candrews
commented
1 year ago I think having the optional to disable jar scanning is great and should be added.
However, I think Trivy should caution users and make it very clear that using this option (should it be added) will result in Trivy being unable to discover and report against dependencies as one might expect.
For example, let there be an image containing log4j.jar and have Trivy scan it. Currently, Trivy will use the Java DB is discover that this jar is log4j-core 2.14.0 and therefore report the log4shell vulnerability. With this --disable-jar-scan argument, Trivy wouldn't know what log4j.jar is and therefore wouldn't report log4jshell resulting in a very important vulnerability being missed.
Airgapped environments are usually particularly sensitive to security, so it would be a shame to have users trying to meet that requirement accidentally cause Trivy's security scanning to significantly regress by use of this option.
kangsumang
adamcohen2
knqyf263
As explained in this discussion, it's not currently possible to run
Trivy >= 0.38.0in an offline environment without pre-fetching thejava-db.tar.gzfile fromghcr.io/aquasecurity/trivy-java-db:1which is418MB.This feature request is to add a
--disable-jar-scan(or other appropriately named flag) to allow users to runTrivyin an offline environment withoutJARscanning capabilities. Adding such a flag would avoid the requirement of fetching the418MBjava-db.tar.gzfor those who don't needJARscanning.