
Report is not empty even if there are no findings: Part 2 #7147

Closed
1 of 2 tasks
DmitriyLewen opened this issue Jul 11, 2024 Discussed in #7134 · 0 comments · Fixed by #7171
kind/bug Categorizes issue or PR as related to a bug. scan/license Issues relating to license scanning
Comments

@DmitriyLewen
Contributor

Discussed in #7134

Originally posted by AntonKarasov July 9, 2024

Description

Hello,

I've already reported such a bug there: #6351, but it is still reproducing for versions 0.52.0 and 0.53.0.
I've noticed that the trivy report/output is not empty even if there are no findings when some particular findings are in place in .trivyignore.yaml.
The previous version did not have such behavior, as expected.
Our CI/CD relies on this report; if something exists within the report, CI proceeds with different logic.

It reproduces for vuln and license scanners.

Desired Behavior

Completely empty report:

./trivy --version
2024-03-19T15:10:56.700+0100 INFO Loaded trivy.yaml
Version: 0.49.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-03-19 12:11:32.850008953 +0000 UTC
  NextUpdate: 2024-03-19 18:11:32.850008412 +0000 UTC
  DownloadedAt: 2024-03-19 13:37:47.401184 +0000 UTC
Policy Bundle:
  Digest: sha256:cdff1bc8c97e4f5cd04782b057c00f5ea8cd81147a506ac4be76bef13710f2d3
  DownloadedAt: 2024-03-14 12:20:41.064572 +0000 UTC

./trivy fs -q --scanners vuln .
2024-03-19T15:11:01.736+0100 INFO Loaded trivy.yaml

Actual Behavior

trivy --version
2024/07/09 17:20:39 INFO Loaded file_path=trivy.yaml
Version: 0.52.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-05-15 06:11:26.28841171 +0000 UTC
  NextUpdate: 2024-05-15 12:11:26.28841142 +0000 UTC
  DownloadedAt: 2024-05-15 11:26:24.448386 +0000 UTC
Check Bundle:
  Digest: sha256:6d0771effa53c6cf8130861fc3ac28f5515c35a028edb4bb1e67261b9218c80e
  DownloadedAt: 2024-05-17 14:18:27.189189 +0000 UTC

trivy fs --scanners license --severity UNKNOWN,HIGH,CRITICAL,MEDIUM .
2024/07/09 17:20:30 INFO Loaded file_path=trivy.yaml
2024-07-09T17:20:30+02:00 INFO License scanning is enabled
2024-07-09T17:20:31+02:00 INFO Suppressing dependencies for development and testing. To display them, try the '--include-dev-deps' flag.

package-lock.json (license)

Total: 0 (UNKNOWN: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

┌─────────┬─────────┬────────────────┬──────────┐
│ Package │ License │ Classification │ Severity │
└─────────┴─────────┴────────────────┴──────────┘

Reproduction Steps

1. Install the latest trivy version (v0.53.0 or 0.52.0)
2. Scan some package.json with findings
3. Add those findings to the .trivyignore.yaml
4. Scan it one more time
5. Observe a non-empty report
6. Repeat the previous steps with an earlier trivy version (v0.49.0 for example)
7. Observe an empty report

Target

Filesystem

Scanner

License

Output Format

Table

Mode

Standalone

Debug Output

trivy fs --scanners license --debug --severity UNKNOWN,HIGH,CRITICAL,MEDIUM .
2024/07/09 17:25:49 INFO Loaded file_path=trivy.yaml
2024-07-09T17:25:49+02:00       DEBUG   Cache dir       dir="/Users/anton.karasov/Library/Caches/trivy"
2024-07-09T17:25:49+02:00       DEBUG   Parsed severities       severities=[UNKNOWN HIGH CRITICAL MEDIUM]
2024-07-09T17:25:49+02:00       DEBUG   Ignore statuses statuses=[0 1 2 4 5 6 7]
2024-07-09T17:25:49+02:00       INFO    License scanning is enabled
2024-07-09T17:25:49+02:00       DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-07-09T17:25:49+02:00       DEBUG   Initializing scan cache...      type="memory"
2024-07-09T17:25:49+02:00       DEBUG   [nuget] The nuget packages directory couldn't be found. License search disabled
2024-07-09T17:25:49+02:00       DEBUG   Skipping path   path=".git"
2024-07-09T17:25:50+02:00       DEBUG   OS is not detected.
2024-07-09T17:25:50+02:00       INFO    Suppressing dependencies for development and testing. To display them, try the '--include-dev-deps' flag.
2024-07-09T17:25:50+02:00       DEBUG   Found an ignore yaml    path=".trivyignore.yaml"

package-lock.json (license)

Total: 0 (UNKNOWN: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

┌─────────┬─────────┬────────────────┬──────────┐
│ Package │ License │ Classification │ Severity │
└─────────┴─────────┴────────────────┴──────────┘

Operating System

macOS Sonoma

Version

trivy --version
2024/07/09 17:27:17 INFO Loaded file_path=trivy.yaml
Version: 0.53.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-05-15 06:11:26.28841171 +0000 UTC
  NextUpdate: 2024-05-15 12:11:26.28841142 +0000 UTC
  DownloadedAt: 2024-05-15 11:26:24.448386 +0000 UTC
Check Bundle:
  Digest: sha256:6d0771effa53c6cf8130861fc3ac28f5515c35a028edb4bb1e67261b9218c80e
  DownloadedAt: 2024-05-17 14:18:27.189189 +0000 UTC

Checklist
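The reporter's CI gates on whether the report is byte-empty, which is exactly the check that broke when newer trivy versions started printing a target header, a "Total: 0" summary and an empty table for a fully ignored target. The block below is an added example (not trivy's code and not from the issue) of a gate that parses the report instead: it sums the N of every "Total: N (...)" line in table output, or, for JSON output, counts the entries under each result's Vulnerabilities and Licenses arrays (key names are an assumption based on trivy's JSON report schema; the Python identifiers and the sample reports are constructed for the example, the empty table being copied from the issue).

```python
import json
import re

# Constructed sample of table output for a target whose only findings are
# suppressed by .trivyignore.yaml; the shape is copied from the issue text.
SAMPLE_TABLE_EMPTY = """\
package-lock.json (license)

Total: 0 (UNKNOWN: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

┌─────────┬─────────┬────────────────┬──────────┐
│ Package │ License │ Classification │ Severity │
└─────────┴─────────┴────────────────┴──────────┘
"""

# Constructed sample of the summary line for a target with real findings.
SAMPLE_TABLE_HIT = """\
package-lock.json (license)

Total: 2 (UNKNOWN: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)
"""

# Constructed JSON reports (assumed key layout: Results[].Licenses / Vulnerabilities).
SAMPLE_JSON_EMPTY = json.dumps({
    "SchemaVersion": 2,
    "Results": [{"Target": "package-lock.json", "Class": "license", "Type": "npm"}],
})
SAMPLE_JSON_HIT = json.dumps({
    "SchemaVersion": 2,
    "Results": [{
        "Target": "package-lock.json",
        "Class": "license",
        "Licenses": [{"PkgName": "some-package", "Name": "GPL-3.0", "Severity": "HIGH"}],
    }],
})

# One summary line per target: "Total: N (UNKNOWN: a, ...)".
TOTAL_RE = re.compile(r"^Total:\s+(\d+)\s+\(", re.MULTILINE)

# Result keys that carry findings for the scanners named in the issue.
FINDING_KEYS = ("Vulnerabilities", "Licenses")


def count_table_findings(text: str) -> int:
    """Sum the totals of every target in table output; 0 when no summary line exists."""
    return sum(int(m.group(1)) for m in TOTAL_RE.finditer(text))


def count_json_findings(doc: dict) -> int:
    """Count findings across all results; missing or null arrays count as zero."""
    total = 0
    for result in doc.get("Results") or []:
        for key in FINDING_KEYS:
            total += len(result.get(key) or [])
    return total


def has_findings(report: str) -> bool:
    """CI gate: decide on parsed counts, never on whether the report is empty."""
    stripped = report.strip()
    if not stripped:
        return False
    if stripped.startswith("{"):
        return count_json_findings(json.loads(stripped)) > 0
    return count_table_findings(report) > 0


if __name__ == "__main__":
    for name, rep in (("table/empty", SAMPLE_TABLE_EMPTY), ("table/hit", SAMPLE_TABLE_HIT),
                      ("json/empty", SAMPLE_JSON_EMPTY), ("json/hit", SAMPLE_JSON_HIT)):
        print(f"{name}: findings={has_findings(rep)}")
```

The JSON path is the one to prefer in a pipeline, since the table layout is human-facing and changed between the versions compared in the issue; trivy's `--exit-code` flag is the simplest gate of all when the only question is "anything left after ignores?".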

@DmitriyLewen DmitriyLewen added the kind/bug Categorizes issue or PR as related to a bug. label Jul 11, 2024
@DmitriyLewen DmitriyLewen self-assigned this Jul 11, 2024
@DmitriyLewen DmitriyLewen added the scan/license Issues relating to license scanning label Jul 11, 2024
@DmitriyLewen DmitriyLewen added this to the v0.54.0 milestone Jul 22, 2024