Only one dependency file is scanned #4580

dmytrozelonkin · 2023-06-07T16:40:33Z

dmytrozelonkin
Jun 7, 2023

Description

I have two dependency files in the root directory of my project: composer.lock & yarn.lock .

When I do check I see the next result:

dzelonkin ~/projects/laravel_trivy  trivy -d fs --skip-dirs ./node_modules --skip-dirs ./vendor --format table --exit-code 0 ./
2023-06-07T19:33:58.880+0300    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-06-07T19:33:58.921+0300    DEBUG   cache dir:  /Users/dzelonkin/Library/Caches/trivy
2023-06-07T19:33:58.921+0300    DEBUG   DB update was skipped because the local DB was downloaded during the last hour
2023-06-07T19:33:58.921+0300    DEBUG   DB Schema: 2, UpdatedAt: 2023-06-07 06:07:05.537434966 +0000 UTC, NextUpdate: 2023-06-07 12:07:05.537434566 +0000 UTC, DownloadedAt: 2023-06-07 15:39:33.280536 +0000 UTC
2023-06-07T19:33:58.921+0300    INFO    Vulnerability scanning is enabled
2023-06-07T19:33:58.921+0300    DEBUG   Vulnerability type:  [os library]
2023-06-07T19:33:58.921+0300    INFO    Secret scanning is enabled
2023-06-07T19:33:58.921+0300    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-06-07T19:33:58.921+0300    INFO    Please see also https://aquasecurity.github.io/trivy/v0.42/docs/secret/scanning/#recommendation for faster secret detection
2023-06-07T19:33:58.921+0300    DEBUG   No secret config detected: trivy-secret.yaml
2023-06-07T19:33:58.921+0300    DEBUG   Walk the file tree rooted at '.' in parallel
2023-06-07T19:33:58.922+0300    DEBUG   Skipping directory: node_modules
2023-06-07T19:33:58.940+0300    DEBUG   Skipping directory: vendor
2023-06-07T19:33:59.184+0300    DEBUG   unable to find version of illuminate/console
2023-06-07T19:33:59.184+0300    DEBUG   unable to find version of illuminate/contracts
2023-06-07T19:33:59.184+0300    DEBUG   unable to find version of illuminate/database
2023-06-07T19:33:59.184+0300    DEBUG   unable to find version of illuminate/support
2023-06-07T19:33:59.184+0300    DEBUG   unable to find version of composer-runtime-api
2023-06-07T19:33:59.184+0300    DEBUG   unable to find version of illuminate/support
2023-06-07T19:33:59.184+0300    DEBUG   unable to find version of illuminate/console
2023-06-07T19:33:59.184+0300    DEBUG   unable to find version of illuminate/contracts
2023-06-07T19:33:59.226+0300    DEBUG   OS is not detected.
2023-06-07T19:33:59.226+0300    DEBUG   Detected OS: unknown
2023-06-07T19:33:59.226+0300    INFO    Number of language-specific files: 2
2023-06-07T19:33:59.226+0300    INFO    Detecting composer vulnerabilities...
2023-06-07T19:33:59.226+0300    DEBUG   Detecting library vulnerabilities, type: composer, path: composer.lock

composer.lock (composer)

Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 5, CRITICAL: 0)

┌───────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│      Library      │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                            │
├───────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ guzzlehttp/guzzle │ CVE-2022-29248 │ HIGH     │ 7.2.0             │ 7.4.3, 6.5.6  │ Guzzle is a PHP HTTP client. Guzzle prior to versions 6.5.6 │
│                   │                │          │                   │               │ and...                                                      │
│                   │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-29248                  │
│                   ├────────────────┤          │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                   │ CVE-2022-31042 │          │                   │ 7.4.4, 6.5.7  │ Guzzle is an open source PHP HTTP client. In affected       │
│                   │                │          │                   │               │ versions the...                                             │
│                   │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-31042                  │
│                   ├────────────────┤          │                   │               ├─────────────────────────────────────────────────────────────┤
│                   │ CVE-2022-31043 │          │                   │               │ Guzzle is an open source PHP HTTP client. In affected       │
│                   │                │          │                   │               │ versions `Author...                                         │
│                   │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-31043                  │
│                   ├────────────────┤          │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                   │ CVE-2022-31090 │          │                   │ 7.4.5, 6.5.8  │ Guzzle, an extensible PHP HTTP client. `Authorization`      │
│                   │                │          │                   │               │ headers on requ ...                                         │
│                   │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-31090                  │
│                   ├────────────────┤          │                   │               ├─────────────────────────────────────────────────────────────┤
│                   │ CVE-2022-31091 │          │                   │               │ Guzzle, an extensible PHP HTTP client. `Authorization` and  │
│                   │                │          │                   │               │ `Cookie` he ...                                             │
│                   │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-31091                  │
└───────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
dzelonkin ~/projects/laravel_trivy

As you can see trivy detected 2 dependency files but I see result only for composer.lock.

