License image scan filtering doesn't seem to work when trivyignore is specified with paths
#6117
Description
Running a license image scan with experimental
... filtering stops working and the specified license is still reported. (tried with I've made an additional observation that when generating licenses in

Desired Behavior
Trivy ignores licenses with specified

Actual Behavior
Presumably ignored licenses are still reported.

Reproduction Steps
1. Prepare trivyignore file to ignore license by id and path
2. Run trivy image scan of licenses
3. Check the generated report contents - whether ignore license is dropped
...

Target: Container Image
Scanner: License
Output Format: text/json
Mode: None

Debug Output
trivy image -d --scanners license --ignorefile .trivyignore.yaml [image-name]
2024-02-13T12:09:30.272Z DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-02-13T12:09:30.273Z DEBUG Ignore statuses {"statuses": null}
2024-02-13T12:09:30.285Z DEBUG cache dir: /root/.cache/trivy
2024-02-13T12:09:30.285Z INFO License scanning is enabled
2024-02-13T12:09:30.285Z DEBUG Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan]
2024-02-13T12:09:30.287Z DEBUG The nuget packages directory couldn't be found. License search disabled
2024-02-13T12:09:30.287Z DEBUG Image ID: sha256:421c13b65d869107b222d38e0ede8188d33f222f38f103be8585a92de2b0ab64
2024-02-13T12:09:30.287Z DEBUG Diff IDs: [sha256:736824c1529a1a5622eed3c3846f7fd2011c41de5ec77bf20d79405a311de762 sha256:e2c933539dd579125554b6d37e375ee9f70ae66c91628082660811796d5990d4 sha256:edfffbf281f2896ae6be0081ab093f322ee1b983e35a2b04f93d9daa838ed747 sha256:f807029a78ec7972170f91727f8c5fdb5b2e08213fbfb245cdd6751f323057f1 sha256:a5f35ab8139fd7eb09d5031e325a73e09961ad7e688fb1572d9f079e20e3cd61 sha256:a2dfce0c2e9cc7f5e58da2159afddce4522fb67b19b761b5b07b3452421a6f3e sha256:6dae3bd3793873e277902b774f3d4b1eafd368f48c080731f287c4373789fb90 sha256:0bba366450806b8d1a9cca7542d8d879ffccdfc7e42d41f4079839f4f27d0c1b sha256:e3953651da899e7e6df283daeae29c8465e37599386ba1e1715f5b214c44b422 sha256:f44e4361244c804cd244d7ed14c8fa84b7d0c9970fb307e74efb5f4e0794be44 sha256:bee957516be1fa1b5320fbfb7368198e43a0af6cf87cb42d623ee4a0ec3d42bd]
2024-02-13T12:09:30.287Z DEBUG Base Layers: []
2024-02-13T12:09:30.292Z DEBUG Found an ignore yaml: .trivyignore.yaml
OS Packages (license)
Total: 76 (UNKNOWN: 17, LOW: 36, MEDIUM: 5, HIGH: 18, CRITICAL: 0)
...
Python (license)
Total: 96 (UNKNOWN: 60, LOW: 34, MEDIUM: 1, HIGH: 1, CRITICAL: 0)
...

Operating System: Ubuntu/Alpine
Version: 0.49.0
Replies: 3 comments 2 replies
-
You are right. We currently don't fill filepath for os/language package licenses. So you can't ignore package licenses by path. There is a problem with the filePath entry for language packages: in some cases we find licenses not from the lock file (e.g. we check package.json files for yarn.lock, package-lock.json, etc. files). But right now we don't have a field to save the file path for the license.
There is #5211. We can add filepath to license file into new Struct.
@knqyf263 wdyt?
-
Then this section in docs is misleading: https://aquasecurity.github.io/trivy/v0.49/docs/configuration/filtering/
There's no exception for
-
Trivy currently doesn't support So I think we can close this Discussion. Regards, Dmitriy
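To illustrate why the reported rule has no effect, here is an added Go example (not Trivy's own code; the struct and field names are assumptions made for this illustration). It models an ignore entry with an id and optional paths against a license finding whose FilePath is empty, as the reply says it is for OS/language package licenses: the path-scoped rule can never match, while an id-only rule still suppresses the finding.

```go
package main

import (
	"fmt"
	"path/filepath"
)

// IgnoreRule models one "licenses" entry of .trivyignore.yaml: a license
// id plus optional path patterns (assumed shape, not Trivy's own type).
type IgnoreRule struct {
	ID    string
	Paths []string
}

// LicenseFinding models a reported license. For OS/language package
// licenses FilePath stays empty, which is the situation in the discussion.
type LicenseFinding struct {
	Name     string
	Package  string
	FilePath string
}

// Ignored reports whether any rule suppresses the finding. A rule without
// Paths matches on id alone; a rule with Paths additionally needs FilePath
// to match one pattern, so an empty FilePath can never satisfy it.
func Ignored(f LicenseFinding, rules []IgnoreRule) bool {
	for _, r := range rules {
		if r.ID != f.Name {
			continue
		}
		if len(r.Paths) == 0 {
			return true
		}
		for _, p := range r.Paths {
			if ok, _ := filepath.Match(p, f.FilePath); ok && f.FilePath != "" {
				return true
			}
		}
	}
	return false
}

func main() {
	// Constructed sample: a package license finding with no file path.
	pkg := LicenseFinding{Name: "GPL-3.0", Package: "libfoo"}
	scoped := []IgnoreRule{{ID: "GPL-3.0", Paths: []string{"usr/lib/libfoo/*"}}}
	idOnly := []IgnoreRule{{ID: "GPL-3.0"}}
	fmt.Println(Ignored(pkg, scoped), Ignored(pkg, idOnly)) // false true
}
```

Until a file path is recorded for package licenses, an id-only entry is the only form of the rule that takes effect; check the report after the scan rather than assuming the path scoping was honoured.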