trivy: NPM v7 lockFileVersion = 2 is not supported in Trivy filesystem scan

Description

we have NPM7 generated package-lock.json with lockFileVersion = 2. Now when we scan Node.js project using Trivy filesystem scan, Trivy does not find out packages from package-lock.json. It is working with lockFileVersion = 1

What did you expect to happen?

It should find out packages in package-lock.json

What happened instead?

It did not find out packages from package-lock.json

Output of run with -debug:

trivy -d fs 1/ 2021-11-01T11:46:05.190+0530 DEBUG Severities: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL 2021-11-01T11:46:05.216+0530 DEBUG cache dir: /root/.cache/trivy 2021-11-01T11:46:05.216+0530 INFO Need to update DB 2021-11-01T11:46:05.216+0530 INFO Downloading DB… 2021-11-01T11:46:06.602+0530 DEBUG asset name: trivy.db.gz

2021-11-01T11:46:09.851+0530 DEBUG Vulnerability type: [os library] 2021-11-01T11:46:09.863+0530 DEBUG OS is not detected and vulnerabilities in OS packages are not detected. 2021-11-01T11:46:09.863+0530 DEBUG Detected OS: unknown 2021-11-01T11:46:09.863+0530 INFO Number of language-specific files: 0

ls -ltr 1/

-rwxr-xr-x 1 root root 575977 Oct 29 17:39 package-lock.json

cat 1/package-lock.json |head { “name”: “jhipster-public-wesite”, “lockfileVersion”: 2, “requires”: true, “packages”: { “”: { “name”: “jhipster-public-wesite”, “devDependencies”: { “browser-sync”: “2.27.5”, “gulp”: “^3.9.1”,

(paste your output here)

Output of trivy -v:

Version: 0.20.2 Vulnerability DB: Type: Full Version: 1

(paste your output here)

## Additional details (base image name, container registry info...):

About this issue

  • Original URL
  • State: closed
  • Created 3 years ago
  • Reactions: 1
  • Comments: 24 (5 by maintainers)

Most upvoted comments

@ShubhamPalriwala My personal expectation is that this table wouldn’t be different for the different commands https://aquasecurity.github.io/trivy/v0.30.4/docs/vulnerability/detection/language/.

Instead, users would be able to specify --ignore-dev-dependencies and literally everything would be scanned consistently across the board.

I suppose, as a stretch goal, you would be able to disable/enable specific scanning engines easily. The experimental rego capability might do this but I don’t know that I’d call that “easy”.

+2
trevor-vaughan on Jul 29, 2022

Yep, I also had similar ideas about the --ignore-dev-dependencies flag to make it consistent across different languages. That would make the ecosystem easy to use and pretty uniform.

I do not know much about the rego capability/ other scanning engines; hence, I think that can be implemented once the initial part is implemented and perfectly working.

What do you say?

+1
ShubhamPalriwala on Jul 29, 2022

Just had the same issue. A scan with trivy repo gave me a list of vulnerabilities while trivy fs didn’t.

It would be nice to have the same behaviour across the commands. In the spirit of --ignore-unfixed, a --ignore-dev-dependencies (or anything with a better name) would be great.

+1
ldouchy-bl on Jul 28, 2022

Thanks for assigning me this

+1
rahul2393 on Nov 11, 2021

@rahul2393 Could you take a look at this issue?

+1
knqyf263 on Nov 10, 2021
Read more comments on GitHub
← trivy: Not able to scan image in Google Artifact Registry
trivy-operator: Bug in metrics format (code 500) →