Merge pull request #24 from AkihiroSuda/dev

Follow-up to `An initial support of Trivy plugin mode`
AkihiroSuda · Oct 23, 2024 · 358404e · 358404e
2 parents 0714827 + 6c678aa
commit 358404e
Show file tree

Hide file tree

Showing 5 changed files with 49 additions and 12 deletions.
diff --git a/README.md b/README.md
@@ -8,15 +8,25 @@ The following output formats are supported:
 - [OpenVEX](https://github.com/openvex)
 
 ## Installation
+Option 1: As a standalone program:
 ```bash
 go install github.com/AkihiroSuda/vexllm/cmd/vexllm@latest
 ```
 
+Option 2: As a Trivy [plugin](https://aquasecurity.github.io/trivy/latest/docs/plugin/):
+```bash
+trivy plugin install github.com/AkihiroSuda/vexllm
+alias vexllm="trivy vexllm"
+```
+
 ## Example
 ```bash
 # Set OpenAI API key
 export OPENAI_API_KEY=...
 
+# Specify OpenAI model
+export OPENAI_MODEL=gpt-4o-mini
+
 # Generate a report using Trivy
 trivy image python:3.12.4 --format=json --severity HIGH,CRITICAL >python.json
 
@@ -77,12 +87,12 @@ Other properties are duplicated from the original input.
 
 ## Configuration
 ### LLM backends
-VexLLM is tested with OpenAI GPT-3.5 Turbo and Anthropic Claude 3.5 Sonnet.
+VexLLM is tested with OpenAI GPT-4o mini and Anthropic Claude 3.5 Sonnet.
 
 The following env vars are recognized:
 - OpenAI
   - `OPENAI_API_KEY` (necessary)
-  - `OPENAI_MODEL`
+  - `OPENAI_MODEL`, e.g., `gpt-3.5-turbo` (default), `gpt-4o-mini` (recommended)
   - `OPENAI_BASE_URL`
   - `OPENAI_API_BASE`
   - `OPENAI_ORGANIZATION`
@@ -103,6 +113,7 @@ Usage:
 Examples:
   # Basic usage
   export OPENAI_API_KEY=...
+  export OPENAI_MODEL=gpt-4o-mini
 
   trivy image python:3.12.4 --format=json --severity HIGH,CRITICAL >python.json
 

diff --git a/cmd/vexllm/commands/generate/generate.go b/cmd/vexllm/commands/generate/generate.go
@@ -11,30 +11,38 @@ import (
 	"github.com/AkihiroSuda/vexllm/pkg/llm"
 	"github.com/AkihiroSuda/vexllm/pkg/llm/llmfactory" // FIXME: dependency monster
 	"github.com/AkihiroSuda/vexllm/pkg/outputhandler"
+	"github.com/AkihiroSuda/vexllm/pkg/trivypluginutil"
 	"github.com/AkihiroSuda/vexllm/pkg/trivytypes"
 	"github.com/spf13/cobra"
 )
 
-const Example = `  # Basic usage
+func Example() string {
+	exe := "vexllm"
+	if trivypluginutil.IsTrivyPluginMode() {
+		exe = "trivy " + exe
+	}
+	return fmt.Sprintf(`  # Basic usage
   export OPENAI_API_KEY=...
+  export OPENAI_MODEL=gpt-4o-mini
 
   trivy image python:3.12.4 --format=json --severity HIGH,CRITICAL >python.json
 
-  vexllm generate python.json .trivyignore \
+  %s generate python.json .trivyignore \
     --hint-not-server \
     --hint-compromise-on-availability \
     --hint-used-commands=python3 \
     --hint-unused-commands=git,wget,curl,apt,apt-get
 
   trivy convert --format=table python.json
-`
+`, exe)
+}
 
 func New() *cobra.Command {
 	cmd := &cobra.Command{
 		Use:                   "generate INPUT OUTPUT",
 		Short:                 "Generate VEX using LLM",
 		Long:                  "Generate Vulnerability-Exploitability eXchange (VEX) information using LLM, so as to silence negligible CVE alerts that are produced by Trivy.",
-		Example:               Example,
+		Example:               Example(),
 		Args:                  cobra.ExactArgs(2),
 		RunE:                  action,
 		DisableFlagsInUseLine: true,

diff --git a/cmd/vexllm/main.go b/cmd/vexllm/main.go
@@ -25,7 +25,7 @@ func newRootCommand() *cobra.Command {
 	cmd := &cobra.Command{
 		Use:           "vexllm",
 		Short:         "Silence negligible CVE alerts",
-		Example:       generate.Example,
+		Example:       generate.Example(),
 		Version:       version.GetVersion(),
 		Args:          cobra.NoArgs,
 		SilenceUsage:  true,

diff --git a/pkg/trivypluginutil/trivypluginutil.go b/pkg/trivypluginutil/trivypluginutil.go
@@ -0,0 +1,18 @@
+package trivypluginutil
+
+import (
+	"log/slog"
+	"os"
+	"strings"
+)
+
+// IsTrivyPluginMode returns whether the binary is being executed as a trivy plugin mode.
+// Not robust.
+func IsTrivyPluginMode() bool {
+	exe, err := os.Executable()
+	if err != nil {
+		slog.Error("failed to call os.Executable()", "error", err)
+		return false
+	}
+	return strings.Contains(exe, "/.trivy/plugins/vexllm")
+}
diff --git a/plugin.yaml b/plugin.yaml
@@ -1,6 +1,6 @@
 # Trivy plugin manifest <https://aquasecurity.github.io/trivy/v0.56/docs/plugin/developer-guide/>
 name: "vexllm"
-version: "0.1.0-beta.0"
+version: "0.1.0"
 repository: github.com/AkihiroSuda/vexllm
 maintainer: AkihiroSuda
 # TODO: support output mode
@@ -11,20 +11,20 @@ platforms:
   - selector:
       os: darwin
       arch: amd64
-    uri: https://github.com/AkihiroSuda/vexllm/releases/download/v0.1.0-beta.0/vexllm-v0.1.0-beta.0.darwin-amd64.tar.gz
+    uri: https://github.com/AkihiroSuda/vexllm/releases/download/v0.1.0/vexllm-v0.1.0.darwin-amd64.tar.gz
     bin: ./vexllm
   - selector:
       os: darwin
       arch: arm64
-    uri: https://github.com/AkihiroSuda/vexllm/releases/download/v0.1.0-beta.0/vexllm-v0.1.0-beta.0.darwin-arm64.tar.gz
+    uri: https://github.com/AkihiroSuda/vexllm/releases/download/v0.1.0/vexllm-v0.1.0.darwin-arm64.tar.gz
     bin: ./vexllm
   - selector:
       os: linux
       arch: amd64
-    uri: https://github.com/AkihiroSuda/vexllm/releases/download/v0.1.0-beta.0/vexllm-v0.1.0-beta.0.linux-amd64.tar.gz
+    uri: https://github.com/AkihiroSuda/vexllm/releases/download/v0.1.0/vexllm-v0.1.0.linux-amd64.tar.gz
     bin: ./vexllm
   - selector:
       os: linux
       arch: arm64
-    uri: https://github.com/AkihiroSuda/vexllm/releases/download/v0.1.0-beta.0/vexllm-v0.1.0-beta.0.linux-arm64.tar.gz
+    uri: https://github.com/AkihiroSuda/vexllm/releases/download/v0.1.0/vexllm-v0.1.0.linux-arm64.tar.gz
     bin: ./vexllm