Image scan doesn't find conan.lock file inside of image #6925
-
DescriptionImage scan does not find conan.lock file inside of a docker image when running a vulnerability scan Desired BehaviorImage scan finds the conan.lock file and runs a conan scan Actual BehaviorImage scan reports 0 language-specific-files found Reproduction Stepsconanfile.txt
Dockerfile
this creates a conan.lock file conan.lock
TargetContainer Image ScannerVulnerability Output FormatNone ModeStandalone Debug Output2024-06-13T10:38:05-06:00 DEBUG Parsed severities severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-06-13T10:38:05-06:00 DEBUG Ignore statuses statuses=[]
2024-06-13T10:38:05-06:00 DEBUG Cache dir dir="/home/benjaminulmer/.cache/trivy"
2024-06-13T10:38:05-06:00 DEBUG DB update was skipped because the local DB is the latest
2024-06-13T10:38:05-06:00 DEBUG DB info schema=2 updated_at=2024-06-13T12:13:22.596772287Z next_update=2024-06-13T18:13:22.596771977Z downloaded_at=2024-06-13T16:30:53.465836783Z
2024-06-13T10:38:05-06:00 INFO Vulnerability scanning is enabled
2024-06-13T10:38:05-06:00 DEBUG Vulnerability type type=[os library]
2024-06-13T10:38:05-06:00 INFO Secret scanning is enabled
2024-06-13T10:38:05-06:00 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-13T10:38:05-06:00 INFO Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-13T10:38:05-06:00 DEBUG Enabling misconfiguration scanners scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-06-13T10:38:05-06:00 DEBUG [secret] No secret config detected config_path="trivy-secret.yaml"
2024-06-13T10:38:05-06:00 DEBUG [nuget] The nuget packages directory couldn't be found. License search disabled
2024-06-13T10:38:05-06:00 DEBUG [secret] No secret config detected config_path="trivy-secret.yaml"
2024-06-13T10:38:05-06:00 DEBUG [image] Detected image ID image_id="sha256:04713acb481c0679460df07d9ec77184aa412f6f2a8959ec7abb18a95d50e8ca"
2024-06-13T10:38:05-06:00 DEBUG [image] Detected diff ID diff_ids=[sha256:d4fc045c9e3a848011de66f34b81f052d4f2c15a17bb196d637e526349601820 sha256:583dba0a338adce08a6dc7eae85aeda981413a9b1aa855e89beffdbe711956fd]
2024-06-13T10:38:05-06:00 DEBUG [image] Detected base layers diff_ids=[sha256:d4fc045c9e3a848011de66f34b81f052d4f2c15a17bb196d637e526349601820]
2024-06-13T10:38:05-06:00 DEBUG [image] Missing image ID in cache image_id="sha256:04713acb481c0679460df07d9ec77184aa412f6f2a8959ec7abb18a95d50e8ca"
2024-06-13T10:38:05-06:00 DEBUG [image] Missing diff ID in cache diff_id="sha256:583dba0a338adce08a6dc7eae85aeda981413a9b1aa855e89beffdbe711956fd"
2024-06-13T10:38:05-06:00 DEBUG [image] Missing diff ID in cache diff_id="sha256:d4fc045c9e3a848011de66f34b81f052d4f2c15a17bb196d637e526349601820"
2024-06-13T10:38:05-06:00 DEBUG No secrets found in container image config
2024-06-13T10:38:05-06:00 INFO Detected OS family="alpine" version="3.19.1"
2024-06-13T10:38:05-06:00 INFO [alpine] Detecting vulnerabilities... os_version="3.19" repository="3.19" pkg_num=15
2024-06-13T10:38:05-06:00 INFO Number of language-specific files num=0
trivybug (alpine 3.19.1)
Total: 16 (UNKNOWN: 0, LOW: 2, MEDIUM: 14, HIGH: 0, CRITICAL: 0)
<vulnerability report below> Operating SystemLinux Ubuntu VersionVersion: 0.52.1
Vulnerability DB:
Version: 2
UpdatedAt: 2024-06-13 12:13:22.596772287 +0000 UTC
NextUpdate: 2024-06-13 18:13:22.596771977 +0000 UTC
DownloadedAt: 2024-06-13 16:30:53.465836783 +0000 UTC Checklist
|
Beta Was this translation helpful? Give feedback.
Replies: 1 comment
-
Hello @benjaminulmer Trivy checks conan lock files only in Regards, Dmitriy |
Beta Was this translation helpful? Give feedback.
Hello @benjaminulmer
Thanks for your report!
Trivy checks conan lock files only in
fs
andrepo
modes.more info - https://aquasecurity.github.io/trivy/v0.52/docs/coverage/language/#supported-languages
Regards, Dmitriy