json output for lock files and Dockerfiles does not include line numbers #4394

tbutler-qontigo · 2023-05-15T12:40:25Z

tbutler-qontigo
May 15, 2023

Description

Cloning your example repo, https://github.com/knqyf263/trivy-ci-test.git, if I output results in JSON format then the issues do not include start/end lines but if I output the results in SARIF format then they do.

e.g. JSON

{
  "Type": "Dockerfile Security Check",
  "ID": "DS026",
  "AVDID": "AVD-DS-0026",
  "Title": "No HEALTHCHECK defined",
  "Description": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.",
  "Message": "Add HEALTHCHECK instruction in your Dockerfile",
  "Namespace": "builtin.dockerfile.DS026",
  "Query": "data.builtin.dockerfile.DS026.deny",
  "Resolution": "Add HEALTHCHECK instruction in Dockerfile",
  "Severity": "LOW",
  "PrimaryURL": "https://avd.aquasec.com/misconfig/ds026",
  "References": [
    "https://blog.aquasec.com/docker-security-best-practices",
    "https://avd.aquasec.com/misconfig/ds026"
  ],
  "Status": "FAIL",
  "Layer": {},
  "CauseMetadata": {
    "Provider": "Dockerfile",
    "Service": "general",
    "Code": {
      "Lines": null
    }
  }
}

vs SARIF:

{
  "ruleId": "DS026",
  "ruleIndex": 39,
  "level": "note",
  "message": {
    "text": "Artifact: Dockerfile\nType: dockerfile\nVulnerability DS026\nSeverity: LOW\nMessage: Add HEALTHCHECK instruction in your Dockerfile\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)"
  },
  "locations": [
    {
      "physicalLocation": {
        "artifactLocation": {
          "uri": "Dockerfile",
          "uriBaseId": "ROOTPATH"
        },
        "region": {
          "startLine": 1,
          "startColumn": 1,
          "endLine": 1,
          "endColumn": 1
        }
      },
      "message": {
        "text": "Dockerfile"
      }
    }
  ]
}

Desired Behavior

Both JSON format and SARIF format include the start/end line and start/end column information where available.

It works for Misconfigurations but vulnerabilities, at least for lock files, do not include this information when in JSON format.

Actual Behavior

No start/end line information is included in the output - see the example above

Reproduction Steps

1. git clone https://github.com/knqyf263/trivy-ci-test.git
2. cd trivy-ci-test
3. trivy fs --scanners config,secret,vuln --format=json  .
4. trivy fs --scanners config,secret,vuln --format=sarif  .

Observe that the json output does not include line numbers but the sarif output does

Target

Filesystem

Scanner

Vulnerability

Output Format

JSON

Mode

Standalone

Debug Output

2023-05-15T13:39:02.120+0100    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-05-15T13:39:02.125+0100    DEBUG   cache dir:  C:\Users\tbutler\AppData\Local\trivy
2023-05-15T13:39:02.126+0100    DEBUG   DB update was skipped because the local DB was downloaded during the last hour
2023-05-15T13:39:02.127+0100    DEBUG   DB Schema: 2, UpdatedAt: 2023-05-15 06:07:23.960525707 +0000 UTC, NextUpdate: 2023-05-15 12:07:23.960525307 +0000 UTC, DownloadedAt: 2023-05-15 12:07:38.3956906 +0000 UTC
2023-05-15T13:39:02.127+0100    INFO    Vulnerability scanning is enabled
2023-05-15T13:39:02.127+0100    DEBUG   Vulnerability type:  [os library]
2023-05-15T13:39:02.127+0100    INFO    Misconfiguration scanning is enabled
2023-05-15T13:39:02.128+0100    DEBUG   Policies successfully loaded from disk
2023-05-15T13:39:02.128+0100    INFO    Secret scanning is enabled
2023-05-15T13:39:02.128+0100    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-05-15T13:39:02.128+0100    INFO    Please see also https://aquasecurity.github.io/trivy/v0.41/docs/secret/scanning/#recommendation for faster secret detection
2023-05-15T13:39:02.128+0100    DEBUG   No secret config detected: trivy-secret.yaml
2023-05-15T13:39:02.179+0100    DEBUG   Walk the file tree rooted at '.' in parallel
2023-05-15T13:39:02.226+0100    DEBUG   Scanning Dockerfile files for misconfigurations...
2023-05-15T13:39:02.578+0100    DEBUG   Cargo: Cargo.toml not found
2023-05-15T13:39:02.631+0100    DEBUG   OS is not detected.
2023-05-15T13:39:02.631+0100    DEBUG   Detected OS: unknown
2023-05-15T13:39:02.631+0100    INFO    Number of language-specific files: 2
2023-05-15T13:39:02.631+0100    INFO    Detecting cargo vulnerabilities...
2023-05-15T13:39:02.631+0100    DEBUG   Detecting library vulnerabilities, type: cargo, path: Cargo.lock
2023-05-15T13:39:02.632+0100    INFO    Detecting pipenv vulnerabilities...
2023-05-15T13:39:02.632+0100    DEBUG   Detecting library vulnerabilities, type: pipenv, path: Pipfile.lock
2023-05-15T13:39:02.639+0100    INFO    Detected config files: 1
2023-05-15T13:39:02.639+0100    DEBUG   Scanned config file: Dockerfile

