Projects with the same path on different disks are merged into one project

[yusuke-koyoshi]

Description

Create two partitions on one disk and mount each as follows

$ uname -a
Linux ip-172-31-39-211 6.2.0-1012-aws #12~22.04.1-Ubuntu SMP Thu Sep  7 16:00:15 UTC 2023 aarch64 aarch64 aarch64 GNU/Linux

$ sudo parted /dev/nvme1n1
GNU Parted 3.4
Using /dev/nvme1n1
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) mklabel gpt
Warning: The existing disk label on /dev/nvme1n1 will be destroyed and all data on this disk will be lost. Do you want to continue?
Yes/No? yes
(parted) mkpart "1" xfs 0% 50%
(parted) mkpart "2" xfs 50% 100%
(parted) p
Model: Amazon Elastic Block Store (nvme)
Disk /dev/nvme1n1: 8590MB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags:

Number  Start   End     Size    File system  Name  Flags
 1      1049kB  4295MB  4294MB  xfs          1
 2      4295MB  8589MB  4294MB  xfs          2

$ df -T | grep data
/dev/nvme1n1p1  xfs     4183040   62428   4120612   2% /data1
/dev/nvme1n1p2  xfs     4183040   62428   4120612   2% /data2

Place two identical programming language projects as follows.
The paths after the mount directory should be same.

$ ll /data*/test-cargo
/data1/test-cargo:
total 28
drwxrwxr-x 4 ubuntu ubuntu   100 Oct 26 10:07 ./
drwxr-xr-x 3 ubuntu ubuntu    24 Oct 26 10:07 ../
drwxrwxr-x 8 ubuntu ubuntu   163 Oct 26 10:07 .git/
-rw-rw-r-- 1 ubuntu ubuntu   253 Oct 26 10:07 .gitignore
-rw-rw-r-- 1 ubuntu ubuntu 15276 Oct 26 10:07 Cargo.lock
-rw-rw-r-- 1 ubuntu ubuntu   352 Oct 26 10:07 Cargo.toml
-rw-rw-r-- 1 ubuntu ubuntu   124 Oct 26 10:07 README.md
drwxrwxr-x 2 ubuntu ubuntu    21 Oct 26 10:07 src/

/data2/test-cargo:
total 28
drwxrwxr-x 4 ubuntu ubuntu   100 Oct 26 10:07 ./
drwxr-xr-x 3 ubuntu ubuntu    24 Oct 26 10:07 ../
drwxrwxr-x 8 ubuntu ubuntu   163 Oct 26 10:07 .git/
-rw-rw-r-- 1 ubuntu ubuntu   253 Oct 26 10:07 .gitignore
-rw-rw-r-- 1 ubuntu ubuntu 15276 Oct 26 10:07 Cargo.lock
-rw-rw-r-- 1 ubuntu ubuntu   352 Oct 26 10:07 Cargo.toml
-rw-rw-r-- 1 ubuntu ubuntu   124 Oct 26 10:07 README.md
drwxrwxr-x 2 ubuntu ubuntu    21 Oct 26 10:07 src/

If you take a snapshot and run a scan with trivy vm in this state, the two projects will be merged into one project.

$ trivy vm --scanners vuln --format json  --list-all-pkgs --output test.json ebs:snap-021abdc5ef399d397 --debug
2023-10-26T19:18:16.853+0900	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-10-26T19:18:16.854+0900	DEBUG	Ignore statuses	{"statuses": null}
2023-10-26T19:18:16.855+0900	DEBUG	Timeout is set to less than 30 min - upgrading to 30 min for this command.
2023-10-26T19:18:16.863+0900	DEBUG	cache dir:  /Users/yusuke.koyoshi/Library/Caches/trivy
2023-10-26T19:18:16.864+0900	DEBUG	DB update was skipped because the local DB is the latest
2023-10-26T19:18:16.864+0900	DEBUG	DB Schema: 2, UpdatedAt: 2023-10-26 06:17:23.035879782 +0000 UTC, NextUpdate: 2023-10-26 12:17:23.035879382 +0000 UTC, DownloadedAt: 2023-10-26 10:15:21.712833 +0000 UTC
2023-10-26T19:18:16.864+0900	INFO	Vulnerability scanning is enabled
2023-10-26T19:18:16.864+0900	DEBUG	Vulnerability type:  [os library]
2023-10-26T19:18:17.052+0900	DEBUG	Missing virtual machine cache: sha256:2e160fa18aa91e126ee82bb944902ea43eb465d2929555db284ac3c7de340338
2023-10-26T19:18:17.127+0900	DEBUG	Found partition: 1
2023-10-26T19:18:17.745+0900	DEBUG	Found partition: 2
2023-10-26T19:18:18.603+0900	DEBUG	OS is not detected.
2023-10-26T19:18:18.603+0900	DEBUG	Detected OS: unknown
2023-10-26T19:18:18.603+0900	INFO	Number of language-specific files: 1
2023-10-26T19:18:18.603+0900	INFO	Detecting cargo vulnerabilities...
2023-10-26T19:18:18.603+0900	DEBUG	Detecting library vulnerabilities, type: cargo, path: test-cargo/Cargo.lock


$ grep "test-cargo" test.json
    "Target": "test-cargo/Cargo.lock",

However, if the project name is changed as shown below, the two projects are scanned separately.

