License image scan filtering doesn't seem to work when trivyignore is specified with paths

[dus7eh]

Description

Running a license image scan with experimental .trivyignore.yaml works well for python with particulat id: [license-name] definition. Then all desired licenses with license-name are filtered out as expected.
However when paths key is defined additionally, for example:

licenses:
  - id: MIT
    paths:
      - "usr/lib/python3.11/site-packages/markdown2-2.4.12.dist-info/METADATA"

...filtering stops working and the specified license is stll reported. (tried with /usr/ and usr/... paths)
Sample command I run: trivy image --scanners license --ignorefile .trivyignore.yaml [image-name]

I've made an additional observation that when generating lisences in json format the FilePath key has an empty value which might be related with this issue.

...
       {
          "Severity": "LOW",
          "Category": "notice",
          "PkgName": "markdown2",
          "FilePath": "",
          "Name": "MIT",
          "Confidence": 1,
          "Link": ""
        },
...

Desired Behavior

Trivy ignores licenses with specifed id under defined paths when ignorefile is passed.

Actual Behavior

Presumably ignored licenses are still reported.

Reproduction Steps

1. Prepare trivyignore file to ignore license by id and path
2. Run trivy image scan of licenses
3. Check the generated report contents - whether ignore license is dropped
...

Target

Container Image

Scanner

License

Output Format

text/json

Mode

None

Debug Output

trivy image -d --scanners license --ignorefile .trivyignore.yaml   [image-name]
2024-02-13T12:09:30.272Z	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-02-13T12:09:30.273Z	DEBUG	Ignore statuses	{"statuses": null}
2024-02-13T12:09:30.285Z	DEBUG	cache dir:  /root/.cache/trivy
2024-02-13T12:09:30.285Z	INFO	License scanning is enabled
2024-02-13T12:09:30.285Z	DEBUG	Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan]
2024-02-13T12:09:30.287Z	DEBUG	The nuget packages directory couldn't be found. License search disabled
2024-02-13T12:09:30.287Z	DEBUG	Image ID: sha256:421c13b65d869107b222d38e0ede8188d33f222f38f103be8585a92de2b0ab64
2024-02-13T12:09:30.287Z	DEBUG	Diff IDs: [sha256:736824c1529a1a5622eed3c3846f7fd2011c41de5ec77bf20d79405a311de762 sha256:e2c933539dd579125554b6d37e375ee9f70ae66c91628082660811796d5990d4 sha256:edfffbf281f2896ae6be0081ab093f322ee1b983e35a2b04f93d9daa838ed747 sha256:f807029a78ec7972170f91727f8c5fdb5b2e08213fbfb245cdd6751f323057f1 sha256:a5f35ab8139fd7eb09d5031e325a73e09961ad7e688fb1572d9f079e20e3cd61 sha256:a2dfce0c2e9cc7f5e58da2159afddce4522fb67b19b761b5b07b3452421a6f3e sha256:6dae3bd3793873e277902b774f3d4b1eafd368f48c080731f287c4373789fb90 sha256:0bba366450806b8d1a9cca7542d8d879ffccdfc7e42d41f4079839f4f27d0c1b sha256:e3953651da899e7e6df283daeae29c8465e37599386ba1e1715f5b214c44b422 sha256:f44e4361244c804cd244d7ed14c8fa84b7d0c9970fb307e74efb5f4e0794be44 sha256:bee957516be1fa1b5320fbfb7368198e43a0af6cf87cb42d623ee4a0ec3d42bd]
2024-02-13T12:09:30.287Z	DEBUG	Base Layers: []
2024-02-13T12:09:30.292Z	DEBUG	Found an ignore yaml: .trivyignore.yaml

OS Packages (license)

Total: 76 (UNKNOWN: 17, LOW: 36, MEDIUM: 5, HIGH: 18, CRITICAL: 0)
...
Python (license)

Total: 96 (UNKNOWN: 60, LOW: 34, MEDIUM: 1, HIGH: 1, CRITICAL: 0)
...

Operating System

Ubuntu/Alpine

Version

Version: 0.49.0

Checklist

• Run trivy image --reset
• Read the troubleshooting

[DmitriyLewen]

I've made an additional observation that when generating lisences in json format the FilePath key has an empty value which might be related with this issue.

You are right. We currently don't fill filepath for os/language package licenses.
So you can't ignore packages licenses by path.
There is problem with filePath entry for languange package:
in some case we find licenses not from lock file (e.g. we check package.json files for yarn.lock, package-lock.json, etc. files).
But right now we don't have a field to save the file path for the license.

---

There is #5211. We can add filepath to license file into new Struct.
@knqyf263 wdyt?

[knqyf263]

Yes, it makes sense to add filepath for licenses.

[dus7eh]

You are right. We currently don't fill filepath for os/language package licenses.
So you can't ignore packages licenses by path.

Then this section in docs is misleading: https://aquasecurity.github.io/trivy/v0.49/docs/configuration/filtering/

For the .trivyignore.yaml file, you can set ignored IDs separately for vulnerabilities, misconfigurations, secrets, or licenses1.

There's no exception for licenses other than the remark that license name is used for ID.
There's even an example for licenses definition with path:

[DmitriyLewen]

Thanks @dus7eh
You are right.
Created #6145.

[DmitriyLewen]

Trivy currently doesn't support path field for package licenses.
I add info about this in #6145.
Also we will work on adding this functionality in #5211.

So I think we can close this Discussion.
Feel free to reopen this, if you still have questions.

Regards, Dmitriy