
Trivy output mismatch between SARIF and non formatted/JSON for license scanning #4862

Closed
2 tasks done
nikpivkin opened this issue Jul 24, 2023 Discussed in #4836 · 2 comments · Fixed by #4866
Labels
kind/feature Categorizes issue or PR as related to a new feature. scan/license Issues relating to license scanning

Comments

@nikpivkin
Contributor

Discussed in #4836

Originally posted by RonShvarz July 18, 2023

Description

I am scanning for licenses on the example from your documentation here:
https://aquasecurity.github.io/trivy/v0.36/docs/licenses/scanning/
and I am getting mismatched outputs between formats.

Desired Behavior

I am scanning with the updated flags,

$ trivy image --scanners license --license-full --severity UNKNOWN,HIGH,CRITICAL alpine:3.15

produces:

[screenshot attached in the original issue; not reproduced here]

Actual Behavior

When running:

trivy image --scanners license --license-full --severity UNKNOWN,HIGH,CRITICAL alpine:3.15 --format sarif --output image_license.sarif

the result is an empty file:

{
  "version": "2.1.0",
  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
  "runs": [
    {
      "tool": {
        "driver": {
          "fullName": "Trivy Vulnerability Scanner",
          "informationUri": "https://github.com/aquasecurity/trivy",
          "name": "Trivy",
          "rules": [],
          "version": "0.43.0"
        }
      },
      "results": [],
      "columnKind": "utf16CodeUnits",
      "originalUriBaseIds": {
        "ROOTPATH": {
          "uri": "file:///"
        }
      },
      "properties": {
        "imageName": "alpine:3.15",
        "repoDigests": [
          "alpine@sha256:3362f865019db5f14ac5154cb0db2c3741ad1cce0416045be422ad4de441b081"
        ],
        "repoTags": [
          "alpine:3.15"
        ]
      }
    }
  ]
}

Reproduction Steps

1. $ trivy image --scanners license --license-full --severity UNKNOWN,HIGH,CRITICAL alpine:3.15
2. view results
3. trivy image --scanners license --license-full --severity UNKNOWN,HIGH,CRITICAL alpine:3.15 --format sarif --output image_license.sarif
4. cat image_license.sarif
5. Compare results.
...

Target

Container Image

Scanner

License

Output Format

SARIF

Mode

Standalone

Debug Output

2023-07-18T08:25:54.918+0300	DEBUG	Sarif format automatically enables '--list-all-pkgs' to get locations
2023-07-18T08:25:54.918+0300	DEBUG	Severities: ["UNKNOWN" "HIGH" "CRITICAL"]
2023-07-18T08:25:54.920+0300	DEBUG	cache dir:  /home/ronshv/.cache/trivy
2023-07-18T08:25:54.920+0300	INFO	Full license scanning is enabled
2023-07-18T08:25:56.569+0300	DEBUG	Image ID: sha256:029bed813f07be84fae0344cbf8076ced5ea3c929d5f064ba617ac7d8c610a4b
2023-07-18T08:25:56.569+0300	DEBUG	Diff IDs: [sha256:579bc0f2bef2b2a8b9e33055679857993dd2a4bd8a06633bf0f9c9e9eb15dfd3]
2023-07-18T08:25:56.569+0300	DEBUG	Base Layers: []

Operating System

ubuntu 20.04

Version

Version: 0.43.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-07-11 12:10:03.782496624 +0000 UTC
  NextUpdate: 2023-07-11 18:10:03.782495924 +0000 UTC
  DownloadedAt: 2023-07-11 12:37:18.699315299 +0000 UTC

Checklist

@nikpivkin nikpivkin added the kind/bug Categorizes issue or PR as related to a bug. label Jul 24, 2023
@nikpivkin nikpivkin self-assigned this Jul 24, 2023
@knqyf263 knqyf263 added the scan/license Issues relating to license scanning label Jul 24, 2023
@knqyf263 knqyf263 added this to the v0.44.0 milestone Jul 24, 2023
@knqyf263 knqyf263 added kind/feature Categorizes issue or PR as related to a new feature. and removed kind/bug Categorizes issue or PR as related to a bug. labels Jul 24, 2023
@knqyf263
Collaborator

It is not a bug. Trivy doesn't support license findings in SARIF as documented here.
https://aquasecurity.github.io/trivy/v0.43/docs/configuration/reporting/#sarif
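Because the SARIF report in this version carries no license findings while the JSON report does, a pipeline that consumes only the SARIF file would pass silently. The following check is an added example, not code from the issue or from the Trivy project: it parses a SARIF 2.1.0 document and a Trivy JSON report for the same scan and fails when the JSON side has license findings that the SARIF side lacks. Both inputs are constructed inline; the SARIF shape mirrors the empty report above, and the JSON field names (`Results[].Class`, `Results[].Licenses[]`, `Severity`, `PkgName`, `Name`) are assumed to match Trivy's JSON output, with the package and license values made up for the example.

```python
import json

# Constructed SARIF sample, modelled on the empty report in this issue.
SAMPLE_SARIF = """{
  "version": "2.1.0",
  "runs": [
    {
      "tool": {"driver": {"name": "Trivy", "rules": []}},
      "results": [],
      "properties": {"imageName": "alpine:3.15"}
    }
  ]
}"""

# Constructed Trivy JSON sample for the same scan. The field names are an
# assumption about Trivy's JSON license schema; package and license values
# are made up for this example.
SAMPLE_JSON = """{
  "ArtifactName": "alpine:3.15",
  "Results": [
    {
      "Target": "OS Packages",
      "Class": "license",
      "Licenses": [
        {"Severity": "HIGH", "PkgName": "example-pkg", "Name": "GPL-3.0"},
        {"Severity": "UNKNOWN", "PkgName": "other-pkg", "Name": "Custom-License"}
      ]
    }
  ]
}"""


def count_sarif_results(sarif_text):
    """Number of result entries across all runs in a SARIF 2.1.0 document."""
    doc = json.loads(sarif_text)
    return sum(len(run.get("results", [])) for run in doc.get("runs", []))


def count_json_license_findings(json_text, severities=None):
    """Number of license findings in a Trivy JSON report.

    Only results with Class == "license" are counted; when `severities` is
    given, findings outside that set are ignored, mirroring --severity.
    """
    doc = json.loads(json_text)
    total = 0
    for result in doc.get("Results", []):
        if result.get("Class") != "license":
            continue
        for finding in result.get("Licenses", []):
            if severities is None or finding.get("Severity") in severities:
                total += 1
    return total


def check_sarif_consistency(sarif_text, json_text, severities=None):
    """Compare both reports and return (ok, message).

    ok is False whenever the counts differ. The message singles out the case
    from this issue: findings in JSON but an empty SARIF results array, which
    a SARIF-only consumer would read as a clean scan.
    """
    sarif_n = count_sarif_results(sarif_text)
    json_n = count_json_license_findings(json_text, severities)
    if json_n > 0 and sarif_n == 0:
        return False, (f"JSON report has {json_n} license finding(s) but SARIF "
                       f"has 0 results; SARIF output would hide them")
    if sarif_n != json_n:
        return False, f"counts differ: SARIF {sarif_n}, JSON {json_n}"
    return True, f"consistent: {sarif_n} finding(s) in both reports"


if __name__ == "__main__":
    ok, msg = check_sarif_consistency(
        SAMPLE_SARIF, SAMPLE_JSON, {"UNKNOWN", "HIGH", "CRITICAL"})
    print(("OK" if ok else "FAIL") + ": " + msg)
```

In a CI job this would run after producing both `--format json` and `--format sarif` outputs from the same invocation, so that the SARIF upload step cannot report a clean scan while the JSON report lists license findings.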

@erzz

erzz commented Aug 4, 2023

@knqyf263 @nikpivkin Thanks for the PR on this issue - eagerly awaiting merge and implementation in the action too 🙏🏻
