Vulnerabilities of JAR file found if scanning docker image, nothing found if scanning the very same JAR on local filesystem

[KoenDG]

Description

The title says it all. The jar is inside a nodejs project, a few levels down the node_modules directory.

Desired Behavior

I would expect scanning the local filesystem would generate the exact report, for the exact same object

Actual Behavior

Only when scanning the docker image do the JAR vulnerabilities get reported.

Reproduction Steps

Sorry, cannot share the jar or docker image, as it is proprietary.

Target

Filesystem

Scanner

Vulnerability

Output Format

JSON

Mode

Standalone

Debug Output

$ ~/Download/TRIVY/0.56.1/trivy fs --scanners vuln --include-dev-deps --list-all-pkgs --no-progress -f json --offline-scan --debug node_modules/<REDACTED>/<REDACTED>.jar 
2024-10-07T16:39:19+02:00	DEBUG	No plugins loaded
2024-10-07T16:39:19+02:00	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2024-10-07T16:39:19+02:00	DEBUG	Cache dir	dir="/home/<REDACTED>/.cache/trivy"
2024-10-07T16:39:19+02:00	DEBUG	Cache dir	dir="/home/<REDACTED>/.cache/trivy"
2024-10-07T16:39:19+02:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-10-07T16:39:19+02:00	DEBUG	Ignore statuses	statuses=[]
2024-10-07T16:39:19+02:00	DEBUG	[vulndb] There is no valid metadata file	err="unable to open a file: open /home/<REDACTED>/.cache/trivy/db/metadata.json: no such file or directory"
2024-10-07T16:39:19+02:00	INFO	[vulndb] Need to update DB
2024-10-07T16:39:19+02:00	DEBUG	[vulndb] No metadata file
2024-10-07T16:39:19+02:00	INFO	[vulndb] Downloading vulnerability DB...
2024-10-07T16:39:19+02:00	INFO	[vulndb] Downloading artifact...	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-07T16:39:28+02:00	INFO	[vulndb] Artifact successfully downloaded	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-07T16:39:28+02:00	DEBUG	Updating database metadata...
2024-10-07T16:39:28+02:00	DEBUG	DB info	schema=2 updated_at=2024-10-07T12:19:16.165498736Z next_update=2024-10-08T12:19:16.165498586Z downloaded_at=2024-10-07T14:39:28.894396566Z
2024-10-07T16:39:28+02:00	DEBUG	[pkg] Package types	types=[os library]
2024-10-07T16:39:28+02:00	DEBUG	[pkg] Package relationships	relationships=[unknown root direct indirect]
2024-10-07T16:39:28+02:00	INFO	[vuln] Vulnerability scanning is enabled
2024-10-07T16:39:28+02:00	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-10-07T16:39:28+02:00	DEBUG	Initializing scan cache...	type="memory"
2024-10-07T16:39:28+02:00	DEBUG	OS is not detected.
2024-10-07T16:39:28+02:00	DEBUG	Detected OS: unknown
2024-10-07T16:39:28+02:00	INFO	Number of language-specific files	num=0
2024-10-07T16:39:28+02:00	DEBUG	[vex] VEX filtering is disabled
{
  "SchemaVersion": 2,
  "CreatedAt": "2024-10-07T16:39:28.896088879+02:00",
  "ArtifactName": "node_modules/<REDACTED>/<REDACTED>.jar",
  "ArtifactType": "filesystem",
  "Metadata": {
    "ImageConfig": {
      "architecture": "",
      "created": "0001-01-01T00:00:00Z",
      "os": "",
      "rootfs": {
        "type": "",
        "diff_ids": null
      },
      "config": {}
    }
  }
}

Operating System

Ubuntu 20.04

Version

Version: 0.56.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-10-07 12:19:16.165498736 +0000 UTC
  NextUpdate: 2024-10-08 12:19:16.165498586 +0000 UTC
  DownloadedAt: 2024-10-07 13:48:44.351380032 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-10-07 02:38:48.923974312 +0000 UTC
  NextUpdate: 2024-10-10 02:38:48.923974011 +0000 UTC
  DownloadedAt: 2024-10-07 13:52:18.40297823 +0000 UTC
Check Bundle:
  Digest: sha256:ae151c4eecf35c507d8f866121ddfbf46540b041bc7bca7cdd8d9f70ceb6f12c
  DownloadedAt: 2024-10-07 14:13:50.470223961 +0000 UTC

Checklist

• Run trivy clean --all
• Read the troubleshooting

[knqyf263]

Trivy scans different things depending on the target. You can reference the document.