fix(server): licenses are missing on package metadata on client/server mode #4996

Closed
2 tasks
nikpivkin opened this issue Aug 16, 2023 Discussed in #4995 · 4 comments · Fixed by #5382
Labels
kind/bug Categorizes issue or PR as related to a bug. scan/license Issues relating to license scanning

Comments

@nikpivkin
Contributor

The licenses field is missing in the BlobInfo message.

Discussed in #4995

Originally posted by roi-orca August 16, 2023

Description

When running Trivy in client/server mode, the licenses are missing from package metadata.
Example output for trivy/server mode:

```
...
 "Results": [
    {
      "Target": "redis:5 (debian 11.5)",
      "Class": "os-pkgs",
      "Type": "debian",
      "Packages": [
        {
          "ID": "adduser@3.118",
          "Name": "adduser",
          "Version": "3.118",
          "Arch": "all",
          "SrcName": "adduser",
          "SrcVersion": "3.118",
          "DependsOn": [
            "debconf@1.5.77",
            "passwd@1:4.8.1-1"
          ],
          "Layer": {
            "DiffID": "sha256:acef1b1c001e7f34ee6701a5bec3c73c5f0661ecdb6415b295a9aa426a5fdec0"
          }
        },
...
```

Example for output in local mode

```
...
 "Results": [
    {
      "Target": "redis:5 (debian 11.5)",
      "Class": "os-pkgs",
      "Type": "debian",
      "Packages": [
        {
          "ID": "adduser@3.118",
          "Name": "adduser",
          "Version": "3.118",
          "Arch": "all",
          "SrcName": "adduser",
          "SrcVersion": "3.118",
          "Licenses": [
            "GPL-2.0"
          ],
          "Maintainer": "Debian Adduser Developers \u003cadduser@packages.debian.org\u003e",
          "DependsOn": [
            "debconf@1.5.77",
            "passwd@1:4.8.1-1"
          ],
          "Layer": {
            "DiffID": "sha256:acef1b1c001e7f34ee6701a5bec3c73c5f0661ecdb6415b295a9aa426a5fdec0"
          }
        },
...
```

We can see the licenses are missing -

```
          "Licenses": [
            "GPL-2.0"
          ],
```

Desired Behavior

Trivy in client/server mode should have licenses as well in the output

Actual Behavior

Trivy in client/server mode doesn't have licenses in the output

Reproduction Steps

```bash
trivy image redis:5 --quiet --list-all-pkgs --scanners vuln -f json -o vulns.json --no-progress  --server http://127.0.0.1:9000 --token xxx --token-header yyy
```

Target

Container Image

Scanner

Vulnerability

Output Format

JSON

Mode

Client/Server

Debug Output

```
2023-08-16T12:10:00.587+0300    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-08-16T12:10:00.588+0300    DEBUG   Ignore statuses {"statuses": null}
2023-08-16T12:10:00.588+0300    INFO    Vulnerability scanning is enabled
2023-08-16T12:10:00.588+0300    DEBUG   Vulnerability type:  [os library]
2023-08-16T12:10:00.598+0300    DEBUG   Image ID: sha256:91a41e72601705ce57ec663f2c6f0a0bcf9e78eff059c91b0164c6b7bf399ba7
2023-08-16T12:10:00.598+0300    DEBUG   Diff IDs: [sha256:acef1b1c001e7f34ee6701a5bec3c73c5f0661ecdb6415b295a9aa426a5fdec0 sha256:5790dd8ba6de4bde6b8c26c7fb6915a0ada95bc8c0d91f9508d6d1a4d9fb0d7b sha256:7284e9e927cf746e2205b1ab2677d985a511c887c75d36882040e7105e27ba61 sha256:adaef20a0fbf4f348f5cd8df02b35e4aca8e6e4956b19bab99e64e55ef7ee3e8 sha256:4d8ff933869e4efafde32abc3bc2ff19e4bc6081995c9f365c361e79a0c871f2 sha256:34aad8ada5395eb101534e378784dca1f4abe6a70fa7d150eaf3b3d425388ad2]
2023-08-16T12:10:00.598+0300    DEBUG   Base Layers: [sha256:acef1b1c001e7f34ee6701a5bec3c73c5f0661ecdb6415b295a9aa426a5fdec0]
```

Operating System

macOS Ventura

Version

```bash
Version: 0.44.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-08-16 06:11:13.379298966 +0000 UTC
  NextUpdate: 2023-08-16 12:11:13.379298466 +0000 UTC
  DownloadedAt: 2023-08-16 08:51:59.240496 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-08-14 00:51:51.065398906 +0000 UTC
  NextUpdate: 2023-08-17 00:51:51.065398106 +0000 UTC
  DownloadedAt: 2023-08-14 14:21:46.067438 +0000 UTC
```

Checklist

nikpivkin added the kind/bug and scan/license labels on Aug 16, 2023
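A field-level comparison of a local report against a client/server report shows what the server round trip drops, package by package; it checks every key rather than only `Licenses`, which goes slightly beyond what the issue reports. This is an added example, not code from the Trivy project: the sample data is constructed from the two outputs quoted above, and `example-pkg` and the function names are hypothetical.

```python
import copy
from collections import Counter

# Constructed sample: the adduser entry from the local-mode output quoted in the
# issue (Layer omitted), plus one made-up package that is identical in both modes.
LOCAL = {"Results": [{
    "Target": "redis:5 (debian 11.5)", "Class": "os-pkgs", "Type": "debian",
    "Packages": [
        {"ID": "adduser@3.118", "Name": "adduser", "Version": "3.118", "Arch": "all",
         "SrcName": "adduser", "SrcVersion": "3.118", "Licenses": ["GPL-2.0"],
         "Maintainer": "Debian Adduser Developers <adduser@packages.debian.org>",
         "DependsOn": ["debconf@1.5.77", "passwd@1:4.8.1-1"]},
        {"ID": "example-pkg@1.0", "Name": "example-pkg", "Version": "1.0"},
    ]}]}

# Client/server report: same packages, minus the keys absent from the quoted output.
REMOTE = copy.deepcopy(LOCAL)
for _key in ("Licenses", "Maintainer"):
    REMOTE["Results"][0]["Packages"][0].pop(_key)


def index_packages(report):
    """Map (Target, package ID) -> package dict across all Results."""
    return {(res.get("Target"), pkg.get("ID")): pkg
            for res in report.get("Results") or []
            for pkg in res.get("Packages") or []}


def dropped_fields(local_report, remote_report):
    """Keys each package has in the local report but lacks in the remote one."""
    remote = index_packages(remote_report)
    diff = {}
    for key, pkg in index_packages(local_report).items():
        other = remote.get(key)
        missing = ["<package absent>"] if other is None else sorted(set(pkg) - set(other))
        if missing:
            diff[key] = missing
    return diff


def field_counts(diff):
    """Number of packages affected per dropped field."""
    return Counter(field for fields in diff.values() for field in fields)


if __name__ == "__main__":
    for (target, pkg_id), fields in dropped_fields(LOCAL, REMOTE).items():
        print(f"{target} {pkg_id}: missing {', '.join(fields)}")
```

For real reports, load the two JSON files with `json.load` and pass them to `dropped_fields`. On the adduser entry quoted above, the comparison reports `Maintainer` as well as `Licenses` as absent from the client/server output.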
@roi-orca
Contributor

roi-orca commented Sep 3, 2023

@nikpivkin Is this PR related to this issue? If so, can we close this issue?

@nikpivkin
Contributor Author

@roi-orca No, this PR does not relate to this issue.

@roi-orca
Contributor

@nikpivkin Any update on this issue?

@nikpivkin
Contributor Author

Hi @roi-orca!

Track #5382.
