Node language packages not detected in case of trivy image scans #5063

namandf · 2023-08-29T17:30:11Z

namandf
Aug 29, 2023

Description

Performed a scan for a node image. It contains package.json with information about node packages and dependencies. They are detected but not exposed in the final report

Potential Root Cause:

Even though packages are being detected , we seem to be filtering them out at some stage. Added log to confirm.

Sample package object dump before
https://github.com/aquasecurity/trivy/blob/main/pkg/fanal/analyzer/language/nodejs/pkg/pkg.go#L40

{{pseudomap@1.0.2 pseudomap 1.0.2 false false ISC [] []  []} map[] map[] map[tap:^2.3.1] []}

{{psl@1.1.32 psl 1.1.32 false false MIT [] []  []} map[] map[] map[JSONStream:^1.3.5 browserify:^16.2.3 eslint:^5.10.0 eslint-config-hapi:^12.0.0 eslint-plugin-hapi:^4.1.0 event-stream:3.3.4 karma:^3.1.3 karma-browserify:^6.0.0 karma-mocha:^1.3.0 karma-mocha-reporter:^2.2.5 karma-phantomjs-launcher:^1.0.4 mocha:^5.2.0 phantomjs-prebuilt:^2.1.16 request:^2.88.0 uglify-js:^3.4.9 watchify:^3.11.0] []}

{{protobufjs@3.8.2 protobufjs 3.8.2 false false Apache-2.0 [] []  []} map[ascli:~0.3 bytebuffer:~3 >=3.5] map[] map[closurecompiler:~1 jsdoc:~3.3.0-alpha10 metascript:>=0.18 <1 testjs:~1] []}

Desired Behavior

List all node language packages

Actual Behavior

No node language packages listed

Reproduction Steps

1. trivy image --list-all-pkgs --debug openwhisk/nodejs6action --format json --output node.json
...

