Image scan doesn't find conan.lock file inside of image

[benjaminulmer]

Description

Image scan does not find conan.lock file inside of a docker image when running a vulnerability scan

Desired Behavior

Image scan finds the conan.lock file and runs a conan scan

Actual Behavior

Image scan reports 0 language-specific-files found

Reproduction Steps

conanfile.txt

[requires]
fmt/10.2.1

Dockerfile

FROM alpine:latest
COPY conan.lock conan.lock

conan install . -s build_type=RelWithDebInfo -b outdated --update -pr:b=clang -pr:h=clang

this creates a conan.lock file

conan.lock

{
 "graph_lock": {
  "nodes": {
   "0": {
    "options": "fmt:fPIC=True\nfmt:header_only=False\nfmt:shared=False\nfmt:with_fmt_alias=False\nfmt:with_os_api=True",
    "requires": [
     "1"
    ],
    "path": "conanfile.txt",
    "context": "host"
   },
   "1": {
    "ref": "fmt/10.2.1#9199a7a0611866dea5c8849a77467b25",
    "options": "fPIC=True\nheader_only=False\nshared=False\nwith_fmt_alias=False\nwith_os_api=True",
    "package_id": "db5db6993a612e920f5ed4b28433576261168680",
    "prev": "55beb3e08ad832438d3d3581eea3fc3e",
    "context": "host"
   }
  },
  "revisions_enabled": true
 },
 "version": "0.4",
 "profile_host": "[settings]\narch=x86_64\narch_build=x86_64\nbuild_type=RelWithDebInfo\ncompiler=clang\ncompiler.cppstd=20\ncompiler.libcxx=libstdc++11\ncompiler.version=16\nos=Linux\nos_build=Linux\n[options]\n[build_requires]\n[env]\n",
 "profile_build": "[settings]\narch=x86_64\narch_build=x86_64\nbuild_type=Release\ncompiler=clang\ncompiler.cppstd=20\ncompiler.libcxx=libstdc++11\ncompiler.version=16\nos=Linux\nos_build=Linux\n[options]\n[build_requires]\n[env]\n"
}

docker build -t trivybug ./
trivy -d image trivybug

Target

Container Image

Scanner

Vulnerability

Output Format

None

Mode

Standalone

Debug Output

2024-06-13T10:38:05-06:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-06-13T10:38:05-06:00       DEBUG   Ignore statuses statuses=[]
2024-06-13T10:38:05-06:00       DEBUG   Cache dir       dir="/home/benjaminulmer/.cache/trivy"
2024-06-13T10:38:05-06:00       DEBUG   DB update was skipped because the local DB is the latest
2024-06-13T10:38:05-06:00       DEBUG   DB info schema=2 updated_at=2024-06-13T12:13:22.596772287Z next_update=2024-06-13T18:13:22.596771977Z downloaded_at=2024-06-13T16:30:53.465836783Z
2024-06-13T10:38:05-06:00       INFO    Vulnerability scanning is enabled
2024-06-13T10:38:05-06:00       DEBUG   Vulnerability type      type=[os library]
2024-06-13T10:38:05-06:00       INFO    Secret scanning is enabled
2024-06-13T10:38:05-06:00       INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-13T10:38:05-06:00       INFO    Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-13T10:38:05-06:00       DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-06-13T10:38:05-06:00       DEBUG   [secret] No secret config detected      config_path="trivy-secret.yaml"
2024-06-13T10:38:05-06:00       DEBUG   [nuget] The nuget packages directory couldn't be found. License search disabled
2024-06-13T10:38:05-06:00       DEBUG   [secret] No secret config detected      config_path="trivy-secret.yaml"
2024-06-13T10:38:05-06:00       DEBUG   [image] Detected image ID       image_id="sha256:04713acb481c0679460df07d9ec77184aa412f6f2a8959ec7abb18a95d50e8ca"
2024-06-13T10:38:05-06:00       DEBUG   [image] Detected diff ID        diff_ids=[sha256:d4fc045c9e3a848011de66f34b81f052d4f2c15a17bb196d637e526349601820 sha256:583dba0a338adce08a6dc7eae85aeda981413a9b1aa855e89beffdbe711956fd]
2024-06-13T10:38:05-06:00       DEBUG   [image] Detected base layers    diff_ids=[sha256:d4fc045c9e3a848011de66f34b81f052d4f2c15a17bb196d637e526349601820]
2024-06-13T10:38:05-06:00       DEBUG   [image] Missing image ID in cache       image_id="sha256:04713acb481c0679460df07d9ec77184aa412f6f2a8959ec7abb18a95d50e8ca"
2024-06-13T10:38:05-06:00       DEBUG   [image] Missing diff ID in cache        diff_id="sha256:583dba0a338adce08a6dc7eae85aeda981413a9b1aa855e89beffdbe711956fd"
2024-06-13T10:38:05-06:00       DEBUG   [image] Missing diff ID in cache        diff_id="sha256:d4fc045c9e3a848011de66f34b81f052d4f2c15a17bb196d637e526349601820"
2024-06-13T10:38:05-06:00       DEBUG   No secrets found in container image config
2024-06-13T10:38:05-06:00       INFO    Detected OS     family="alpine" version="3.19.1"
2024-06-13T10:38:05-06:00       INFO    [alpine] Detecting vulnerabilities...   os_version="3.19" repository="3.19" pkg_num=15
2024-06-13T10:38:05-06:00       INFO    Number of language-specific files       num=0

trivybug (alpine 3.19.1)

Total: 16 (UNKNOWN: 0, LOW: 2, MEDIUM: 14, HIGH: 0, CRITICAL: 0)
<vulnerability report below>

Operating System

Linux Ubuntu

Version

Version: 0.52.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-06-13 12:13:22.596772287 +0000 UTC
  NextUpdate: 2024-06-13 18:13:22.596771977 +0000 UTC
  DownloadedAt: 2024-06-13 16:30:53.465836783 +0000 UTC

Checklist

• Run trivy image --reset
• Read the troubleshooting

[DmitriyLewen]

Hello @benjaminulmer
Thanks for your report!

Trivy checks conan lock files only in fs and repo modes.
more info - https://aquasecurity.github.io/trivy/v0.52/docs/coverage/language/#supported-languages

Regards, Dmitriy