
Trivy dependency tree shows flat tree since v0.38.0 #3840

Closed
assaf-orca opened this issue Mar 14, 2023 · 7 comments · Fixed by #3852
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@assaf-orca

assaf-orca commented Mar 14, 2023

Using trivy with the flag --dependency-tree shows just the vulnerable package instead of the full tree.
Steps to reproduce:
Created an npm lock file with the package cra-append-sw@2.7.0 installed, using the command:

npm install cra-append-sw@2.7.0  --package-lock-only

and executed trivy on the package directory using the command:

trivy fs  ./ --dependency-tree

on version v0.37.0 I got the output: (Expected)

package-lock.json (npm)

Total: 1 (UNKNOWN: 1, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

┌─────────────┬────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────┐
│   Library   │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                   Title                    │
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────┤
│ glob-parent │ CVE-2020-28469 │ UNKNOWN  │ 3.1.0             │ 5.1.2         │ https://avd.aquasec.com/nvd/cve-2020-28469 │
└─────────────┴────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────┘

Dependency Origin Tree (Reversed)
=================================
package-lock.json
└── glob-parent@3.1.0, (UNKNOWN: 1, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
    └── chokidar@2.1.8
        └── watchpack-chokidar2@2.0.1
            └── watchpack@1.7.5
                └── webpack@4.46.0
                    └── cra-append-sw@2.7.0

on version v0.38.X I got the output: (Actual)


package-lock.json (npm)

Total: 1 (UNKNOWN: 1, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

┌─────────────┬────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────┐
│   Library   │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                   Title                    │
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────┤
│ glob-parent │ CVE-2020-28469 │ UNKNOWN  │ 3.1.0             │ 5.1.2         │ https://avd.aquasec.com/nvd/cve-2020-28469 │
└─────────────┴────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────┘

Dependency Origin Tree (Reversed)
=================================
package-lock.json
└── glob-parent@3.1.0, (UNKNOWN: 1, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

output of the versions:

trivy -v
Version: 0.37.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-03-12 06:07:19.471066064 +0000 UTC
  NextUpdate: 2023-03-12 12:07:19.471065664 +0000 UTC
  DownloadedAt: 2023-03-12 09:05:42.916782 +0000 UTC
trivy -v
Version: 0.38.3
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-03-12 06:07:19.471066064 +0000 UTC
  NextUpdate: 2023-03-12 12:07:19.471065664 +0000 UTC
  DownloadedAt: 2023-03-12 09:05:42.916782 +0000 UTC
@assaf-orca assaf-orca added the kind/bug Categorizes issue or PR as related to a bug. label Mar 14, 2023
@DmitriyLewen
Collaborator

Hello @assaf-orca
Thanks for your report!

Dependency trees can be large.
Therefore, we omit some intermediate packages.
Usually languages have tools to create the full graph,
for example, for you: npm ls glob-parent.

But I am confused that you don't have the main package.
I tried to reproduce the problem according to your instructions, but I got the correct result:


Dependency Origin Tree (Reversed)
=================================
package-lock.json
├── glob-parent@3.1.0, (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
│   └── ...(omitted)...
│       └── cra-append-sw@2.7.0
└── json5@0.5.1, (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
    └── ...(omitted)...
        └── cra-append-sw@2.7.0

can you send your package-lock.json file for investigation?

Regards, Dmitriy

@assaf-orca
Author

assaf-orca commented Mar 15, 2023

package-lock.json.txt
attached package-lock.json
moreover:

npm -v
6.14.18

I noticed that the degradation came from revision:
00daebc161ea1837e5b60f28be7b0ada9510a70b
@knqyf263 it's your commit, maybe you can shed some light here?

Thanks,
Assaf

@DmitriyLewen
Collaborator

Hello @assaf-orca
Thanks for information!

The problem is with "lockfileVersion": 1.
v1 doesn't have information about direct dependencies.

We will try to fix this problem.

You can update your npm to v7 (or newer) and use lockfileVersion v2/v3. These versions of npm don't have this problem.

@assaf-orca
Author

v3 isn't supported either.
package-lock.json.txt
output:

➜  ./trivy fs  ./ --dependency-tree
2023-03-16T10:22:10.842+0200	INFO	"--dependency-tree" only shows the dependents of vulnerable packages. Note that it is the reverse of the usual dependency tree, which shows the packages that depend on the vulnerable package. It supports "package-lock.json", "Cargo.lock" and OS packages. Please see the document for the detail.
2023-03-16T10:22:10.886+0200	INFO	Vulnerability scanning is enabled
2023-03-16T10:22:10.886+0200	INFO	Secret scanning is enabled
2023-03-16T10:22:10.886+0200	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-03-16T10:22:10.886+0200	INFO	Please see also https://aquasecurity.github.io/trivy/v0.37/docs/secret/scanning/#recommendation for faster secret detection
2023-03-16T10:22:10.950+0200	INFO	Number of language-specific files: 0

@DmitriyLewen
Collaborator

Sorry, I forgot we didn't release a new version after v3 support was added (#3826).
Before the new release you can try to use the canary build.

@assaf-orca
Author

@DmitriyLewen thanks for your help!

I tried again to execute it with another npm version:

➜ npm -v
7.24.2
➜ trivy -v
Version: 0.38.3-3-g09e13022c
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-03-16 06:06:56.928415362 +0000 UTC
  NextUpdate: 2023-03-16 12:06:56.928414862 +0000 UTC
  DownloadedAt: 2023-03-16 07:41:50.249138 +0000 UTC

➜ npm install cra-append-sw@2.7.0  --package-lock-only

up to date, audited 622 packages in 1s

67 packages are looking for funding
  run `npm fund` for details

9 high severity vulnerabilities

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.
➜  trivy fs . --dependency-tree --format table --list-all-pkgs
2023-03-16T12:34:33.420+0200	WARN	"--list-all-pkgs" cannot be used with "--format table". Try "--format json" or other formats.
2023-03-16T12:34:33.420+0200	INFO	"--dependency-tree" only shows the dependents of vulnerable packages. Note that it is the reverse of the usual dependency tree, which shows the packages that depend on the vulnerable package. It supports limited package managers. Please see the document for the detail.
2023-03-16T12:34:33.487+0200	INFO	Vulnerability scanning is enabled
2023-03-16T12:34:33.487+0200	INFO	Secret scanning is enabled
2023-03-16T12:34:33.487+0200	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-03-16T12:34:33.487+0200	INFO	Please see also https://aquasecurity.github.io/trivy/dev/docs/secret/scanning/#recommendation for faster secret detection
2023-03-16T12:34:33.622+0200	INFO	To collect the license information of packages in "package-lock.json", "npm install" needs to be performed beforehand
2023-03-16T12:34:33.714+0200	INFO	Number of language-specific files: 1
2023-03-16T12:34:33.714+0200	INFO	Detecting npm vulnerabilities...

package-lock.json (npm)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

┌─────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
│   Library   │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                          Title                           │
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ glob-parent │ CVE-2020-28469 │ HIGH     │ 3.1.0             │ 5.1.2         │ nodejs-glob-parent: Regular expression denial of service │
│             │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2020-28469               │
├─────────────┼────────────────┤          ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ json5       │ CVE-2022-46175 │          │ 0.5.1             │ 1.0.2, 2.2.2  │ json5: Prototype Pollution in JSON5 via Parse Method     │
│             │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-46175               │
└─────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘

Dependency Origin Tree (Reversed)
=================================
package-lock.json
├── glob-parent@3.1.0, (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
└── json5@0.5.1, (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

I tried to build the tree myself using the JSON output and saw that I have partial data in the "DependsOn" field.

output from:

trivy fs . --dependency-tree --format json --list-all-pkgs -o output.json

output.json.txt

and the updated lock file:
package-lock.json.txt
It is "lockfileVersion": 2.
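The reconstruction assaf-orca describes above, as an added example that is not part of this thread or of Trivy's own code: it inverts the "DependsOn" field of a Trivy JSON report into a dependents map and walks from each vulnerable package up to the packages nothing depends on, which is what the reversed origin tree shows. The report is a constructed sample; the field names (Packages, ID, DependsOn, Vulnerabilities, PkgID) are assumed to match Trivy v0.38-era `--format json --list-all-pkgs` output.

```python
import json
from collections import defaultdict


def _pkg(pkg_id, *deps):
    """Build one Packages[] entry in Trivy's shape (assumed field names)."""
    name, version = pkg_id.rsplit("@", 1)
    return {"ID": pkg_id, "Name": name, "Version": version, "DependsOn": list(deps)}


# Constructed sample report: the cra-append-sw chain from this issue, plus a
# json5 entry that no package lists in DependsOn (the "partial data" symptom).
SAMPLE_REPORT = json.dumps({"Results": [{
    "Target": "package-lock.json", "Class": "lang-pkgs", "Type": "npm",
    "Packages": [
        _pkg("cra-append-sw@2.7.0", "webpack@4.46.0"),
        _pkg("webpack@4.46.0", "watchpack@1.7.5"),
        _pkg("watchpack@1.7.5", "watchpack-chokidar2@2.0.1"),
        _pkg("watchpack-chokidar2@2.0.1", "chokidar@2.1.8"),
        _pkg("chokidar@2.1.8", "glob-parent@3.1.0"),
        _pkg("glob-parent@3.1.0"),
        _pkg("json5@0.5.1"),
    ],
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2020-28469", "PkgID": "glob-parent@3.1.0",
         "PkgName": "glob-parent", "InstalledVersion": "3.1.0", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-2022-46175", "PkgID": "json5@0.5.1",
         "PkgName": "json5", "InstalledVersion": "0.5.1", "Severity": "HIGH"},
    ],
}]})


def reverse_edges(packages):
    """Invert DependsOn (parent -> children) into child -> set(parents)."""
    dependents = defaultdict(set)
    for pkg in packages:
        for child in pkg.get("DependsOn") or []:
            dependents[child].add(pkg["ID"])
    return dependents


def origin_chains(pkg_id, dependents, seen=()):
    """Every chain from pkg_id up to a package nothing depends on; cycles are cut."""
    parents = dependents.get(pkg_id, set()) - set(seen)
    if not parents:
        return [[pkg_id]]
    return [[pkg_id] + chain for parent in sorted(parents)
            for chain in origin_chains(parent, dependents, seen + (pkg_id,))]


def reversed_tree(report_json):
    """Map each vulnerable package ID to its origin chains (Trivy's reversed tree)."""
    tree = {}
    for res in json.loads(report_json)["Results"]:
        dependents = reverse_edges(res.get("Packages", []))
        for vuln in res.get("Vulnerabilities", []):
            pid = vuln.get("PkgID") or f'{vuln["PkgName"]}@{vuln["InstalledVersion"]}'
            tree[pid] = origin_chains(pid, dependents)
    return tree


def flat_entries(tree):
    """Vulnerable packages with no recorded dependents: the flat tree from this issue."""
    return sorted(p for p, chains in tree.items() if chains == [[p]])
```

A vulnerable package that comes back from flat_entries is one whose dependents are missing from the report, so the flat tree is a data gap in the lockfile parsing rather than a rendering choice.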

@DmitriyLewen
Collaborator

Hello @assaf-orca
Thanks for this information.

I found some wrong cases with our new v2-v3 parsing logic.
I created #196 to fix them.

Also there is #3852 to build the dependency tree for languages without information about direct deps.

Looks like v0.38.3 should create a correct graph.