Target

Container Image

Scanner

Vulnerability

Output Format

JSON

Mode

Standalone

Debug Output

2023-08-29T22:51:41.800+0530	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-08-29T22:51:41.801+0530	DEBUG	Ignore statuses	{"statuses": null}
2023-08-29T22:51:41.844+0530	DEBUG	cache dir:  /Users/deepfactor/Library/Caches/trivy
2023-08-29T22:51:41.845+0530	DEBUG	DB update was skipped because the local DB is the latest
2023-08-29T22:51:41.845+0530	DEBUG	DB Schema: 2, UpdatedAt: 2023-08-29 12:22:24.882272358 +0000 UTC, NextUpdate: 2023-08-29 18:22:24.882271858 +0000 UTC, DownloadedAt: 2023-08-29 16:04:20.111377 +0000 UTC
2023-08-29T22:51:41.846+0530	INFO	Vulnerability scanning is enabled
2023-08-29T22:51:41.846+0530	DEBUG	Vulnerability type:  [os library]
2023-08-29T22:51:41.846+0530	INFO	Secret scanning is enabled
2023-08-29T22:51:41.846+0530	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-08-29T22:51:41.846+0530	INFO	Please see also https://aquasecurity.github.io/trivy/v0.44/docs/scanner/secret/#recommendation for faster secret detection
2023-08-29T22:51:56.390+0530	DEBUG	No secret config detected: trivy-secret.yaml
2023-08-29T22:51:56.397+0530	DEBUG	No secret config detected: trivy-secret.yaml
2023-08-29T22:51:57.715+0530	DEBUG	Image ID: sha256:43e6e6703f430830f97c68cc0fab2b833e186876ff27343b251b9889c65094f1
2023-08-29T22:51:57.715+0530	DEBUG	Diff IDs: [sha256:b057ab380990c219581e3b074919413ebe31079cbd0d615f63872c471b4dc633 sha256:46c1a22ffea5a01eaa8ee679a13536a88e11a85921d83e141abd495be842740b sha256:48334332ed8d6feb5dbd618924c4f02fce7e2b571d96dc93e1f2ba6961881202 sha256:66285ac4bf2430aeab0c55a77e630fe10018a8318df59b6e8734f8820b95b0c6 sha256:82dc29a7bc1f4fcf5b5e16dac96f4fe1921395d1291f15484eb859ab8f3d4cc2 sha256:0ea9be2cf63b8f5af3e6f1426609a5e04bd4887c6b8774c392060498ad39397d sha256:25a1d7985dff2d8706be7ae059e3598f45a79396362836b56c7ec938e26a0825 sha256:af43cccca5e70239f3b2942d070e41d7b4c370b57d26c37909a957270dfd68e5 sha256:42f6207e6da96e09c0da41bcebc5ad7709ae76199c82da3e00b53f1674230d3a sha256:347624136cfb9dca135c50c8e19c3ff460609d6e8a76eb89db307de29813be5b sha256:e7a13c7da179b5e3c30daea9ea8fe1808275b93889d945be38866ba71093e369 sha256:1ef059b1c8775b5ca2640becb15873713926b88863c0d9c99e1b91ddca2bf7e9 sha256:ef016d29d5f0f31cb5584e241ddf40c46eed4fe682a14e876181df0ca85c673c]
2023-08-29T22:51:57.715+0530	DEBUG	Base Layers: [sha256:b057ab380990c219581e3b074919413ebe31079cbd0d615f63872c471b4dc633 sha256:46c1a22ffea5a01eaa8ee679a13536a88e11a85921d83e141abd495be842740b sha256:48334332ed8d6feb5dbd618924c4f02fce7e2b571d96dc93e1f2ba6961881202 sha256:66285ac4bf2430aeab0c55a77e630fe10018a8318df59b6e8734f8820b95b0c6]
2023-08-29T22:51:57.720+0530	DEBUG	Missing image ID in cache: sha256:43e6e6703f430830f97c68cc0fab2b833e186876ff27343b251b9889c65094f1
2023-08-29T22:51:57.724+0530	DEBUG	Missing diff ID in cache: sha256:46c1a22ffea5a01eaa8ee679a13536a88e11a85921d83e141abd495be842740b
2023-08-29T22:51:57.724+0530	DEBUG	Missing diff ID in cache: sha256:b057ab380990c219581e3b074919413ebe31079cbd0d615f63872c471b4dc633
2023-08-29T22:51:57.724+0530	DEBUG	Missing diff ID in cache: sha256:66285ac4bf2430aeab0c55a77e630fe10018a8318df59b6e8734f8820b95b0c6
2023-08-29T22:51:57.724+0530	DEBUG	Missing diff ID in cache: sha256:48334332ed8d6feb5dbd618924c4f02fce7e2b571d96dc93e1f2ba6961881202
2023-08-29T22:51:57.724+0530	DEBUG	Missing diff ID in cache: sha256:82dc29a7bc1f4fcf5b5e16dac96f4fe1921395d1291f15484eb859ab8f3d4cc2
2023-08-29T22:51:59.440+0530	DEBUG	Missing diff ID in cache: sha256:0ea9be2cf63b8f5af3e6f1426609a5e04bd4887c6b8774c392060498ad39397d
2023-08-29T22:51:59.676+0530	DEBUG	Missing diff ID in cache: sha256:25a1d7985dff2d8706be7ae059e3598f45a79396362836b56c7ec938e26a0825
2023-08-29T22:51:59.718+0530	DEBUG	Missing diff ID in cache: sha256:af43cccca5e70239f3b2942d070e41d7b4c370b57d26c37909a957270dfd68e5
2023-08-29T22:52:00.807+0530	DEBUG	Missing diff ID in cache: sha256:42f6207e6da96e09c0da41bcebc5ad7709ae76199c82da3e00b53f1674230d3a
2023-08-29T22:52:00.972+0530	DEBUG	Skipping directory: dev
2023-08-29T22:52:01.439+0530	DEBUG	Missing diff ID in cache: sha256:347624136cfb9dca135c50c8e19c3ff460609d6e8a76eb89db307de29813be5b
2023-08-29T22:52:03.129+0530	DEBUG	Skipping directory: proc
2023-08-29T22:52:03.604+0530	DEBUG	Skipping directory: sys
2023-08-29T22:52:03.746+0530	DEBUG	Missing diff ID in cache: sha256:e7a13c7da179b5e3c30daea9ea8fe1808275b93889d945be38866ba71093e369
2023-08-29T22:52:03.949+0530	DEBUG	Missing diff ID in cache: sha256:1ef059b1c8775b5ca2640becb15873713926b88863c0d9c99e1b91ddca2bf7e9
2023-08-29T22:52:04.957+0530	DEBUG	Missing diff ID in cache: sha256:ef016d29d5f0f31cb5584e241ddf40c46eed4fe682a14e876181df0ca85c673c
2023-08-29T22:52:05.137+0530	DEBUG	Analysis error: go binary (filepath: usr/lib/klibc/bin/cat) parse error: failed to parse usr/lib/klibc/bin/cat: failed to parse usr/lib/klibc/bin/cat: EOF
2023-08-29T22:52:05.137+0530	DEBUG	Analysis error: go binary (filepath: usr/lib/klibc/bin/chroot) parse error: failed to parse usr/lib/klibc/bin/chroot: failed to parse usr/lib/klibc/bin/chroot: EOF
