Very-long HTML-like output while scanning an image

[Dentrax]

Description

Desired Behavior

It should print out vulns?

Actual Behavior

It prints HTML-like 5k+ lines.

Reproduction Steps

1. `trivy image docker.io/mattermost/mattermost-enterprise-edition:9.7.1`
2. See the very long output
3.
...

Target

Container Image

Scanner

Vulnerability

Output Format

None

Mode

Standalone

Debug Output

2024/06/20 23:25:53 INFO Loaded file_path=trivy.yaml
2024-06-20T23:25:53+03:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-06-20T23:25:53+03:00	DEBUG	Ignore statuses	statuses=[]
2024-06-20T23:25:53+03:00	DEBUG	Cache dir	dir="/Users/furkan.turkal/Library/Caches/trivy"
2024-06-20T23:25:53+03:00	DEBUG	DB update was skipped because the local DB is the latest
2024-06-20T23:25:53+03:00	DEBUG	DB info	schema=2 updated_at=2024-06-20T18:13:18.595104548Z next_update=2024-06-21T00:13:18.595104298Z downloaded_at=2024-06-20T20:24:00.479382Z
2024-06-20T23:25:53+03:00	INFO	Vulnerability scanning is enabled
2024-06-20T23:25:53+03:00	DEBUG	Vulnerability type	type=[os library]
2024-06-20T23:25:53+03:00	INFO	Secret scanning is enabled
2024-06-20T23:25:53+03:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-20T23:25:53+03:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-20T23:25:53+03:00	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-06-20T23:25:54+03:00	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2024-06-20T23:25:54+03:00	DEBUG	[nuget] The nuget packages directory couldn't be found. License search disabled
2024-06-20T23:25:54+03:00	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2024-06-20T23:25:55+03:00	DEBUG	[image] Detected image ID	image_id="sha256:80ff40282191265fdc14fc4d3e36b10c508bce874a2f56cdcc46ff9461ca03ef"
2024-06-20T23:25:55+03:00	DEBUG	[image] Detected diff ID	diff_ids=[sha256:b93c1bd012ab8fda60f5b4f5906bf244586e0e3292d84571d3abb56472248466 sha256:9a955a56120548732e11aa384bbe021733322be64a8e64d4fe96b60fce9da28a sha256:6c0d78cbfd9ab92cad61594f67f456068c88cb491f47b0d5e944b8cb90b3a2ca sha256:01a82a33ed9b1c91912c173b6e73f673881a32da65533acea7c778ed91e65d67 sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef]
2024-06-20T23:25:55+03:00	DEBUG	[image] Detected base layers	diff_ids=[sha256:b93c1bd012ab8fda60f5b4f5906bf244586e0e3292d84571d3abb56472248466]
2024-06-20T23:25:56+03:00	INFO	Detected OS	family="ubuntu" version="22.04"
2024-06-20T23:25:56+03:00	INFO	[ubuntu] Detecting vulnerabilities...	os_version="22.04" pkg_num=168
2024-06-20T23:25:56+03:00	INFO	Number of language-specific files	num=2
2024-06-20T23:25:56+03:00	INFO	[gobinary] Detecting vulnerabilities...
2024-06-20T23:25:56+03:00	DEBUG	[gobinary] Scanning packages for vulnerabilities	file_path="mattermost/bin/mattermost"
2024-06-20T23:25:56+03:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="github.com/mattermost/mattermost/server/v8"
2024-06-20T23:25:56+03:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="github.com/mattermost/enterprise"
2024-06-20T23:25:56+03:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="github.com/mattermost/mattermost/server/public"
2024-06-20T23:25:56+03:00	DEBUG	[gobinary] Scanning packages for vulnerabilities	file_path="mattermost/bin/mmctl"
2024-06-20T23:25:56+03:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="github.com/mattermost/mattermost/server/v8"
2024-06-20T23:25:56+03:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="github.com/mattermost/enterprise"
2024-06-20T23:25:56+03:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="github.com/mattermost/mattermost/server/public"
2024-06-20T23:25:56+03:00	DEBUG	Secret file	path="/mattermost/client/8055.c2e8394446fd4bca58d8.js"
2024-06-20T23:25:56+03:00	DEBUG	Secret file	path="/mattermost/client/8055.c2e8394446fd4bca58d8.js.map"

