
fix(report): don't panic when report contains vulns, but doesn't contain packages for `table` format

Open DmitriyLewen opened this issue 9 months ago • 1 comments

Description

When using Trivy as a library, there may be cases where the `Result` with vulnerabilities does not contain any packages. Trivy panics in these cases. To avoid the panic and return at least some information, in such cases we use `Vulnerabilities` instead of `Packages` to separate aggregated packages.

Related discussions

  • #8537

Related issues

  • Close #8622

Checklist

  • [x] I've read the guidelines for contributing to this repository.
  • [x] I've followed the conventions in the PR title.
  • [ ] I've added tests that prove my fix is effective or that my feature works.
  • [ ] I've updated the documentation with the relevant information (if needed).
  • [ ] I've added usage information (if the PR introduces new options)
  • [ ] I've included a "before" and "after" example to the description (if the PR is a user interface change).

DmitriyLewen avatar Mar 14 '25 05:03 DmitriyLewen

For convert mode, it's not a big deal because we ask users to always use `--list-all-pkgs` for the base JSON file. For client/server mode, I still couldn't reproduce the bug.

So we haven't decided yet what the right solution for this problem will be (see https://github.com/aquasecurity/trivy/discussions/8537#discussioncomment-12496636).

So I think we can leave it out of the release until we reproduce the bug.

DmitriyLewen avatar Mar 28 '25 03:03 DmitriyLewen

This PR is stale because it has been labeled with inactivity.

github-actions[bot] avatar Jun 07 '25 00:06 github-actions[bot]