Now I move yarn.lock file to subdirectory and run scanning again.

dzelonkin ~/projects/laravel_trivy  trivy -d fs --skip-dirs ./node_modules --skip-dirs ./vendor --format table --exit-code 0 ./
2023-06-07T19:36:07.338+0300    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-06-07T19:36:07.379+0300    DEBUG   cache dir:  /Users/dzelonkin/Library/Caches/trivy
2023-06-07T19:36:07.380+0300    DEBUG   DB update was skipped because the local DB was downloaded during the last hour
2023-06-07T19:36:07.380+0300    DEBUG   DB Schema: 2, UpdatedAt: 2023-06-07 06:07:05.537434966 +0000 UTC, NextUpdate: 2023-06-07 12:07:05.537434566 +0000 UTC, DownloadedAt: 2023-06-07 15:39:33.280536 +0000 UTC
2023-06-07T19:36:07.380+0300    INFO    Vulnerability scanning is enabled
2023-06-07T19:36:07.380+0300    DEBUG   Vulnerability type:  [os library]
2023-06-07T19:36:07.380+0300    INFO    Secret scanning is enabled
2023-06-07T19:36:07.380+0300    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-06-07T19:36:07.380+0300    INFO    Please see also https://aquasecurity.github.io/trivy/v0.42/docs/secret/scanning/#recommendation for faster secret detection
2023-06-07T19:36:07.380+0300    DEBUG   No secret config detected: trivy-secret.yaml
2023-06-07T19:36:07.380+0300    DEBUG   Walk the file tree rooted at '.' in parallel
2023-06-07T19:36:07.381+0300    DEBUG   Skipping directory: node_modules
2023-06-07T19:36:07.401+0300    DEBUG   Skipping directory: vendor
2023-06-07T19:36:07.631+0300    DEBUG   Yarn: app/package.json not found
2023-06-07T19:36:07.642+0300    DEBUG   unable to find version of illuminate/support
2023-06-07T19:36:07.642+0300    DEBUG   unable to find version of illuminate/console
2023-06-07T19:36:07.642+0300    DEBUG   unable to find version of illuminate/contracts
2023-06-07T19:36:07.642+0300    DEBUG   unable to find version of illuminate/database
2023-06-07T19:36:07.642+0300    DEBUG   unable to find version of composer-runtime-api
2023-06-07T19:36:07.642+0300    DEBUG   unable to find version of illuminate/support
2023-06-07T19:36:07.642+0300    DEBUG   unable to find version of illuminate/console
2023-06-07T19:36:07.642+0300    DEBUG   unable to find version of illuminate/contracts
2023-06-07T19:36:07.684+0300    DEBUG   OS is not detected.
2023-06-07T19:36:07.684+0300    DEBUG   Detected OS: unknown
2023-06-07T19:36:07.684+0300    INFO    Number of language-specific files: 2
2023-06-07T19:36:07.684+0300    INFO    Detecting yarn vulnerabilities...
2023-06-07T19:36:07.684+0300    DEBUG   Detecting library vulnerabilities, type: yarn, path: app/yarn.lock
2023-06-07T19:36:07.685+0300    INFO    Detecting composer vulnerabilities...
2023-06-07T19:36:07.685+0300    DEBUG   Detecting library vulnerabilities, type: composer, path: composer.lock

app/yarn.lock (yarn)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                           Title                           │
├─────────┼────────────────┼──────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ jquery  │ CVE-2020-11022 │ MEDIUM   │ 3.4.1             │ 3.5.0         │ jquery: Cross-site scripting due to improper              │
│         │                │          │                   │               │ injQuery.htmlPrefilter method                             │
│         │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2020-11022                │
│         ├────────────────┤          │                   │               ├───────────────────────────────────────────────────────────┤
│         │ CVE-2020-11023 │          │                   │               │ jquery: Untrusted code execution via <option> tag in HTML │
│         │                │          │                   │               │ passed to DOM...                                          │
│         │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2020-11023                │
└─────────┴────────────────┴──────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────────┘

composer.lock (composer)

Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 5, CRITICAL: 0)

┌───────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│      Library      │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                            │
├───────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ guzzlehttp/guzzle │ CVE-2022-29248 │ HIGH     │ 7.2.0             │ 7.4.3, 6.5.6  │ Guzzle is a PHP HTTP client. Guzzle prior to versions 6.5.6 │
│                   │                │          │                   │               │ and...                                                      │
│                   │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-29248                  │
│                   ├────────────────┤          │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                   │ CVE-2022-31042 │          │                   │ 7.4.4, 6.5.7  │ Guzzle is an open source PHP HTTP client. In affected       │
│                   │                │          │                   │               │ versions the...                                             │
│                   │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-31042                  │
│                   ├────────────────┤          │                   │               ├─────────────────────────────────────────────────────────────┤
│                   │ CVE-2022-31043 │          │                   │               │ Guzzle is an open source PHP HTTP client. In affected       │
│                   │                │          │                   │               │ versions `Author...                                         │
│                   │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-31043                  │
│                   ├────────────────┤          │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                   │ CVE-2022-31090 │          │                   │ 7.4.5, 6.5.8  │ Guzzle, an extensible PHP HTTP client. `Authorization`      │
│                   │                │          │                   │               │ headers on requ ...                                         │
│                   │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-31090                  │
│                   ├────────────────┤          │                   │               ├─────────────────────────────────────────────────────────────┤
│                   │ CVE-2022-31091 │          │                   │               │ Guzzle, an extensible PHP HTTP client. `Authorization` and  │
│                   │                │          │                   │               │ `Cookie` he ...                                             │
│                   │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-31091                  │
└───────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
dzelonkin ~/projects/laravel_trivy

