aquasecurity / trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
https://aquasecurity.github.io/trivy
Apache License 2.0

Yarn.lock files from node_modules are getting scanned which should not happen #1283

Closed ResuBaka closed 1 year ago

ResuBaka commented 3 years ago

Description

In version 0.19.2 only the top-level yarn.lock in a project was scanned, but now even the yarn.lock files from node_modules get scanned and reported, which leads to wrong reports, as the installed version of a package is different from the one in the node_modules one.

What did you expect to happen?

Do not scan node_modules yarn.lock files.

What happened instead?

Yarn.lock files are getting scanned from node_modules.

Output of run with -debug:

trivy -debug fs --exit-code 1 --severity CRITICAL    . 
2021-10-07T14:36:46.450+0200      DEBUG    Severities: CRITICAL
2021-10-07T14:36:46.452+0200    DEBUG    cache dir:  /home/resubaka/.cache/trivy
2021-10-07T14:36:46.452+0200    DEBUG    DB update was skipped because DB was downloaded during the last hour
2021-10-07T14:36:46.452+0200    DEBUG    DB Schema: 1, Type: 1, UpdatedAt: 2021-10-07 06:05:11.101349224 +0000 UTC, NextUpdate: 2021-10-07 12:05:11.101348724 +0000 UTC, DownloadedAt: 2021-10-07 11:53:23.050582248 +0000 UTC
2021-10-07T14:36:46.452+0200    DEBUG    Vulnerability type:  [os library]
2021-10-07T14:36:46.720+0200    DEBUG    OS is not detected and vulnerabilities in OS packages are not detected.
2021-10-07T14:36:46.720+0200    DEBUG    Detected OS: unknown
2021-10-07T14:36:46.720+0200    INFO     Number of language-specific files: 12
2021-10-07T14:36:46.720+0200    INFO     Detecting yarn vulnerabilities...
2021-10-07T14:36:46.720+0200    DEBUG    Detecting library vulnerabilities, type: yarn, path: node_modules/eslint-plugin-vue-storefront/yarn.lock
2021-10-07T14:36:46.722+0200    DEBUG    Detecting library vulnerabilities, type: yarn, path: node_modules/uri-js/yarn.lock
2021-10-07T14:36:46.726+0200    INFO     Detecting bundler vulnerabilities...
2021-10-07T14:36:46.726+0200    DEBUG    Detecting library vulnerabilities, type: bundler, path: node_modules/@paypal/checkout-server-sdk/samples/node_modules/@paypal/paypalhttp/Gemfile.lock
2021-10-07T14:36:46.726+0200    DEBUG    Detecting library vulnerabilities, type: bundler, path: node_modules/@paypal/paypalhttp/Gemfile.lock
2021-10-07T14:36:46.727+0200    DEBUG    Detecting library vulnerabilities, type: yarn, path: node_modules/combined-stream/yarn.lock
2021-10-07T14:36:46.727+0200    DEBUG    Detecting library vulnerabilities, type: yarn, path: node_modules/magento2-rest-client/node_modules/form-data/yarn.lock
2021-10-07T14:36:46.732+0200    DEBUG    Detecting library vulnerabilities, type: yarn, path: node_modules/passport-azure-ad/node_modules/form-data/yarn.lock
2021-10-07T14:36:46.737+0200    DEBUG    Detecting library vulnerabilities, type: yarn, path: node_modules/redis-tag-cache/yarn.lock
2021-10-07T14:36:46.745+0200    DEBUG    Detecting library vulnerabilities, type: yarn, path: node_modules/request/node_modules/form-data/yarn.lock
2021-10-07T14:36:46.750+0200    DEBUG    Detecting library vulnerabilities, type: yarn, path: node_modules/elasticdump/node_modules/form-data/yarn.lock
2021-10-07T14:36:46.755+0200    DEBUG    Detecting library vulnerabilities, type: yarn, path: node_modules/magento1-vsbridge-client/node_modules/form-data/yarn.lock
2021-10-07T14:36:46.760+0200    DEBUG    Detecting library vulnerabilities, type: yarn, path: yarn.lock
.....

Output of trivy -v:

Version: 0.20.0
Vulnerability DB:
  Type: Light
  Version: 1
  UpdatedAt: 2021-10-07 06:05:11.101349224 +0000 UTC
  NextUpdate: 2021-10-07 12:05:11.101348724 +0000 UTC
  DownloadedAt: 2021-10-07 11:53:23.050582248 +0000 UTC

jsjoeio commented 3 years ago

Any updates on this? We're experiencing this as well.

RolphH commented 2 years ago

I'm having the same issue. Any update would be nice. I saw this was fixed for the vendor folder: https://github.com/aquasecurity/trivy/issues/147

github-actions[bot] commented 2 years ago

This issue is stale because it has been labeled with inactivity.

kgeorgiou commented 2 years ago

A workaround for this is to utilize the --skip-dirs flag to skip directories:

$ trivy fs . --skip-dirs node_modules
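To make the effect of the workaround concrete, here is an added Go example (not Trivy's own code) that applies the same idea to the debug output quoted above: it pulls the `path:` field out of each "Detecting library vulnerabilities" line and drops every lock file that sits under a `node_modules` directory component. The log lines are constructed from the ones in the report, and `lockfilePath`, `underSkippedDir` and `scannableLockfiles` are names chosen for this example.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Constructed debug lines, modelled on the output quoted in the issue (not real scan output).
const debugLog = `DEBUG    Detecting library vulnerabilities, type: yarn, path: node_modules/eslint-plugin-vue-storefront/yarn.lock
DEBUG    Detecting library vulnerabilities, type: bundler, path: node_modules/@paypal/paypalhttp/Gemfile.lock
DEBUG    Detecting library vulnerabilities, type: yarn, path: yarn.lock
DEBUG    Detecting library vulnerabilities, type: yarn, path: packages/api/yarn.lock`

// lockfilePath extracts the "path: ..." field from a debug line, or "" if there is none.
func lockfilePath(line string) string {
	const marker = "path: "
	i := strings.LastIndex(line, marker)
	if i < 0 {
		return ""
	}
	return strings.TrimSpace(line[i+len(marker):])
}

// underSkippedDir reports whether any directory component of path equals a skipped
// name. Matching whole components means "node_modules_extra/" is not skipped.
func underSkippedDir(path string, skipDirs []string) bool {
	for _, comp := range strings.Split(filepath.ToSlash(filepath.Dir(path)), "/") {
		for _, skip := range skipDirs {
			if comp == skip {
				return true
			}
		}
	}
	return false
}

// scannableLockfiles returns the lock files from the log that survive the filter,
// i.e. the set that --skip-dirs node_modules leaves to be scanned.
func scannableLockfiles(log string, skipDirs []string) []string {
	var keep []string
	for _, line := range strings.Split(log, "\n") {
		if p := lockfilePath(line); p != "" && !underSkippedDir(p, skipDirs) {
			keep = append(keep, p)
		}
	}
	return keep
}

func main() {
	fmt.Println(scannableLockfiles(debugLog, []string{"node_modules"})) // [yarn.lock packages/api/yarn.lock]
}
```

Only the project's own yarn.lock and the nested workspace lock file remain; vendored copies under node_modules are excluded, which is exactly what the reporter asked for.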

knqyf263 commented 1 year ago

Was fixed a long time ago