
feat(php): add installed.json file support

Open DmitriyLewen opened this issue 2 years ago • 4 comments

Description

Add installed.json file support. Supported modes - image and rootfs.

Scanning composer.lock files is only possible in fs and repo modes now.

Example of work:

➜  ./trivy rootfs ./installed.json 
2023-08-29T13:24:06.376+0600    INFO    Vulnerability scanning is enabled
2023-08-29T13:24:06.376+0600    INFO    Secret scanning is enabled
2023-08-29T13:24:06.376+0600    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-08-29T13:24:06.376+0600    INFO    Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
2023-08-29T13:24:06.387+0600    INFO    Number of language-specific files: 1
2023-08-29T13:24:06.387+0600    INFO    Detecting composer-installed vulnerabilities...

installed.json (composer-installed)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)

┌─────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────┐
│     Library     │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                       Title                        │
├─────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────┤
│ guzzlehttp/psr7 │ CVE-2022-24775 │ MEDIUM   │ fixed  │ 1.8.3             │ 1.8.4, 2.1.1  │ Improper Input Validation in guzzlehttp/psr7       │
│                 │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2022-24775         │
│                 ├────────────────┤          │        │                   ├───────────────┼────────────────────────────────────────────────────┤
│                 │ CVE-2023-29197 │          │        │                   │ 1.9.1, 2.4.5  │ Improper header name validation in guzzlehttp/psr7 │
│                 │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-29197         │
└─────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────┘

Related Issues:

  • Close #5057

Checklist

  • [x] I've read the guidelines for contributing to this repository.
  • [x] I've followed the conventions in the PR title.
  • [x] I've added tests that prove my fix is effective or that my feature works.
  • [x] I've updated the documentation with the relevant information (if needed).
  • [ ] I've added usage information (if the PR introduces new options)
  • [ ] I've included a "before" and "after" example to the description (if the PR is a user interface change).

DmitriyLewen avatar Jul 24 '23 10:07 DmitriyLewen
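To make concrete what an installed.json scanner has to do, here is an added Go example; it is not Trivy's code and not part of this PR. It parses Composer's installed.json (both the Composer 2 `{"packages": [...]}` layout and the older Composer 1 bare-array layout), extracts package name and version, and matches them against a small advisory list. The advisory records are a simplified model built only from the fixed versions shown in the table above (a package counts as affected when its version is below the fixed version on the same major line); the installed.json content is constructed, and version comparison handles only numeric dotted versions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Package is the subset of a Composer installed.json entry a scanner needs.
type Package struct {
	Name    string `json:"name"`
	Version string `json:"version"`
}

// installedFile matches Composer 2's layout: {"packages": [...], "dev": ..., ...}.
type installedFile struct {
	Packages []Package `json:"packages"`
}

// ParseInstalled accepts Composer 2 ({"packages": [...]}) and Composer 1 (bare array) files.
func ParseInstalled(data []byte) ([]Package, error) {
	var f installedFile
	if err := json.Unmarshal(data, &f); err == nil && f.Packages != nil {
		return f.Packages, nil
	}
	var list []Package
	if err := json.Unmarshal(data, &list); err != nil {
		return nil, fmt.Errorf("installed.json: neither Composer 1 nor Composer 2 layout: %w", err)
	}
	return list, nil
}

// Advisory is a simplified record (assumption for this example, not Trivy's DB schema):
// a package is affected when its version is below the fixed version on its major line.
type Advisory struct {
	ID            string
	Package       string
	FixedVersions []string
}

// parseVersion turns "v1.8.3" or "1.8.3-beta" into [1 8 3]; only numeric segments are compared.
func parseVersion(v string) []int {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	var parts []int
	for _, s := range strings.Split(v, ".") {
		n, _ := strconv.Atoi(s) // non-numeric segments count as 0
		parts = append(parts, n)
	}
	return parts
}

// CompareVersions returns -1, 0 or 1 for a<b, a==b, a>b on numeric dotted versions.
func CompareVersions(a, b string) int {
	pa, pb := parseVersion(a), parseVersion(b)
	for i := 0; i < len(pa) || i < len(pb); i++ {
		var x, y int
		if i < len(pa) {
			x = pa[i]
		}
		if i < len(pb) {
			y = pb[i]
		}
		if x < y {
			return -1
		}
		if x > y {
			return 1
		}
	}
	return 0
}

// Finding is one advisory matched against one installed package.
type Finding struct {
	Package, Installed, VulnID, FixedVersion string
}

// Match checks every installed package against the advisory list.
func Match(pkgs []Package, advs []Advisory) []Finding {
	var out []Finding
	for _, p := range pkgs {
		major := parseVersion(p.Version)[0]
		for _, a := range advs {
			if a.Package != p.Name {
				continue
			}
			for _, fixed := range a.FixedVersions {
				// Only the fixed version on the same major line applies (1.8.4 for 1.x, 2.1.1 for 2.x).
				if parseVersion(fixed)[0] == major && CompareVersions(p.Version, fixed) < 0 {
					out = append(out, Finding{p.Name, p.Version, a.ID, fixed})
				}
			}
		}
	}
	return out
}

// sampleInstalledJSON is a constructed Composer 2 installed.json, not a real project's file.
const sampleInstalledJSON = `{
  "packages": [
    {"name": "guzzlehttp/psr7", "version": "1.8.3", "version_normalized": "1.8.3.0"},
    {"name": "psr/http-message", "version": "1.0.1"}
  ],
  "dev": false,
  "dev-package-names": []
}`

// advisories uses the CVE IDs and fixed versions from the scan table above.
var advisories = []Advisory{
	{ID: "CVE-2022-24775", Package: "guzzlehttp/psr7", FixedVersions: []string{"1.8.4", "2.1.1"}},
	{ID: "CVE-2023-29197", Package: "guzzlehttp/psr7", FixedVersions: []string{"1.9.1", "2.4.5"}},
}

// ScanSample parses the constructed file and returns its findings.
func ScanSample() ([]Finding, error) {
	pkgs, err := ParseInstalled([]byte(sampleInstalledJSON))
	if err != nil {
		return nil, err
	}
	return Match(pkgs, advisories), nil
}

func main() {
	findings, err := ScanSample()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("%s %s: %s (fixed in %s)\n", f.Package, f.Installed, f.VulnID, f.FixedVersion)
	}
}
```

Run as-is, it reports the same two findings for guzzlehttp/psr7 1.8.3 as the Trivy output above (CVE-2022-24775 fixed in 1.8.4, CVE-2023-29197 fixed in 1.9.1). Supporting both file layouts matters for image and rootfs scans, where the vendor directory may have been produced by either Composer major version.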

This PR is stale because it has been labeled with inactivity.

github-actions[bot] avatar Oct 29 '23 00:10 github-actions[bot]

This PR is stale because it has been labeled with inactivity.

github-actions[bot] avatar Dec 30 '23 00:12 github-actions[bot]

This PR is stale because it has been labeled with inactivity.

github-actions[bot] avatar Mar 10 '24 00:03 github-actions[bot]

This PR is stale because it has been labeled with inactivity.

github-actions[bot] avatar May 26 '24 00:05 github-actions[bot]