aquasecurity / trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
https://aquasecurity.github.io/trivy
Apache License 2.0

HTML template missing target names for go, npm, python/pip, java pom.xml, config files #1556

Closed jpinkham closed 3 months ago

jpinkham commented 2 years ago

For many different types of files being scanned, the target names are not being reported in the HTML template, only the type of file. This makes it impossible to know which file contains the vulnerabilities and/or misconfigurations that were found.

I happened to have a local clone of https://github.com/docker/awesome-compose available, which is good for scanning because it contains files of multiple types (except golang). I've attached the JSON output of the scan and the HTML output for comparison (for some reason GH doesn't support HTML or JSON file attachments... so I gzip'd them). I attached the Trivy results of Trivy itself as well, since it contains golang examples plus lots of config files.

And here's some screenshots of the lack of Target name:

[Screenshots: Trivy_HTML_report_AwesomeCompose, Trivy_HTML_report_trivy_itself]

awesome-compose.html.gz awesome-compose.json.gz trivy_results_of_trivy_itself.json.gz trivy_results_of_trivy_itself.html.gz

NOTE: These reports were generated with Trivy v0.22.0

jpinkham commented 2 years ago

I've taken a first pass at tweaking the template to increase readability. This round was more about determining what data I can add to the page, vs fussing too much with styling. Feedback is welcome

[Screenshots: Trivy_HTML_report_trivy_itself__first_pass_html_reportchanges, Trivy_HTML_report_trivy_itself__first_pass_html_reportchanges-2]

frjonsen commented 2 years ago

Was also facing this issue, where we scan a large number of .NET projects at the same time, and each project would only get the header "nuget". Would be great to see the modifications by @jpinkham implemented.

afdesk commented 2 years ago

@frjonsen you can use any custom templates for trivy results:

$ trivy image --format template --template @path/to/custom/html.tpl --output result.html alpine:latest

it seems that @jpinkham's changes are here: https://github.com/aquasecurity/trivy/commit/7b4fb9daadffa758337a9042ff37b057b602a772
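
As an added example, not code from Trivy or from anyone in this thread: the Go program below renders a constructed Trivy-style JSON report through two small text/template fragments. The first prints only `.Type` in the group header, which is the behaviour the screenshots above show (every npm lockfile collapses into a single "npm" heading); the second prints `.Target` next to the type, so two package-lock.json files in different directories become distinguishable. The report contents, package names and vulnerability IDs (`EXAMPLE-000x`) are constructed. The templates follow the shape of Trivy's html.tpl (a group-header row per result, an `escapeXML` helper, the Results slice as the template root) but are not copies of it, and `escapeXML` is implemented here with `html.EscapeString`, which is an assumption about equivalence.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"html"
	"text/template"
)

// Subset of Trivy's JSON report (SchemaVersion 2): only the fields the
// templates below use. Declared here for the example, not Trivy's own types.
type Vulnerability struct {
	VulnerabilityID  string
	PkgName          string
	InstalledVersion string
	FixedVersion     string
	Severity         string
	Title            string
}

type Result struct {
	Target          string // file (or image layer) that was scanned
	Class           string // e.g. lang-pkgs, os-pkgs, config
	Type            string // e.g. npm, gomod, pip
	Vulnerabilities []Vulnerability
}

type Report struct {
	SchemaVersion int
	ArtifactName  string
	ArtifactType  string
	Results       []Result
}

// sampleJSON is a constructed report: two npm lockfiles of the same Type in
// different directories plus one go.mod. All IDs and package names are fake.
const sampleJSON = `{
  "SchemaVersion": 2, "ArtifactName": "monorepo", "ArtifactType": "filesystem",
  "Results": [
    {"Target": "services/api/package-lock.json", "Class": "lang-pkgs", "Type": "npm",
     "Vulnerabilities": [{"VulnerabilityID": "EXAMPLE-0001", "PkgName": "left-pad-ish",
       "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "HIGH",
       "Title": "constructed finding #1"}]},
    {"Target": "services/web/package-lock.json", "Class": "lang-pkgs", "Type": "npm",
     "Vulnerabilities": [{"VulnerabilityID": "EXAMPLE-0002", "PkgName": "deep-merge-ish",
       "InstalledVersion": "2.3.0", "FixedVersion": "2.3.1", "Severity": "CRITICAL",
       "Title": "constructed finding with <b>markup</b> in the title"}]},
    {"Target": "services/api/go.mod", "Class": "lang-pkgs", "Type": "gomod",
     "Vulnerabilities": [{"VulnerabilityID": "EXAMPLE-0003", "PkgName": "example.com/lib",
       "InstalledVersion": "v0.1.0", "FixedVersion": "v0.1.1", "Severity": "MEDIUM",
       "Title": "constructed finding #3"}]}
  ]
}`

// Row template shared by both variants; every user-controlled string goes
// through escapeXML so package metadata cannot inject markup into the report.
const rowsTemplate = `
{{- range .Vulnerabilities }}
<tr><td>{{ escapeXML .PkgName }}</td><td>{{ escapeXML .VulnerabilityID }}</td><td>{{ .Severity }}</td><td>{{ escapeXML .InstalledVersion }}</td><td>{{ escapeXML .FixedVersion }}</td><td>{{ escapeXML .Title }}</td></tr>
{{- end }}
{{- end }}`

// typeOnlyTemplate reproduces the problem: the header carries only the type.
const typeOnlyTemplate = `{{- range . }}
<tr class="group-header"><th colspan="6">{{ escapeXML .Type }}</th></tr>` + rowsTemplate

// targetTemplate is the fix: the header names the scanned file, then the type.
const targetTemplate = `{{- range . }}
<tr class="group-header"><th colspan="6">{{ escapeXML .Target }} ({{ escapeXML .Type }})</th></tr>` + rowsTemplate

// LoadSample parses the constructed report.
func LoadSample() (Report, error) {
	var r Report
	err := json.Unmarshal([]byte(sampleJSON), &r)
	return r, err
}

// render executes tmplText with the Results slice as the root object,
// mirroring how Trivy hands results to a --template file.
func render(tmplText string, r Report) (string, error) {
	funcs := template.FuncMap{"escapeXML": html.EscapeString} // assumption: stands in for Trivy's helper
	t, err := template.New("report").Funcs(funcs).Parse(tmplText)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, r.Results); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func RenderTypeOnly(r Report) (string, error)   { return render(typeOnlyTemplate, r) }
func RenderWithTarget(r Report) (string, error) { return render(targetTemplate, r) }

func main() {
	r, err := LoadSample()
	if err != nil {
		panic(err)
	}
	a, _ := RenderTypeOnly(r)
	b, _ := RenderWithTarget(r)
	fmt.Println("--- type only (ambiguous) ---" + a)
	fmt.Println("--- with target ---" + b)
}
```

To use the same idea against a real scan, put the full HTML document around a `.Target`-bearing header in a template file and run Trivy with `--format template --template @./custom.tpl --output report.html` (the `trivy image` form is shown in the comment above; `trivy fs` accepts the same flags). Keep every field that originates from the scanned artifact inside `escapeXML`, since package names and advisory titles are untrusted input to the report.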

jpinkham commented 2 years ago

@afdesk and @frjonsen : thank you for providing the impetus to stop futzing with the template and finally submit a PR with my changes. Hopefully https://github.com/aquasecurity/trivy/pull/1741 will be reviewed soon.

github-actions[bot] commented 2 years ago

This issue is stale because it has been labeled with inactivity.

jpvg10 commented 2 years ago

I think this shouldn't be closed, I'd like to see this fixed at some point... And the PR hasn't been merged yet

huornlmj commented 1 year ago

Same issue here - please merge the PR

huornlmj commented 1 year ago

This also applies when using Trivy's misconfiguration scanning AND filesystem scanning features.

github-actions[bot] commented 1 year ago

This issue is stale because it has been labeled with inactivity.

huornlmj commented 1 year ago

Ping to keep this active. This is the official bundled HTML template and it's never worked properly. I think this should be fixed.

itaysk commented 1 year ago

Hi @huornlmj, we have a plan to extract the non-essential output options out of trivy so that the community can develop it, therefore we are reluctant to invest in these areas right now. related: https://github.com/aquasecurity/trivy/discussions/4451

github-actions[bot] commented 1 year ago

This issue is stale because it has been labeled with inactivity.

huornlmj commented 1 year ago

Still an issue

huornlmj commented 3 months ago

Still an issue - quietly longing for this fix as I believe it would be one of those "missing puzzle piece" feature fixes!

itaysk commented 3 months ago

@huornlmj I'm sorry but we have no intention to maintain the HTML template in-tree, most likely we will remove it. I would advise people interested in an HTML output to either copy the html from Trivy and tweak it, or make the request with one of the existing plugins such as https://github.com/fatihtokus/scan2html