Advanced CVE Analysis with Trivy
Trivy provides sophisticated CVE detection capabilities that go beyond simple package matching:
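#!/bin/bash
# advanced-trivy-cve-analysis.sh
#
# Usage: advanced-trivy-cve-analysis.sh IMAGE
#
# Scans IMAGE with Trivy, keeps the CVE-prefixed findings, groups them by
# severity and by package, and builds a severity x exploitability matrix.
# Required tools on PATH: trivy, jq, python3.
#
# Artifacts written under ./cve-analysis:
#   full-scan.json         raw Trivy JSON report
#   cve-list.json          ONE JSON array of flattened CVE entries
#   cves-by-severity.json  count and IDs per severity
#   cves-by-package.json   packages, most CVEs first
#   enriched-cves.json     entries plus exploit_available / age_days / epss_score
#   risk-matrix.json       entries bucketed by severity and exploit_available
#
# NOTE: the exploit-availability and EPSS lookups are placeholders (False /
# 0.0). Until a real data source is wired in, every entry lands in a
# "*_no_exploit" or "other" bucket; do not read the matrix as evidence that
# no exploit exists.
set -euo pipefail

# Abort with a usage message when the image argument is missing.
IMAGE=${1:?usage: ${0##*/} IMAGE}
OUTPUT_DIR="./cve-analysis"
export OUTPUT_DIR   # consumed by the python3 step; keeps the heredoc literal

for tool in trivy jq python3; do
  if ! command -v "$tool" >/dev/null 2>&1; then
    printf 'required tool not found: %s\n' "$tool" >&2
    exit 1
  fi
done

mkdir -p -- "$OUTPUT_DIR"
printf 'Performing advanced CVE analysis for %s\n' "$IMAGE"

# 1. Full vulnerability scan with detailed output
# set -e aborts the run here if trivy itself fails (unreachable registry,
# bad image reference), so later steps never operate on a partial report.
trivy image --format json \
  --severity UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL \
  --vuln-type os,library \
  --ignore-unfixed=false \
  "$IMAGE" > "$OUTPUT_DIR/full-scan.json"

# 2. Extract and analyze specific CVE patterns
# The filter is wrapped in [ ... ] so cve-list.json is a single JSON array:
# the python3 step below does json.load() on it, which cannot parse a
# stream of top-level objects. `.Results[]?` tolerates a report with no
# Results key. Only CVE-* IDs are kept; other advisory IDs are dropped here.
echo "Analyzing CVE patterns..."
jq '[
  .Results[]? |
  .Vulnerabilities[]? |
  select(.VulnerabilityID | startswith("CVE-")) |
  {
    cve: .VulnerabilityID,
    package: .PkgName,
    severity: .Severity,
    fixed_version: .FixedVersion,
    layer: .Layer.DiffID,
    title: .Title
  }
]' "$OUTPUT_DIR/full-scan.json" > "$OUTPUT_DIR/cve-list.json"

# 3. Group CVEs by various criteria
# cve-list.json is already an array, so no slurp (-s) is needed.
echo "Grouping CVEs by severity..."
jq '
  group_by(.severity) |
  map({
    severity: .[0].severity,
    count: length,
    cves: map(.cve)
  })
' "$OUTPUT_DIR/cve-list.json" > "$OUTPUT_DIR/cves-by-severity.json"

echo "Grouping CVEs by package..."
jq '
  group_by(.package) |
  map({
    package: .[0].package,
    cve_count: length,
    severities: map(.severity) | unique
  }) |
  sort_by(.cve_count) |
  reverse
' "$OUTPUT_DIR/cve-list.json" > "$OUTPUT_DIR/cves-by-package.json"

# 4. Analyze CVE age and exploitability
# Quoted delimiter: nothing inside is expanded by the shell, so the Python
# source is taken literally. The output directory comes from the environment.
# Helpers are defined before the top-level code that calls them (defining
# them afterwards raises NameError at the first call).
echo "Analyzing CVE age and exploitability..."
python3 <<'EOF'
import json
import os
from datetime import datetime

OUTPUT_DIR = os.environ["OUTPUT_DIR"]


def check_exploit_db(cve_id):
    """Placeholder: no exploit database is consulted; always returns False."""
    return False


def calculate_cve_age(cve_id):
    """Approximate age in days from the year embedded in the CVE ID.

    The ID carries no publication date, so this is year granularity only:
    a coarse estimate, not the real disclosure age.
    """
    year = int(cve_id.split("-")[1])
    return (datetime.now().year - year) * 365


def get_epss_score(cve_id):
    """Placeholder: EPSS is not looked up; always returns 0.0."""
    return 0.0


def generate_risk_matrix(cves):
    """Bucket entries by severity and the exploit_available flag.

    Returns a dict with keys critical_exploitable, critical_no_exploit,
    high_exploitable, high_no_exploit and other. With the placeholder
    check_exploit_db, the *_exploitable buckets are always empty.
    """
    matrix = {
        "critical_exploitable": [],
        "critical_no_exploit": [],
        "high_exploitable": [],
        "high_no_exploit": [],
        "other": [],
    }
    for cve in cves:
        severity = cve.get("severity")
        exploitable = bool(cve.get("exploit_available", False))
        if severity == "CRITICAL" and exploitable:
            matrix["critical_exploitable"].append(cve)
        elif severity == "CRITICAL":
            matrix["critical_no_exploit"].append(cve)
        elif severity == "HIGH" and exploitable:
            matrix["high_exploitable"].append(cve)
        elif severity == "HIGH":
            matrix["high_no_exploit"].append(cve)
        else:
            matrix["other"].append(cve)
    return matrix


with open(os.path.join(OUTPUT_DIR, "cve-list.json")) as f:
    cves = json.load(f)   # a JSON array; [] when the scan found no CVEs

enriched_cves = []
for cve_entry in cves:
    cve_id = cve_entry["cve"]
    enriched = dict(cve_entry)
    enriched["exploit_available"] = check_exploit_db(cve_id)
    enriched["age_days"] = calculate_cve_age(cve_id)
    enriched["epss_score"] = get_epss_score(cve_id)
    enriched_cves.append(enriched)

# Save enriched data
with open(os.path.join(OUTPUT_DIR, "enriched-cves.json"), "w") as f:
    json.dump(enriched_cves, f, indent=2)

# Generate risk matrix
risk_matrix = generate_risk_matrix(enriched_cves)
with open(os.path.join(OUTPUT_DIR, "risk-matrix.json"), "w") as f:
    json.dump(risk_matrix, f, indent=2)
EOF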
# 5. Generate remediation report
echo "Generating remediation report..."
cat << EOF > $OUTPUT_DIR/remediation-report.md
# CVE Remediation Report for $IMAGE
Generated: $(date)