Closed multani closed 1 year ago
This issue is stale because it has been labeled with inactivity.
Still valid
This issue is stale because it has been labeled with inactivity.
This is due to the `ToPathUri` which assumes that everything passed to it is a Docker image: https://github.com/aquasecurity/trivy/blob/d99a7b82f7798c7bd9ee1ad088a4e480a628babb/pkg/report/sarif_test.go#L368-L393
We're trying to configure trivy as a custom blocking linter and this issue is making it difficult for us to continue since trivy is returning bad paths in the output. Wondering if there were plans to fix this?
@shayaun-voxel I'm passively having a look. It mostly comes from this change IMO, but I haven't found what a proper fix would be yet.
It's interesting. I'd take a look at this function: https://github.com/aquasecurity/trivy/blob/main/pkg/report/sarif.go#L273-L284
I'll do it when I have more time.
Description
I'm testing the SARIF output on various repositories, and it seems in some cases, Trivy prepends the artifact locations with a `library/` prefix. This results in a location which is not the right one and I don't see an obvious way to reconstruct the location correctly. For example, in this sample repository https://github.com/multani/sarif-sample-python:
Running `trivy fs --format sarif .` returns the following artifact locations (there are several of them, this is just a sample):
Although the `requirements.txt` file is at the root of the repository, there's an additional `library/` in front of it. This can be tested using:
In the same repository, running the `config` Trivy command doesn't produce the same kind of location:
and this one is actually good IMO:
What did you expect to happen?
I expect the location of the artifact to be correct, relative to where Trivy was run.
What happened instead?
In some cases (with the `fs` command, at least), the location is prefixed with a `library/` prefix.
Output of run with `-debug`:
Output of `trivy -v`:
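While the report paths carry the `library/` prefix described above, a CI consumer that blocks on Trivy findings has to decide what to do with them. The following is an added example, not Trivy's own code and not the fix discussed in the comments: it post-processes a SARIF file on the consumer side, stripping the prefix only when the unprefixed path exists in the scanned checkout and the prefixed one does not, so a repository that really has a `library/` directory is left alone. The field path `runs[].results[].locations[].physicalLocation.artifactLocation.uri` is the standard SARIF 2.1.0 location, the `exists` callback is an assumption of this example (in real use it would wrap `os.Stat` against the scan root), and the report and file list are constructed samples, not real Trivy output.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Prefix the report shows in front of filesystem paths; see the issue text.
const spuriousPrefix = "library/"

// NormalizeArtifactURIs rewrites runs[].results[].locations[].physicalLocation
// .artifactLocation.uri entries that start with "library/" when the path
// without the prefix exists relative to the scan root and the prefixed path
// does not. The report is decoded generically so every other field survives
// re-encoding. exists is injected (assumption of this example) so callers can
// point it at os.Stat or, as here, at a constructed file list.
func NormalizeArtifactURIs(sarifJSON []byte, exists func(path string) bool) ([]byte, []string, error) {
	var doc map[string]any
	if err := json.Unmarshal(sarifJSON, &doc); err != nil {
		return nil, nil, fmt.Errorf("decode SARIF: %w", err)
	}
	var rewritten []string
	for _, run := range objects(doc["runs"]) {
		for _, result := range objects(run["results"]) {
			for _, loc := range objects(result["locations"]) {
				phys, _ := loc["physicalLocation"].(map[string]any)
				art, _ := phys["artifactLocation"].(map[string]any)
				uri, _ := art["uri"].(string)
				if !strings.HasPrefix(uri, spuriousPrefix) {
					continue
				}
				trimmed := strings.TrimPrefix(uri, spuriousPrefix)
				// Keep a genuine library/ directory untouched: only rewrite when
				// the prefixed path is absent and the unprefixed one is present.
				if exists(uri) || !exists(trimmed) {
					continue
				}
				art["uri"] = trimmed
				rewritten = append(rewritten, uri+" -> "+trimmed)
			}
		}
	}
	out, err := json.Marshal(doc)
	if err != nil {
		return nil, nil, fmt.Errorf("encode SARIF: %w", err)
	}
	return out, rewritten, nil
}

// objects returns the JSON objects in a JSON array, skipping anything else.
func objects(v any) []map[string]any {
	items, _ := v.([]any)
	out := make([]map[string]any, 0, len(items))
	for _, item := range items {
		if m, ok := item.(map[string]any); ok {
			out = append(out, m)
		}
	}
	return out
}

// SampleSARIF is a constructed, minimal report (not real Trivy output) with
// three findings: a root-level requirements.txt carrying the spurious prefix,
// a file that really lives under library/, and a path that exists in neither
// form and must therefore be left alone. Rule ids are placeholders.
const SampleSARIF = `{
  "version": "2.1.0",
  "runs": [{
    "tool": {"driver": {"name": "Trivy"}},
    "results": [
      {"ruleId": "RULE-EXAMPLE-1", "locations": [{"physicalLocation": {"artifactLocation": {"uri": "library/requirements.txt"}}}]},
      {"ruleId": "RULE-EXAMPLE-2", "locations": [{"physicalLocation": {"artifactLocation": {"uri": "library/vendored.py"}}}]},
      {"ruleId": "RULE-EXAMPLE-3", "locations": [{"physicalLocation": {"artifactLocation": {"uri": "library/unknown.lock"}}}]}
    ]
  }]
}`

// SampleRepoFiles stands in for the scanned checkout (constructed).
var SampleRepoFiles = map[string]bool{
	"requirements.txt":    true,
	"library/vendored.py": true,
}

// SampleExists is the exists callback over SampleRepoFiles.
func SampleExists(path string) bool { return SampleRepoFiles[path] }

func main() {
	out, rewritten, err := NormalizeArtifactURIs([]byte(SampleSARIF), SampleExists)
	if err != nil {
		panic(err)
	}
	for _, r := range rewritten {
		fmt.Println("rewrote", r)
	}
	fmt.Println(string(out))
}
```

Run against the sample, only `library/requirements.txt` is rewritten to `requirements.txt`; `library/vendored.py` stays because it genuinely exists, and `library/unknown.lock` stays because neither form can be verified, which is the safer choice for a blocking check since an unknown path fails loudly downstream rather than being silently remapped.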