Skip to content

Report is not empty even if there are no findings #6351

New issue
New issue
Closed
#6352
Closed
Report is not empty even if there are no findings#6351
#6352
Assignees
DmitriyLewen
Labels
kind/bugCategorizes issue or PR as related to a bug.
@DmitriyLewen

Description

@DmitriyLewen
DmitriyLewen
opened on Mar 20, 2024

Discussed in #6349

Originally posted by kanton10062006 March 19, 2024

Description

Hello,

With the most recent release, I've noticed that trivy report/output is not empty even if there are no findings when some particular findings are in place in .trivyignore.yaml.
The previous version did not have such behavior as expected.
Our CI/CD relies on this report, if something exists within the report CI proceeds with different logic.

It reproduces for vuln and license scanners.

Desired Behavior

Completely empty report:

./trivy --version
2024-03-19T15:10:56.700+0100	INFO	Loaded trivy.yaml
Version: 0.49.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-03-19 12:11:32.850008953 +0000 UTC
  NextUpdate: 2024-03-19 18:11:32.850008412 +0000 UTC
  DownloadedAt: 2024-03-19 13:37:47.401184 +0000 UTC
Policy Bundle:
  Digest: sha256:cdff1bc8c97e4f5cd04782b057c00f5ea8cd81147a506ac4be76bef13710f2d3
  DownloadedAt: 2024-03-14 12:20:41.064572 +0000 UTC

./trivy fs -q --scanners vuln .
2024-03-19T15:11:01.736+0100	INFO	Loaded trivy.yaml

Actual Behavior

Here is an example of the actual output:

trivy --version
2024-03-19T15:09:27.820+0100	INFO	Loaded trivy.yaml
Version: 0.50.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-03-19 12:11:32.850008953 +0000 UTC
  NextUpdate: 2024-03-19 18:11:32.850008412 +0000 UTC
  DownloadedAt: 2024-03-19 13:37:47.401184 +0000 UTC
Policy Bundle:
  Digest: sha256:cdff1bc8c97e4f5cd04782b057c00f5ea8cd81147a506ac4be76bef13710f2d3
  DownloadedAt: 2024-03-14 12:20:41.064572 +0000 UTC

trivy fs -q --scanners vuln .
2024-03-19T15:09:30.501+0100	INFO	Loaded trivy.yaml

package-lock.json (npm)

Total: 0 (MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Reproduction Steps

1.Install latest(v0.50.0) trivy version 
2.Scan some package.json with findings
3.Add those findings to the .trivyignore.yaml
4.Scan it one more time
5.Observe non-empty report
6.Reapeat previous steps with the earlier trivy version(v0.49.0 for example)
7.Observe empty report

Target

Filesystem

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Debug Output

trivy fs -q --scanners vuln . --debug                 
2024-03-19T15:17:07.236+0100	INFO	Loaded trivy.yaml

package-lock.json (npm)

Total: 0 (MEDIUM: 0, HIGH: 0, CRITICAL: 0)



### Operating System

macOS Sonoma

### Version

```bash
trivy --version
2024-03-19T15:18:15.019+0100	INFO	Loaded trivy.yaml
Version: 0.50.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-03-19 12:11:32.850008953 +0000 UTC
  NextUpdate: 2024-03-19 18:11:32.850008412 +0000 UTC
  DownloadedAt: 2024-03-19 13:37:47.401184 +0000 UTC
Policy Bundle:
  Digest: sha256:cdff1bc8c97e4f5cd04782b057c00f5ea8cd81147a506ac4be76bef13710f2d3
  DownloadedAt: 2024-03-14 12:20:41.064572 +0000 UTC



### Checklist

- [ ] Run `trivy image --reset`
- [ ] Read [the troubleshooting](https://aquasecurity.github.io/trivy/latest/docs/references/troubleshooting/)</div>

Metadata

Metadata

Assignees

Labels

kind/bugCategorizes issue or PR as related to a bug.

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions