Trivy output mismatch between SARIF and non formatted/JSON for license scanning

[RonShvarz]

Description

I am scanning for licenses on the example from your documentation here :
https://aquasecurity.github.io/trivy/v0.36/docs/licenses/scanning/
and i am getting mismatched outputs between formats

Desired Behavior

I am scanning with the updated flags,

$ trivy image --scanners license --license-full --severity UNKNOWN,HIGH,CRITICAL alpine:3.15

produces -

Actual Behavior

when running :

trivy image --scanners license --license-full --severity UNKNOWN,HIGH,CRITICAL alpine:3.15 --format sarif --output image_license.sarif

the result is an empty file :

{
  "version": "2.1.0",
  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
  "runs": [
    {
      "tool": {
        "driver": {
          "fullName": "Trivy Vulnerability Scanner",
          "informationUri": "https://github.com/aquasecurity/trivy",
          "name": "Trivy",
          "rules": [],
          "version": "0.43.0"
        }
      },
      "results": [],
      "columnKind": "utf16CodeUnits",
      "originalUriBaseIds": {
        "ROOTPATH": {
          "uri": "file:///"
        }
      },
      "properties": {
        "imageName": "alpine:3.15",
        "repoDigests": [
          "alpine@sha256:3362f865019db5f14ac5154cb0db2c3741ad1cce0416045be422ad4de441b081"
        ],
        "repoTags": [
          "alpine:3.15"
        ]
      }
    }
  ]
}

Reproduction Steps

1. $trivy image --scanners license --license-full --severity UNKNOWN,HIGH,CRITICAL alpine:3.15
2. view results
3. trivy image --scanners license --license-full --severity UNKNOWN,HIGH,CRITICAL alpine:3.15 --format sarif --output image_license.sarif
4. cat image_license.sarif
5. Compare results.
...

Target

Container Image

Scanner

License

Output Format

SARIF

Mode

Standalone

Debug Output

2023-07-18T08:25:54.918+0300	DEBUG	Sarif format automatically enables '--list-all-pkgs' to get locations
2023-07-18T08:25:54.918+0300	DEBUG	Severities: ["UNKNOWN" "HIGH" "CRITICAL"]
2023-07-18T08:25:54.920+0300	DEBUG	cache dir:  /home/ronshv/.cache/trivy
2023-07-18T08:25:54.920+0300	INFO	Full license scanning is enabled
2023-07-18T08:25:56.569+0300	DEBUG	Image ID: sha256:029bed813f07be84fae0344cbf8076ced5ea3c929d5f064ba617ac7d8c610a4b
2023-07-18T08:25:56.569+0300	DEBUG	Diff IDs: [sha256:579bc0f2bef2b2a8b9e33055679857993dd2a4bd8a06633bf0f9c9e9eb15dfd3]
2023-07-18T08:25:56.569+0300	DEBUG	Base Layers: []

Operating System

ubuntu 20.04

Version

Version: 0.43.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-07-11 12:10:03.782496624 +0000 UTC
  NextUpdate: 2023-07-11 18:10:03.782495924 +0000 UTC
  DownloadedAt: 2023-07-11 12:37:18.699315299 +0000 UTC

Checklist

• Run trivy image --reset
• Read the troubleshooting

[RonShvarz]

Any chance anyone can take a look at the issue ? I can't use trivy as long as this discrepancy is present..

[nikpivkin]

Hi @RonShvarz Thank you for your report!
At the moment, Trivy does not include licenses in SARIF format reports. I've created an issue to track it.

[RonShvarz]

I see, is there an alternative way to use license scanning in integration with Github Security Tab?

[knqyf263]

As documented here, secret findings are not supported in SARIF now.
https://aquasecurity.github.io/trivy/v0.43/docs/configuration/reporting/#sarif