
bug(report): Trivy panics when converting json report without `Packages` to table report with summary table

Open DmitriyLewen opened this issue 9 months ago • 2 comments

Description

When Trivy converts a JSON report without `Packages` to a table report with a summary table, Trivy panics.

It works only if the report contains aggregated packages.

```
➜  8537 trivy -q rootfs ./package.json  -f json -o report.json
➜  8537 trivy convert report.json --table-mode summary --scanners vuln
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x2 addr=0x58 pc=0x1038add24]

goroutine 1 [running]:
github.com/aquasecurity/trivy/pkg/report/table.splitAggregatedVulns({{0x1400158e677, 0x7}, {0x1400158e6b0, 0x9}, {0x1400158e6c0, 0x8}, {0x0, 0x0, 0x0}, {0x14001515380, ...}, ...})
	github.com/aquasecurity/trivy/pkg/report/table/summary.go:266 +0x274
github.com/aquasecurity/trivy/pkg/report/table.splitAggregatedPackages({0x140015400e0?, 0x1400158ce70?, 0x104e4ee01?})
	github.com/aquasecurity/trivy/pkg/report/table/summary.go:247 +0x288
github.com/aquasecurity/trivy/pkg/report/table.(*summaryRenderer).Render(_, {0x2, {0xb6d3390, 0xedf770900, 0x10ac9eb80}, {0x1400158e680, 0xc}, {0x1400158e690, 0xa}, {0x0, ...}, ...})
	github.com/aquasecurity/trivy/pkg/report/table/summary.go:174 +0x344
github.com/aquasecurity/trivy/pkg/report/table.(*Writer).Write(_, {_, _}, {0x2, {0xb6d3390, 0xedf770900, 0x10ac9eb80}, {0x1400158e680, 0xc}, {0x1400158e690, ...}, ...})
	github.com/aquasecurity/trivy/pkg/report/table/table.go:94 +0xd0
github.com/aquasecurity/trivy/pkg/report.Write({_, _}, {0x2, {0xb6d3390, 0xedf770900, 0x10ac9eb80}, {0x1400158e680, 0xc}, {0x1400158e690, 0xa}, ...}, ...)
	github.com/aquasecurity/trivy/pkg/report/writer.go:105 +0x7bc
github.com/aquasecurity/trivy/pkg/commands/convert.Run({_, _}, {{{0x104cdc83d, 0xa}, 0x0, 0x0, 0x0, 0x0, 0x45d964b800, {0x1400117e510, ...}, ...}, ...})
	github.com/aquasecurity/trivy/pkg/commands/convert/run.go:56 +0x5c4
github.com/aquasecurity/trivy/pkg/commands.NewConvertCommand.func2(0x140005c3508, {0x140013a2f00, 0x1, 0x5})
	github.com/aquasecurity/trivy/pkg/commands/app.go:554 +0x17c
github.com/spf13/cobra.(*Command).execute(0x140005c3508, {0x140013a2eb0, 0x5, 0x5})
	github.com/spf13/[email protected]/command.go:1015 +0x828
github.com/spf13/cobra.(*Command).ExecuteC(0x1400123ac08)
	github.com/spf13/[email protected]/command.go:1148 +0x350
github.com/spf13/cobra.(*Command).Execute(0x104d3fb76?)
	github.com/spf13/[email protected]/command.go:1071 +0x1c
main.run()
	github.com/aquasecurity/trivy/cmd/trivy/main.go:45 +0x124
main.main()
	github.com/aquasecurity/trivy/cmd/trivy/main.go:19 +0x20
```

Despite the fact that we recommend including packages in the JSON report for conversion, this is still a recommendation. Therefore, Trivy should not panic in any case.

Discussed in https://github.com/aquasecurity/trivy/discussions/8537

DmitriyLewen, Mar 27 '25 08:03
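A pre-flight check for the input shape described in the issue above, as an added example that is not part of the original issue or of Trivy's code: it lists the results in a JSON report that carry vulnerabilities but no `Packages`, so the report can be regenerated before `trivy convert --table-mode summary` is run on an affected version. The function name, the reduced struct and the sample report are assumptions constructed for illustration.

```go
// Added example, not Trivy code: pre-flight check of a JSON report before `trivy convert`.
package main

import (
	"encoding/json"
	"fmt"
)

// result is a reduced view of one entry in the report's "Results" array.
type result struct {
	Target          string            `json:"Target"`
	Packages        []json.RawMessage `json:"Packages"`
	Vulnerabilities []json.RawMessage `json:"Vulnerabilities"`
}

// resultsWithoutPackages returns the targets of results that list
// vulnerabilities but have a missing or empty Packages array.
// Assumption: only results with vulnerabilities matter for --scanners vuln.
func resultsWithoutPackages(data []byte) ([]string, error) {
	var r struct {
		Results []result `json:"Results"`
	}
	if err := json.Unmarshal(data, &r); err != nil {
		return nil, fmt.Errorf("parse report: %w", err)
	}
	var targets []string
	for _, res := range r.Results {
		if len(res.Vulnerabilities) > 0 && len(res.Packages) == 0 {
			targets = append(targets, res.Target)
		}
	}
	return targets, nil
}

// Constructed sample input (placeholder IDs), not output captured from Trivy.
const sampleReport = `{"SchemaVersion":2,"Results":[
 {"Target":"package.json","Vulnerabilities":[{"VulnerabilityID":"CVE-0000-0000","PkgName":"example"}]},
 {"Target":"other/package.json","Packages":[{"Name":"example"}],"Vulnerabilities":[{"VulnerabilityID":"CVE-0000-0000","PkgName":"example"}]}
]}`

func main() {
	targets, err := resultsWithoutPackages([]byte(sampleReport))
	fmt.Println("results without Packages:", targets, "error:", err)
}
```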

A similar issue with table-mode... When you have a trivy.yaml config file with

```yaml
table-mode:
 - detailed
```

but you need to generate a JSON-formatted report, trivy fails with an error

```
2025-04-16T13:03:27Z	FATAL	Fatal error	flag error: report flag error: "--table-mode" can be used only with "--format table".
```

It seems to me that the app should take this option into account only when generating a table report.

ivan-morgun, Apr 16 '25 13:04

Hi @ivan-morgun Sorry for the late reply.

It was our decision to return an error - https://github.com/aquasecurity/trivy/pull/8177#discussion_r1933701726

DmitriyLewen, May 12 '25 12:05