
This package parses the vulnerability report (.json) generated by trivy for container images, then generates a human-readable report (.html or .pdf).

Project description

ImageVulnAnalyzer

This tool parses the raw vulnerability report of a container image generated by trivy and generates a human-readable HTML page.

Installation

pip install iv_sherlock

Use the tool

This tool ships with a default config.toml; it is designed for running on a Linux OS.

[report]
# directory to put raw report generated by trivy
source_path = "/tmp/iv_sherlock/data"

# directory to put the generated reports
out_path = "/tmp/iv_sherlock/report"
default_encoding = "utf-8"
export_pdf = false

[cvss]
score_mapping = '{"AV": {"N": 0.85, "A": 0.62}, "AC": {"L": 0.77, "H": 0.44}, "PR": {"N": 0.85, "L": 0.62, "H": 0.27}, "UI": {"N": 0.85, "R": 0.62}, "S": {"U": 1.0, "C": 1.08}, "C": {"H": 0.56, "L": 0.22, "N": 0.0}, "I": {"H": 0.56, "L": 0.22, "N": 0.0}, "A": {"H": 0.56, "L": 0.22, "N": 0.0}}'

You can override the default configuration file with the -c or --conf option.

# run the application with default conf, only works in Linux OS
iv_sherlock

# run the application with custom conf
iv_sherlock -c path/to/custom_conf.toml

To generate a raw report for an image with trivy, use the command below:

$ trivy image -f json -o redis.json redis

You can find more details about trivy here.

The image vulnerabilities

The image vulnerabilities can be divided into two categories:

  • The vulnerabilities from the base OS
  • The vulnerabilities from the applications (or dependencies of the application)
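In trivy's JSON output those two categories correspond to results whose Class is os-pkgs and lang-pkgs respectively. As an added example (not the package's own code), the following parses a constructed report in that shape, counts findings per category and severity, and lists the findings for which a fixed package version exists; the package and CVE names in the sample are placeholders.

```python
import json
from collections import Counter

# Constructed sample in the shape of `trivy image -f json` output (SchemaVersion 2).
# Package names and CVE ids are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "example/app:latest",
    "Results": [
        {"Target": "example/app:latest (debian 12.0)", "Class": "os-pkgs", "Type": "debian",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1",
              "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample1",
              "InstalledVersion": "1.0-1", "Severity": "LOW"},
         ]},
        {"Target": "app/requirements.txt", "Class": "lang-pkgs", "Type": "pip",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "somelib",
              "InstalledVersion": "2.0.0", "FixedVersion": "2.0.1", "Severity": "CRITICAL"},
         ]},
        # A result with no findings: trivy omits the "Vulnerabilities" key entirely.
        {"Target": "app/go.sum", "Class": "lang-pkgs", "Type": "gomod"},
    ],
})

# trivy result classes mapped onto the two categories described above.
CATEGORY = {"os-pkgs": "base OS", "lang-pkgs": "application"}
SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"]


def load_report(text: str) -> dict:
    """Parse a trivy JSON report and reject schema versions this code does not understand."""
    report = json.loads(text)
    if report.get("SchemaVersion") != 2:
        raise ValueError(f"unsupported trivy schema version: {report.get('SchemaVersion')!r}")
    return report


def summarize(report: dict) -> dict:
    """Count vulnerabilities per category and severity, e.g. {'base OS': Counter({'HIGH': 1})}."""
    summary = {name: Counter() for name in CATEGORY.values()}
    for result in report.get("Results", []):
        category = CATEGORY.get(result.get("Class"))
        if category is None:
            continue  # config / secret / license results are not package vulnerabilities
        for vuln in result.get("Vulnerabilities") or []:
            summary[category][vuln.get("Severity", "UNKNOWN")] += 1
    return summary


def fixable(report: dict) -> list:
    """IDs of findings where a fixed package version exists, i.e. an upgrade removes the finding."""
    ids = set()
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("FixedVersion"):
                ids.add(vuln["VulnerabilityID"])
    return sorted(ids)


def worst_severity(summary: dict) -> str:
    """Highest severity present anywhere in the summary, or 'NONE' for a clean image."""
    for sev in SEVERITY_ORDER:
        if any(counts[sev] for counts in summary.values()):
            return sev
    return "NONE"


def render_text(report: dict) -> str:
    """A minimal plain-text rendering of the per-category summary."""
    summary = summarize(report)
    lines = [f"Image: {report.get('ArtifactName')}",
             f"{'category':<13} " + " ".join(f"{s:>9}" for s in SEVERITY_ORDER)]
    for name, counts in summary.items():
        lines.append(f"{name:<13} " + " ".join(f"{counts[s]:>9}" for s in SEVERITY_ORDER))
    lines.append(f"worst: {worst_severity(summary)}; fixable: {', '.join(fixable(report)) or 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_text(load_report(SAMPLE_REPORT)))
```

The `or []` guards matter in practice: a scanned target with no findings carries no Vulnerabilities key at all, and a summariser that assumes the key is present will crash on exactly the images that are clean.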

Rendering

The application generates one report per image and one general (summary) report. The report can also be exported to PDF, because the HTML prints badly from browsers.

To do that, install playwright and run:

playwright install

Otherwise, you can deactivate this functionality in config.toml by setting export_pdf to false; the app will then run without playwright.


Download files


Source Distribution

iv_sherlock-0.1.0.tar.gz (16.8 kB)

Uploaded Source

Built Distribution


iv_sherlock-0.1.0-py3-none-any.whl (14.7 kB)

Uploaded Python 3

File details

Details for the file iv_sherlock-0.1.0.tar.gz.

File metadata

  • Download URL: iv_sherlock-0.1.0.tar.gz
  • Upload date:
  • Size: 16.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.11.10

File hashes

Hashes for iv_sherlock-0.1.0.tar.gz
Algorithm Hash digest
SHA256 4dbf598e542a7f968e3a01cf01e3bdbd2c0777cbc1fcdca6ff7d663187bf15d1
MD5 86d4d4ad5bc78d1769ad8c9865f52e19
BLAKE2b-256 aff71f7c331eeb241f28b02b8256fc00fdc848923166d690ca02201e9f19321f


File details

Details for the file iv_sherlock-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: iv_sherlock-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 14.7 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.11.10

File hashes

Hashes for iv_sherlock-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 7d66929865a00ce73fb0b5619d44d72f173c9e05ab140e070ed449b84d02c13d
MD5 eb815fe8227208ef32b82f45cfe8364c
BLAKE2b-256 68b9751e145c48618a9ff40d4422f30883da21b30a8202ecb0b3e7e2df96e0a6