$ ll /data*/test-cargo*
/data1/test-cargo:
total 28
drwxrwxr-x 4 ubuntu ubuntu   100 Oct 26 10:07 ./
drwxr-xr-x 3 ubuntu ubuntu    24 Oct 26 10:07 ../
drwxrwxr-x 8 ubuntu ubuntu   163 Oct 26 10:07 .git/
-rw-rw-r-- 1 ubuntu ubuntu   253 Oct 26 10:07 .gitignore
-rw-rw-r-- 1 ubuntu ubuntu 15276 Oct 26 10:07 Cargo.lock
-rw-rw-r-- 1 ubuntu ubuntu   352 Oct 26 10:07 Cargo.toml
-rw-rw-r-- 1 ubuntu ubuntu   124 Oct 26 10:07 README.md
drwxrwxr-x 2 ubuntu ubuntu    21 Oct 26 10:07 src/

/data2/test-cargo2:
total 28
drwxrwxr-x 4 ubuntu ubuntu   100 Oct 26 10:07 ./
drwxr-xr-x 3 ubuntu ubuntu    25 Oct 26 10:20 ../
drwxrwxr-x 8 ubuntu ubuntu   163 Oct 26 10:07 .git/
-rw-rw-r-- 1 ubuntu ubuntu   253 Oct 26 10:07 .gitignore
-rw-rw-r-- 1 ubuntu ubuntu 15276 Oct 26 10:07 Cargo.lock
-rw-rw-r-- 1 ubuntu ubuntu   352 Oct 26 10:07 Cargo.toml
-rw-rw-r-- 1 ubuntu ubuntu   124 Oct 26 10:07 README.md
drwxrwxr-x 2 ubuntu ubuntu    21 Oct 26 10:07 src/

$ trivy vm --scanners vuln --format json  --list-all-pkgs --output test2.json ebs:snap-0a0e033f2a319d6ba --debug
2023-10-26T19:22:31.886+0900	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-10-26T19:22:31.887+0900	DEBUG	Ignore statuses	{"statuses": null}
2023-10-26T19:22:31.887+0900	DEBUG	Timeout is set to less than 30 min - upgrading to 30 min for this command.
2023-10-26T19:22:31.896+0900	DEBUG	cache dir:  /Users/yusuke.koyoshi/Library/Caches/trivy
2023-10-26T19:22:31.896+0900	DEBUG	DB update was skipped because the local DB is the latest
2023-10-26T19:22:31.896+0900	DEBUG	DB Schema: 2, UpdatedAt: 2023-10-26 06:17:23.035879782 +0000 UTC, NextUpdate: 2023-10-26 12:17:23.035879382 +0000 UTC, DownloadedAt: 2023-10-26 10:15:21.712833 +0000 UTC
2023-10-26T19:22:31.897+0900	INFO	Vulnerability scanning is enabled
2023-10-26T19:22:31.897+0900	DEBUG	Vulnerability type:  [os library]
2023-10-26T19:22:32.166+0900	DEBUG	Missing virtual machine cache: sha256:c4421b182508f38e03a269e11b0a004ed01e60125ecc627037447ac6a56ba184
2023-10-26T19:22:32.238+0900	DEBUG	Found partition: 1
2023-10-26T19:22:32.816+0900	DEBUG	Found partition: 2
2023-10-26T19:22:33.729+0900	DEBUG	OS is not detected.
2023-10-26T19:22:33.729+0900	DEBUG	Detected OS: unknown
2023-10-26T19:22:33.729+0900	INFO	Number of language-specific files: 2
2023-10-26T19:22:33.729+0900	INFO	Detecting cargo vulnerabilities...
2023-10-26T19:22:33.729+0900	DEBUG	Detecting library vulnerabilities, type: cargo, path: test-cargo/Cargo.lock
2023-10-26T19:22:33.733+0900	DEBUG	Detecting library vulnerabilities, type: cargo, path: test-cargo2/Cargo.lock

$ grep "test-cargo" test2.json
      "Target": "test-cargo/Cargo.lock",
      "Target": "test-cargo2/Cargo.lock",

Desired Behavior

That each project is detected as a separate project.
Target should include the name of the mount directory.

$ grep "test-cargo" test3.json
      "Target": "/data1/test-cargo/Cargo.lock",
      "Target": "/data2/test-cargo/Cargo.lock",

Actual Behavior

See Description.

Reproduction Steps

See Description

Target

Virtual Machine Image

Scanner

Vulnerability

Output Format

None

Mode

Standalone

Debug Output

See Description.

Operating System

macOS Ventura 13.6

Version

$ trivy version
Version: 0.46.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-10-18 06:13:34.171255389 +0000 UTC
  NextUpdate: 2023-10-18 12:13:34.171254889 +0000 UTC
  DownloadedAt: 2023-10-18 11:10:55.638346 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-10-22 01:13:16.418413758 +0000 UTC
  NextUpdate: 2023-10-25 01:13:16.418413358 +0000 UTC
  DownloadedAt: 2023-10-22 14:44:23.015405 +0000 UTC
Policy Bundle:
  Digest: sha256:24b38cdf646f0e5becf55a709ae9a3c4e819a348c28990cec0b6aabe4637d8b1
  DownloadedAt: 2023-10-06 09:32:15.263866 +0000 UTC

Checklist

• Run trivy image --reset
• Read the troubleshooting