NPM: Development dependency were not completely excluded from trivy scan using the default trivy fs . command

[gobardhan]

Description

As per the trivy documentation By default, Trivy doesn't report development dependencies So ideally no vulnerability should be highlighted related to Development dependencies neither for the extraneous packages which are related to development dependencies.

Desired Behavior

Running trivy fs command (without flag --include-dev-deps) should not scan any extraneous (indirect) dependencies which are related to development dependencies

Actual Behavior

Running trivy fs command scans those indirect dependencies which are marked as extraneous in package-lock.json like:
"node_modules/@salesforce/cli/node_modules/@aws-sdk/client-cloudfront/node_modules/fast-xml-parser": { "version": "4.2.5", "resolved": "https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-4.2.5.tgz", "extraneous": true,

Reproduction Steps

1.Create a npm project with only Development Dependencies like: "devDependencies": {	"@salesforce/cli": "2.25.7"	}
2.Run `npm install`
3.Run trivy fs .
...

Target

Filesystem

Scanner

None

Output Format

None

Mode

Standalone

Debug Output

govardhan@Govardhan-Kumar:~/projects/tmp/tmpextraneous$ trivy fs . --debug
2024-09-13T22:04:39+05:30       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-09-13T22:04:39+05:30       DEBUG   Ignore statuses statuses=[]
2024-09-13T22:04:39+05:30       DEBUG   Cache dir       dir="/home/govardhan/.cache/trivy"
2024-09-13T22:04:39+05:30       DEBUG   DB update was skipped because the local DB is the latest
2024-09-13T22:04:39+05:30       DEBUG   DB info schema=2 updated_at=2024-09-13T12:12:21.448692961Z next_update=2024-09-13T18:12:21.4486927Z downloaded_at=2024-09-13T15:52:29.586287806Z
2024-09-13T22:04:39+05:30       INFO    Vulnerability scanning is enabled
2024-09-13T22:04:39+05:30       DEBUG   Vulnerability type      type=[os library]
2024-09-13T22:04:39+05:30       INFO    Secret scanning is enabled
2024-09-13T22:04:39+05:30       INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-13T22:04:39+05:30       INFO    Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-09-13T22:04:39+05:30       DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-09-13T22:04:39+05:30       DEBUG   [secret] No secret config detected      config_path="trivy-secret.yaml"
2024-09-13T22:04:39+05:30       DEBUG   [nuget] The nuget packages directory couldn't be found. License search disabled
2024-09-13T22:04:40+05:30       DEBUG   Walk error      file_path="node_modules/@salesforce/cli/node_modules/jsforce/node_modules/rxjs/ajax/package.json" err="unable to parse \"node_modules/@salesforce/cli/node_modules/jsforce/node_modules/rxjs/ajax/package.json\": Name can only contain URL-friendly characters"
2024-09-13T22:04:40+05:30       DEBUG   Walk error      file_path="node_modules/@salesforce/cli/node_modules/jsforce/node_modules/rxjs/fetch/package.json" err="unable to parse \"node_modules/@salesforce/cli/node_modules/jsforce/node_modules/rxjs/fetch/package.json\": Name can only contain URL-friendly characters"
2024-09-13T22:04:40+05:30       DEBUG   Walk error      file_path="node_modules/@salesforce/cli/node_modules/jsforce/node_modules/rxjs/internal-compatibility/package.json" err="unable to parse \"node_modules/@salesforce/cli/node_modules/jsforce/node_modules/rxjs/internal-compatibility/package.json\": Name can only contain URL-friendly characters"
2024-09-13T22:04:40+05:30       DEBUG   Walk error      file_path="node_modules/@salesforce/cli/node_modules/jsforce/node_modules/rxjs/operators/package.json" err="unable to parse \"node_modules/@salesforce/cli/node_modules/jsforce/node_modules/rxjs/operators/package.json\": Name can only contain URL-friendly characters"
2024-09-13T22:04:40+05:30       DEBUG   Walk error      file_path="node_modules/@salesforce/cli/node_modules/jsforce/node_modules/rxjs/src/ajax/package.json" err="unable to parse \"node_modules/@salesforce/cli/node_modules/jsforce/node_modules/rxjs/src/ajax/package.json\": Name can only contain URL-friendly characters"
2024-09-13T22:04:40+05:30       DEBUG   Walk error      file_path="node_modules/@salesforce/cli/node_modules/jsforce/node_modules/rxjs/src/fetch/package.json" err="unable to parse \"node_modules/@salesforce/cli/node_modules/jsforce/node_modules/rxjs/src/fetch/package.json\": Name can only contain URL-friendly characters"
2024-09-13T22:04:40+05:30       DEBUG   Walk error      file_path="node_modules/@salesforce/cli/node_modules/jsforce/node_modules/rxjs/src/internal-compatibility/package.json" err="unable to parse \"node_modules/@salesforce/cli/node_modules/jsforce/node_modules/rxjs/src/internal-compatibility/package.json\": Name can only contain URL-friendly characters"
2024-09-13T22:04:40+05:30       DEBUG   Walk error      file_path="node_modules/@salesforce/cli/node_modules/jsforce/node_modules/rxjs/src/operators/package.json" err="unable to parse \"node_modules/@salesforce/cli/node_modules/jsforce/node_modules/rxjs/src/operators/package.json\": Name can only contain URL-friendly characters"
2024-09-13T22:04:40+05:30       DEBUG   Walk error      file_path="node_modules/@salesforce/cli/node_modules/jsforce/node_modules/rxjs/src/testing/package.json" err="unable to parse \"node_modules/@salesforce/cli/node_modules/jsforce/node_modules/rxjs/src/testing/package.json\": Name can only contain URL-friendly characters"
2024-09-13T22:04:40+05:30       DEBUG   Walk error      file_path="node_modules/@salesforce/cli/node_modules/jsforce/node_modules/rxjs/src/webSocket/package.json" err="unable to parse \"node_modules/@salesforce/cli/node_modules/jsforce/node_modules/rxjs/src/webSocket/package.json\": Name can only contain URL-friendly characters"
2024-09-13T22:04:40+05:30       DEBUG   Walk error      file_path="node_modules/@salesforce/cli/node_modules/jsforce/node_modules/rxjs/testing/package.json" err="unable to parse \"node_modules/@salesforce/cli/node_modules/jsforce/node_modules/rxjs/testing/package.json\": Name can only contain URL-friendly characters"
2024-09-13T22:04:40+05:30       DEBUG   Walk error      file_path="node_modules/@salesforce/cli/node_modules/jsforce/node_modules/rxjs/webSocket/package.json" err="unable to parse \"node_modules/@salesforce/cli/node_modules/jsforce/node_modules/rxjs/webSocket/package.json\": Name can only contain URL-friendly characters"
2024-09-13T22:04:40+05:30       DEBUG   Walk error      file_path="node_modules/@salesforce/cli/node_modules/rxjs/ajax/package.json" err="unable to parse \"node_modules/@salesforce/cli/node_modules/rxjs/ajax/package.json\": Name can only contain URL-friendly characters"
2024-09-13T22:04:40+05:30       DEBUG   Walk error      file_path="node_modules/@salesforce/cli/node_modules/rxjs/fetch/package.json" err="unable to parse \"node_modules/@salesforce/cli/node_modules/rxjs/fetch/package.json\": Name can only contain URL-friendly characters"
2024-09-13T22:04:40+05:30       DEBUG   Walk error      file_path="node_modules/@salesforce/cli/node_modules/rxjs/operators/package.json" err="unable to parse \"node_modules/@salesforce/cli/node_modules/rxjs/operators/package.json\": Name can only contain URL-friendly characters"
2024-09-13T22:04:40+05:30       DEBUG   Walk error      file_path="node_modules/@salesforce/cli/node_modules/rxjs/testing/package.json" err="unable to parse \"node_modules/@salesforce/cli/node_modules/rxjs/testing/package.json\": Name can only contain URL-friendly characters"
2024-09-13T22:04:40+05:30       DEBUG   Walk error      file_path="node_modules/@salesforce/cli/node_modules/rxjs/webSocket/package.json" err="unable to parse \"node_modules/@salesforce/cli/node_modules/rxjs/webSocket/package.json\": Name can only contain URL-friendly characters"
2024-09-13T22:04:40+05:30       DEBUG   [npm] Unable to resolve the version     name="fsevents" version="~2.3.2"
2024-09-13T22:04:40+05:30       DEBUG   OS is not detected.
2024-09-13T22:04:40+05:30       INFO    Suppressing dependencies for development and testing. To display them, try the '--include-dev-deps' flag.
2024-09-13T22:04:40+05:30       DEBUG   Detected OS: unknown
2024-09-13T22:04:40+05:30       INFO    Number of language-specific files       num=1
2024-09-13T22:04:40+05:30       INFO    [npm] Detecting vulnerabilities...
2024-09-13T22:04:40+05:30       DEBUG   [npm] Scanning packages for vulnerabilities     file_path="package-lock.json"