2023-08-29T22:52:05.137+0530	DEBUG	Analysis error: go binary (filepath: usr/lib/klibc/bin/dmesg) parse error: failed to parse usr/lib/klibc/bin/dmesg: failed to parse usr/lib/klibc/bin/dmesg: EOF
2023-08-29T22:52:05.137+0530	DEBUG	Analysis error: go binary (filepath: usr/lib/klibc/bin/false) parse error: failed to parse usr/lib/klibc/bin/false: failed to parse usr/lib/klibc/bin/false: EOF
2023-08-29T22:52:05.143+0530	DEBUG	Analysis error: go binary (filepath: usr/lib/klibc/bin/insmod) parse error: failed to parse usr/lib/klibc/bin/insmod: failed to parse usr/lib/klibc/bin/insmod: EOF
2023-08-29T22:52:05.143+0530	DEBUG	Analysis error: go binary (filepath: usr/lib/klibc/bin/kill) parse error: failed to parse usr/lib/klibc/bin/kill: failed to parse usr/lib/klibc/bin/kill: EOF
2023-08-29T22:52:05.153+0530	DEBUG	Analysis error: go binary (filepath: usr/lib/klibc/bin/ln) parse error: failed to parse usr/lib/klibc/bin/ln: failed to parse usr/lib/klibc/bin/ln: EOF
2023-08-29T22:52:05.153+0530	DEBUG	Analysis error: go binary (filepath: usr/lib/klibc/bin/minips) parse error: failed to parse usr/lib/klibc/bin/minips: failed to parse usr/lib/klibc/bin/minips: EOF
2023-08-29T22:52:05.153+0530	DEBUG	Analysis error: go binary (filepath: usr/lib/klibc/bin/losetup) parse error: failed to parse usr/lib/klibc/bin/losetup: failed to parse usr/lib/klibc/bin/losetup: EOF
2023-08-29T22:52:05.153+0530	DEBUG	Analysis error: go binary (filepath: usr/lib/klibc/bin/mkdir) parse error: failed to parse usr/lib/klibc/bin/mkdir: failed to parse usr/lib/klibc/bin/mkdir: EOF
2023-08-29T22:52:05.155+0530	DEBUG	Analysis error: go binary (filepath: usr/lib/klibc/bin/mkfifo) parse error: failed to parse usr/lib/klibc/bin/mkfifo: failed to parse usr/lib/klibc/bin/mkfifo: EOF
2023-08-29T22:52:05.155+0530	DEBUG	Analysis error: go binary (filepath: usr/lib/klibc/bin/mknod) parse error: failed to parse usr/lib/klibc/bin/mknod: failed to parse usr/lib/klibc/bin/mknod: EOF
2023-08-29T22:52:05.155+0530	DEBUG	Analysis error: go binary (filepath: usr/lib/klibc/bin/mv) parse error: failed to parse usr/lib/klibc/bin/mv: failed to parse usr/lib/klibc/bin/mv: EOF
2023-08-29T22:52:05.155+0530	DEBUG	Analysis error: go binary (filepath: usr/lib/klibc/bin/mount) parse error: failed to parse usr/lib/klibc/bin/mount: failed to parse usr/lib/klibc/bin/mount: EOF
2023-08-29T22:52:05.155+0530	DEBUG	Analysis error: go binary (filepath: usr/lib/klibc/bin/nuke) parse error: failed to parse usr/lib/klibc/bin/nuke: failed to parse usr/lib/klibc/bin/nuke: EOF
2023-08-29T22:52:05.155+0530	DEBUG	Analysis error: go binary (filepath: usr/lib/klibc/bin/pivot_root) parse error: failed to parse usr/lib/klibc/bin/pivot_root: failed to parse usr/lib/klibc/bin/pivot_root: EOF
2023-08-29T22:52:05.155+0530	DEBUG	Analysis error: go binary (filepath: usr/lib/klibc/bin/readlink) parse error: failed to parse usr/lib/klibc/bin/readlink: failed to parse usr/lib/klibc/bin/readlink: EOF
2023-08-29T22:52:05.155+0530	DEBUG	Analysis error: go binary (filepath: usr/lib/klibc/bin/resume) parse error: failed to parse usr/lib/klibc/bin/resume: failed to parse usr/lib/klibc/bin/resume: EOF
2023-08-29T22:52:05.160+0530	DEBUG	Analysis error: go binary (filepath: usr/lib/klibc/bin/sleep) parse error: failed to parse usr/lib/klibc/bin/sleep: failed to parse usr/lib/klibc/bin/sleep: EOF
2023-08-29T22:52:05.175+0530	DEBUG	Analysis error: go binary (filepath: usr/lib/klibc/bin/true) parse error: failed to parse usr/lib/klibc/bin/true: failed to parse usr/lib/klibc/bin/true: EOF
2023-08-29T22:52:05.175+0530	DEBUG	Analysis error: go binary (filepath: usr/lib/klibc/bin/sync) parse error: failed to parse usr/lib/klibc/bin/sync: failed to parse usr/lib/klibc/bin/sync: EOF
2023-08-29T22:52:05.175+0530	DEBUG	Analysis error: go binary (filepath: usr/lib/klibc/bin/umount) parse error: failed to parse usr/lib/klibc/bin/umount: failed to parse usr/lib/klibc/bin/umount: EOF
2023-08-29T22:52:05.175+0530	DEBUG	Analysis error: go binary (filepath: usr/lib/klibc/bin/uname) parse error: failed to parse usr/lib/klibc/bin/uname: failed to parse usr/lib/klibc/bin/uname: EOF
2023-08-29T22:52:24.123+0530	DEBUG	No secrets found in container image config
2023-08-29T22:52:24.192+0530	INFO	Detected OS: ubuntu
2023-08-29T22:52:24.192+0530	INFO	Detecting Ubuntu vulnerabilities...
2023-08-29T22:52:24.192+0530	DEBUG	ubuntu: os version: 14.04
2023-08-29T22:52:24.192+0530	DEBUG	ubuntu: the number of packages: 285
2023-08-29T22:52:24.230+0530	INFO	Number of language-specific files: 1
2023-08-29T22:52:24.230+0530	INFO	Detecting node-pkg vulnerabilities...
2023-08-29T22:52:24.230+0530	DEBUG	Detecting library vulnerabilities, type: node-pkg, path:
2023-08-29T22:52:24.284+0530	DEBUG	Secret file: /root/.npm/registry.npmjs.org/gapitoken/.cache.json
2023-08-29T22:52:24.337+0530	WARN	This OS version is no longer supported by the distribution: ubuntu 14.04
2023-08-29T22:52:24.337+0530	WARN	The vulnerability detection may be insufficient because security updates are not provided

