Replies: 6 comments
-
This issue is still very relevant, I don't think it should stay closed. Sorting the results would really help.
-
@saerosV I agree.
-
Is there some easy way to test the report generated with this template? https://github.com/aquasecurity/trivy/blob/8d5882be03d3e27eeaa48825b064d4235974a730/contrib/html.tpl
-
@64J0: I modified my template to sort by severity using the below:
Note that this is my first time using Go templates, so it might be a bit janky, but it works for me! The whole HTML template can be found in my repo here, which is a TeamCity reporting plugin that exports HTML: https://github.com/cfculhane/trivy-plugin-teamcity-report

I've also added truncation of the links with
-
+1 - necessary for sanity
-
Similarly a junit.xml can be sorted like this:

```xml
<?xml version="1.0" ?>
<testsuites name="trivy">
{{- range . -}}
{{- $failures := len .Vulnerabilities }}
{{- $vulns := .Vulnerabilities }}
{{- $target := .Target }}
    <testsuite tests="{{ $failures }}" failures="{{ $failures }}" name="{{ .Target }}" errors="0" skipped="0" time="">
    {{- if not (eq .Type "") }}
        <properties><property name="type" value="{{ .Type }}"></property></properties>
    {{- end -}}
    {{- /* Outer loop fixes the severity order; inner loop emits only the vulnerabilities at that level */ -}}
    {{- range $severity_level := list "CRITICAL" "HIGH" "MEDIUM" "LOW" "UNKNOWN" }}
    {{- range $vuln := $vulns -}}
    {{ if (eq (escapeXML $vuln.Severity) $severity_level) }}
        <testcase
            classname="{{ base $target }}: {{ $vuln.PkgName }} {{ $vuln.InstalledVersion }}"
            name="[{{ $vuln.Severity }}] {{ $vuln.VulnerabilityID }}"
            file=""
            time="">
            <failure message="{{ escapeXML $vuln.Title }}" type="description">Fixed in {{ escapeXML $vuln.FixedVersion }}
Description: {{ escapeXML $vuln.Description }}
Details: {{ escapeXML (join ", " $vuln.References) }}</failure>
        </testcase>
    {{- end }}
    {{- end }}
    {{- end }}
    </testsuite>
{{- if .MisconfSummary }}
    <testsuite tests="{{ add .MisconfSummary.Successes .MisconfSummary.Failures }}"
        failures="{{ .MisconfSummary.Failures }}" name="{{ .Target }}" errors="0" skipped="{{ .MisconfSummary.Exceptions }}" time="">
{{- else }}
    <testsuite tests="0" failures="0" name="{{ .Target }}" errors="0" skipped="0" time="">
{{- end }}
    {{- if not (eq .Type "") }}
        <properties><property name="type" value="{{ .Type }}"></property></properties>
    {{- end -}}
    {{ range .Misconfigurations }}
        <testcase classname="{{ .Type }}" name="[{{ .Severity }}] {{ .ID }}" time="">
        {{- if (eq .Status "FAIL") }}
            <failure message="{{ escapeXML .Title }}" type="description">{{ escapeXML .Description }}</failure>
        {{- end }}
        </testcase>
    {{- end }}
    </testsuite>
{{- end }}
</testsuites>
```
-
Just implementing this internally when the report is generated, or adding a new flag --sort
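The severity-ordering pattern from the junit.xml template above can be checked outside Trivy by rendering it with Go's `text/template` over constructed data. This is an added example, not code from the thread or from Trivy; the `Vuln` and `Result` types, the `EXAMPLE-` IDs and the local `list` helper (standing in for the sprig function) are assumptions.

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
)

// Constructed stand-ins for the Trivy result fields the template reads.
type Vuln struct{ VulnerabilityID, Severity string }
type Result struct{ Vulnerabilities []Vuln }

// Constructed sample; IDs are placeholders and "INFO" is not in the severity list.
var sample = []Result{{Vulnerabilities: []Vuln{
	{"EXAMPLE-0001", "LOW"}, {"EXAMPLE-0002", "CRITICAL"}, {"EXAMPLE-0003", "HIGH"},
	{"EXAMPLE-0004", "CRITICAL"}, {"EXAMPLE-0005", "INFO"}}}}

// The outer range fixes the severity order; the inner range emits only the
// findings at that level. Severities missing from the list are never emitted.
const sortedTpl = `{{- range . -}}
{{- $vulns := .Vulnerabilities -}}
{{- range $level := list "CRITICAL" "HIGH" "MEDIUM" "LOW" "UNKNOWN" -}}
{{- range $v := $vulns -}}
{{- if eq $v.Severity $level }}{{ $v.Severity }} {{ $v.VulnerabilityID }}
{{ end -}}
{{- end -}}
{{- end -}}
{{- end -}}`

// RenderSorted runs the template; "list" is a local stand-in for sprig's list.
func RenderSorted(results []Result) ([]string, error) {
	funcs := template.FuncMap{"list": func(s ...string) []string { return s }}
	t, err := template.New("sorted").Funcs(funcs).Parse(sortedTpl)
	if err != nil {
		return nil, err
	}
	var out strings.Builder
	if err := t.Execute(&out, results); err != nil {
		return nil, err
	}
	return strings.FieldsFunc(out.String(), func(r rune) bool { return r == '\n' }), nil
}

func main() {
	lines, err := RenderSorted(sample)
	if err != nil {
		panic(err)
	}
	fmt.Println(strings.Join(lines, "\n"))
}
```

A finding whose severity is not in the list (the constructed `INFO` entry) produces no output, so the list has to cover every severity value the scanner can emit.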