Tried scanning rootfs but didn't get a significant result #4929
Description
Hi, I'm trying to scan a .jar file, which is not an image, using trivy. But I didn't get a significant result.

Desired Behavior
I want the trivy result to indicate whether the jar has vulnerabilities or none.

Actual Behavior
It only outputs the below, which didn't mention if there are vulnerabilities or none:
[jenkins@11c22455146c ~]$ trivy rootfs sample-calculator-bundle-2.0.jar

Reproduction Steps
1. trivy rootfs sample-calculator-bundle-2.0.jar

Target
None

Scanner
None

Output Format
None

Mode
None

Debug Output
[jenkins@11c22455146c ~]$ trivy rootfs sample-calculator-bundle-2.0.jar --debug
2023-08-02T18:09:20.295+0800 DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-08-02T18:09:20.310+0800 DEBUG cache dir: /opt/trivy/.cache
2023-08-02T18:09:20.314+0800 DEBUG DB update was skipped because the local DB is the latest
2023-08-02T18:09:20.322+0800 DEBUG DB Schema: 2, UpdatedAt: 2023-08-02 06:10:59.297975856 +0000 UTC, NextUpdate: 2023-08-02 12:10:59.297975656 +0000 UTC, DownloadedAt: 2023-08-02 09:47:19.712693808 +0000 UTC
2023-08-02T18:09:20.327+0800 INFO Vulnerability scanning is enabled
2023-08-02T18:09:20.331+0800 DEBUG Vulnerability type: [os library]
2023-08-02T18:09:20.331+0800 INFO Secret scanning is enabled
2023-08-02T18:09:20.331+0800 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-08-02T18:09:20.331+0800 INFO Please see also https://aquasecurity.github.io/trivy/v0.43/docs/scanner/secret/#recommendation for faster secret detection
2023-08-02T18:09:20.331+0800 DEBUG No secret config detected: trivy-secret.yaml
2023-08-02T18:09:20.332+0800 DEBUG Walk the file tree rooted at 'sample-calculator-bundle-2.0.jar' in parallel
2023-08-02T18:09:20.332+0800 INFO JAR files found
2023-08-02T18:09:20.333+0800 INFO Analyzing JAR files takes a while...
2023-08-02T18:09:20.333+0800 DEBUG Parsing Java artifacts... {"file": "sample-calculator-bundle-2.0.jar"}
2023-08-02T18:09:20.369+0800 DEBUG OS is not detected.
2023-08-02T18:09:20.370+0800 DEBUG Detected OS: unknown
2023-08-02T18:09:20.372+0800 INFO Number of language-specific files: 1
2023-08-02T18:09:20.374+0800 INFO Detecting jar vulnerabilities...
2023-08-02T18:09:20.378+0800 DEBUG Detecting library vulnerabilities, type: jar, path:
[jenkins@11c22455146c ~]$

Operating System
Linux

Version
[jenkins@11c22455146c ~]$ trivy --version
Version: 0.43.0
Vulnerability DB:
Version: 2
UpdatedAt: 2023-08-02 06:10:59.297975856 +0000 UTC
NextUpdate: 2023-08-02 12:10:59.297975656 +0000 UTC
DownloadedAt: 2023-08-02 09:47:19.712693808 +0000 UTC
Java DB:
Version: 1
UpdatedAt: 2023-07-31 00:51:48.861488562 +0000 UTC
NextUpdate: 2023-08-03 00:51:48.861488162 +0000 UTC
DownloadedAt: 2023-07-31 09:38:09.750336833 +0000 UTC
Replies: 1 comment 5 replies
What did you expect?
If no table is shown, it means no vulnerabilities.
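
An added example, not part of the thread or Trivy's own code: because a clean scan prints no table, a CI job can request `--format json` and derive an explicit verdict from the report. The field names follow Trivy's JSON report; the sample reports and the script name `verdict.py` are constructed for illustration.

```python
"""Turn a Trivy JSON report into an explicit verdict (added example).

Assumed use: trivy rootfs --format json <target> | python3 verdict.py
"""
import json
import sys
from collections import Counter


def count_by_severity(report: dict) -> Counter:
    """Count findings per severity; tolerate absent or null keys."""
    counts = Counter()
    # "Results" and "Vulnerabilities" can be missing or null on a clean scan.
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            counts[vuln.get("Severity", "UNKNOWN")] += 1
    return counts


def verdict(report: dict) -> str:
    """Return a one-line summary that is printed even when nothing is found."""
    counts = count_by_severity(report)
    target = report.get("ArtifactName", "<unknown target>")
    if not counts:
        return f"{target}: no known vulnerabilities found"
    detail = ", ".join(f"{sev}={n}" for sev, n in sorted(counts.items()))
    return f"{target}: {sum(counts.values())} vulnerabilities ({detail})"


# Constructed sample reports (not real scan output); the IDs are placeholders.
CLEAN = {"SchemaVersion": 2, "ArtifactName": "sample-calculator-bundle-2.0.jar"}
DIRTY = {
    "SchemaVersion": 2,
    "ArtifactName": "example-app.jar",
    "Results": [{
        "Target": "example-app.jar", "Type": "jar",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0002", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0003", "Severity": "LOW"},
        ],
    }],
}

if __name__ == "__main__":
    report = json.load(sys.stdin)
    print(verdict(report))
    # A non-zero exit status lets the CI job fail when findings exist.
    sys.exit(1 if count_by_severity(report) else 0)
```

Trivy's own `--exit-code 1` flag gives the same pass/fail signal without a wrapper; the script only adds the explicit log line.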