
fix(dotnet): mark libraries built into `.NETCore` as `Dev`

Open DmitriyLewen opened this issue 1 year ago • 0 comments

Description

Dependencies with empty runtime, runtimeTarget and native fields in the [target section][net-core-target] are not needed by the runtime, and the dotnet build command doesn't create *.dll files for them (see https://github.com/aquasecurity/trivy/discussions/4282#discussioncomment-8830365). Mark these dependencies as Dev to skip them by default. This is needed to avoid false positives for system libraries.

Before:

➜  trivy -q fs -f json --list-all-pkgs  test.deps.json | jq ' .Results[0].Packages'
[
  {
    "Name": "JsonDiffPatch",
    "Identifier": {
      "PURL": "pkg:nuget/[email protected]",
      "UID": "a1803112f8f5a9ed"
    },
    "Version": "2.0.61",
    "Layer": {},
    "Locations": [
      {
        "StartLine": 60,
        "EndLine": 66
      }
    ]
  },
  {
    "Name": "Microsoft.NETCore.App",
    "Identifier": {
      "PURL": "pkg:nuget/[email protected]",
      "UID": "aefb36e8bb23323"
    },
    "Version": "1.1.2",
    "Layer": {},
    "Locations": [
      {
        "StartLine": 74,
        "EndLine": 80
      }
    ]
  }
]

After:

➜  trivy -q fs -f json --list-all-pkgs  test.deps.json | jq ' .Results[0].Packages'
[
  {
    "ID": "JsonDiffPatch/2.0.61",
    "Name": "JsonDiffPatch",
    "Identifier": {
      "PURL": "pkg:nuget/[email protected]",
      "UID": "bd2f74eae8eaf140"
    },
    "Version": "2.0.61",
    "Layer": {},
    "Locations": [
      {
        "StartLine": 60,
        "EndLine": 66
      }
    ]
  }
]


➜ trivy -q fs -f json --list-all-pkgs  test.deps.json --include-dev-deps | jq ' .Results[0].Packages'
[
  {
    "ID": "JsonDiffPatch/2.0.61",
    "Name": "JsonDiffPatch",
    "Identifier": {
      "PURL": "pkg:nuget/[email protected]",
      "UID": "bd2f74eae8eaf140"
    },
    "Version": "2.0.61",
    "Layer": {},
    "Locations": [
      {
        "StartLine": 60,
        "EndLine": 66
      }
    ]
  },
  {
    "ID": "Microsoft.NETCore.App/1.1.2",
    "Name": "Microsoft.NETCore.App",
    "Identifier": {
      "PURL": "pkg:nuget/[email protected]",
      "UID": "25de3b2fa73521a4"
    },
    "Version": "1.1.2",
    "Dev": true,
    "Layer": {},
    "Locations": [
      {
        "StartLine": 74,
        "EndLine": 80
      }
    ]
  }
]


Related Discussions

  • Close #4282

Checklist

  • [x] I've read the guidelines for contributing to this repository.
  • [x] I've followed the conventions in the PR title.
  • [x] I've added tests that prove my fix is effective or that my feature works.
  • [x] I've updated the documentation with the relevant information (if needed).
  • [x] I've added usage information (if the PR introduces new options)
  • [x] I've included a "before" and "after" example to the description (if the PR is a user interface change).

DmitriyLewen Jun 27 '24 11:06
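The rule from the description applied end to end, as an added example in Go. This is my own illustration, not Trivy's `core_deps` parser: the struct layout, the `Select` helper standing in for `--include-dev-deps`, and the constructed `SampleDeps` file (modelled on the `test.deps.json` output above) are all assumptions, as is accepting the plural `runtimeTargets` key next to `runtimeTarget`, since that is the spelling the .NET SDK writes for RID-specific assets.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Subset of the .deps.json schema needed for the Dev decision: "libraries" is
// what NuGet restored, "targets" is which assets each library gives the build.
type depsFile struct {
	Libraries map[string]libraryEntry           `json:"libraries"`
	Targets   map[string]map[string]targetEntry `json:"targets"`
}

type libraryEntry struct{ Type string `json:"type"` } // "package" or "project"

// Asset sections meaning "this library ships files the runtime loads". The PR
// names runtime, runtimeTarget and native; RID-specific assets are written by
// the SDK under "runtimeTargets", so that spelling is accepted too (assumption).
type targetEntry struct {
	Runtime        map[string]json.RawMessage `json:"runtime"`
	RuntimeTarget  map[string]json.RawMessage `json:"runtimeTarget"`
	RuntimeTargets map[string]json.RawMessage `json:"runtimeTargets"`
	Native         map[string]json.RawMessage `json:"native"`
}

// Package is the scanner-side view of one NuGet dependency; ID is "Name/Version".
type Package struct{ ID, Name, Version string; Dev bool }

// ParseDeps lists every NuGet package in a .deps.json and marks as Dev those
// whose target entry has no runtime/runtimeTarget(s)/native assets.
func ParseDeps(data []byte) ([]Package, error) {
	var f depsFile
	if err := json.Unmarshal(data, &f); err != nil {
		return nil, fmt.Errorf("parse deps.json: %w", err)
	}
	// Merge all target frameworks: assets in any target make it a runtime dep.
	shipped := map[string]bool{}
	for _, libs := range f.Targets {
		for id, t := range libs {
			shipped[id] = shipped[id] || len(t.Runtime)+len(t.RuntimeTarget)+len(t.RuntimeTargets)+len(t.Native) > 0
		}
	}
	var pkgs []Package
	for id, lib := range f.Libraries {
		if lib.Type != "package" {
			continue // local projects are not NuGet packages
		}
		name, version, ok := strings.Cut(id, "/")
		if !ok {
			return nil, fmt.Errorf("unexpected library id %q", id)
		}
		// A package absent from every target (or a file with no "targets" at all)
		// cannot be classified and stays a runtime dependency: for a scanner,
		// hiding a real package is worse than one extra finding.
		assets, seen := shipped[id]
		pkgs = append(pkgs, Package{ID: id, Name: name, Version: version, Dev: seen && !assets})
	}
	sort.Slice(pkgs, func(i, j int) bool { return pkgs[i].ID < pkgs[j].ID })
	return pkgs, nil
}

// Select mirrors the CLI default: Dev packages are dropped unless includeDev is set.
func Select(pkgs []Package, includeDev bool) []Package {
	var out []Package
	for _, p := range pkgs {
		if includeDev || !p.Dev {
			out = append(out, p)
		}
	}
	return out
}

// SampleDeps is a constructed file modelled on the page's test.deps.json:
// JsonDiffPatch ships a DLL, Microsoft.NETCore.App only lists sub-dependencies.
const SampleDeps = `{
  "targets": {
    ".NETCoreApp,Version=v1.1": {
      "test/1.0.0": {"dependencies": {"JsonDiffPatch": "2.0.61"}, "runtime": {"test.dll": {}}},
      "JsonDiffPatch/2.0.61": {"runtime": {"lib/netstandard1.3/JsonDiffPatch.dll": {}}},
      "Microsoft.NETCore.App/1.1.2": {"dependencies": {"Microsoft.NETCore.DotNetHost": "1.1.0"}}
    }
  },
  "libraries": {
    "test/1.0.0": {"type": "project"},
    "JsonDiffPatch/2.0.61": {"type": "package"},
    "Microsoft.NETCore.App/1.1.2": {"type": "package"}
  }
}`

func main() {
	pkgs, err := ParseDeps([]byte(SampleDeps))
	if err != nil {
		panic(err)
	}
	fmt.Printf("default: %v\n--include-dev-deps: %v\n", Select(pkgs, false), Select(pkgs, true))
}
```

Two deliberate choices worth checking against your own deps.json files: a `runtime` section that is present but empty (`{}`) still counts as "no assets", matching the wording in the description, while a package that appears in no target at all (or a file with no `targets` section) is left as a runtime dependency rather than demoted, because dropping a library that does ship code is the more expensive mistake for a vulnerability scanner.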