aquasecurity / trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
https://aquasecurity.github.io/trivy
Apache License 2.0

Filesystem Fully license Scan #3577

Closed daneb-ifm closed 1 year ago

daneb-ifm commented 1 year ago

Description

Trivy cannot find license files in npm or nuget package.lock files in a --license-full filesystem (git repo) scan.

trivy fs --scanners license --license-full

Response is ->

2023-02-08T14:34:15.779Z        INFO    Vulnerability scanning is enabled
2023-02-08T14:34:15.779Z        INFO    Full license scanning is enabled
2023-02-08T14:34:21.581Z        INFO    Number of language-specific files: 11
2023-02-08T14:34:21.581Z        INFO    Detecting nuget vulnerabilities...
2023-02-08T14:34:21.587Z        INFO    Detecting npm vulnerabilities...

no more output.

What did you expect to happen?

Show license information for npm / nuget packages.

What happened instead?

No license output

Output of run with --debug:

Shows all files inside the folder (packages.lock, ...) (file/folder names removed)

2023-02-08T14:34:04.706Z        DEBUG   ["cyclonedx" "spdx" "spdx-json" "github"] automatically enables '--list-all-pkgs'.
2023-02-08T14:34:04.706Z        DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-02-08T14:34:04.708Z        DEBUG   cache dir:  /home/d/.cache/trivy
2023-02-08T14:34:04.708Z        DEBUG   DB update was skipped because the local DB is the latest
2023-02-08T14:34:04.708Z        DEBUG   DB Schema: 2, UpdatedAt: 2023-02-08 12:08:04.454724024 +0000 UTC, NextUpdate: 2023-02-08 18:08:04.454723624 +0000 UTC, DownloadedAt: 2023-02-08 13:03:07.6307486 +0000 UTC
2023-02-08T14:34:04.709Z        INFO    Vulnerability scanning is enabled
2023-02-08T14:34:04.709Z        DEBUG   Vulnerability type:  [os library]
2023-02-08T14:34:04.709Z        INFO    Full license scanning is enabled
2023-02-08T14:34:04.709Z        DEBUG   Walk the file tree rooted at '/home/d/tm' in parallel
2023-02-08T14:34:04.710Z        DEBUG   License scanning: tests/tm.IntegrationTests/TestSetup/Extensions/ServiceCollectionExtensions.cs
2023-02-08T14:34:04.710Z        DEBUG   Loading the the default license classifier...
2023-02-08T14:34:04.710Z        DEBUG   License scanning: 
..................
............
2023-02-08T14:34:10.295Z        DEBUG   OS is not detected.
2023-02-08T14:34:10.295Z        DEBUG   Detected OS: unknown
2023-02-08T14:34:10.295Z        INFO    Number of language-specific files: 11
2023-02-08T14:34:10.295Z        INFO    Detecting nuget vulnerabilities...
2023-02-08T14:34:10.295Z        DEBUG   Detecting library vulnerabilities, type: nuget, path: src/Service/tm.Api/packages.lock.json
2023-02-08T14:34:10.297Z        DEBUG   Detecting library vulnerabilities, type: nuget, path: src/Service/tm.Application/packages.lock.json
2023-02-08T14:34:10.298Z        DEBUG   Detecting library vulnerabilities, type: nuget, path: src/Service/tm.Domain/packages.lock.json
2023-02-08T14:34:10.298Z        DEBUG   Detecting library vulnerabilities, type: nuget, path: src/Service/tm.Infrastructure/packages.lock.json
2023-02-08T14:34:10.300Z        INFO    Detecting npm vulnerabilities...
2023-02-08T14:34:10.300Z        DEBUG   Detecting library vulnerabilities, type: npm, path: src/UI/package-lock.json
2023-02-08T14:34:10.315Z        DEBUG   Detecting library vulnerabilities, type: npm, path: src/UI/tools/performance/package-lock.json
2023-02-08T14:34:10.315Z        DEBUG   Detecting library vulnerabilities, type: nuget, path: tests/tm.BenchmarkTests/packages.lock.json
2023-02-08T14:34:10.316Z        DEBUG   Detecting library vulnerabilities, type: nuget, path: tests/tm.DeviceClassMocks/packages.lock.json
2023-02-08T14:34:10.317Z        DEBUG   Detecting library vulnerabilities, type: nuget, path: tests/tm.IntegrationTests/packages.lock.json
2023-02-08T14:34:10.320Z        DEBUG   Detecting library vulnerabilities, type: nuget, path: tests/tm.PerformanceTests/packages.lock.json
2023-02-08T14:34:10.321Z        DEBUG   Detecting library vulnerabilities, type: nuget, path: tests/tm.UnitTests/packages.lock.json

Output of trivy -v:

Version: 0.37.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-02-08 12:08:04.454724024 +0000 UTC
  NextUpdate: 2023-02-08 18:08:04.454723624 +0000 UTC
  DownloadedAt: 2023-02-08 13:03:07.6307486 +0000 UTC

Additional details (base image name, container registry info...):

Thanks :)

knqyf263 commented 1 year ago

Please make sure there are license files such as LICENSE under the specified root dir.

daneb-ifm commented 1 year ago

Interesting, there is no LICENSE file in the root dir. I thought trivy scanned through the packages.lock files or, in a container, the node_modules etc. directory. I guess the documentation suggests another functionality, doesn't it? Thanks :)

knqyf263 commented 1 year ago

As described in the document, --license-full enables the following functionality.

Trivy scans source code files, Markdown documents, text files and LICENSE documents to identify license usage within the image or filesystem.

https://aquasecurity.github.io/trivy/v0.37/docs/licenses/scanning/

Filesystem scanning doesn't support package licenses such as package.json, while image scanning does.
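The distinction above is easy to check by hand. The following is an added example, not Trivy's code: it does on a checkout what the comment says image scanning does (read the declared `license` field of every `node_modules/*/package.json`) and also lists the top-level LICENSE-style files that the full text classifier would have to find. The sample tree it builds, the package names in it and the helper names are constructed for the example; compare its output with `trivy fs --scanners license --license-full` on the same directory.

```python
"""Declared npm package licenses vs. top-level LICENSE files.

Added example (not Trivy code). Trivy 0.37 `fs --license-full` classifies
source/Markdown/text/LICENSE files; reading package metadata such as
node_modules/*/package.json is, per the thread, done by image scanning only.
This script reproduces the package-metadata side for a filesystem checkout.
All package names and the temp tree below are constructed for the example.
"""
import json
import os
import re
import tempfile

# File names the full license classifier would pick up at the scan root.
LICENSE_FILE_RE = re.compile(r"^(LICEN[CS]E|COPYING|NOTICE)(\..*)?$", re.IGNORECASE)


def root_license_files(root):
    """Return sorted names of LICENSE/COPYING/NOTICE-style files directly under root."""
    return sorted(n for n in os.listdir(root) if LICENSE_FILE_RE.match(n))


def declared_license(pkg):
    """Normalise the three forms the license field takes in package.json."""
    lic = pkg.get("license")
    if isinstance(lic, str):            # modern SPDX string, e.g. "MIT"
        return lic
    if isinstance(lic, dict):           # old object form {"type": "MIT", "url": ...}
        return lic.get("type", "UNKNOWN")
    lics = pkg.get("licenses")          # legacy array form
    if isinstance(lics, list) and lics:
        return " OR ".join(
            l.get("type", "UNKNOWN") if isinstance(l, dict) else str(l) for l in lics
        )
    return "UNKNOWN"                    # no declaration at all: flag it, don't guess


def collect_npm_licenses(root):
    """Return sorted (name, version, license) for every package.json under node_modules."""
    found = []
    for dirpath, _, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        # Only installed packages count; the project's own package.json is skipped.
        if "node_modules" not in rel.split(os.sep) or "package.json" not in filenames:
            continue
        with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
            pkg = json.load(fh)
        name = pkg.get("name") or rel.split("node_modules" + os.sep, 1)[-1]
        found.append((name, str(pkg.get("version", "")), declared_license(pkg)))
    return sorted(found)


def write_root_license(root, text="MIT License\n"):
    """Drop a LICENSE file at the root (what the maintainer asked the reporter to check)."""
    path = os.path.join(root, "LICENSE")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)
    return path


def build_sample_tree():
    """Constructed checkout: four installed packages, no LICENSE file at the root."""
    root = tempfile.mkdtemp(prefix="npm-lic-")
    samples = {
        "left-pad": {"name": "left-pad", "version": "1.3.0", "license": "WTFPL"},
        "@scope/lib": {"name": "@scope/lib", "version": "2.0.0",
                       "license": {"type": "MIT", "url": "https://example.invalid/mit"}},
        "old-pkg": {"name": "old-pkg", "version": "0.9.0",
                    "licenses": [{"type": "MIT"}, {"type": "BSD-2-Clause"}]},
        "nolic": {"name": "nolic", "version": "0.1.0"},
    }
    for subdir, pkg in samples.items():
        d = os.path.join(root, "node_modules", *subdir.split("/"))
        os.makedirs(d)
        with open(os.path.join(d, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(pkg, fh)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    print("root license files:", root_license_files(root) or "none (full scan has nothing to classify)")
    for name, version, lic in collect_npm_licenses(root):
        print(f"{name:<12} {version:<8} {lic}")
    write_root_license(root)
    print("after adding LICENSE:", root_license_files(root))
```

Packages with an `UNKNOWN` result are the ones worth a manual look; the script deliberately does not try to infer a license from accompanying text, which is exactly the job the classifier-based full scan does.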

daneb-ifm commented 1 year ago

okay, I understood!

knqyf263 commented 1 year ago

We have a plan to add support for package licenses in filesystem scanning. Please track the issue. https://github.com/aquasecurity/trivy/pull/2916