DevOps: Investigate and implement a way to filter findings

Description

Investigate methods to categorize and filter the findings generated by Trivy. This may involve:

  1. Filter by severity (e.g., critical, high, medium & low).

  2. Group findings by type (OS, dependencies, OpenNMS).

Acceptance / Success Criteria

None

Activity

Tahir Abbasi October 15, 2024 at 12:55 PM
Edited

For your kind review.

We have installed Trivy on a local machine and are currently running a Trivy scan of the file system on the OpenNMS develop branch; we also ran a Trivy scan of the Horizon Docker image "opennms/horizon:33.0.9". In this way we can run a scan on a container image, filesystem or repository.

Filtering Findings:
Trivy provides various options to filter findings directly from the command line.

  • To filter results by severity (CRITICAL, HIGH, MEDIUM and LOW) we can use the --severity flag; to ignore unpatched/unfixed vulnerabilities use the --ignore-unfixed flag; and to output results in different formats (e.g. table, JSON, template) use the --format flag.

  • To filter findings by type (OS, dependencies) we can use the --vuln-type option to specify "os" and "library".

Distinguish and Group findings:

  • To group findings by type (OS, dependencies/library), use the --vuln-type option to specify "os" and "library", storing the results in a JSON file.

In this way, it is found that if the JSON file contains "Class": "lang-pkgs" under the Results section, it means that the vulnerability is related to application libraries or packages. Conversely, if "Class": "os-pkgs" is present, it indicates that the vulnerability is related to the operating system.

To further analyze the report.json file generated by Trivy, we filter the findings based on severity and package type, and then print the data in table format using a Python script. The script groups the findings by package and severity and prints them as a table.

Here are the Trivy scan commands, scanning a specific folder such as "opennms-base-assembly" for testing purposes.

  • trivy fs --severity CRITICAL,HIGH --scanners vuln --format json --output report.json --ignore-unfixed --pkg-types os,library opennms/opennms-base-assembly

  • trivy fs --severity MEDIUM,LOW --scanners vuln --format json --output report.json --ignore-unfixed --pkg-types os,library opennms/opennms-base-assembly

Here are the commands to run the Trivy scan for the Horizon Docker image "opennms/horizon:33.0.9". It'll display whether the vulnerability is due to an OS package or a library package, and it also displays the path.

  • trivy image --severity HIGH,CRITICAL --vuln-type os,library --format json --output horizon33-report.json opennms/horizon:33.0.9

  • trivy image --severity MEDIUM,LOW --vuln-type os,library --format json --output horizon33-report.json opennms/horizon:33.0.9

Note: By default, the output is displayed in table format. However, if we include the options "--format json --output report.json", it generates the output in JSON format.

Another way to group findings: using the jq command-line tool to process JSON data

After generating the horizon33-report.json file using the above-mentioned Trivy commands, we can use jq to filter and group the findings.

To group OS vulnerabilities, run:

  • jq '.Results[] | select(.Class == "os-pkgs") | {Target: .Target, Vulnerabilities: .Vulnerabilities}' horizon33-report.json

For dependency vulnerabilities, use:

  • jq '.Results[] | select(.Class == "lang-pkgs") | {Target: .Target, Vulnerabilities: .Vulnerabilities}' horizon33-report.json

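The comment above describes a Python script that groups Trivy's JSON findings by package and severity and prints a table. The block below is an added illustration of that approach, not the script from the ticket; the embedded report is a constructed sample in Trivy's JSON layout (Results[] with Class, Target and Vulnerabilities), and the CVE IDs and package names in it are placeholders.

```python
# Added example: group Trivy JSON findings by Class (os-pkgs / lang-pkgs),
# severity and package, then render a plain-text table. Not the ticket's script.
import json
from collections import Counter

SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"]

# Constructed sample report (placeholder IDs and packages), same shape as `trivy ... --format json`.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {"Target": "opennms/horizon:33.0.9 (ubuntu 22.04)", "Class": "os-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libssl3", "Severity": "MEDIUM"},
         ]},
        {"Target": "opt/opennms/lib/example.jar", "Class": "lang-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "com.example:lib", "Severity": "CRITICAL"},
         ]},
        # A clean target has no "Vulnerabilities" key at all; the loop below tolerates that.
        {"Target": "opt/opennms/lib/clean.jar", "Class": "lang-pkgs"},
    ]
})


def group_findings(report_json, severities=None):
    """Return Counter keyed by (class, severity, package); optionally keep only the given severities."""
    report = json.loads(report_json)
    wanted = {s.upper() for s in severities} if severities else None
    counts = Counter()
    for result in report.get("Results", []):
        pkg_class = result.get("Class", "unknown")
        for vuln in result.get("Vulnerabilities") or []:
            sev = vuln.get("Severity", "UNKNOWN").upper()
            if wanted and sev not in wanted:
                continue
            counts[(pkg_class, sev, vuln.get("PkgName", "?"))] += 1
    return counts


def format_table(counts):
    """Render the grouped counts as a fixed-width table, ordered by class then severity."""
    def sort_key(item):
        cls, sev, pkg = item[0]
        rank = SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else len(SEVERITY_ORDER)
        return (cls, rank, pkg)
    lines = [f"{'CLASS':<10} {'SEVERITY':<9} {'PACKAGE':<24} COUNT"]
    for (cls, sev, pkg), n in sorted(counts.items(), key=sort_key):
        lines.append(f"{cls:<10} {sev:<9} {pkg:<24} {n}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Same filter as the first scan command: only CRITICAL and HIGH findings.
    print(format_table(group_findings(SAMPLE_REPORT, ["CRITICAL", "HIGH"])))
```

Replace SAMPLE_REPORT with the contents of report.json or horizon33-report.json to run it against a real scan.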
Done

Created October 2, 2024 at 11:34 AM
Updated December 10, 2024 at 1:32 PM
Resolved November 19, 2024 at 2:43 PM