Trivy output split "target" into "target" and "system"

[mrueg]

Target currently consists of the image name and the detected system in parentheses. This makes it harder to parse when using the json bits.

Can we split this up into two variables in the report struct?

"Target" to maintain compatibility containing the scanned image name
and a new variable "system" or "operating_system" with the detected system that was in parentheses.

[knqyf263]

It sounds a nice idea. Also, we need to think of application dependencies such as Gemfile.lock and package-lock.json.

[mrueg]

Or maybe the other way around, keep target and add an imagename to the struct?

[knqyf263]

In that case, you can't get an OS name. Does it work for you?

[mrueg]

I'm trying to map something to the keys specified in Gitlab's container scanning report json - vulnerabilities[].location.operating_system The operating system that contains the vulnerable package.
and
vulnerabilities[].location.image | The Docker image that was analyzed. Optional.

Target seems to contain both.

An Image key from trivy could map easily to .image.
The Target key could provide info on the Operating System, Language-level Package Manager, etc.

See:
https://docs.gitlab.com/ee/user/application_security/container_scanning/#reports-json-format

[heidemn]

What about something like the following.
(Optionally, TargetType + TargetSubType could be merged.)

// Target = Debian packages in Ubuntu image
TargetImage:    "repo.org/image:1.2.3",
TargetType:     "OS",
TargetSubType:  "dpkg",
TargetOS:       "ubuntu 18.04"

// Target = NPM application dependencies
TargetImage:    "repo.org/image:1.2.3",
TargetType:     "AppDependencies",
TargetSubType:  "npm",
TargetFile:     "/app/package-lock.json"