This topic tells you how to use the Tanzu Insight CLI tanzu insight triage update command to create or update a vulnerability analysis.
Create or update a vulnerability impact analysis. For an impact analysis, you must target a specific OS or application package, a vulnerability, and an image or source belonging to a specific Artifact Group. This tool follows the CycloneDX VEX specification for impact analysis: it provides a flag for each of the CycloneDX VEX fields and accepts only the predefined values from that specification. The fields and their supported options are described below:
--state: Declares the current state of an occurrence of a vulnerability, after automated or manual analysis.
--justification: The rationale for why the impact analysis state was asserted.
Note: --justification is required when --state is set to not_affected.
--response: A response to the vulnerability by the manufacturer, supplier, or project responsible for the affected component or service. More than one response is allowed. Responses are strongly encouraged for vulnerabilities where the analysis state is exploitable.
Note: --response is highly encouraged when --state is set to exploitable; however, the CycloneDX specification does not require this.
Syntax:
tanzu insight triage update --cveid CVE-ID --pkg-name PKG-NAME --pkg-version PKG-VERSION --img-digest DIGEST --artifact-group-uid UID [--state STATE] [--justification JUSTIFICATION] [--response RESPONSE1, RESPONSE2] [--comment COMMENT] [flags]
The following section shows more examples:
insight triage update --cveid CVE-2022-5089 --pkg-name google.golang.org/protobuf --pkg-version 1.23.2 --img-digest sha256:192369123812 --artifact-group-uid AG-00001 --state false_positive
insight triage update --cveid CVE-2022-5089 --pkg-name google.golang.org/protobuf --pkg-version 1.23.2 --img-digest sha256:192369123812 --img-registry internal-hub.docker.io --artifact-group-uid AG-00001 --state not_affected --justification code_not_reachable --comment "The code can't be reached by external users"
insight triage update --cveid CVE-2020-1034 --pkg-name libssl --pkg-version 1.3.0-dev.35 --src-commit 5025112c8b1 --artifact-group-uid AG-00002
insight triage update --cveid CVE-2020-1034 --pkg-name libssl --pkg-version 1.3.0-dev.35 --src-commit 5025112c8b1 --artifact-group-uid AG-00002 --state exploitable --response will_not_fix,update
For more information, see the NIST website.
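The two constraints above (a justification is mandatory for not_affected, a response is expected for exploitable) are easy to get wrong when the command is scripted. The following POSIX sh helper is an added example, not part of the Tanzu Insight documentation or CLI: it validates the VEX-related flags before the command is run and prints the flag string to append to tanzu insight triage update. The allowed value lists are the predefined enumerations from the CycloneDX VEX specification; that the CLI accepts exactly this set, and the hypothetical function names (in_list, triage_args), are assumptions of the example.

```shell
#!/bin/sh
# Added example: validate CycloneDX VEX fields for `tanzu insight triage update`.
# Value lists are the CycloneDX VEX predefined enumerations (assumption: the CLI
# accepts exactly these values, per the docs' "predefined values only" statement).
VEX_STATES="resolved resolved_with_pedigree exploitable in_triage false_positive not_affected"
VEX_JUSTIFICATIONS="code_not_present code_not_reachable requires_configuration requires_dependency requires_environment protected_by_compiler protected_at_runtime protected_at_perimeter protected_by_mitigating_control"
VEX_RESPONSES="can_not_fix will_not_fix update rollback workaround_available"

# in_list WORD LIST -> exit 0 when WORD is one of the space-separated words in LIST
in_list() {
  for w in $2; do
    [ "$w" = "$1" ] && return 0
  done
  return 1
}

# triage_args [STATE] [JUSTIFICATION] [RESPONSES]
#   RESPONSES is comma-separated, e.g. "will_not_fix,update".
# Prints "--state ... [--justification ...] [--response ...]" on success;
# prints the violated rule to stderr and returns 1 on an invalid combination.
triage_args() {
  state=${1:-in_triage}   # the CLI's documented default
  just=$2
  resp=$3

  in_list "$state" "$VEX_STATES" || { echo "invalid --state: $state" >&2; return 1; }

  # Rule from the docs: not_affected must carry a justification.
  if [ "$state" = not_affected ] && [ -z "$just" ]; then
    echo "--justification is required when --state is not_affected" >&2
    return 1
  fi
  if [ -n "$just" ] && ! in_list "$just" "$VEX_JUSTIFICATIONS"; then
    echo "invalid --justification: $just" >&2
    return 1
  fi

  # Rule from the docs: exploitable should carry a response (warn, do not fail).
  if [ "$state" = exploitable ] && [ -z "$resp" ]; then
    echo "warning: --response is encouraged when --state is exploitable" >&2
  fi
  if [ -n "$resp" ]; then
    for r in $(printf '%s' "$resp" | tr ',' ' '); do
      in_list "$r" "$VEX_RESPONSES" || { echo "invalid --response: $r" >&2; return 1; }
    done
  fi

  out="--state $state"
  [ -n "$just" ] && out="$out --justification $just"
  [ -n "$resp" ] && out="$out --response $resp"
  printf '%s\n' "$out"
}

# Usage (requires the tanzu CLI; the target values below are the ones from the
# examples above, and the unquoted substitution is intended so the flags split):
# tanzu insight triage update --cveid CVE-2020-1034 --pkg-name libssl \
#   --pkg-version 1.3.0-dev.35 --src-commit 5025112c8b1 --artifact-group-uid AG-00002 \
#   $(triage_args exploitable "" will_not_fix,update)
```

Because the helper only prints the flag string, it can be dropped into a pipeline that runs the CLI with --yes without risking an update that the CycloneDX rules would reject; a failed validation returns non-zero, so set -e in the calling script stops before the triage record is written.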
The following section shows options:
-a, --artifact-group-uid string Artifact group uid
-t, --comment string Analysis comment
-v, --cveid string CVE id
-h, --help help for update
-d, --img-digest string Image digest
--img-registry string Image registry
-j, --justification string Analysis justification
-n, --pkg-name string Package name
-p, --pkg-version string Package version
-r, --response strings Analysis response
-c, --src-commit string Source commit
--src-org string Source organization
--src-repo string Source repository
-s, --state string Analysis state (default "in_triage")
-y, --yes Force update
The following section shows options inherited from parent commands:
--output-format string specify the response's format, options=[text, api-json] (default "text")