HTML template missing target names for go, npm, python/pip, java pom.xml, config files
For many different types of files being scanned, the target names are not being reported in the HTML template, only the type of file. This makes it impossible to know which file contains the vulnerabilities and/or misconfigurations that were found.
- The HTML title of the file is only for the first item scanned, all other items only list their type. It would be great if the title was set to directory, repo, or image that was scanned (.ArtifactName, .ArtifactType)
- Now that config entries are included with the vulnerabilities (which is awesome btw, thanks!), it's slightly confusing to see entries with "No vulnerabilities found" that are followed immediately by what looks like a vulnerability (but is actually a misconfiguration)
I happened to have a local clone of https://github.com/docker/awesome-compose available, which is good for scanning because it contains files of multiple types (except golang). I've attached the json output of the scan and the HTML output for comparison (for some reason GH doesn't support HTML or JSON file attachments....so I gzip'd them). I attached trivy results of Trivy as well, since it contains golang examples plus lots of config files.
And here are some screenshots of the lack of Target name:
awesome-compose.html.gz awesome-compose.json.gz trivy_results_of_trivy_itself.json.gz trivy_results_of_trivy_itself.html.gz
NOTE: These reports were generated with Trivy v0.22.0
I've taken a first pass at tweaking the template to increase readability. This round was more about determining what data I can add to the page, vs fussing too much with styling. Feedback is welcome
Was also facing this issue, where we scan a large number of .NET projects at the same time, and each project would only get the header "nuget". Would be great to see the modifications by @jpinkham implemented.
@frjonsen you can use any custom templates for trivy results:
$ trivy image --format template --template @path/to/custom/html.tpl --output result.html alpine:latest
it seems that @jpinkham's changes are here: https://github.com/aquasecurity/trivy/commit/7b4fb9daadffa758337a9042ff37b057b602a772
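As an added example (not Trivy's own template or code), this is the shape a custom template passed via --template can take, executed with Go's html/template the way trivy applies it: every section heading carries .Target alongside .Type, and the page title uses .ArtifactName and .ArtifactType as the opening comment asks. The Report and Result structs are an assumed minimal mirror of the JSON report fields, and the sample report is constructed data with placeholder IDs.

```go
package main

import (
	"bytes"
	"html/template"
)
// Minimal mirror of the report fields Trivy hands to --format template
// (assumed shape for this example; the real report carries many more fields).
type Vulnerability struct{ VulnerabilityID, PkgName, InstalledVersion, Severity string }
type Misconfiguration struct{ ID, Title, Severity string }
type Result struct {
	Target            string // file or image layer the findings belong to
	Class             string // "lang-pkgs", "os-pkgs" or "config"
	Type              string // e.g. "npm", "pip", "pom", "dockerfile"
	Vulnerabilities   []Vulnerability
	Misconfigurations []Misconfiguration
}
type Report struct {
	ArtifactName, ArtifactType string
	Results                    []Result
}

// Template fragment: the title names the scanned artifact and every section
// heading carries the Target path, not only the file type.
var tpl = template.Must(template.New("html").Parse(`<title>Trivy: {{.ArtifactName}} ({{.ArtifactType}})</title>
{{range .Results}}<h2>{{.Target}} [{{.Type}}, {{.Class}}]</h2>
{{range .Vulnerabilities}}<p>{{.VulnerabilityID}} {{.PkgName}} {{.InstalledVersion}} {{.Severity}}</p>
{{end}}{{range .Misconfigurations}}<p>{{.ID}} {{.Title}} {{.Severity}}</p>
{{end}}{{if and (not .Vulnerabilities) (not .Misconfigurations)}}<p>No findings</p>
{{end}}{{end}}`))
// Render executes the template over a report, as trivy does for a custom template file.
func Render(r Report) (string, error) {
	var buf bytes.Buffer
	if err := tpl.Execute(&buf, r); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// SampleReport is constructed data shaped like a filesystem scan of a
// multi-language repository; the IDs are placeholders, not real advisories.
func SampleReport() Report {
	return Report{ArtifactName: "awesome-compose", ArtifactType: "filesystem", Results: []Result{
		{Target: "react-express-mysql/backend/package-lock.json", Class: "lang-pkgs", Type: "npm",
			Vulnerabilities: []Vulnerability{{"CVE-0000-PLACEHOLDER", "example-pkg", "1.0.0", "HIGH"}}},
		{Target: "nginx-golang/Dockerfile", Class: "config", Type: "dockerfile",
			Misconfigurations: []Misconfiguration{{"DS-PLACEHOLDER", "Example Dockerfile check", "LOW"}}},
		{Target: "flask/requirements.txt", Class: "lang-pkgs", Type: "pip"},
	}}
}
```

Because results with no vulnerabilities but with misconfigurations are listed under their own Target, a config finding is no longer mistaken for a vulnerability following a "No vulnerabilities found" line.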
@afdesk and @frjonsen : thank you for providing the impetus to stop futzing with the template and finally submit a PR with my changes. Hopefully https://github.com/aquasecurity/trivy/pull/1741 will be reviewed soon.
This issue is stale because it has been labeled with inactivity.
I think this shouldn't be closed, I'd like to see this fixed at some point... And the PR hasn't been merged yet
Same issue here - please merge the PR
This also applies when using Trivy's misconfiguration scanning AND filesystem scanning features.
This issue is stale because it has been labeled with inactivity.
Ping to keep this active. This is the official bundled HTML template and it's never worked properly. I think this should be fixed.
Hi @huornlmj, we have a plan to extract the non-essential output options out of trivy so that the community can develop it, therefore we are reluctant to invest in these areas right now. related: https://github.com/aquasecurity/trivy/discussions/4451
This issue is stale because it has been labeled with inactivity.
Still an issue