aquasecurity/trivy

--vuln-type library returning null in JSON when no vulnerabilities are found

Open

#828, created on February 1, 2021

(14 comments) (0 reactions) (0 assignees) Go (35,000 stars) (371 forks) batch import
help wanted, kind/feature, priority/important-longterm

Description

Command running: trivy image --list-all-pkgs --vuln-type library -f json debian:10.6

Option --vuln-type library returns null in JSON when no vulnerabilities are found, even if --list-all-pkgs is also present.

What did you expect to happen?

I would expect it to return in JSON the Target, Type, the list of Packages, and an empty list of Vulnerabilities.

What happened instead?

It simply returns null.

Output of run with -debug:

2021-02-01T08:29:44.155-1000	DEBUG	Severities: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
2021-02-01T08:29:44.208-1000	DEBUG	cache dir:  /Users/$USER/Library/Caches/trivy
2021-02-01T08:29:44.209-1000	INFO	Need to update DB
2021-02-01T08:29:44.209-1000	INFO	Downloading DB...
2021-02-01T08:29:44.903-1000	DEBUG	release name: v1-2021020112
2021-02-01T08:29:44.904-1000	DEBUG	asset name: trivy-light-offline.db.tgz
2021-02-01T08:29:44.904-1000	DEBUG	file name doesn't match
2021-02-01T08:29:44.904-1000	DEBUG	asset name: trivy-light.db.gz
2021-02-01T08:29:44.904-1000	DEBUG	file name doesn't match
2021-02-01T08:29:44.904-1000	DEBUG	asset name: trivy-offline.db.tgz
2021-02-01T08:29:44.904-1000	DEBUG	file name doesn't match
2021-02-01T08:29:44.904-1000	DEBUG	asset name: trivy.db.gz
2021-02-01T08:29:45.029-1000	DEBUG	asset URL: https://github-releases.githubusercontent.com/216830441/a61a3f80-6488-11eb-8c55-6d691ed757aa?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20210201%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20210201T182807Z&X-Amz-Expires=300&X-Amz-Signature=d514164bb9e900efb7df53ffe94bb28674ad8ccfab9b8b445de19bd8a1a9f4f8&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=216830441&response-content-disposition=attachment%3B%20filename%3Dtrivy.db.gz&response-content-type=application%2Foctet-stream
19.93 MiB / 19.93 MiB [--------------------------------] 100.00% 4.32 MiB p/s 5s
2021-02-01T08:29:50.202-1000	DEBUG	Updating database metadata...
2021-02-01T08:29:50.203-1000	DEBUG	DB Schema: 1, Type: 1, UpdatedAt: 2021-02-01 12:22:39.009526881 +0000 UTC, NextUpdate: 2021-02-02 00:22:39.009526481 +0000 UTC, DownloadedAt: 2021-02-01 18:29:50.202728 +0000 UTC
2021-02-01T08:29:53.630-1000	DEBUG	Vulnerability type:  [library]
2021-02-01T08:29:58.979-1000	DEBUG	Artifact ID: sha256:ef05c61d51129e3866d5b71b4f44864919dd2b9e5f2644f0a511703182acf8f9
2021-02-01T08:29:58.979-1000	DEBUG	Blob IDs: [sha256:114ca5b7280f3b49e94a67659890aadde83d58a8bde0d9020b2bc8c902c3b9de]
2021-02-01T08:29:58.980-1000	INFO	Trivy skips scanning programming language libraries because no supported file was detected

Output of trivy -v:

Version: 0.15.0
Vulnerability DB:
  Type: Light
  Version: 1
  UpdatedAt: 2021-02-01 12:22:39.009526881 +0000 UTC
  NextUpdate: 2021-02-02 00:22:39.009526481 +0000 UTC
  DownloadedAt: 2021-02-01 18:29:50.202728 +0000 UTC

Additional details (base image name, container registry info...):

Just tested using Debian:10.6.
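
A consumer-side guard for the behaviour reported above, as an added example that is not part of the original issue or of Trivy's code: a CI gate that reads the JSON report and treats a top-level null as "nothing was scanned" rather than as a clean result or a parser crash. It assumes the report is a top-level list of results carrying the Target, Type, Packages and Vulnerabilities fields the reporter names; the Severity and VulnerabilityID keys, the HIGH/CRITICAL policy, the exit codes and the sample reports are assumptions constructed for illustration.

```python
import json

BLOCKING = {"HIGH", "CRITICAL"}  # assumed gate policy, not taken from the issue


def load_results(raw):
    """Return the list of result objects; a top-level JSON null becomes []."""
    doc = json.loads(raw)
    if doc is None:  # the case reported in the issue
        return []
    if not isinstance(doc, list):
        raise ValueError("expected a JSON list of results or null")
    return doc


def gate(raw):
    """Return (exit_code, reason): 0 pass, 1 blocking findings, 2 nothing scanned."""
    results = load_results(raw)
    if not results:
        # Fail closed: no results means no package inventory was reported.
        return 2, "no results: nothing was scanned for the requested vuln type"
    packages, blocking = 0, []
    for res in results:
        # "or []" covers both a missing key and an explicit null value.
        packages += len(res.get("Packages") or [])
        for vuln in res.get("Vulnerabilities") or []:
            if vuln.get("Severity") in BLOCKING:
                blocking.append((res.get("Target"), vuln.get("VulnerabilityID")))
    if blocking:
        return 1, f"{len(blocking)} blocking finding(s) across {packages} package(s)"
    return 0, f"{len(results)} target(s), {packages} package(s), no blocking findings"


# Constructed sample reports (not real scanner output).
NULL_REPORT = "null"
CLEAN_REPORT = json.dumps([{
    "Target": "app/Gemfile.lock", "Type": "bundler",
    "Packages": [{"Name": "rake", "Version": "13.0.1"}],
    "Vulnerabilities": None,
}])
FINDING_REPORT = json.dumps([{
    "Target": "app/Gemfile.lock", "Type": "bundler",
    "Packages": [{"Name": "rake", "Version": "13.0.1"}],
    "Vulnerabilities": [{"VulnerabilityID": "CVE-0000-0000", "Severity": "HIGH"}],
}])

if __name__ == "__main__":
    for name, raw in [("null", NULL_REPORT), ("clean", CLEAN_REPORT),
                      ("finding", FINDING_REPORT)]:
        print(name, gate(raw))
```
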
