Open adamcohen2 opened 1 year ago
I think having the optional to disable jar scanning is great and should be added.
However, I think Trivy should caution users and make it very clear that using this option (should it be added) will result in Trivy being unable to discover and report against dependencies as one might expect.
For example, let there be an image containing log4j.jar and have Trivy scan it. Currently, Trivy will use the Java DB to discover that this jar is log4j-core 2.14.0 and therefore report the log4shell vulnerability. With this --disable-jar-scan argument, Trivy wouldn't know what log4j.jar is and therefore wouldn't report log4shell, resulting in a very important vulnerability being missed.
Airgapped environments are usually particularly sensitive to security, so it would be a shame to have users trying to meet that requirement accidentally cause Trivy's security scanning to significantly regress by use of this option.
Is the --disable-jar-scan flag available in the higher versions?
I don't see a disable-jar-scan flag in the trivy source, where is this flag defined?
Is there another way to skip jar scanning in trivy?
no, that's the point of this very feature request - to add a flag to disable jar scanning.
As explained in this discussion, it's not currently possible to run Trivy >= 0.38.0 in an offline environment without pre-fetching the java-db.tar.gz file from ghcr.io/aquasecurity/trivy-java-db:1, which is 418MB.

This feature request is to add a --disable-jar-scan (or other appropriately named flag) to allow users to run Trivy in an offline environment without JAR scanning capabilities. Adding such a flag would avoid the requirement of fetching the 418MB java-db.tar.gz for those who don't need JAR scanning.