If Trend Micro Artifact Scanner reports a vulnerability that has been determined to be a false positive, or any other vulnerability finding you wish to ignore, you can instruct Trend Micro Artifact Scanner to override these findings by defining one or more rules in an override configuration file (for example, ~/tmas_vuln_overrides.yml).
You execute a scan using these rules by providing Trend Micro Artifact Scanner with a path to the override file using the --override flag.
tmas scan <artifact_to_scan> --override path/to/tmas_vuln_overrides.yml
The override file is structured as a list of rules. Each rule can specify any combination of the following criteria:
  • vulnerability ID (for example, "CVE-2008-4318")
  • fix state (allowed values: "fixed", "not-fixed", "wont-fix", or "unknown")
  • package name (for example, "libcurl")
  • package version (for example, "1.5.1")
  • package type (for example, "npm", "go-package", "rpm", or any package type appearing in the Trend Micro Artifact Scanner JSON vulnerability report)
  • package location (for example, "/usr/local/lib/node_modules/**"; supports glob patterns)
Each rule must also be accompanied by a reason indicating why the rule was implemented (for example, "false positive", "mitigated", "vulnerable package function is not called", and so on).
vulnerabilities:
  # This is the full set of supported rule fields:
  - rule:
      vulnerability: CVE-0000-0000
      fixState: unknown
      package:
        name: libcurl
        version: 1.5.1
        type: npm
        location: "/usr/local/lib/node_modules/**"
    reason: A descriptor specifying why the override rule was implemented
A given vulnerability finding is overridden if any of the rules specified in the override file apply to the finding. A rule is considered to apply to a finding only if all the fields in the rule match those found in the vulnerability finding.
vulnerabilities:
  # Override vulnerability findings whose CVE-ID is CVE-0000-0000
  - rule:
      vulnerability: CVE-0000-0000
    reason: Not executed
  # Override vulnerability findings detected on libcurl version 1.5.1
  - rule:
      package:
        name: libcurl
        version: 1.5.1
    reason: Dev dependency
Any vulnerability finding that matches a rule is presented in the JSON report in an "Overridden" section, rather than classified under its severity.
{
  "totalVulnCount": 1,
  "criticalCount": 0,
  "highCount": 0,
  "mediumCount": 0,
  "lowCount": 0,
  "negligibleCount": 0,
  "unknownCount": 0,
  "overriddenCount": 1,
  "findings": {
    "High": [],
    "Low": [],
    "Medium": [],
    "Negligible": [],
    "Overridden": [
      {
        "name": "libcurl",
        "type": "npm",
        "version": "1.5.1",
        "id": "CVE-0000-0000",
        "source": "https://nvd.nist.gov/vuln/detail/CVE-0000-0000",
        "severity": "Low",
        "fix": "not-fixed",
        "locations": ["/usr/local/lib/node_modules/**"],
        "cvssSummaries": [],
        "relatedVulnerabilities": []
      }
    ]
  }
}
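The matching semantics above (a finding is overridden if any rule applies, and a rule applies only if every field it sets matches) and the bucketing of matched findings into the "Overridden" section can be reproduced with a small reference matcher. The following is an added example, not part of the Trend Micro Artifact Scanner documentation or the tool's own code; the rules are the parsed form of the two-rule override file above, the findings are constructed in the shape of the JSON report's finding objects, and matching a location glob with fnmatch semantics is an assumption about how the scanner evaluates glob patterns.

```python
from fnmatch import fnmatchcase

# Constructed sample: what a YAML loader returns for the two-rule override file above.
OVERRIDES = [
    {"rule": {"vulnerability": "CVE-0000-0000"}, "reason": "Not executed"},
    {"rule": {"package": {"name": "libcurl", "version": "1.5.1"}}, "reason": "Dev dependency"},
]

# Constructed findings mirroring the finding objects of the JSON report (no real scan data).
FINDINGS = [
    {"name": "libcurl", "type": "npm", "version": "1.5.1", "id": "CVE-0000-0000",
     "severity": "Low", "fix": "not-fixed", "locations": ["/usr/local/lib/node_modules/libcurl"]},
    {"name": "libcurl", "type": "rpm", "version": "1.5.2", "id": "CVE-0000-0001",
     "severity": "High", "fix": "fixed", "locations": ["/usr/lib64/libcurl.so"]},
    {"name": "openssl", "type": "rpm", "version": "3.0.0", "id": "CVE-0000-0000",
     "severity": "Critical", "fix": "fixed", "locations": ["/usr/lib64/libssl.so"]},
]


def rule_matches(rule, finding):
    """A rule applies only if every field it sets matches the finding.

    Fields the rule leaves out are not checked, so an empty rule matches
    every finding; keep rules as specific as the evidence allows.
    """
    if "vulnerability" in rule and rule["vulnerability"] != finding["id"]:
        return False
    if "fixState" in rule and rule["fixState"] != finding["fix"]:
        return False
    pkg = rule.get("package", {})
    for key in ("name", "version", "type"):
        if key in pkg and pkg[key] != finding[key]:
            return False
    if "location" in pkg:
        # Assumption: the location glob is matched against each reported location
        # with fnmatch semantics, where "*" (and so "**") also spans "/" separators.
        if not any(fnmatchcase(loc, pkg["location"]) for loc in finding["locations"]):
            return False
    return True


def apply_overrides(findings, overrides):
    """Bucket findings by severity; a finding matched by any rule goes to 'Overridden' instead."""
    report = {"Overridden": []}
    for finding in findings:
        if any(rule_matches(entry["rule"], finding) for entry in overrides):
            report["Overridden"].append(finding)
        else:
            report.setdefault(finding["severity"], []).append(finding)
    return report
```

Running apply_overrides(FINDINGS, OVERRIDES) overrides the libcurl 1.5.1 finding (matched by both rules) and the openssl finding (matched by CVE ID only), while the libcurl 1.5.2 finding matches neither rule and stays under "High".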