I believe it is an issue and trivy should scan all dependency files in one directory.

Desired Behavior

Both files should be scanned in the root directory.

Actual Behavior

Only one files is scanned.

Reproduction Steps

Described in the description section.

Target

Filesystem

Scanner

Vulnerability

Output Format

None

Mode

None

Debug Output

Added in the description section

Operating System

macOS

Version

Version: 0.42.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-06-07 06:07:05.537434966 +0000 UTC
  NextUpdate: 2023-06-07 12:07:05.537434566 +0000 UTC
  DownloadedAt: 2023-06-07 15:39:33.280536 +0000 UTC
Policy Bundle:
  Digest: sha256:030345bff4845bae1c89450da85681bc25c0c40d2144a0d9db5254674d155298
  DownloadedAt: 2023-06-05 08:38:12.878076 +0000 UTC

Checklist

Run trivy --reset
Read the troubleshooting

dmytrozelonkin · 2023-06-07T16:42:28Z

dmytrozelonkin
Jun 7, 2023
Author

It only happens if I have multiple dependency files in root directory. If I move both files to subfolder it works fine...

8 replies

dmytrozelonkin Jun 8, 2023
Author

@nikpivkin thank you for research!

In my case the best choice is to continue scanning even if these fields are missing. But if you need them it would be great to add a warning so users can see the reason why the file scan was skipped and add these fields to proceed.

Thank you!

knqyf263 Jun 8, 2023
Maintainer

I think we show a debug log.

In my case the best choice is to continue scanning even if these fields are missing.

It makes sense. @nikpivkin Can we fix it?

nikpivkin Jun 8, 2023
Maintainer

@knqyf263 I need to see where the name and version fields are used

nikpivkin Jun 9, 2023
Maintainer

@knqyf263 The name and id fields are used to build the id package. Therefore, we will think about how to solve it

knqyf263 Jun 11, 2023
Maintainer

If I remember correctly, the name and version are not used for yarn.lock. It just uses dependencies and optional dependencies.

trivy/pkg/fanal/analyzer/language/nodejs/yarn/yarn.go

Line 178 in 479cfdd

return lo.Assign(pkg.Dependencies, pkg.OptionalDependencies), nil

dmytrozelonkin · 2023-06-08T08:14:57Z

dmytrozelonkin
Jun 8, 2023
Author

I also want to notice you that your bug creation checklist has the following step "Run trivy --reset" but when I run that I got the next error: FATAL unknown flag: --reset .

1 reply

afdesk Jun 8, 2023
Maintainer

thanks for the report. I've created #4589

afdesk · 2023-06-14T05:36:33Z

afdesk
Jun 14, 2023
Maintainer

created #4629

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Only one dependency file is scanned #4580

{{title}}

Replies: 3 comments 9 replies

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

Only one dependency file is scanned #4580

dmytrozelonkin Jun 7, 2023

Description

Desired Behavior

Actual Behavior

Reproduction Steps

Target

Scanner

Output Format

Mode

Debug Output

Operating System

Version

Checklist

Replies: 3 comments · 9 replies

dmytrozelonkin Jun 7, 2023 Author

dmytrozelonkin Jun 8, 2023 Author

knqyf263 Jun 8, 2023 Maintainer

nikpivkin Jun 8, 2023 Maintainer

nikpivkin Jun 9, 2023 Maintainer

knqyf263 Jun 11, 2023 Maintainer

dmytrozelonkin Jun 8, 2023 Author

afdesk Jun 8, 2023 Maintainer

afdesk Jun 14, 2023 Maintainer

dmytrozelonkin
Jun 7, 2023

Replies: 3 comments 9 replies

dmytrozelonkin
Jun 7, 2023
Author

dmytrozelonkin Jun 8, 2023
Author

knqyf263 Jun 8, 2023
Maintainer

nikpivkin Jun 8, 2023
Maintainer

nikpivkin Jun 9, 2023
Maintainer

knqyf263 Jun 11, 2023
Maintainer

dmytrozelonkin
Jun 8, 2023
Author

afdesk Jun 8, 2023
Maintainer

afdesk
Jun 14, 2023
Maintainer