Vulnerabity scan produces report without summary and for json without "Results/Vulnerabities" node

[dus7eh]

Description

There are actually two probably related things both related to running vuln scan of non-recognizable os

• when using json format, the reports is missing "Results" node
• when using table format scanning summary isn't printed

Sample image to verify reports: otel/opentelemetry-collector-contrib:0.96.0

EDIT:
I've done some checks with different image json reports and conversion to table format to see when proper summary is reported even if os in unknown

• When Results node with any CVE is in place - OK

"Results": [
    {
      "Target": "bin/promtool",
      "Class": "lang-pkgs",
      "Type": "gobinary",
      "Vulnerabilities": [
        {
          "VulnerabilityID": "CVE-2024-24557",
          "PkgName": "github.com/docker/docker",
          "PkgIdentifier": {
            "PURL": "pkg:golang/github.com/docker/docker@v25.0.0%2Bincompatible"
          }
        }
      ]
    }
  ]

• When os is detected and no CVEs are in place - OK (summary present)

"Results": [
    {
      "Target": "prom/prometheus:v2.50.1 (alpine 3.19.1)",
      "Class": "os-pkgs",
      "Type": "alpine"
    }
  ]

• When os is not detected and no language specific CVEs are found - NOK

"Results": [
    {
      "Target": "bin/promtool",
      "Class": "lang-pkgs",
      "Type": "gobinary"
    }
  ]

For table report format this results in no summary.

Desired Behavior

Proper reports with summary (table) is produced

Actual Behavior

Missing summary when using table format and missing "Results" nodes in json format

Reproduction Steps

1. trivy image --scanners vuln -f table/json otel/opentelemetry-collector-contrib:0.96.0
2. verify output

Target

Container Image

Scanner

Vulnerability

Output Format

JSON

Mode

Standalone

Debug Output

2024-04-12T08:54:47.662Z	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-04-12T08:54:47.663Z	DEBUG	Ignore statuses	{"statuses": null}
2024-04-12T08:54:47.674Z	DEBUG	cache dir:  /root/.cache/trivy
2024-04-12T08:54:47.674Z	DEBUG	DB update was skipped because the local DB is the latest
2024-04-12T08:54:47.674Z	DEBUG	DB Schema: 2, UpdatedAt: 2024-04-12 06:11:04.117882312 +0000 UTC, NextUpdate: 2024-04-12 12:11:04.117881932 +0000 UTC, DownloadedAt: 2024-04-12 07:57:41.24651202 +0000 UTC
2024-04-12T08:54:47.674Z	INFO	Vulnerability scanning is enabled
2024-04-12T08:54:47.674Z	DEBUG	Vulnerability type:  [os library]
2024-04-12T08:54:47.674Z	DEBUG	Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-04-12T08:54:47.676Z	DEBUG	The nuget packages directory couldn't be found. License search disabled
2024-04-12T08:54:47.676Z	DEBUG	Image ID: sha256:06a3f5e73fed71ed20fcf9ea7ad90889b237116740c459984f239a857db11241
2024-04-12T08:54:47.676Z	DEBUG	Diff IDs: [sha256:e3e09cb8741289fd2a410a1b9afa0d7591e893c68a7b16d855df9bb2d31d3c42 sha256:843d3cc377fc782da1ba16718bc1122a3bb547a7a9fb91419d0e0d3e1cb0541b sha256:15fdf611ce1541c652fc7ae1dda41b8e3240fb3ea83c98be9300b0055f9e44d9]
2024-04-12T08:54:47.676Z	DEBUG	Base Layers: []
2024-04-12T08:54:47.676Z	DEBUG	OS is not detected.
2024-04-12T08:54:47.676Z	DEBUG	Detected OS: unknown
2024-04-12T08:54:47.676Z	INFO	Number of language-specific files: 0

Operating System

Ubuntu

Version

Version: 0.50.1

Checklist

• Run trivy image --reset
• Read the troubleshooting

[DmitriyLewen]

Hello @dus7eh

I am not sure that understand you correctly - do you mean that we don't show empty table (Result for json format) for packages when no OS detected?
If yes, then we cannot select advisory database for these packages. Therefore we can't detect vulnerabilities and skip found packages.

I'm not sure I understood you correctly - do you mean that we don't show an empty table (result for json format) for packages when no OS is detected?
If yes, then we cannot select the advisory database for these packages. Therefore, we cannot detect vulnerabilities and skip the packets found.
in other words, it makes no sense to add a table (result) because vulnerabilities will never be found.

Please correct me if I missed something.

Regards, Dmitriy

[dus7eh]

This may be user experience issue. Let me show you two cases:
trivy image --scanners vuln -f table otel/opentelemetry-collector-contrib:0.97.0 -d
trivy-otel-0.97.txt
trivy-otel-0.97.json
and
trivy image --scanners vuln -f table otel/opentelemetry-collector-contrib:0.98.0 -d
trivy-otel-0.98.txt
trivy-otel-0.98.json

If you compare the .txt files in both cases OS is not detected and 1 language specific file is analyzed. However in one case we get a summary with target and vuln table info but in another case there's nothing. Which may make a user wonder if the analyzis even happened.
If you analyze an image without vulns but the OS is detected you get a report stating that nothing was found, like here:
trivy-wolfi.txt

So basically it's a matter of consistency in the output reports whether OS or packages are analyzed and nothing is found.

[DmitriyLewen]

You can list all packages/dependencies found using the --list-all-pkgs flag (it only works for json format) or use the SBOM format.

Currently we only show empty tables for packages (dpkg, apt, etc.).

We are discussing adding a pivot table - #6501.
I think this should solve your problem.