BREAKING: disable JAR detection in fs/repo scanning (#1512)
Co-authored-by: Andrey Levchenko <levchenko.andrey@gmail.com>
knqyf263 and AndreyLevchenko committed Dec 24, 2021
1 parent 59957d4 commit 76249bd
Showing 3 changed files with 28 additions and 26 deletions.
48 changes: 25 additions & 23 deletions docs/vulnerability/detection/language.md
Expand Up @@ -2,23 +2,24 @@

`Trivy` automatically detects the following files in the container and scans vulnerabilities in the application dependencies.

| Language | File | Image[^6] | Rootfs[^7] | Filesystem[^8] | Repository[^9] |Dev dependencies |
|----------|--------------------------|:---------:|:----------:|:--------------:|:---------------:|-----------------|
| Ruby | Gemfile.lock | - | - ||| included |
| | gemspec ||| - | - | included |
| Python | Pipfile.lock | - | - ||| excluded |
| | poetry.lock | - | - ||| included |
| | requirements.txt | - | - ||| included |
| | egg package[^1] ||| - | - | excluded |
| | wheel package[^2] ||| - | - | excluded |
| PHP | composer.lock ||||| excluded |
| Node.js | package-lock.json | - | - ||| excluded |
| | yarn.lock | - | - ||| included |
| | package.json ||| - | - | excluded |
| .NET | packages.lock.json ||||| included |
| Java | JAR/WAR/EAR[^3][^4] ||||| included |
| Go | Binaries built by Go[^5] ||| - | - | excluded |
| | go.sum | - | - ||| included |
| Language | File | Image[^7] | Rootfs[^8] | Filesystem[^9] | Repository[^10] |Dev dependencies |
|----------|--------------------------|:---------:|:----------:|:--------------:|:--------------:|-----------------|
| Ruby | Gemfile.lock | - | - ||| included |
| | gemspec ||| - | - | included |
| Python | Pipfile.lock | - | - ||| excluded |
| | poetry.lock | - | - ||| included |
| | requirements.txt | - | - ||| included |
| | egg package[^1] ||| - | - | excluded |
| | wheel package[^2] ||| - | - | excluded |
| PHP | composer.lock ||||| excluded |
| Node.js | package-lock.json | - | - ||| excluded |
| | yarn.lock | - | - ||| included |
| | package.json ||| - | - | excluded |
| .NET | packages.lock.json ||||| included |
| Java | JAR/WAR/EAR[^3][^4] ||| - | - | included |
| | pom.xml[^5] | - | - ||| excluded |
| Go | Binaries built by Go[^6] ||| - | - | excluded |
| | go.sum | - | - ||| included |

The path of these files does not matter.

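Review bot: the Java row flips JAR/WAR/EAR from enabled to `-` for Filesystem and Repository scanning, but nothing in the document tells the reader why or what to use instead; since the commit is labelled BREAKING, suggest adding one sentence under the table such as "JAR/WAR/EAR files are no longer scanned in filesystem and repository modes; add a `pom.xml` to have Java dependencies detected there", so users whose fs/repo pipelines silently lose Java findings after upgrading can see the change without reading the commit log. The new `pom.xml` row also lists Dev dependencies as "excluded" while JAR/WAR/EAR says "included", so a scan of the same project can report different dependency sets depending on target type; worth stating explicitly next to the table.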
Expand All @@ -27,9 +28,10 @@ Example: [Dockerfile](https://github.com/aquasecurity/trivy-ci-test/blob/main/Do
[^1]: `*.egg-info`, `*.egg-info/PKG-INFO`, `*.egg` and `EGG-INFO/PKG-INFO`
[^2]: `.dist-info/META-DATA`
[^3]: `*.jar`, `*.war`, and `*.ear`
[^4]: It requires the Internet access
[^5]: UPX-compressed binaries don't work
[^6]: ✅ means "enabled" and `-` means "disabled" in the image scanning
[^7]: ✅ means "enabled" and `-` means "disabled" in the rootfs scanning
[^8]: ✅ means "enabled" and `-` means "disabled" in the filesystem scanning
[^9]: ✅ means "enabled" and `-` means "disabled" in the git repository scanning
[^4]: It requires Internet access
[^5]: It requires Internet access when the POM doesn't exist in your local repository
[^6]: UPX-compressed binaries don't work
[^7]: ✅ means "enabled" and `-` means "disabled" in the image scanning
[^8]: ✅ means "enabled" and `-` means "disabled" in the rootfs scanning
[^9]: ✅ means "enabled" and `-` means "disabled" in the filesystem scanning
[^10]: ✅ means "enabled" and `-` means "disabled" in the git repository scanning
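Review bot: footnote [^5] says Internet access is needed "when the POM doesn't exist in your local repository" but does not say which repository is meant or what happens in an offline scan when the parent or dependency POM is missing (error, or dependencies silently skipped); suggest spelling both out, since fs/repo scanning of `pom.xml` is now the only Java path in those modes and air-gapped users will hit exactly this case. Minor: footnotes [^7] through [^10] repeat the same legend sentence four times with only the scan mode changed; one footnote reading "✅ means enabled and `-` means disabled for that target type" would be easier to keep in sync the next time the columns are renumbered (the old [^6]–[^9] were already shifted by one here).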
2 changes: 1 addition & 1 deletion go.mod
Expand Up @@ -7,7 +7,7 @@ require (
github.com/Masterminds/sprig v2.22.0+incompatible
github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46
github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
github.com/aquasecurity/fanal v0.0.0-20211224062610-102e2bce2240
github.com/aquasecurity/fanal v0.0.0-20211224122944-42225c99da09
github.com/aquasecurity/go-dep-parser v0.0.0-20211224061556-d0e33761a8ab
github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
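Review bot: the behaviour change named in the commit title lives entirely in the bump of `github.com/aquasecurity/fanal` from `20211224062610-102e2bce2240` to `20211224122944-42225c99da09`; this repository carries no code change of its own, so suggest referencing the upstream fanal commit in the commit message and adding a test here that asserts JAR/WAR/EAR files are not picked up in filesystem and repository scans, so a later dependency bump cannot re-enable the detection unnoticed.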
4 changes: 2 additions & 2 deletions go.sum
Expand Up @@ -207,8 +207,8 @@ github.com/aquasecurity/cfsec v0.2.2 h1:hq6MZlg7XFZsrerCv297N4HRlnJM7K6LLd/l/xCz
github.com/aquasecurity/cfsec v0.2.2/go.mod h1:sUELRJqIPXTOZiHUx7TzyyFFzuk0W22IG6IWAoV8T6U=
github.com/aquasecurity/defsec v0.0.37 h1:zdZndlKrW257b8VLK1UwfmXiyPuDrNA+wzBilHRk1LA=
github.com/aquasecurity/defsec v0.0.37/go.mod h1:csaBEcJ3AKy44expnW0dCANEZcS/c1vcJjwBCbnKWBM=
github.com/aquasecurity/fanal v0.0.0-20211224062610-102e2bce2240 h1:wxeId0nDv3i3Ih98oFZE7Q6OeNY1R+itxOpkmpbaiek=
github.com/aquasecurity/fanal v0.0.0-20211224062610-102e2bce2240/go.mod h1:Uj+SCSOPxrU4xrxu9fFVvRWimkktPXv/VWzSfMx/dog=
github.com/aquasecurity/fanal v0.0.0-20211224122944-42225c99da09 h1:mydXHod777Xd44QS4I5JgRU2Cl6ZgssjPTm2KgJZrxI=
github.com/aquasecurity/fanal v0.0.0-20211224122944-42225c99da09/go.mod h1:Uj+SCSOPxrU4xrxu9fFVvRWimkktPXv/VWzSfMx/dog=
github.com/aquasecurity/go-dep-parser v0.0.0-20211224061556-d0e33761a8ab h1:/i0NsV3rYRcW0hkcCCrHmppX5rAr3rlWVIGKdeKBThU=
github.com/aquasecurity/go-dep-parser v0.0.0-20211224061556-d0e33761a8ab/go.mod h1:mYbm6nW+oy1o7gGYngbki6y2VPUf6BPt5U7+O9C78sI=
github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM=
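Review bot: the `h1:` content hash for fanal changes with the new pseudo-version while the `/go.mod h1:` line keeps the same value `Uj+SCSOPxrU4xrxu9fFVvRWimkktPXv/VWzSfMx/dog=`, which is consistent with the module's own `go.mod` being unchanged between the two commits; the old `102e2bce2240` entries are removed rather than left behind, so there is no stale sum. Suggest noting in the PR that `go mod tidy` and `go mod verify` were run so reviewers do not have to recompute this by hand.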