Operating System

macOS

Version

2024/06/20 23:28:08 INFO Loaded file_path=trivy.yaml
Version: 0.52.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-06-20 18:13:18.595104548 +0000 UTC
  NextUpdate: 2024-06-21 00:13:18.595104298 +0000 UTC
  DownloadedAt: 2024-06-20 20:24:00.479382 +0000 UTC

Checklist

• Run trivy image --reset
• Read the troubleshooting

[DmitriyLewen]

Hello @Dentrax
Thanks for your interest to Trivy!

This image contains 169 vulnerabilities:

➜ trivy -q image docker.io/mattermost/mattermost-enterprise-edition:9.7.1 -f json | grep VulnerabilityID | wc -l
169

That is why html file is large.

It should print out vulns?

Right. The html template is used to display vulnerabilities and misconfigurations.

Regards, Dmitriy

[DmitriyLewen]

2024/06/20 23:28:08 INFO Loaded file_path=trivy.yaml

@Dentrax do you use template in trivy.yaml file?

[Dentrax]

There is no such template field in the trivy.yaml file.

[Dentrax]

It seems I can write arbitrary values in YAML format in the config file. FWIW, Trivy should do some "strict unmarshaling" while parsing the config file.

[DmitriyLewen]

@itaysk you was right.
I was able to reproduce this case and found problem:
/mattermost/client/8055.c2e8394446fd4bca58d8.js file contains stripe-publishable-token

/mattermost/client/8055.c2e8394446fd4bca58d8.js (secrets)
=========================================================
Total: 2 (UNKNOWN: 0, LOW: 2, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

LOW: Stripe (stripe-publishable-token)
════════════════════════════════════════════════════════════════════════════════
Stripe Publishable Key
────────────────────────────────────────────────────────────────────────────────
 /mattermost/client/8055.c2e8394446fd4bca58d8.js:1 (added by 'RUN |3 PUID=2000 PGID=2000 MM_PACKAGE=ht')
────────────────────────────────────────────────────────────────────────────────
   1 [ "use strict";(self.webpackChunkmattermost_webapp=self.webpackChunkmattermost_webapp||[]).push([[8055],{59713:(e,t,n)=>{n.d(

8055.c2e8394446fd4bca58d8.js is very large file, consisting of only 1 line.
Trivy includes full file in report (because Trivy shows secret line).

There are 3 solution for this case:

• skip /mattermost/client/8055.c2e8394446fd4bca58d8.js file
• use only vuln scanner (if you don't need to scan secrets) (use --scanners vuln)
• disable only Stripe Publishable Key secret - https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#disable-rules

[Dentrax]

Thanks, great finding! Looking from the UX perspective, end user may not know "what file to skip" or "disable specific rule". But it'd be nice if Trivy could parse only the "matched" line instead of printing out entire file content.

[DmitriyLewen]

Trivy only shows 3 lines: line with secret, one line before and one line after.
But this file is one big line...

[Dentrax]

Ah gotcha! What if particularly extract only matching words with Regex if line char count exceeds defined threshold?

[simar7]

Ah gotcha! What if particularly extract only matching words with Regex if line char count exceeds defined threshold?

Or to make it simpler we can just limit the displayed output.

[DmitriyLewen]

Track #6999

[fatihtokus]

Hi @Dentrax ,

I have good news for you. There is a trivy plugin out there and it tackles this problem. If you are interested give it a try:

1. trivy plugin install scan2html
2. trivy scan2html image docker.io/mattermost/mattermost-enterprise-edition:9.7.1 report.html