Open erzz opened 1 year ago
Hey,

I have a similar problem with license scanning. @erzz I think `license` should be passed to the `scanners` parameter and not `vuln-type`.

If I run Trivy locally with `trivy rootfs --scanners license .` or `trivy rootfs --config licence.yaml .` it works. But if I use the same configuration with the GitHub Action, Trivy scans for vulnerabilities instead. It also ignores the config file. There seems to be a bug.
Local output:

```
trivy rootfs --config licence.yaml .
2023-04-19T10:09:29.877+0200 INFO Loaded licence.yaml
2023-04-19T10:09:29.888+0200 INFO Full license scanning is enabled

Node.js (license)
...
```
Action output:

```
Run aquasecurity/trivy-action@0.9.2
with:
  format: table
  output: licenses.md
  exit-code: 1
  scan-type: rootfs
  scanners: license
  trivy-config: license.yaml
  scan-ref: .
  ignore-unfixed: false
  vuln-type: os,library
  severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
  list-all-pkgs: false
/usr/bin/docker run --name c04421f3d067f4aca45ff8d3252abb2922638_be1bc0 --label 6c0442 --workdir /github/workspace --rm -e "INPUT_FORMAT" -e "INPUT_OUTPUT" -e "INPUT_EXIT-CODE" -e "INPUT_SCAN-TYPE" -e "INPUT_SCANNERS" -e "INPUT_TRIVY-CONFIG" -e "INPUT_IMAGE-REF" -e "INPUT_INPUT" -e "INPUT_SCAN-REF" -e "INPUT_IGNORE-UNFIXED" -e "INPUT_VULN-TYPE" -e "INPUT_SEVERITY" -e "INPUT_TEMPLATE" -e "INPUT_SKIP-DIRS" -e "INPUT_SKIP-FILES" -e "INPUT_CACHE-DIR" -e "INPUT_TIMEOUT" -e "INPUT_IGNORE-POLICY" -e "INPUT_HIDE-PROGRESS" -e "INPUT_LIST-ALL-PKGS" -e "INPUT_TRIVYIGNORES" -e "INPUT_ARTIFACT-TYPE" -e "INPUT_GITHUB-PAT" -e "INPUT_LIMIT-SEVERITIES-FOR-SARIF" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_REPOSITORY_OWNER_ID" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_REPOSITORY_ID" -e "GITHUB_ACTOR_ID" -e "GITHUB_ACTOR" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKFLOW_REF" -e "GITHUB_WORKFLOW_SHA" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "GITHUB_STATE" -e "GITHUB_OUTPUT" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e "ACTIONS_ID_TOKEN_REQUEST_URL" -e "ACTIONS_ID_TOKEN_REQUEST_TOKEN" -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/backend/backend":"/github/workspace" 6c0442:1f3d067f4aca45ff8d3252abb2922638 "-a rootfs" "-b table" "-c " "-d 1" "-e false" "-f os,library" "-g UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" "-h licenses.md" "-i " "-j ." "-k " "-l " "-m " "-n " "-o " "-p " "-q " "-r false" "-s license" "-t " "-u " "-v license.yaml" "-z "
Running Trivy with trivy.yaml config from: license.yaml
2023-04-19T08:01:00.052Z INFO Need to update DB
2023-04-19T08:01:00.052Z INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2023-04-19T08:01:00.052Z INFO Downloading DB...
36.59 MiB / 36.59 MiB [-------------------------------------------------] 100.00% 21.68 MiB p/s 1.9s
2023-04-19T08:01:02.522Z INFO Vulnerability scanning is enabled
2023-04-19T08:01:02.522Z INFO Secret scanning is enabled
2023-04-19T08:01:02.522Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-04-19T08:01:02.522Z INFO Please see also https://aquasecurity.github.io/trivy/v0.38/docs/secret/scanning/#recommendation for faster secret detection
2023-04-19T08:01:13.008Z INFO Number of language-specific files: 45
2023-04-19T08:01:13.008Z INFO Detecting gobinary vulnerabilities...
2023-04-19T08:01:13.008Z INFO Detecting gomod vulnerabilities...
2023-04-19T08:01:13.256Z INFO Detecting node-pkg vulnerabilities...
...
```
Config file:

```yaml
format: table
exit-code: 1
license:
  full: true
scan:
  scanners:
    - license
```
@PeterBurner thanks! You are right, and it feels like something is working a little better by combining the two config methods (I am also using a later version, v0.11.2).
Currently I am trying:

```yaml
- name: Trivy License Scan
  uses: aquasecurity/trivy-action@0.11.2
  with:
    image-ref: ''
    scan-type: rootfs
    scanners: license
    exit-code: 1
    trivy-config: ospo.yml
    scan-ref: ${{ inputs.scan-directory }}
    severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
    format: table
```

WITH the additional config file found here: https://github.com/erzz/configs/blob/main/configs/trivy-ospo-licenses.yml
The success part is that I do get it to scan for licenses:

```
Run aquasecurity/trivy-action@0.11.2
with:
  scan-type: rootfs
  scanners: license
  exit-code: 1
  trivy-config: ospo.yml
  scan-ref: ./
  ignore-unfixed: false
  vuln-type: library
  severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
  format: table
  list-all-pkgs: false
```
resulting in (shortened):

```
Node.js (license)
=================
Total: 1396 (UNKNOWN: 17, LOW: 1376, MEDIUM: 3, HIGH: 0, CRITICAL: 0)

┌──────────────────────────────────────────────────────────────┬─────────────────────────────────────┬────────────────┬──────────┐
│                           Package                            │               License               │ Classification │ Severity │
├──────────────────────────────────────────────────────────────┼─────────────────────────────────────┼────────────────┼──────────┤
│ commondir                                                    │ MIT                                 │ notice         │ LOW      │
├──────────────────────────────────────────────────────────────┼─────────────────────────────────────┤                │          │
│ filesize                                                     │ BSD-3-Clause                        │                │          │
├──────────────────────────────────────────────────────────────┤                                     │                │          │
│ rtl-detect                                                   │                                     │                │          │
├──────────────────────────────────────────────────────────────┼─────────────────────────────────────┤                │          │
│ classnames                                                   │ MIT                                 │                │          │
├──────────────────────────────────────────────────────────────┤                                     │                │          │
│ postcss-selector-parser                                      │                                     │                │          │
├──────────────────────────────────────────────────────────────┤                                     │                │          │
│ regexpu-core                                                 │                                     │                │          │
```
So that is progress!

The issues are that:

- `image-ref:` is a mandatory input 😆 so I need to set it to `''`
- `exit-code:` doesn't work - it always returns zero. In the example above it should be failing on the 3 MEDIUM licenses but it doesn't.

So that's like 3 separate bugs I see that need to be fixed. I guess both exit code and the reporting are not considering license findings.
Stillllll messy, but it seems like there are some conflicts between the action and the config. Use of a config file seems to cause the action to ignore any inputs, and thus default values are passed through instead for many things (like exit code) but not others (like format).

The thing is we need to pass a config for a long custom license list.

So reducing the inputs to the bare minimum:

```yaml
with:
  image-ref: ''
  scan-type: rootfs
  trivy-config: ospo.yml
  scan-ref: ${{ inputs.scan-directory }}
```

and throwing everything else into a trivy.yaml as mentioned in the previous post seems to at least get the job to fail when it should.
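For readers landing here with the same goal, the following is a complete pairing of a workflow step and a `trivy.yaml` that applies the workaround described in the comment above: the action receives only the scan type, the target and the config path, while the scanner selection, severity threshold, exit code, output file and license policy all live in the config file so the two cannot disagree. This is an added illustration written for this page, not code from the thread, from trivy-action or from the linked `ospo.yml`. The `scan.scanners` and `license.full` keys match the config shown earlier in the thread; the `license.forbidden` / `restricted` / `reciprocal` / `notice` / `ignored` lists, the category-to-severity mapping noted in the comments, and the use of `actions/upload-artifact` to keep the report when the step fails are assumptions drawn from my reading of the Trivy config-file and license-scanning docs and should be checked against the Trivy version in use. The license lists are placeholders, not a recommended policy.

```yaml
# .github/workflows/licenses.yml  (added example, not the project's code)
name: license-scan
on: [pull_request]

jobs:
  licenses:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Keep the action inputs to the bare minimum so they do not fight with
      # the config file: scan type, target and the config path. Scanners,
      # severity, exit code and output are all set in trivy.yaml below.
      - name: Trivy license scan
        uses: aquasecurity/trivy-action@0.11.2
        with:
          image-ref: ''          # required input in this version; unused for rootfs
          scan-type: rootfs
          scan-ref: .
          trivy-config: trivy.yaml

      # Upload the table even when the scan step fails the job
      # (assumed: actions/upload-artifact honours if: always()).
      - uses: actions/upload-artifact@v4
        if: always()
        with:
          name: licenses
          path: licenses.md
---
# trivy.yaml  (added example; license.* category keys assumed from the Trivy docs)
format: table
output: licenses.md
exit-code: 1                      # fail the job when any finding at or above `severity` exists
severity: MEDIUM,HIGH,CRITICAL    # reciprocal and stricter; notice/permissive map to LOW

scan:
  scanners:
    - license                     # license only: no vuln or secret scanning in this job

license:
  full: true                      # also look at loose license files, not only package metadata
  # Assumed category -> severity mapping: forbidden=CRITICAL, restricted=HIGH,
  # reciprocal=MEDIUM, notice/permissive/unencumbered=LOW, unclassified=UNKNOWN.
  # The lists below are illustrative placeholders, not a recommended policy.
  forbidden:
    - AGPL-1.0
    - AGPL-3.0
  restricted:
    - GPL-2.0
    - GPL-3.0
    - LGPL-2.1
    - LGPL-3.0
  reciprocal:
    - MPL-2.0
    - EPL-2.0
  notice:
    - Apache-2.0
    - BSD-2-Clause
    - BSD-3-Clause
    - MIT
    - ISC
  ignored:
    - 0BSD
```

With `severity` set to `MEDIUM,HIGH,CRITICAL` and `exit-code: 1`, a run like the one shown above (3 MEDIUM findings) exits non-zero, which is the behaviour the comment reports getting only once the inputs were trimmed down. Running `trivy rootfs --config trivy.yaml .` locally with the same file is the quickest way to confirm the policy before wiring it into the action.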
For the SARIF issue - it's not supported, but there is an open PR for it in the trivy project: https://github.com/aquasecurity/trivy/pull/4866
This may be resolved by the recent change to a composite action: https://github.com/aquasecurity/trivy-action/pull/399
Thanks @cbandy
I think there is perhaps a related regression too - cross-posting here for visibility https://github.com/aquasecurity/trivy/discussions/7701
It seems to me that the action is limited to only the scanners `os` and `library`? Passing other valid types such as `license` is not possible. Not sure if this is because you want to ensure that all the possible combinations of scan type and scanners would work?

results in

```
2023-03-10T10:37:29.230Z WARN unknown vulnerability type: license
```