aquasecurity/trivy

--vuln-type library returning null in JSON when no vulnerabilites are found

Open

#828 opened on Feb 1, 2021

View on GitHub
 (14 comments) (0 reactions) (0 assignees)Go (35,000 stars) (371 forks)batch import
help wantedkind/featurepriority/important-longterm

Description

Description

Command running: trivy image --list-all-pkgs --vuln-type library -f json debian:10.6 Option --vuln-type library returns null in JSON when no vulnerabilities are found, even if --list-all-pkgs is also present.

What did you expect to happen?

I would expect it to return in JSON the Target, Type, the list of Packages, and an empty list of Vulnerabilities.

What happened instead?

It simply returns null.

Output of run with -debug:

2021-02-01T08:29:44.155-1000	DEBUG	Severities: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
2021-02-01T08:29:44.208-1000	DEBUG	cache dir:  /Users/$USER/Library/Caches/trivy
2021-02-01T08:29:44.209-1000	INFO	Need to update DB
2021-02-01T08:29:44.209-1000	INFO	Downloading DB...
2021-02-01T08:29:44.903-1000	DEBUG	release name: v1-2021020112
2021-02-01T08:29:44.904-1000	DEBUG	asset name: trivy-light-offline.db.tgz
2021-02-01T08:29:44.904-1000	DEBUG	file name doesn't match
2021-02-01T08:29:44.904-1000	DEBUG	asset name: trivy-light.db.gz
2021-02-01T08:29:44.904-1000	DEBUG	file name doesn't match
2021-02-01T08:29:44.904-1000	DEBUG	asset name: trivy-offline.db.tgz
2021-02-01T08:29:44.904-1000	DEBUG	file name doesn't match
2021-02-01T08:29:44.904-1000	DEBUG	asset name: trivy.db.gz
2021-02-01T08:29:45.029-1000	DEBUG	asset URL: https://github-releases.githubusercontent.com/216830441/a61a3f80-6488-11eb-8c55-6d691ed757aa?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20210201%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20210201T182807Z&X-Amz-Expires=300&X-Amz-Signature=d514164bb9e900efb7df53ffe94bb28674ad8ccfab9b8b445de19bd8a1a9f4f8&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=216830441&response-content-disposition=attachment%3B%20filename%3Dtrivy.db.gz&response-content-type=application%2Foctet-stream
19.93 MiB / 19.93 MiB [--------------------------------] 100.00% 4.32 MiB p/s 5s
2021-02-01T08:29:50.202-1000	DEBUG	Updating database metadata...
2021-02-01T08:29:50.203-1000	DEBUG	DB Schema: 1, Type: 1, UpdatedAt: 2021-02-01 12:22:39.009526881 +0000 UTC, NextUpdate: 2021-02-02 00:22:39.009526481 +0000 UTC, DownloadedAt: 2021-02-01 18:29:50.202728 +0000 UTC
2021-02-01T08:29:53.630-1000	DEBUG	Vulnerability type:  [library]
2021-02-01T08:29:58.979-1000	DEBUG	Artifact ID: sha256:ef05c61d51129e3866d5b71b4f44864919dd2b9e5f2644f0a511703182acf8f9
2021-02-01T08:29:58.979-1000	DEBUG	Blob IDs: [sha256:114ca5b7280f3b49e94a67659890aadde83d58a8bde0d9020b2bc8c902c3b9de]
2021-02-01T08:29:58.980-1000	INFO	Trivy skips scanning programming language libraries because no supported file was detected

Output of trivy -v:

Version: 0.15.0
Vulnerability DB:
  Type: Light
  Version: 1
  UpdatedAt: 2021-02-01 12:22:39.009526881 +0000 UTC
  NextUpdate: 2021-02-02 00:22:39.009526481 +0000 UTC
  DownloadedAt: 2021-02-01 18:29:50.202728 +0000 UTC

Additional details (base image name, container registry info...):

Just tested using Debian:10.6.

Contributor guide

Tech stack
go
Domain
cli
Issue type
bug
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-3 hours
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
stale
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
GoJSON serializationTrivy output code
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
70
Research direction
The issue occurs when using vuln type library and no vulnerabilities are found. The JSON output returns null instead of including the expected Target, Type, Packages, and an empty Vulnerabilities list. The fix likely lies in the report or output formatting code, possibly in the report package (e.g., pkg/report/). The developer should locate the function that constructs the JSON response for vulnerability scanning, check the condition that leads to null output, and ensure that the JSON always includes the required fields even when vulnerabilities are absent. Look for any recent changes or related issues in the repository.