Vulnerability Detection Capabilities

2 min read Security Testing & Tools

Vulnerability Detection Capabilities

Both tools excel at vulnerability detection but with different strengths:

# Comparative vulnerability detection analysis
import json
import subprocess
from typing import Dict, List, Set

class VulnerabilityComparison:
    def __init__(self, image_name: str):
        self.image_name = image_name
        self.trivy_results = self.run_trivy_scan()
        self.snyk_results = self.run_snyk_scan()
        
    def run_trivy_scan(self) -> Dict:
        """Run Trivy scan and parse results"""
        cmd = [
            'trivy', 'image', 
            '--format', 'json',
            '--severity', 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL',
            self.image_name
        ]
        
        result = subprocess.run(cmd, capture_output=True, text=True)
        return json.loads(result.stdout)
        
    def run_snyk_scan(self) -> Dict:
        """Run Snyk scan and parse results"""
        cmd = [
            'snyk', 'container', 'test',
            '--json',
            '--severity-threshold=low',
            self.image_name
        ]
        
        result = subprocess.run(cmd, capture_output=True, text=True)
        return json.loads(result.stdout)
        
    def compare_detection_coverage(self) -> Dict:
        """Compare vulnerability detection between tools"""
        # Extract Trivy vulnerabilities
        trivy_vulns = set()
        for result in self.trivy_results.get('Results', []):
            for vuln in result.get('Vulnerabilities', []):
                trivy_vulns.add(vuln['VulnerabilityID'])
                
        # Extract Snyk vulnerabilities
        snyk_vulns = set()
        for vuln in self.snyk_results.get('vulnerabilities', []):
            for identifier in vuln.get('identifiers', {}).get('CVE', []):
                snyk_vulns.add(identifier)
                
        return {
            'trivy_total': len(trivy_vulns),
            'snyk_total': len(snyk_vulns),
            'common': len(trivy_vulns & snyk_vulns),
            'trivy_only': len(trivy_vulns - snyk_vulns),
            'snyk_only': len(snyk_vulns - trivy_vulns),
            'trivy_unique': list(trivy_vulns - snyk_vulns)[:10],
            'snyk_unique': list(snyk_vulns - trivy_vulns)[:10]
        }
        
    def compare_severity_assessment(self) -> Dict:
        """Compare how tools assess severity"""
        severity_comparison = {}
        
        # Build CVE to severity mapping for each tool
        trivy_severities = {}
        for result in self.trivy_results.get('Results', []):
            for vuln in result.get('Vulnerabilities', []):
                trivy_severities[vuln['VulnerabilityID']] = vuln['Severity']
                
        snyk_severities = {}
        for vuln in self.snyk_results.get('vulnerabilities', []):
            for cve in vuln.get('identifiers', {}).get('CVE', []):
                snyk_severities[cve] = vuln['severity'].upper()
                
        # Compare common CVEs
        common_cves = set(trivy_severities.keys()) & set(snyk_severities.keys())
        
        for cve in common_cves:
            if trivy_severities[cve] != snyk_severities[cve]:
                severity_comparison[cve] = {
                    'trivy': trivy_severities[cve],
                    'snyk': snyk_severities[cve]
                }
                
        return severity_comparison

# Run comparison
comparison = VulnerabilityComparison("nginx:latest")
coverage = comparison.compare_detection_coverage()
print(f"Detection Coverage Comparison:")
print(f"  Trivy found: {coverage['trivy_total']} vulnerabilities")
print(f"  Snyk found: {coverage['snyk_total']} vulnerabilities")
print(f"  Common: {coverage['common']} vulnerabilities")
print(f"  Unique to Trivy: {coverage['trivy_only']}")
print(f"  Unique to Snyk: {coverage['snyk_only']}")