docs/guide/supply-chain/vex/repo.md
!!! warning "EXPERIMENTAL"
    This feature might change without preserving backwards compatibility.
Trivy can download and use VEX documents from repositories that comply with the VEX Repository Specification.
While it is planned to be enabled by default in the future, it currently has to be activated explicitly with `--vex repo`:
```bash
$ trivy image ghcr.io/aquasecurity/trivy:0.52.0 --vex repo
2024-07-20T11:22:58+04:00 INFO [vex] The default repository config has been created file_path="/Users/teppei/.trivy/vex/repository.yaml"
2024-07-20T11:23:23+04:00 INFO [vex] Updating repository... repo="default" url="https://github.com/aquasecurity/vexhub"
```
During scanning, Trivy generates PURLs for discovered packages and searches for matching PURLs in the VEX Repository. If a match is found, the corresponding VEX is utilized.
When `--vex repo` is specified for the first time, a default configuration file is created at `$HOME/.trivy/vex/repository.yaml`.
The home directory can be configured through the environment variable `$XDG_DATA_HOME`.
You can also create the configuration file in advance using the `trivy vex repo init` command and edit it.
The default configuration file looks like this:

```yaml
repositories:
  - name: default
    url: https://github.com/aquasecurity/vexhub
    enabled: true
    username: ""
    password: ""
    token: ""
```
By default, VEX Hub managed by Aqua Security is used. VEX Hub primarily trusts VEX documents published by the package maintainers.
You can see the config file path and the configured repositories with `trivy vex repo list`:

```bash
$ trivy vex repo list
VEX Repositories (config: /home/username/.trivy/vex/repository.yaml)
- Name: default
  URL: https://github.com/aquasecurity/vexhub
  Status: Enabled
```
If you want to trust VEX documents published by other organizations or use your own VEX repository, you can specify a custom repository that complies with the VEX Repository Specification. You can add a custom repository as below:
```yaml
- name: custom
  url: https://example.com/custom-repo
  enabled: true
```
For private repositories:

- `username`/`password` can be used for Basic authentication
- `token` can be used for Bearer authentication

```yaml
- name: custom
  url: https://example.com/custom-repo
  enabled: true
  token: "my-token"
```

The configuration file stores these credentials in plaintext, so restrict its file permissions and keep it out of version control.
In some cases, you might want to skip TLS verification for a particular repository:

```yaml
- name: custom
  url: https://example.com/custom-repo
  enabled: true
  insecure: true
```

With `insecure: true`, Trivy no longer verifies the repository's certificate, so anyone able to intercept the connection can serve VEX documents that suppress findings. Reserve it for test setups, not for repositories whose statements drive production scan results.
The priority of VEX repositories is determined by their order in the configuration file. You can add repositories with higher priority than the default or even remove the default VEX Hub.

```yaml
- name: repo1
  url: https://example.com/repo1
- name: repo2
  url: https://example.com/repo2
```
In this configuration, when Trivy detects a vulnerability in a package, it generates a PURL for that package and searches for matching VEX documents in the configured repositories. The search process follows this order:

1. Trivy first checks `repo1`.
2. If no matching VEX document is found in `repo1`, Trivy then searches in `repo2`.
3. If a matching VEX document is found in any repository (e.g., `repo1`), the search stops and Trivy uses that VEX document. Subsequent repositories (e.g., `repo2`) are not checked for that specific vulnerability and package combination.

Note that the first matching VEX document determines the final status of the vulnerability.
For example, if `repo1` states that a package is "affected" by a vulnerability, that status is used even if `repo2` states that the same package is "not affected" for the same vulnerability.
The "affected" status from the higher-priority repository (`repo1`) takes precedence, and Trivy reports the package as affected. Put the repositories whose judgment you trust most first.
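The following is an added illustration of the precedence rule above, written for this page rather than taken from Trivy's source. It walks a list that mirrors `repository.yaml` in order, skips disabled entries, and returns the first statement whose PURL and vulnerability ID match, so a higher-priority `affected` wins over a lower-priority `not_affected`. The repository names, URLs, PURLs and statements are constructed sample data, and matching is exact string comparison, which is a simplification of Trivy's PURL matching.

```python
"""Model of how an ordered list of VEX repositories resolves a status.

Added illustration, not Trivy's own code. Repositories are consulted in
the order of repository.yaml, disabled entries are skipped, and the first
statement whose product PURL and vulnerability ID match is final; lower
priority repositories are not consulted for that pair.
"""
from typing import Optional

# Constructed stand-in for repository.yaml: list order is priority order.
REPOSITORIES = [
    {"name": "repo1", "url": "https://example.com/repo1", "enabled": True},
    {"name": "disabled", "url": "https://example.com/disabled", "enabled": False},
    {"name": "repo2", "url": "https://example.com/repo2", "enabled": True},
]

# Constructed contents of each repository, keyed by repository name.
# A real repository exposes an index mapping PURLs to VEX documents;
# that indirection is collapsed into flat statements here.
STATEMENTS = {
    "repo1": [
        {"vulnerability": "CVE-2023-42364",
         "product": "pkg:apk/alpine/busybox@1.36.1-r2",
         "status": "affected"},
    ],
    "disabled": [
        # Would win for CVE-2023-42365 if the repository were enabled.
        {"vulnerability": "CVE-2023-42365",
         "product": "pkg:apk/alpine/busybox@1.36.1-r2",
         "status": "not_affected",
         "justification": "vulnerable_code_not_present"},
    ],
    "repo2": [
        # Contradicts repo1 for the same package and CVE; loses on priority.
        {"vulnerability": "CVE-2023-42364",
         "product": "pkg:apk/alpine/busybox@1.36.1-r2",
         "status": "not_affected",
         "justification": "vulnerable_code_cannot_be_controlled_by_adversary"},
        {"vulnerability": "CVE-2023-42365",
         "product": "pkg:apk/alpine/busybox@1.36.1-r2",
         "status": "not_affected",
         "justification": "vulnerable_code_not_in_execute_path"},
    ],
}


def resolve(purl: str, vuln_id: str) -> Optional[dict]:
    """Return the first matching statement, annotated with its source repo.

    Exact string comparison on the PURL is used here; Trivy's own PURL
    matching is not modelled.
    """
    for repo in REPOSITORIES:
        if not repo["enabled"]:
            continue
        for st in STATEMENTS.get(repo["name"], []):
            if st["product"] == purl and st["vulnerability"] == vuln_id:
                return {**st, "source": repo["name"]}
    return None


def effective_status(purl: str, vuln_id: str) -> str:
    """Status applied to the finding: 'no_vex' leaves the scanner result as is."""
    st = resolve(purl, vuln_id)
    return st["status"] if st else "no_vex"


if __name__ == "__main__":
    pkg = "pkg:apk/alpine/busybox@1.36.1-r2"
    for cve in ("CVE-2023-42364", "CVE-2023-42365"):
        print(cve, effective_status(pkg, cve), resolve(pkg, cve))
```

Swapping the order of `repo1` and `repo2` in `REPOSITORIES` flips CVE-2023-42364 to `not_affected`, which is the whole point of the ordering: the configuration file, not the statements' content, decides which organisation's judgment wins.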
VEX repositories are automatically updated during scanning. Updates are performed based on the update frequency specified by the repository.
To disable auto-update, pass `--skip-vex-repo-update`:

```bash
$ trivy image ghcr.io/aquasecurity/trivy:0.50.0 --vex repo --skip-vex-repo-update
```

To download VEX repositories in advance without scanning, use `trivy vex repo download`.
The cache can be cleared with `trivy clean --vex-repo`.
To see which vulnerabilities were filtered and why, use the `--show-suppressed` option:

```bash
$ trivy image ghcr.io/aquasecurity/trivy:0.50.0 --vex repo --show-suppressed
...
Suppressed Vulnerabilities (Total: 4)
=====================================
┌───────────────┬────────────────┬──────────┬──────────────┬───────────────────────────────────────────────────┬──────────────────────────────────────────┐
│    Library    │ Vulnerability  │ Severity │    Status    │                     Statement                     │                  Source                  │
├───────────────┼────────────────┼──────────┼──────────────┼───────────────────────────────────────────────────┼──────────────────────────────────────────┤
│ busybox       │ CVE-2023-42364 │ MEDIUM   │ not_affected │ vulnerable_code_cannot_be_controlled_by_adversary │ VEX Repository: default                  │
│               │                │          │              │                                                   │ (https://github.com/aquasecurity/vexhub) │
│               ├────────────────┤          │              │                                                   │                                          │
│               │ CVE-2023-42365 │          │              │                                                   │                                          │
│               │                │          │              │                                                   │                                          │
├───────────────┼────────────────┤          │              │                                                   │                                          │
│ busybox-binsh │ CVE-2023-42364 │          │              │                                                   │                                          │
│               │                │          │              │                                                   │                                          │
│               ├────────────────┤          │              │                                                   │                                          │
│               │ CVE-2023-42365 │          │              │                                                   │                                          │
│               │                │          │              │                                                   │                                          │
└───────────────┴────────────────┴──────────┴──────────────┴───────────────────────────────────────────────────┴──────────────────────────────────────────┘
```
As an OSS developer or maintainer, you may encounter vulnerabilities in the packages your project depends on. These vulnerabilities might be discovered through your own scans or reported by third parties using your OSS project.
While Trivy strives to minimize false positives, it doesn't perform code graph analysis, which means it can't evaluate exploitability at the code level. Consequently, Trivy may report vulnerabilities even in cases where:
If you're confident that a reported vulnerability in a dependency doesn't affect your OSS project or container image, you can publish a VEX document to reduce noise in Trivy scans. To assess exploitability, you have several options:
By publishing VEX documents in the source repository, Trivy can automatically use them through VEX Hub. The main steps are:

- `.vex/` directory in the source repository (e.g., Trivy's VEX)

Step 3 is only necessary once. After that, updates to the VEX file in your repository will automatically be fetched by VEX Hub and used by Trivy. See the VEX Hub repository for more information.
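As an added example of creating the VEX document that goes in `.vex/` (written for this page; not Trivy's or VEX Hub's code), the following builds a minimal document in the OpenVEX format and checks the fields that most often go wrong before publishing: the status value, the justification vocabulary, and the rule that a `not_affected` statement needs a justification or impact statement. The author, document `@id`, image PURL and subcomponent PURL are placeholders, and the checks are assumed to be the useful subset of the OpenVEX rules rather than a full validator.

```python
"""Build and sanity-check an OpenVEX document for a project's .vex/ directory.

Added illustration, not Trivy's or VEX Hub's code. Identifiers are
placeholders. The checks follow the OpenVEX specification: every statement
needs a recognised status and at least one product, any justification must
come from the fixed vocabulary, and a not_affected statement must carry a
justification or an impact_statement.
"""
import json
from datetime import datetime, timezone

CONTEXT = "https://openvex.dev/ns/v0.2.0"
STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}
JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}


def statement(vuln_id, product_purl, status, subcomponent_purl=None,
              justification=None, impact_statement=None):
    """One OpenVEX statement; the vulnerable dependency goes in subcomponents."""
    product = {"@id": product_purl}
    if subcomponent_purl:
        product["subcomponents"] = [{"@id": subcomponent_purl}]
    st = {"vulnerability": {"name": vuln_id}, "products": [product], "status": status}
    if justification:
        st["justification"] = justification
    if impact_statement:
        st["impact_statement"] = impact_statement
    return st


def build_document(author, doc_id, statements, timestamp=None):
    """Wrap statements in the OpenVEX document envelope."""
    ts = timestamp or datetime.now(timezone.utc).isoformat(timespec="seconds")
    return {
        "@context": CONTEXT,
        "@id": doc_id,
        "author": author,
        "timestamp": ts,
        "version": 1,
        "statements": list(statements),
    }


def validate(doc):
    """Return a list of problems; an empty list means the document passed."""
    errors = []
    for key in ("@context", "@id", "author", "timestamp", "version", "statements"):
        if key not in doc:
            errors.append(f"missing {key}")
    for i, st in enumerate(doc.get("statements", [])):
        where = f"statement {i}"
        if st.get("status") not in STATUSES:
            errors.append(f"{where}: unknown status {st.get('status')!r}")
        if not st.get("products"):
            errors.append(f"{where}: no products")
        if "justification" in st and st["justification"] not in JUSTIFICATIONS:
            errors.append(f"{where}: unknown justification {st['justification']!r}")
        if st.get("status") == "not_affected" and not (
            st.get("justification") or st.get("impact_statement")
        ):
            errors.append(f"{where}: not_affected needs a justification or impact_statement")
    return errors


def render(doc):
    """Serialise for writing to .vex/<project>.openvex.json."""
    return json.dumps(doc, indent=2)


# Placeholder identifiers, not a real project's VEX.
EXAMPLE = build_document(
    author="Example Project Maintainers",
    doc_id="https://example.com/vex/example-project-2024-07-20",
    statements=[
        statement(
            "CVE-2023-42364",
            "pkg:oci/example-image?repository_url=ghcr.io/example/example-image",
            "not_affected",
            subcomponent_purl="pkg:apk/alpine/busybox@1.36.1-r2",
            justification="vulnerable_code_cannot_be_controlled_by_adversary",
        )
    ],
    timestamp="2024-07-20T07:22:58+00:00",
)

if __name__ == "__main__":
    problems = validate(EXAMPLE)
    print(render(EXAMPLE) if not problems else "\n".join(problems))
```

Run `validate` in CI before committing to `.vex/`: a statement that fails these checks is exactly the kind that a consumer silently ignores, leaving the vulnerability unsuppressed without any error on the publishing side.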
If you want to issue a VEX for an OSS project that you don't maintain, consider first proposing the VEX publication to the original repository. Many OSS maintainers are open to contributions that improve the security posture of their projects. However, if your proposal is not accepted, or if you want to issue a VEX with statements that differ from the maintainer's judgment, you may want to consider creating a custom repository.
If you're working on private software or personal projects, you have several options:
While the principle is to store VEX documents for OSS packages in the source repository, it's possible to create a custom repository if that's difficult.
There are various use cases for providing custom repositories:
In these cases, you can create a repository that complies with the VEX Repository Specification to make it available for use with Trivy.