Operating System

Windows 10

Version

Version: 0.41.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-05-15 06:07:23.960525707 +0000 UTC
  NextUpdate: 2023-05-15 12:07:23.960525307 +0000 UTC
  DownloadedAt: 2023-05-15 12:07:38.3956906 +0000 UTC
Policy Bundle:
  Digest: sha256:97988c6fc189faa28aa7fc2fc93fb2605c46d2f6ae4092a70e03697ba1d6e620
  DownloadedAt: 2023-05-15 09:36:11.7876044 +0000 UTC

Checklist

Run trivy --reset
Read the troubleshooting

knqyf263 · 2023-05-16T02:34:48Z

knqyf263
May 16, 2023
Maintainer

It is not a lock file, but Dockerfile, right?

13 replies

tbutler-qontigo May 17, 2023
Author

@DmitriyLewen @knqyf263 Neither dependencies in lock files nor issues in Dockerfiles show line numbers when using json format but do when using sarif format - that is the issue.
Adding --list-all-pkgs does output them for lock files but obviously you get a ton of unwanted packages then too

knqyf263 May 17, 2023
Maintainer

@DmitriyLewen yes

@tbutler-qontigo Please see the above comment. Some checks don't have line numbers.

tbutler-qontigo May 17, 2023
Author

@knqyf263 agreed, but in all cases where they have line numbers in a sarif report, they should have line numbers in a json report right?

knqyf263 May 17, 2023
Maintainer

AFAIR, SARIF doesn't allow empty line numbers, so we just put dummy values to SARIF. The empty value is technically correct. I think we can leave JSON as is.

tbutler-qontigo May 17, 2023
Author

Let me rephrase then "in all cases where there is a valid line number available, as it appears in a SARIF report or when --list-all-pkgs is specified, it should be present in the standard json report"
thanks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

json output for lock files and Dockerfiles does not include line numbers #4394

{{title}}

Replies: 1 comment 13 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

json output for lock files and Dockerfiles does not include line numbers #4394

tbutler-qontigo May 15, 2023

Description

Desired Behavior

Actual Behavior

Reproduction Steps

Target

Scanner

Output Format

Mode

Debug Output

Operating System

Version

Checklist

Replies: 1 comment · 13 replies

knqyf263 May 16, 2023 Maintainer

tbutler-qontigo May 17, 2023 Author

knqyf263 May 17, 2023 Maintainer

tbutler-qontigo May 17, 2023 Author

knqyf263 May 17, 2023 Maintainer

tbutler-qontigo May 17, 2023 Author

tbutler-qontigo
May 15, 2023

Replies: 1 comment 13 replies

knqyf263
May 16, 2023
Maintainer

tbutler-qontigo May 17, 2023
Author

knqyf263 May 17, 2023
Maintainer

tbutler-qontigo May 17, 2023
Author

knqyf263 May 17, 2023
Maintainer

tbutler-qontigo May 17, 2023
Author