Operating System

macOS

Version

Version: 0.44.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-08-29 12:22:24.882272358 +0000 UTC
  NextUpdate: 2023-08-29 18:22:24.882271858 +0000 UTC
  DownloadedAt: 2023-08-29 16:04:20.111377 +0000 UTC

Checklist

Run trivy image --reset
Read the troubleshooting

Answered by DmitriyLewen

Aug 30, 2023

Hello @namandf
Thanks for your report!

Trivy finds your packages correctly:

➜ trivy image --list-all-pkgs --debug openwhisk/nodejs6action --format json | grep 'pseudomap@1.0.2\|psl@1.1.32\|protobufjs@3.8.2' -A 9 
...
          "ID": "pseudomap@1.0.2",
          "Name": "pseudomap",
          "Version": "1.0.2",
          "Licenses": [
            "ISC"
          ],
          "Layer": {
            "DiffID": "sha256:ef016d29d5f0f31cb5584e241ddf40c46eed4fe682a14e876181df0ca85c673c"
          },
          "FilePath": "root/.npm/pseudomap/1.0.2/package/package.json"
--
          "ID": "psl@1.1.32",
          "Name": "psl",
          "Version": "1.1.32",
          "Licenses": [
            "MI…

View full answer

DmitriyLewen · 2023-08-30T04:17:46Z

DmitriyLewen
Aug 30, 2023
Maintainer

Hello @namandf
Thanks for your report!

Trivy finds your packages correctly:

