Open
Description
Discussed in #8420
Originally posted by martinclaus February 19, 2025
Description
In an CI Job, I am creating a single trivy misconfiguration scan report in JSON Format and then convert this report into different formats using the trivy convert command. The original JSON report is configured to contain also non-failures, however, the reports resulting from conversion do not contain any non-failures.
This is behavior disadvantageous, if you generate a JUnit Report, since the CI, which is capable of integrating theses reports in the pipeline UI, will not show the checks that has been passed. And it is particularly confusing if all checks have been passed but none are displayed.
Desired Behavior
I expect that
trivy filesystem --scanners misconfig --include-non-failures --format json --output "report.json" .
trivy convert --format template --template "@contrib/junit.tpl" --output "report.junit.xml" "report.json"and
trivy filesystem --scanners misconfig --include-non-failures --format template --template "@contrib/junit.tpl" --output "report.junit.xml" .Produce identical files report.junit.xml.
Actual Behavior
Reports of a Dockerfile containing only FROM alpine:latest share the failed but lack the passed test cases:
--- desired_report.junit.xml
+++ test_report.junit.xml
@@ -18,55 +18,5 @@
<testcase classname="Dockerfile Security Check" name="[LOW] DS026" time="">
<failure message="No HEALTHCHECK defined" type="description">You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.</failure>
</testcase>
- <testcase classname="Dockerfile Security Check" name="[MEDIUM] DS004" time="">
- </testcase>
- <testcase classname="Dockerfile Security Check" name="[LOW] DS005" time="">
- </testcase>
- <testcase classname="Dockerfile Security Check" name="[CRITICAL] DS006" time="">
- </testcase>
- <testcase classname="Dockerfile Security Check" name="[CRITICAL] DS007" time="">
- </testcase>
- <testcase classname="Dockerfile Security Check" name="[CRITICAL] DS008" time="">
- </testcase>
- <testcase classname="Dockerfile Security Check" name="[HIGH] DS009" time="">
- </testcase>
- <testcase classname="Dockerfile Security Check" name="[CRITICAL] DS010" time="">
- </testcase>
- <testcase classname="Dockerfile Security Check" name="[CRITICAL] DS011" time="">
- </testcase>
- <testcase classname="Dockerfile Security Check" name="[CRITICAL] DS012" time="">
- </testcase>
- <testcase classname="Dockerfile Security Check" name="[MEDIUM] DS013" time="">
- </testcase>
- <testcase classname="Dockerfile Security Check" name="[LOW] DS014" time="">
- </testcase>
- <testcase classname="Dockerfile Security Check" name="[HIGH] DS015" time="">
- </testcase>
- <testcase classname="Dockerfile Security Check" name="[HIGH] DS016" time="">
- </testcase>
- <testcase classname="Dockerfile Security Check" name="[HIGH] DS017" time="">
- </testcase>
- <testcase classname="Dockerfile Security Check" name="[HIGH] DS019" time="">
- </testcase>
- <testcase classname="Dockerfile Security Check" name="[HIGH] DS020" time="">
- </testcase>
- <testcase classname="Dockerfile Security Check" name="[HIGH] DS021" time="">
- </testcase>
- <testcase classname="Dockerfile Security Check" name="[HIGH] DS022" time="">
- </testcase>
- <testcase classname="Dockerfile Security Check" name="[MEDIUM] DS023" time="">
- </testcase>
- <testcase classname="Dockerfile Security Check" name="[HIGH] DS024" time="">
- </testcase>
- <testcase classname="Dockerfile Security Check" name="[HIGH] DS025" time="">
- </testcase>
- <testcase classname="Dockerfile Security Check" name="[HIGH] DS027" time="">
- </testcase>
- <testcase classname="Dockerfile Security Check" name="[HIGH] DS029" time="">
- </testcase>
- <testcase classname="Dockerfile Security Check" name="[HIGH] DS030" time="">
- </testcase>
- <testcase classname="Dockerfile Security Check" name="[CRITICAL] DS031" time="">
- </testcase>
</testsuite>
</testsuites>Reproduction Steps
1. echo "FROM alpine:latest" > Dockerfile
2. trivy filesystem --scanners misconfig --include-non-failures --format template --template "@contrib/junit.tpl" --output "desired_report.junit.xml" .
3. trivy filesystem --scanners misconfig --include-non-failures --format json --output "report.json" .
4. trivy convert --format template --template "@contrib/junit.tpl" --output "test_report.junit.xml" "report.json"
5. diff desired_report.junit.xml test_report.junit.xmlTarget
Filesystem
Scanner
Misconfiguration
Output Format
Template
Mode
Standalone
Debug Output
`trivy convert --format template --template "@contrib/junit.tpl" --output "test_report.junit.xml" "report.json" --debug`
2025-02-19T15:59:51Z DEBUG No plugins loaded
2025-02-19T15:59:51Z DEBUG Default config file "file_path=trivy.yaml" not found, using built in values
2025-02-19T15:59:51Z DEBUG Cache dir dir="/trivy/.cache/trivy"
2025-02-19T15:59:51Z DEBUG Cache dir dir="/trivy/.cache/trivy"
2025-02-19T15:59:51Z DEBUG Parsed severities severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-02-19T15:59:51Z DEBUG Specified ignore file does not exist file=".trivyignore"
2025-02-19T15:59:51Z DEBUG [vex] VEX filtering is disabled
2025-02-19T15:59:51Z DEBUG Writing report to output...Operating System
Linux
Version
Version: 0.59.1
Vulnerability DB:
Version: 2
UpdatedAt: 2025-02-19 06:16:52.057053042 +0000 UTC
NextUpdate: 2025-02-20 06:16:52.057052812 +0000 UTC
DownloadedAt: 2025-02-19 10:40:57.960950223 +0000 UTC
Check Bundle:
Digest: sha256:ac89e7d82ab5feeabc055a454066bc182f9248e96b8ecb1ca5810cd59c659800
DownloadedAt: 2025-02-19 10:42:49.863396592 +0000 UTCChecklist
- Run
trivy clean --all - Read the troubleshooting
Metadata
Metadata
Assignees
Type
Projects
Status
No status