Additional pkgPath column in HTML template

[JanMosigItemis]

Description

Hello everyone,

I'd like to suggest a minor addendum to the HTML template which makes the life of me and my colleagues easier.

When a vulnerability has been found, I find it helpful if the report was to contain the name of the artifact that contains the vulnerability. E. g. if a vulnerability has been found inside a Java dependency - which is usually a jar file - it makes things much more easier to debug if the report would contain the jar's name.

I am already using this "feature" in my daily work. I have a fully functional example available and could easily provide a PR if you don't mind.

Target

Container Image

Scanner

Vulnerability

[DmitriyLewen]

Hello @JanMosigItemis

I'm worried about long file paths. They can make the HTML table unreadable.
Can you send some examples?

Regards, Dmitriy

[DmitriyLewen]

hm... thanks, for example.

I am not sure if 2 fields without length limit is good.
Perhaps we can add character limit:
if path length is greater than limit => use only filename
else => use file path.

[JanMosigItemis]

Well how about doing this in the CSS then:

table, th, td {
        border: 1px solid black;
        border-collapse: collapse;
        word-break: break-all;
        padding: .3em;
      }

Will result in

[DmitriyLewen]

Looks better!
But can we do this only for new column?
The package name or table headers don't look very good in a few lines.

[JanMosigItemis]

Well I guess we could, but it would look like this:

Notice how there are no line breaks in the Links column which causes horizontal scrolling.

How about applying the line breaks to non header cells only, like this:

[DmitriyLewen]

@JanMosigItemis Thanks a lot for your examples!

Hm...
It seems first option (horizontal scrollbar) was best:
User can scroll to links (if needed), but there are no big cells with single number (like fixed version).

@knqyf263 wdyt?

[fatihtokus]

Hi @JanMosigItemis ,

I have a trivy plugin(https://github.com/fatihtokus/scan2html) that creates a well-formated filterable/sortable html report for any scan result of trivy. The usage is very simple and I guess it does what you are looking for, please have a look:

Install the plugin: $ trivy plugin install github.com/fatihtokus/scan2html
$ trivy scan2html k8s --report=all cluster result.html

Regards!

[JanMosigItemis]

Community plugin is better than nothing. Anyway, I'd be happy to enhance the html template nevertheless.

[fatihtokus]

I think trivy has a strong mechanism that allows the community to extend it by introducing new plugins. So I would suggest using/extending/contributing trivy plugins as well. Do not forget scan2html is opensource like trivy!

@DmitriyLewen adding this plugin to the ecosystem is a very good idea, shall I create a pr for that?

Regards,
Fatih

[DmitriyLewen]

@knqyf263 Can you take part in this discussion?
What do you think about changes for html template and the addition of plugin created by @fatihtokus to docs in ecosystem section?

[itaysk]

Hi there, we are not really maintaining additional output formats in Trivy anymore (except the basic ones) as this tends to be very subjective and customizable topic. The solution will be to use template or a plugin like @fatihtokus suggested. We also have plans to make "output plugins" which will make discovering and using such custom formatters easier #4860

[knqyf263]

@DmitriyLewen Sorry I missed the discussion.

@DmitriyLewen adding this plugin to the ecosystem is a very good idea, shall I create a pr for that?

@fatihtokus Yes, please!