
trivy scan fs report is empty if generated inside alpine based image

Open Fatima-Zahraebhbn opened this issue 1 year ago • 9 comments

Hi Fatih, I hope you are doing well !

Recently I created a job to perform trivy scan image and trivy scan filesystem, which is running fine inside openSUSE. As the step zypper refresh takes time, and also after the last issue due to the absence of bash and git, I have decided to run the same job inside alpine and the aquasec/trivy docker image.

I could notice that the generated html file inside alpine (also aquasec/trivy) is giving me an empty page, even though the file has content. When I run the command in my WSL Ubuntu the report is fine, and the same in openSUSE docker images.

    trivy scan2html fs --scanners vuln,misconfig --exit-code 0 . interactive_fs_scan_report.html

I tried to compare the two html files; I could see some differences but I'm unable to figure it out (I'm not a React expert :)). I attached them below: reports.zip

I should mention that I don't have any issue with trivy image scanning when I execute the scan in openSUSE or alpine (aquasec/trivy).

Can you please support in this matter ?

Thank you !

Fatima-Zahraebhbn avatar May 10 '24 10:05 Fatima-Zahraebhbn

Hi @Fatima-Zahraebhbn ,

Thanks for reporting this, we will investigate and revert back to you soon.

Regards, Fatih

fatihtokus avatar May 10 '24 11:05 fatihtokus

Hi @Fatima-Zahraebhbn ,

I think the issue is related to '\' in the results.json which is created by trivy. Can you run the following command and share the results.json?

trivy fs --scanners vuln,misconfig --exit-code 0 . --format json -o results.json

Regards, Fatih

fatihtokus avatar May 10 '24 14:05 fatihtokus

Hi Fatih,

Thank you for the quick feedback, I've attached the result.json file after running the command inside aquasec/trivy container.

kind regards,

Fatima results.zip

Fatima-Zahraebhbn avatar May 10 '24 15:05 Fatima-Zahraebhbn

I am not sure you are running the command against the same environment, because the latest results.json has only 2 vulnerabilities but the broken one (non-working interactive_fs_scan_report.html) has 6 misconfigs and 1 vulnerability. fatima-error-fixed.html.zip

Can you share the details of 'aquasec/trivy container' and gitLab ci-cd.yml file so that I can reproduce it by myself?

fatihtokus avatar May 10 '24 15:05 fatihtokus

My apologies, I've attached the wrong results.json; I just added the good one. results.zip

For the GitLab CI file, nothing special except the installation of the additional packages and the verification of the trivy version:

    .template:trivy:check:
      image:
        name: aquasec/trivy
        entrypoint: [""]
      variables:
        TRIVY_NO_PROGRESS: "true"
        TRIVY_CACHE_DIR: ".trivycache/"
      before_script:
        - apk update && apk add curl jq bash git
        # Latest release tag from the GitHub API, stripped to the bare version number
        - export TRIVY_VERSION=$(curl -s "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
        - printf "Installing trivy at version %s\n" "$TRIVY_VERSION"
        - trivy plugin list
        - trivy plugin install github.com/fatihtokus/scan2html
        - trivy plugin list
      script:
        # TRIVY_CHECK_GLOB is the directory to scan, provided by the job that extends this template
        - printf "Checking directory %s with trivy\n" "${TRIVY_CHECK_GLOB}"
        - trivy scan2html fs --scanners vuln,misconfig --exit-code 0 "${TRIVY_CHECK_GLOB}" interactive_fs_scan_report.html

Thank you

Fatima-Zahraebhbn avatar May 10 '24 15:05 Fatima-Zahraebhbn

fatima-broken-results.json Thanks for the ci file. But you shared a new json with the same (non problematic) content. Could you please share the problematic json? I think trivy is generating a broken json report (unescaped backslash, "Content": "RUN cd src \",)

fatihtokus avatar May 10 '24 15:05 fatihtokus

I did misunderstand your request earlier; the problematic json file was redirected to /root/.trivy/plugins/scan2html/results.json. I attached a copy of it along with the problematic html. I just checked the json file and I see a \ to cancel the first one; I believe that when we convert the file to html one \ is removed. artifacts(6).zip

Thank you

Fatima-Zahraebhbn avatar May 10 '24 16:05 Fatima-Zahraebhbn
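The following is an added example, not scan2html's code and not a description of how that plugin actually builds its page. It demonstrates the general mechanism the two comments above describe: a trivy JSON report whose Dockerfile snippet contains a line continuation (`RUN cd src \`) is valid JSON (the backslash is escaped as `\\`), but if the JSON text is interpolated into a JavaScript string literal inside a `<script>` element, the JS parser consumes one level of escaping and `JSON.parse` then fails, leaving the page empty. The result object, the finding ID and the `embed*`/`loadEmbedded` helpers are constructed for the illustration.

```javascript
// Constructed stand-in for a trivy `--format json` result whose
// misconfiguration finding quotes a Dockerfile line continuation.
const results = {
  Results: [{
    Target: "docker/Dockerfile",
    Misconfigurations: [{
      ID: "DS000",                       // illustrative ID, not from the thread
      CauseMetadata: { Code: { Lines: [{ Content: "RUN cd src \\" }] } },
    }],
  }],
};

// Naive embedding: drop the JSON text into a single-quoted JS string
// literal.  The JS parser turns the JSON's `\\` into a single `\`, so the
// string the page hands to JSON.parse reads `"RUN cd src \"}]}...`, where
// `\"` is now an escaped quote and the JSON is no longer well-formed.
function embedNaive(obj) {
  const json = JSON.stringify(obj);
  return `<script>var data = JSON.parse('${json}');</script>`;
}

// Robust embedding: serialise the JSON text itself as a JS string literal
// (JSON.stringify applied twice), so every backslash survives one round of
// JS string parsing intact.  `<` is also escaped so that scanner output
// containing `</script>` (a Dockerfile or source file is attacker-influenced
// input when scanning a repository) cannot close the script element, and
// the U+2028/U+2029 line terminators, legal in JSON but not in older JS
// string literals, are escaped as well.
function embedSafe(obj) {
  const literal = JSON.stringify(JSON.stringify(obj))
    .replace(/</g, "\\u003c")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  return `<script>var data = JSON.parse(${literal});</script>`;
}

// Simulate what the browser does with the generated page: strip the
// <script> wrapper and let the JS engine evaluate the body.  `Function`
// stands in for script execution; a parse failure is reported instead of
// thrown so the caller can see the "empty report" condition.
function loadEmbedded(html) {
  const body = html.replace(/^<script>/, "").replace(/<\/script>$/, "");
  try {
    return new Function(`${body} return data;`)();
  } catch (e) {
    return { error: e.constructor.name };
  }
}

// Stand-alone demonstration.
console.log("naive:", loadEmbedded(embedNaive(results)));   // { error: 'SyntaxError' }
console.log("safe :", JSON.stringify(loadEmbedded(embedSafe(results))) === JSON.stringify(results)); // true
```

The same double-serialisation rule applies to any report generator that inlines scanner output into HTML: treat the JSON as data to be placed inside a JS string literal, never as JS source, and escape `<` (or `</script` specifically) so that file contents the scanner merely quotes cannot inject markup into the report.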

Hi @Fatima-Zahraebhbn ,

I tried to reproduce your issue but no luck. Could you help with that? https://gitlab.com/fatih.tokus/scan2html-test/-/blob/test-issue-47/.gitlab-ci.yml?ref_type=heads

Regards, Fatih

fatihtokus avatar May 15 '24 21:05 fatihtokus

Hi Fatih, I could notice that the issue appears when trivy scans a Dockerfile.

To reproduce the issue, try to place the Dockerfile in the attachment inside the pod where the trivy scan will be executed (for example inside a docker directory) and run the trivy scan command while setting the var TRIVY_CHECK_GLOB to docker/. FBO-Dockerfile.zip

Thank you

Fatima-Zahraebhbn avatar May 16 '24 07:05 Fatima-Zahraebhbn

Hi @fatihtokus ,

Do you have any update on this matter ?

Thank you !

Fatima-Zahraebhbn avatar May 27 '24 08:05 Fatima-Zahraebhbn

Hi @Fatima-Zahraebhbn ,

Thanks for the patience, I have just released the latest version that includes your fix as well. Please try and let me know.

Regards, Fatih

fatihtokus avatar May 27 '24 19:05 fatihtokus

Hi @fatihtokus

Thank you for the quick update, I've tested trivy with the new version of scan2html and it is working as expected 🙌.

Thank you so much for your time, effort and support in this matter.

Kind regards, Fatima

Fatima-Zahraebhbn avatar May 28 '24 08:05 Fatima-Zahraebhbn