
Table output shows no summary if no vulnerability is detected

Open bgoareguer opened this issue 2 years ago • 10 comments

Description

I scan an image containing only one vulnerability with severity=HIGH. When I allow Trivy to show all vulnerabilities, the table output shows the summary:

2022-07-19T09:25:07.775+0200    INFO    Vulnerability scanning is enabled
2022-07-19T09:25:07.775+0200    INFO    Secret scanning is enabled
2022-07-19T09:25:07.775+0200    INFO    If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-07-19T09:25:07.775+0200    INFO    Please see also https://aquasecurity.github.io/trivy/0.30.0/docs/secret/scanning/#recommendation for faster secret detection
2022-07-19T09:25:07.780+0200    INFO    Detected OS: alpine
2022-07-19T09:25:07.781+0200    INFO    Detecting Alpine vulnerabilities...
2022-07-19T09:25:07.782+0200    INFO    Number of language-specific files: 0

alpine:3.16.1 (alpine 3.16.1)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

┌────────────┬────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│  Library   │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                           Title                            │
├────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ busybox    │ CVE-2022-30065 │ HIGH     │ 1.35.0-r15        │ 1.35.0-r17    │ busybox: A use-after-free in Busybox's awk applet leads to │
│            │                │          │                   │               │ denial of service...                                       │
│            │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-30065                 │
├────────────┤                │          │                   │               │                                                            │
│ ssl_client │                │          │                   │               │                                                            │
│            │                │          │                   │               │                                                            │
│            │                │          │                   │               │                                                            │
└────────────┴────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘

But when I filter out all vulnerabilities (with --severity=CRITICAL), the table output does not show the summary:

2022-07-19T09:24:48.522+0200    INFO    Vulnerability scanning is enabled
2022-07-19T09:24:48.522+0200    INFO    Secret scanning is enabled
2022-07-19T09:24:48.522+0200    INFO    If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-07-19T09:24:48.522+0200    INFO    Please see also https://aquasecurity.github.io/trivy/0.30.0/docs/secret/scanning/#recommendation for faster secret detection
2022-07-19T09:24:48.528+0200    INFO    Detected OS: alpine
2022-07-19T09:24:48.531+0200    INFO    Detecting Alpine vulnerabilities...
2022-07-19T09:24:48.534+0200    INFO    Number of language-specific files: 0

What did you expect to happen?

I expected to see a summary showing 0 vulnerabilities as it did in versions prior to 0.30.0. Here is the output I have with Trivy 0.29.2:

2022-07-19T09:24:30.905+0200    INFO    Vulnerability scanning is enabled
2022-07-19T09:24:30.910+0200    INFO    Secret scanning is enabled
2022-07-19T09:24:30.912+0200    INFO    If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-07-19T09:24:30.912+0200    INFO    Please see also https://aquasecurity.github.io/trivy/v0.29.2/docs/secret/scanning/#recommendation for faster secret detection
2022-07-19T09:24:30.918+0200    INFO    Detected OS: alpine
2022-07-19T09:24:30.918+0200    INFO    Detecting Alpine vulnerabilities...
2022-07-19T09:24:30.920+0200    INFO    Number of language-specific files: 0

alpine:3.16.1 (alpine 3.16.1)

Total: 0 (CRITICAL: 0)


Output of trivy -v:

Version: 0.30.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2022-07-19 06:08:05.847478212 +0000 UTC
  NextUpdate: 2022-07-19 12:08:05.847477912 +0000 UTC
  DownloadedAt: 2022-07-19 07:02:29.52459703 +0000 UTC

Additional details (base image name, container registry info...):

The image I am scanning is alpine:3.16.1

bgoareguer avatar Jul 19 '22 07:07 bgoareguer

@bgoareguer thanks for your report! I took a look at `alpine`:

$ docker pull alpine:3.16.1

$ docker run --rm -it --entrypoint /bin/sh alpine:3.16.1 

/ # apk list | grep busybox
busybox-1.35.0-r15 x86_64 {busybox} (GPL-2.0-only) [installed]

so I think that trivy works correctly now.

afdesk avatar Jul 19 '22 12:07 afdesk

also I tested v0.29.2, it works correctly too:

$ trivy-29-2 i alpine:3.16.1
2022-07-19T18:52:30.862+0600	INFO	Vulnerability scanning is enabled
2022-07-19T18:52:30.862+0600	INFO	Secret scanning is enabled
2022-07-19T18:52:30.863+0600	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-07-19T18:52:30.863+0600	INFO	Please see also https://aquasecurity.github.io/trivy/v0.29.2/docs/secret/scanning/#recommendation for faster secret detection
2022-07-19T18:52:30.867+0600	INFO	Detected OS: alpine
2022-07-19T18:52:30.867+0600	INFO	Detecting Alpine vulnerabilities...
2022-07-19T18:52:30.868+0600	INFO	Number of language-specific files: 0

alpine:3.16.1 (alpine 3.16.1)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

┌────────────┬────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│  Library   │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                           Title                            │
├────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ busybox    │ CVE-2022-30065 │ HIGH     │ 1.35.0-r15        │ 1.35.0-r17    │ busybox: A use-after-free in Busybox's awk applet leads to │
│            │                │          │                   │               │ denial of service...                                       │
│            │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-30065                 │
├────────────┤                │          │                   │               │                                                            │
│ ssl_client │                │          │                   │               │                                                            │
│            │                │          │                   │               │                                                            │
│            │                │          │                   │               │                                                            │
└────────────┴────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘

afdesk avatar Jul 19 '22 12:07 afdesk

please, feel free to reopen this issue if the issue still exists

afdesk avatar Jul 19 '22 12:07 afdesk

@afdesk the problem was not about detecting the vulnerability but simply not showing the summary: Total: 0 (CRITICAL: 0)

bgoareguer avatar Jul 19 '22 13:07 bgoareguer

@afdesk the problem was not about detecting the vulnerability but simply not showing the summary: Total: 0 (CRITICAL: 0)

oh, yes, I understood it now. thanks

afdesk avatar Jul 19 '22 13:07 afdesk

We probably removed it by mistake. @afdesk Could you revert it?

knqyf263 avatar Jul 19 '22 14:07 knqyf263

yes, sure. I'll do it today.

afdesk avatar Jul 20 '22 06:07 afdesk

FYI, alpine linux security db was updated yesterday, and now CVE-2022-30065 doesn't affect busybox-1.35.0-r15

afdesk avatar Jul 20 '22 07:07 afdesk

@knqyf263 @afdesk I'm on trivy v0.30.3 and I still see no summary with trivy fs for my poetry.lock file. I saw in this comment that it was decided to not output an empty table for language-specific packages: https://github.com/aquasecurity/trivy/pull/2548#discussion_r925466888. I do agree that an empty table is not necessary, but I would still expect a summary confirming that no vulnerabilities were found. From the current output it is just not obvious if the scan actually ran successfully:

2022-07-26T17:41:05.070+0200	INFO	Vulnerability scanning is enabled
2022-07-26T17:41:05.085+0200	INFO	Number of language-specific files: 1
2022-07-26T17:41:05.085+0200	INFO	Detecting poetry vulnerabilities...

This way it would be much more reassuring:

2022-07-26T17:41:05.070+0200	INFO	Vulnerability scanning is enabled
2022-07-26T17:41:05.085+0200	INFO	Number of language-specific files: 1
2022-07-26T17:41:05.085+0200	INFO	Detecting poetry vulnerabilities...

poetry.lock (poetry)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Would you consider reopening and adding this?

KDMichaelis avatar Jul 26 '22 16:07 KDMichaelis
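One way to get the per-target "Total: N (...)" line regardless of what the table reporter prints is to read Trivy's `--format json` output instead and build the summary yourself. The script below is an added example, not code from this thread or from the Trivy project. It assumes the shape of Trivy's JSON report (a `Results` list whose entries carry `Target` and `Vulnerabilities`), and it assumes, as an edge case the thread is about, that a target with no findings has no `Vulnerabilities` key at all; the embedded report is a constructed sample modelled on the scans above, not real scanner output.

```python
import json
import sys

# Severity order used by Trivy's table summary.
SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")

# Constructed sample in the shape of `trivy --format json` output (assumption:
# SchemaVersion 2 layout). One target has two HIGH findings; the second target
# has no "Vulnerabilities" key at all, which is how a clean target is assumed
# to appear in the report.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "alpine:3.16.1",
    "ArtifactType": "container_image",
    "Results": [
        {
            "Target": "alpine:3.16.1 (alpine 3.16.1)",
            "Class": "os-pkgs",
            "Type": "alpine",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2022-30065", "PkgName": "busybox",
                 "InstalledVersion": "1.35.0-r15", "FixedVersion": "1.35.0-r17",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-2022-30065", "PkgName": "ssl_client",
                 "InstalledVersion": "1.35.0-r15", "FixedVersion": "1.35.0-r17",
                 "Severity": "HIGH"},
            ],
        },
        {
            "Target": "poetry.lock",
            "Class": "lang-pkgs",
            "Type": "poetry",
        },
    ],
})


def summarize(report_json, severities=SEVERITIES):
    """Return {target: {severity: count}} for every result in a Trivy JSON report.

    Every target is kept, including ones with zero findings, so a clean scan
    is distinguishable from a scan that produced no result at all. Findings
    outside `severities` are dropped, mirroring `trivy --severity`.
    """
    report = json.loads(report_json)
    summary = {}
    for result in report.get("Results") or []:
        counts = {sev: 0 for sev in severities}
        # A clean target may omit the key entirely or carry null; treat both as empty.
        for vuln in result.get("Vulnerabilities") or []:
            sev = vuln.get("Severity", "UNKNOWN")
            if sev in counts:
                counts[sev] += 1
        summary[result["Target"]] = counts
    return summary


def format_summary(summary):
    """Render each target as a 'Total: N (...)' block in Trivy's table style."""
    blocks = []
    for target, counts in summary.items():
        total = sum(counts.values())
        breakdown = ", ".join(f"{sev}: {n}" for sev, n in counts.items())
        blocks.append(f"{target}\n\nTotal: {total} ({breakdown})")
    return "\n\n".join(blocks)


if __name__ == "__main__":
    # Pipe a real report in (`trivy image --format json alpine:3.16.1 | python3 summary.py`)
    # or run with no stdin to see the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    print(format_summary(summarize(data)))
```

Passing a narrower `severities` tuple (for example `("CRITICAL",)`) reproduces the `Total: 0 (CRITICAL: 0)` line from the 0.29.2 output above for a target that has nothing at that level, which is exactly the line the table reporter stopped printing.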

@KDMichaelis thanks for your report, I'll retest it again

afdesk avatar Jul 27 '22 05:07 afdesk

I have this as well in 0.30.4 - would be really useful to get a summary showing no issues with an image.

lizduke avatar Aug 12 '22 14:08 lizduke

Still present in Trivy 0.38.3 (for trivy fs only, not for trivy image)

bgoareguer avatar Mar 30 '23 09:03 bgoareguer