Description
By default, Trivy removes duplicates by Application type + filepath (trivy/pkg/fanal/applier/docker.go, lines 126 to 129 in 906b037):

```go
for _, app := range layer.Applications {
	key := fmt.Sprintf("%s/type:%s", app.FilePath, app.Type)
	nestedMap.SetByString(key, sep, app)
}
```

So when two instances of the same Application have different file paths (e.g. one from an SBOM and one from the file itself, see #8863 (comment)), Trivy doesn't remove the duplicates.
But there is one more piece of logic (trivy/pkg/fanal/analyzer/analyzer.go, lines 502 to 512 in 93e6680):

```go
for _, app := range result.Applications {
	skippedFiles = append(skippedFiles, app.FilePath)
	for _, pkg := range app.Packages {
		// The analysis result could contain packages listed in SBOM.
		// The files of those packages don't have to be analyzed.
		// This is especially helpful for expensive post-analyzers such as the JAR analyzer.
		if pkg.FilePath != "" {
			skippedFiles = append(skippedFiles, pkg.FilePath)
		}
	}
}
```

This logic helps with jar files (see #8863 (reply in thread)).
But this logic works only for PostAnalyzers.
That is why it doesn't work for GoBinaries.
Discussed in #8863
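As an added illustration (not Trivy's own code; the Application and Package types here are simplified stand-ins), the following Go program reimplements both pieces of logic above and shows why the same Go binary seen from an SBOM and from the file survives deduplication, while a jar recorded in an SBOM package lands in the skipped-files list that post-analyzers consult.

```go
package main

import "fmt"

// Simplified stand-ins for the Trivy types (assumed shapes, not Trivy's own).
type Package struct {
	Name     string
	FilePath string // set when the analyzer knows which file the package came from
}

type Application struct {
	Type     string
	FilePath string
	Packages []Package
}

// dedupKey mirrors the applier's key (file path + type): different paths, different keys.
func dedupKey(app Application) string {
	return fmt.Sprintf("%s/type:%s", app.FilePath, app.Type)
}

// Dedup keeps one Application per (FilePath, Type) key.
func Dedup(apps []Application) map[string]Application {
	out := make(map[string]Application)
	for _, app := range apps {
		out[dedupKey(app)] = app
	}
	return out
}

// SkippedFiles mirrors the post-analyzer logic: files already covered by an
// Application, or by packages that record their FilePath, are not analyzed again.
func SkippedFiles(apps []Application) []string {
	var skipped []string
	for _, app := range apps {
		skipped = append(skipped, app.FilePath)
		for _, pkg := range app.Packages {
			if pkg.FilePath != "" {
				skipped = append(skipped, pkg.FilePath)
			}
		}
	}
	return skipped
}

func main() {
	// Constructed sample: one Go binary reported from an SBOM and from the binary itself.
	fromSBOM := Application{Type: "gobinary", FilePath: "opt/app/sbom.cdx.json"}
	fromFile := Application{Type: "gobinary", FilePath: "opt/app/server"}
	fmt.Println(len(Dedup([]Application{fromSBOM, fromFile}))) // 2: both are kept
}
```

Because no post-analyzer runs for Go binaries, the skipped-files list never prevents the second detection, which is exactly the gap this issue describes.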