Trivy Image: Displaying Exact Paths for Identified Vulnerabilities

[michaelact]

Description

When scanning with trivy fs, I found the results target have the exact path of where the vulnerability found.

For example:

$ trivy fs -f json . | grep '"Target"'
2023-11-16T11:06:53.787+0700    INFO    Vulnerability scanning is enabled
2023-11-16T11:06:53.787+0700    INFO    Secret scanning is enabled
2023-11-16T11:06:53.787+0700    INFO    If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2023-11-16T11:06:53.787+0700    INFO    Please see also https://aquasecurity.github.io/trivy/v0.35/docs/secret/scanning/#recommendation for faster secret detection
2023-11-16T11:06:58.628+0700    INFO    Number of language-specific files: 10
2023-11-16T11:06:58.628+0700    INFO    Detecting gomod vulnerabilities...
2023-11-16T11:06:58.629+0700    INFO    Detecting pip vulnerabilities...
2023-11-16T11:06:58.629+0700    INFO    Detecting bundler vulnerabilities...
      "Target": ".ci/magician/go.mod",
      "Target": "mmv1/Gemfile.lock",
      "Target": "mmv1/third_party/terraform/services/appengine/test-fixtures/hello-world-flask/requirements.txt",
      "Target": "tools/diff-processor/go.mod",
      "Target": "tools/go-changelog/go.mod",
      "Target": "tools/missing-test-detector/go.mod",
      "Target": "tpgtools/go.mod",

I wonder if we could make this also supported in trivy image command. In my experience of using Trivy, I confused where the vulnerability was found, it only shows like Node Package, Python Package, etc. For example #4705 , at first I thought this was coming from my NodeJS application, however it was coming from /usr/local/lib/node_modules/npm/node_modules/semver/package.json (my guess).

Target

Container Image

Scanner

Vulnerability