Scanning repository for license via docker

[NikolayPopovDev]

Question

I want to scan repositories for licenses.

I installed Trivy locally with Brew and ran:
trivy -f json --scanners license repo https://github.com/aquasecurity/trivy

I received JSON output with license for each package.

Then I tried to use docker. I ran:
docker run aquasec/trivy:latest -f json --scanners license repo https://github.com/aquasecurity/trivy

I received JSON output with a license for each package. But in that case JSON output is much smaller than previous. For some repositories docker version didn't have any output(e.g. https://github.com/projectdiscovery/nuclei).

Is it a bug? Can I scan repositories for licenses via docker?

Target

Git Repository

Scanner

License

Output Format

JSON

Mode

Client/Server

Operating System

macOS Monterey

Version

Version: 0.49.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-03-13 06:10:47.882543858 +0000 UTC
  NextUpdate: 2024-03-13 12:10:47.882543548 +0000 UTC
  DownloadedAt: 2024-03-13 08:27:31.979966 +0000 UTC

[DmitriyLewen]

Hello @NikolayPopovDev
Thanks for your interest to Trivy!

We use Go cache dir to detect licenses for Go packages - https://aquasecurity.github.io/trivy/v0.49/docs/coverage/language/golang/#go-modules

Therefore, when you use docker image, Trivy may skip licenses for dependencies because cache directory doesn't contain those dependencies.

Regards, Dmitriy

[NikolayPopovDev]

Hey @DmitriyLewen
Thanks for reply, it really helpful.

According to the documentation - https://aquasecurity.github.io/trivy/v0.50/docs/scanner/license/
the standard license scanning doesn't support repository scanning. But I have results of license scanning.

Is it documentation outdated or license scanning has some issues for repository scanning?

[DmitriyLewen]

Looks like when we added this table - Trivy only supported license detection for files scanned in image/rootfs modes (see https://aquasecurity.github.io/trivy/v0.50/docs/coverage/language/#supported-languages).

But currently we can detect licenses from go.mod, pom.xml, yarn.lock, etc. files.
So we need to update this table.

I will create PR for this.

Thanks for pointing this out.

[itaysk]

@DmitriyLewen did you update the table after all? if not, should we create a tracking issue?

[DmitriyLewen]

Hello @itaysk
We merged #6381