.5 | 1.1.1-1ubuntu2.1~18.04.6 | apt-get install curl -y -----------------+----------+----------+--------------------------+--------------------------+-------------------------- ``` GH: #126 Signed-off-by: Salim Afiune Maya <afiune@lacework.net>

afiune · 2020-07-07T22:51:44Z

@ekelson-bcove Hi there! We are still working on some of your feedback.

We recently released a new feature #149 that adds a --packages flag to vulnerability commands, maybe this is something that you can use internally that can help with the stretch feature you mentioned in this issue. As usual, we welcome any feedback! Thank you and we will keep you posted with more updates.

ekelson-bcove · 2020-07-07T23:56:30Z

Thanks and sorry I never replied. I wrote a response but it never got sent. I’ll try it out tomorrow!

On Tue, Jul 7, 2020 at 6:51 PM Salim Afiune ***@***.***> wrote: @ekelson-bcove <https://github.com/ekelson-bcove> Hi there! We are still working on some of your feedback. We recently released a new feature #149 <#149> that adds a --packages flag to vulnerability commands, maybe this is something that you can use internally that can help with the stretch feature you mentioned in this issue. As usual, we welcome any feedback! Thank you and we will keep you posted with more updates. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#126 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AE6E622YNM2447RGG4TOYQTR2ORI5ANCNFSM4NQ2ZYLA> .

-- Eric Kelson Information Security Brightcove

afiune added the feat New feature or request label Jun 2, 2020

afiune self-assigned this Jun 9, 2020

afiune mentioned this issue Jun 11, 2020

feat(cli): add --fixable flag to vulnerability cmd #148

Merged

afiune added the cli Something related to the Lacework CLI label Jul 7, 2020

afiune removed their assignment May 21, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Ability to filter vulnerability results by CVSS score and fixability #126

Ability to filter vulnerability results by CVSS score and fixability #126

ekelson-bcove commented Jun 2, 2020

afiune commented Jun 9, 2020 •

edited

Loading

afiune commented Jul 7, 2020

ekelson-bcove commented Jul 7, 2020 via email

Ability to filter vulnerability results by CVSS score and fixability #126

Ability to filter vulnerability results by CVSS score and fixability #126

Comments

ekelson-bcove commented Jun 2, 2020

afiune commented Jun 9, 2020 • edited Loading

afiune commented Jul 7, 2020

ekelson-bcove commented Jul 7, 2020 via email

afiune commented Jun 9, 2020 •

edited

Loading