package-lock.json (npm)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

┌─────────────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────────────────────────┬──────────────────────────────────────────────────────────────┐
│     Library     │ Vulnerability  │ Severity │ Status │ Installed Version │           Fixed Version            │                            Title                             │
├─────────────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ fast-xml-parser │ CVE-2024-41818 │ HIGH     │ fixed  │ 4.2.5             │ 4.4.1                              │ fast-xml-parser: ReDOS at currency parsing in currency.js    │
│                 │                │          │        │                   │                                    │ https://avd.aquasec.com/nvd/cve-2024-41818                   │
├─────────────────┼────────────────┤          │        ├───────────────────┼────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ path-to-regexp  │ CVE-2024-45296 │          │        │ 1.8.0             │ 1.9.0, 0.1.10, 8.0.0, 3.3.0, 6.3.0 │ path-to-regexp: Backtracking regular expressions cause ReDoS │
│                 │                │          │        │                   │                                    │ https://avd.aquasec.com/nvd/cve-2024-45296                   │

Operating System

Ubuntu 22.04.4 LTS

Version

trivy --version
Version: 0.52.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-09-13 12:12:21.448692961 +0000 UTC
  NextUpdate: 2024-09-13 18:12:21.4486927 +0000 UTC
  DownloadedAt: 2024-09-13 15:52:29.586287806 +0000 UTC
Check Bundle:
  Digest: sha256:ef2d9ad4fce0f933b20a662004d7e55bf200987c180e7f2cd531af631f408bb3
  DownloadedAt: 2024-09-10 14:57:43.78036929 +0000 UTC

Checklist

• Run trivy clean --all
• Read the troubleshooting

[gobardhan]

I have verified that same behaviour exits at latest version of trivy: Version: 0.55.1

[DmitriyLewen]

Hello @gobardhan
Thanks for your interest to Trivy!

Trivy's current logic is:
Detect all dependencies and exclude developers when generating a report.
We are working on updating this logic.
For more information, see #7476.

Regards, Dmitriy