➜ trivy image --list-all-pkgs --debug openwhisk/nodejs6action --format json | grep 'pseudomap@1.0.2\|psl@1.1.32\|protobufjs@3.8.2' -A 9 
...
          "ID": "pseudomap@1.0.2",
          "Name": "pseudomap",
          "Version": "1.0.2",
          "Licenses": [
            "ISC"
          ],
          "Layer": {
            "DiffID": "sha256:ef016d29d5f0f31cb5584e241ddf40c46eed4fe682a14e876181df0ca85c673c"
          },
          "FilePath": "root/.npm/pseudomap/1.0.2/package/package.json"
--
          "ID": "psl@1.1.32",
          "Name": "psl",
          "Version": "1.1.32",
          "Licenses": [
            "MIT"
          ],
          "Layer": {
            "DiffID": "sha256:ef016d29d5f0f31cb5584e241ddf40c46eed4fe682a14e876181df0ca85c673c"
          },
          "FilePath": "root/.npm/psl/1.1.32/package/package.json"
--
          "ID": "protobufjs@3.8.2",
          "Name": "protobufjs",
          "Version": "3.8.2",
          "Licenses": [
            "Apache-2.0"
          ],
          "Layer": {
            "DiffID": "sha256:ef016d29d5f0f31cb5584e241ddf40c46eed4fe682a14e876181df0ca85c673c"
          },
          "FilePath": "root/.npm/protobufjs/3.8.2/package/package.json"
--
          "ID": "pseudomap@1.0.2",
          "Name": "pseudomap",
          "Version": "1.0.2",
          "Licenses": [
            "ISC"
          ],
          "Layer": {
            "DiffID": "sha256:ef016d29d5f0f31cb5584e241ddf40c46eed4fe682a14e876181df0ca85c673c"
          },
          "FilePath": "node_modules/pseudomap/package.json"
--
          "ID": "psl@1.1.32",
          "Name": "psl",
          "Version": "1.1.32",
          "Licenses": [
            "MIT"
          ],
          "Layer": {
            "DiffID": "sha256:ef016d29d5f0f31cb5584e241ddf40c46eed4fe682a14e876181df0ca85c673c"
          },
          "FilePath": "node_modules/psl/package.json"
--
          "ID": "protobufjs@3.8.2",
          "Name": "protobufjs",
          "Version": "3.8.2",
          "Licenses": [
            "Apache-2.0"
          ],
          "Layer": {
            "DiffID": "sha256:ef016d29d5f0f31cb5584e241ddf40c46eed4fe682a14e876181df0ca85c673c"
          },
          "FilePath": "node_modules/protobufjs/package.json"

About dependencies - we don't parse dependencies in package.json fileы, because package.json uses versions range and we can't get correct dependency version - https://aquasecurity.github.io/trivy/v0.44/docs/scanner/vulnerability/language/nodejs/#packagejson
You can find dependencies in other package.json files (if installed by node (e.g. optional dependencies can be omitted)) - usually in node_modules folder.

{{pseudomap@1.0.2 pseudomap 1.0.2 false false ISC [] [] []} map[] map[] map[tap:^2.3.1] []}

We use these deps/optional deps/dev deps to revome dev deps from yarn and npm lock files - https://aquasecurity.github.io/trivy/v0.44/docs/scanner/vulnerability/language/nodejs/#yarn

Regards, Dmitriy

0 replies

namandf · 2023-08-30T04:34:06Z

namandf
Aug 30, 2023
Author

Didn't get then why the log says Number of language-specific files: 1 in the response

12 replies

namandf Aug 30, 2023
Author

Got it. Thank you.

vikasdf Sep 1, 2023

@DmitriyLewen I know this is a debatable, but if we are saying we are providing SBOM for a container image, shouldn't we report everything we find in the container? For example, OS packages are installed by the vendor but we include them in the SBOM. If a package is installed via apk and has vulnerabilities, and we don't report it under SBOM/SCA findings, aren't we creating blindspots in our reports.

knqyf263 Sep 1, 2023
Maintainer

No, Dmitriy means SBOM records that as an apk package.

namandf Sep 5, 2023
Author

@knqyf263 didn't get you. What do you mean by SBOM records that as an apk package.?

DmitriyLewen Sep 18, 2023
Maintainer

He meant that apk package (if i understand correctly - hello-server in your last image) contains missed package.json files.
In result (same for SBOM) we only include this apk package.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Node language packages not detected in case of trivy image scans #5063

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 2 comments 12 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Node language packages not detected in case of trivy image scans #5063

Uh oh!

Uh oh!

namandf Aug 29, 2023

Description

Desired Behavior

Actual Behavior

Reproduction Steps

Target

Scanner

Output Format

Mode

Debug Output

Operating System

Version

Checklist

Replies: 2 comments · 12 replies

Uh oh!

DmitriyLewen Aug 30, 2023 Maintainer

Uh oh!

namandf Aug 30, 2023 Author

Uh oh!

namandf Aug 30, 2023 Author

Uh oh!

vikasdf Sep 1, 2023

Uh oh!

Uh oh!

knqyf263 Sep 1, 2023 Maintainer

Uh oh!

namandf Sep 5, 2023 Author

Uh oh!

DmitriyLewen Sep 18, 2023 Maintainer

namandf
Aug 29, 2023

Replies: 2 comments 12 replies

DmitriyLewen
Aug 30, 2023
Maintainer

namandf
Aug 30, 2023
Author

namandf Aug 30, 2023
Author

knqyf263 Sep 1, 2023
Maintainer

namandf Sep 5, 2023
Author

DmitriyLewen Sep 18, 2023
Maintainer