Report is not empty even if there are no findings #6351

Open
DmitriyLewen opened this issue Mar 20, 2024 Discussed in #6349 · 1 comment · May be fixed by #6352
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@DmitriyLewen
Contributor

Discussed in #6349

Originally posted by kanton10062006 March 19, 2024

Description

Hello,

With the most recent release, I've noticed that the trivy report/output is not empty even if there are no findings when some particular findings are in place in .trivyignore.yaml.
The previous version did not have such behavior as expected.
Our CI/CD relies on this report; if something exists within the report, CI proceeds with different logic.

It reproduces for vuln and license scanners.

Desired Behavior

Completely empty report:

```bash
./trivy --version
2024-03-19T15:10:56.700+0100	INFO	Loaded trivy.yaml
Version: 0.49.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-03-19 12:11:32.850008953 +0000 UTC
  NextUpdate: 2024-03-19 18:11:32.850008412 +0000 UTC
  DownloadedAt: 2024-03-19 13:37:47.401184 +0000 UTC
Policy Bundle:
  Digest: sha256:cdff1bc8c97e4f5cd04782b057c00f5ea8cd81147a506ac4be76bef13710f2d3
  DownloadedAt: 2024-03-14 12:20:41.064572 +0000 UTC

./trivy fs -q --scanners vuln .
2024-03-19T15:11:01.736+0100	INFO	Loaded trivy.yaml
```

Actual Behavior

Here is an example of the actual output:

```bash
trivy --version
2024-03-19T15:09:27.820+0100	INFO	Loaded trivy.yaml
Version: 0.50.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-03-19 12:11:32.850008953 +0000 UTC
  NextUpdate: 2024-03-19 18:11:32.850008412 +0000 UTC
  DownloadedAt: 2024-03-19 13:37:47.401184 +0000 UTC
Policy Bundle:
  Digest: sha256:cdff1bc8c97e4f5cd04782b057c00f5ea8cd81147a506ac4be76bef13710f2d3
  DownloadedAt: 2024-03-14 12:20:41.064572 +0000 UTC

trivy fs -q --scanners vuln .
2024-03-19T15:09:30.501+0100	INFO	Loaded trivy.yaml

package-lock.json (npm)

Total: 0 (MEDIUM: 0, HIGH: 0, CRITICAL: 0)
```

Reproduction Steps

1. Install latest (v0.50.0) trivy version
2. Scan some package.json with findings
3. Add those findings to the .trivyignore.yaml
4. Scan it one more time
5. Observe non-empty report
6. Repeat previous steps with the earlier trivy version (v0.49.0 for example)
7. Observe empty report

Target

Filesystem

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Debug Output

```bash
trivy fs -q --scanners vuln . --debug
2024-03-19T15:17:07.236+0100	INFO	Loaded trivy.yaml

package-lock.json (npm)

Total: 0 (MEDIUM: 0, HIGH: 0, CRITICAL: 0)
```


### Operating System

macOS Sonoma

### Version

```bash
trivy --version
2024-03-19T15:18:15.019+0100	INFO	Loaded trivy.yaml
Version: 0.50.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-03-19 12:11:32.850008953 +0000 UTC
  NextUpdate: 2024-03-19 18:11:32.850008412 +0000 UTC
  DownloadedAt: 2024-03-19 13:37:47.401184 +0000 UTC
Policy Bundle:
  Digest: sha256:cdff1bc8c97e4f5cd04782b057c00f5ea8cd81147a506ac4be76bef13710f2d3
  DownloadedAt: 2024-03-14 12:20:41.064572 +0000 UTC
```


### Checklist

- [ ] Run `trivy image --reset`
- [ ] Read [the troubleshooting](https://aquasecurity.github.io/trivy/latest/docs/references/troubleshooting/)

DmitriyLewen added the kind/bug label Mar 20, 2024
DmitriyLewen self-assigned this Mar 20, 2024

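
For CI logic like the one described in the report above, a gate can count findings in the JSON report instead of testing whether the table output is empty. The sketch below is an added example, not code from this thread or from the Trivy project; it assumes the scan was run with `--format json`, and the sample reports and the function names are constructed for illustration.

```python
import json

# Finding arrays for the two scanners the issue names (vuln and license).
# A result entry may omit an array or carry it as null/empty.
FINDING_KEYS = ("Vulnerabilities", "Licenses")


def count_findings(report, severities=None):
    """Return {target: count} for targets that still have findings.

    A result entry without finding arrays (the "Total: 0" table in the
    issue) contributes nothing, so the decision does not depend on whether
    the scanner lists a target whose findings were all ignored.
    """
    wanted = {s.upper() for s in severities} if severities else None
    counts = {}
    for result in report.get("Results") or []:  # key may be absent or null
        n = 0
        for key in FINDING_KEYS:
            for finding in result.get(key) or []:
                sev = str(finding.get("Severity", "UNKNOWN")).upper()
                if wanted is None or sev in wanted:
                    n += 1
        if n:
            counts[result.get("Target", "<unknown>")] = n
    return counts


def has_findings(report_text, severities=None):
    """CI decision: True only when the report holds real findings."""
    text = report_text.strip()
    if not text:  # no report written at all
        return False
    return bool(count_findings(json.loads(text), severities))


# Constructed sample: all findings ignored, target still listed.
ALL_IGNORED = '{"Results": [{"Target": "package-lock.json", "Type": "npm"}]}'

# Constructed sample: one finding left (placeholder ID, not a real CVE).
ONE_LEFT = json.dumps({"Results": [{
    "Target": "package-lock.json", "Type": "npm",
    "Vulnerabilities": [{"VulnerabilityID": "CVE-XXXX-YYYY", "Severity": "HIGH"}],
}]})

if __name__ == "__main__":
    for name, text in (("all ignored", ALL_IGNORED), ("one left", ONE_LEFT)):
        print(name, "->", "findings" if has_findings(text) else "clean")
```

An empty report is treated as clean here, so the scanner's exit status should be checked separately to tell a clean scan from a failed one.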
@AntonKarasov

Hey @DmitriyLewen,
Do you have any plans to merge the PR related to this issue?
As I can see the major 0.51.0 version has been released recently but without this fix, unfortunately...
Thanks and looking forward to your reply.
