Add support for npm package-lock.json version 3 #3777

leventyalcin · 2023-03-06T17:18:28Z

Description

NPM dependecy file is ignored on filesystem scans.

What did you expect to happen?

Trivy to scan dependencies in the package-lock.json.

What happened instead?

It doesn't recognise the file.

Output of run with `-debug`:

$ trivy --debug fs .
2023-03-06T17:08:10.805Z	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-03-06T17:08:10.848Z	DEBUG	cache dir:  /Users/user/Library/Caches/trivy
2023-03-06T17:08:10.848Z	DEBUG	DB update was skipped because the local DB is the latest
2023-03-06T17:08:10.848Z	DEBUG	DB Schema: 2, UpdatedAt: 2023-03-06 12:07:32.180603674 +0000 UTC, NextUpdate: 2023-03-06 18:07:32.180603274 +0000 UTC, DownloadedAt: 2023-03-06 16:46:15.443699 +0000 UTC
2023-03-06T17:08:10.849Z	INFO	Vulnerability scanning is enabled
2023-03-06T17:08:10.849Z	DEBUG	Vulnerability type:  [os library]
2023-03-06T17:08:10.849Z	INFO	Secret scanning is enabled
2023-03-06T17:08:10.849Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-03-06T17:08:10.849Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.38/docs/secret/scanning/#recommendation for faster secret detection
2023-03-06T17:08:10.849Z	DEBUG	No secret config detected: trivy-secret.yaml
2023-03-06T17:08:10.849Z	DEBUG	Walk the file tree rooted at '.' in parallel
2023-03-06T17:08:10.906Z	DEBUG	OS is not detected.
2023-03-06T17:08:10.906Z	DEBUG	Detected OS: unknown
2023-03-06T17:08:10.906Z	INFO	Number of language-specific files: 0

Output of `trivy -v`:

Version: 0.38.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-03-06 12:07:32.180603674 +0000 UTC
  NextUpdate: 2023-03-06 18:07:32.180603274 +0000 UTC
  DownloadedAt: 2023-03-06 16:46:15.443699 +0000 UTC
Policy Bundle:
  Digest: sha256:19a017cdc798631ad42f6f4dce823d77b2989128f0e1a7f9bc83ae3c59024edd
  DownloadedAt: 2023-03-06 16:48:51.041239 +0000 UTC

Additional details (base image name, container registry info...):

The package-lock.json is definitely there and is not malformed.

$ if test -r package-lock.json; then echo 'exists'; else echo 'not here'; fi
exists

$ jq .lockfileVersion package-lock.json
3

The text was updated successfully, but these errors were encountered:

leventyalcin added the kind/bug Categorizes issue or PR as related to a bug. label Mar 6, 2023

knqyf263 changed the title ~~trivy ignore nodejs dependencies on filesystem scan~~ Add support for npm package-lock.json version 3 Mar 7, 2023

knqyf263 added kind/feature Categorizes issue or PR as related to a new feature. priority/backlog Higher priority than priority/awaiting-more-evidence. scan/vulnerability Issues relating to vulnerability scanning and removed kind/bug Categorizes issue or PR as related to a bug. labels Mar 7, 2023

knqyf263 added this to the v0.39.0 milestone Mar 7, 2023

knqyf263 assigned DmitriyLewen Mar 7, 2023

DmitriyLewen mentioned this issue Mar 13, 2023

feat(nodejs): Add v3 npm lock file support #3826

Merged

7 tasks

knqyf263 closed this as completed in #3826 Mar 15, 2023

leventyalcin mentioned this issue Apr 13, 2023

npm dependecy checks is failing on parsing package.json with the image scanning #4054

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add support for npm package-lock.json version 3 #3777

Add support for npm package-lock.json version 3 #3777

leventyalcin commented Mar 6, 2023

Add support for npm package-lock.json version 3 #3777

Add support for npm package-lock.json version 3 #3777

Comments

leventyalcin commented Mar 6, 2023

Description

What did you expect to happen?

What happened instead?

Output of run with -debug:

Output of trivy -v:

Additional details (base image name, container registry info...):

Output of run with `-debug`:

Output of `trivy -v`: