YAML and JSON inputs of same file yield different output formats from Trivy

[huornlmj]

Description

If I supply a K8s manifest in YAML format for misconfiguration scanning, Trivy will return findings which include line excerpts from the scanned manifest. For example:

31 ┌       - name: kube-rbac-proxy
32 │         securityContext:
33 │           allowPrivilegeEscalation: false
34 │           capabilities:
35 │             drop:
36 │               - "ALL"
37 │         image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1
38 │         args:
39 └         - "--secure-listen-address=0.0.0.0:8443"
..

However if I convert the exact same K8s manifest from YAML to JSON and scan the JSON version with Trivy, Trivy finds the same issues but yields a report that omits the line excerpts.

Desired Behavior

Give the user the option to either include or omit line excerpts. The difference in how Trivy operates depending on YAML or JSON input helped show me that I actually prefer the results when they come from JSON, as I think the line excerpts are unnecessary clutter and I would actually like to control whether I see the excerpts or not.

Actual Behavior

Described above

Reproduction Steps

Described above.

Target

Kubernetes

Scanner

Misconfiguration

Output Format

Table

Mode

Standalone

Debug Output

Described above

Operating System

Linux

Version

$ trivy --version
Version: 0.48.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-03-08 06:09:54.29888255 +0000 UTC
  NextUpdate: 2024-03-08 12:09:54.29888228 +0000 UTC
  DownloadedAt: 2024-03-08 10:37:58.762840774 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-09-29 00:52:37.313156528 +0000 UTC
  NextUpdate: 2023-10-02 00:52:37.313156128 +0000 UTC
  DownloadedAt: 2023-09-29 15:01:46.188254631 +0000 UTC
Policy Bundle:
  Digest: sha256:cdff1bc8c97e4f5cd04782b057c00f5ea8cd81147a506ac4be76bef13710f2d3
  DownloadedAt: 2024-03-07 12:01:13.501150513 +0000 UTC

Checklist

• Run trivy image --reset
• Read the troubleshooting

[simar7]

Outputs are subjective and as a result hard to satisfy every use case with. You can always write a Trivy output plugin that formats the output as you wish https://aquasecurity.github.io/trivy/v0.49/docs/advanced/plugins/#output-plugins

[huornlmj]

Maybe I didn't explain the key issue. Trivy is inconsistent in its output based in the input. The format of output should be consistent regardless of whether the input was in YAML or JSON format, if Trivy is claiming to be able to take both inputs as a K8s manifest.

[itaysk]

@simar7 @chen-keinan is this a limitation or a bug? (we don't need to rush to fix it just to understand)

[simar7]

I'm taking a look at it.

[simar7]

@huornlmj thanks for flagging it. This is actually a bug in the parser. I'll create an issue from it as the output should be the same for both JSON and YAML scanners.

[simar7]

Track here #6485