
Why Does Trivy Find More CVEs Than Inspector?

0

Same image debian:bookworm (debian 12.10)

Result from Trivy: Total: 94 (UNKNOWN: 1, LOW: 63, MEDIUM: 22, HIGH: 7, CRITICAL: 1)

Result from Inspector: Critical 0 High 2 Medium 9 Low 1 Info 0

"""" debian:bookworm (debian 12.10) Total: 94 (UNKNOWN: 1, LOW: 63, MEDIUM: 22, HIGH: 7, CRITICAL: 1) """"

https://github.com/aws/containers-roadmap/issues/2648

asked 4 months ago, 138 views
2 Answers
2

The difference in vulnerability findings between Trivy and AWS Inspector for the same debian:bookworm image can be attributed to several factors:

  1. Different vulnerability databases: AWS Inspector and Trivy likely use different vulnerability databases with varying levels of coverage. Inspector calculates a highly contextualized risk score by correlating CVE information with factors such as network access and exploitability, which may result in different vulnerability classifications.

  2. Vulnerability assessment methodology: Inspector prioritizes vulnerabilities based on their actual risk in your specific AWS environment, while Trivy might report all potential vulnerabilities regardless of exploitability or context. Inspector focuses on vulnerabilities that pose actual threats in your specific deployment context.

  3. Filtering and prioritization: Inspector may be applying more aggressive filtering to reduce noise and focus on actionable vulnerabilities. It calculates risk scores that consider factors beyond just the CVE rating, such as network accessibility and exploit availability.

  4. Different scanning depths: The tools may have different approaches to scanning package dependencies and identifying vulnerabilities within them.

  5. Update frequency: The vulnerability databases used by each tool may be updated at different intervals, leading to differences in detected vulnerabilities.

This difference in findings doesn't necessarily mean one tool is more accurate than the other. Inspector is designed to help prioritize remediation efforts by focusing on the most critical vulnerabilities that pose actual risk in your AWS environment, rather than reporting every potential vulnerability regardless of exploitability.
Sources
Question About Vulnerability Results in AWS Inspector | AWS re:Post
Automated Vulnerability Management - Amazon Inspector Features - AWS
Amazon Inspector finding types - Amazon Inspector

answered 4 months ago
AWS
EXPERT
reviewed 4 months ago
0

The AI-generated answer is accurate in its summary. Trivy and AWS Inspector are two different products, so they would naturally use different detection and classification criteria. Neither is better or worse than the other; they give different perspectives from two different vulnerability assessment services.

Any suspected High and Critical findings from a reputable vulnerability management service are worth looking into, even if they turn out to be false positives. It is better to be sure, and secure, than at risk.

You can consider correlating the Critical, High and Medium findings reported by Inspector and Trivy to see which correspond to the same CVE and use it as confirmation that the instance is vulnerable to that particular CVE and action accordingly.

I hope that helps to answer your question :)

AWS
answered 4 months ago
AWS
EXPERT
reviewed 4 months ago
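The correlation the second answer suggests, as an added example that is not part of the original thread or of either product: intersect the Critical/High/Medium findings of both tools by CVE id, and also list CVEs both tools see but rate differently, which is where the "different classification criteria" show up. The JSON shapes are assumptions (a `trivy image --format json` report, and the `findings` list returned by the Inspector v2 ListFindings API); the two embedded reports and their CVE ids are constructed placeholders, not real findings for debian:bookworm.

```python
"""Correlate Trivy and Amazon Inspector findings for one image by CVE id.

Added example, not code from the re:Post thread, Trivy or Inspector.
Assumed shapes: Trivy `--format json` (Results[].Vulnerabilities[]) and
Inspector v2 ListFindings (findings[].packageVulnerabilityDetails).
"""
import json

# Severities worth triaging first, as the answer above recommends.
TRIAGE_SEVERITIES = {"CRITICAL", "HIGH", "MEDIUM"}

# Constructed Trivy report: placeholder CVE ids, not real findings.
TRIVY_JSON = json.dumps({
    "ArtifactName": "debian:bookworm",
    "Results": [{
        "Target": "debian:bookworm (debian 12.10)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libbaz", "Severity": "MEDIUM"},
            {"VulnerabilityID": "CVE-0000-0004", "PkgName": "libqux", "Severity": "LOW"},
        ],
    }],
})

# Constructed Inspector findings: overlaps on 0002 and 0003, adds 0005,
# and rates 0003 lower than Trivy does.
INSPECTOR_JSON = json.dumps({
    "findings": [
        {"severity": "HIGH",
         "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-0002",
                                         "vulnerablePackages": [{"name": "libbar"}]}},
        {"severity": "LOW",
         "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-0003",
                                         "vulnerablePackages": [{"name": "libbaz"}]}},
        {"severity": "MEDIUM",
         "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-0005",
                                         "vulnerablePackages": [{"name": "libnew"}]}},
    ],
})


def trivy_findings(report):
    """Map CVE id -> upper-cased severity from a parsed Trivy JSON report."""
    out = {}
    for result in report.get("Results", []):
        # Trivy emits null instead of [] when a target has no findings.
        for v in result.get("Vulnerabilities") or []:
            out[v["VulnerabilityID"]] = v.get("Severity", "UNKNOWN").upper()
    return out


def inspector_findings(report):
    """Map CVE id -> upper-cased severity from a parsed Inspector findings list."""
    out = {}
    for f in report.get("findings", []):
        details = f.get("packageVulnerabilityDetails") or {}
        cve = details.get("vulnerabilityId")
        if cve:  # skip non-package findings (e.g. code or network reachability)
            out[cve] = f.get("severity", "UNTRIAGED").upper()
    return out


def correlate(trivy, inspector, severities=TRIAGE_SEVERITIES):
    """Split triage-level CVEs into confirmed / single-tool buckets and
    list CVEs both tools report but rate differently."""
    t = {c for c, s in trivy.items() if s in severities}
    i = {c for c, s in inspector.items() if s in severities}
    mismatch = [(c, trivy[c], inspector[c])
                for c in sorted(trivy.keys() & inspector.keys())
                if trivy[c] != inspector[c]]
    return {
        "confirmed": sorted(t & i),          # both tools agree it matters: act first
        "trivy_only": sorted(t - i),         # check whether Inspector filtered or rated it lower
        "inspector_only": sorted(i - t),     # check Trivy's DB freshness / detection
        "severity_mismatch": mismatch,       # same CVE, different rating
    }


def correlate_reports(trivy_json, inspector_json):
    """Parse both raw JSON strings and correlate them."""
    return correlate(trivy_findings(json.loads(trivy_json)),
                     inspector_findings(json.loads(inspector_json)))


if __name__ == "__main__":
    print(json.dumps(correlate_reports(TRIVY_JSON, INSPECTOR_JSON), indent=2))
```

On real reports, replace the two constructed strings with the file produced by `trivy image --format json` and the JSON you saved from Inspector's ListFindings for the same image digest; the `severity_mismatch` bucket is the quickest way to see that a CVE dropped from one tool's Critical/High list was rated lower rather than missed.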
