Support gradle checks for multi project repos. #4660
-
Description
We are looking to add trivy to our multi project repository.

Desired Behavior
Gradle lockfiles are scanned even when they are not named gradle.lockfile.

Actual Behavior
Gradle multi project lockfiles are not being scanned since they are not named gradle.lockfile.

Reproduction Steps
1. Download https://github.com/atlassian/infrastructure
2. Run trivy: `trivy fs . --debug`
3. Look for references to gradle lockfiles being checked.

Target
Filesystem

Scanner
Vulnerability

Output Format
Table

Mode
Standalone

Debug Output
trivy fs . --debug
C:\workspace\infrastructure [master ≡]> trivy fs . --debug
2023-06-16T19:44:01.742-0700 DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-06-16T19:44:01.763-0700 DEBUG cache dir: C:\Users\me\AppData\Local\trivy
2023-06-16T19:44:01.771-0700 INFO Need to update DB
2023-06-16T19:44:01.771-0700 INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2023-06-16T19:44:01.771-0700 INFO Downloading DB...
37.75 MiB / 37.75 MiB [---------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 3.35 MiB p/s 11s
2023-06-16T19:44:15.348-0700 DEBUG Updating database metadata...
2023-06-16T19:44:15.366-0700 DEBUG DB Schema: 2, UpdatedAt: 2023-06-17 00:11:11.682568085 +0000 UTC, NextUpdate: 2023-06-17 06:11:11.682567685 +0000 UTC, DownloadedAt: 2023-06-17 02:44:15.3507978 +0000 UTC
2023-06-16T19:44:15.368-0700 INFO Vulnerability scanning is enabled
2023-06-16T19:44:15.368-0700 DEBUG Vulnerability type: [os library]
2023-06-16T19:44:15.368-0700 INFO Secret scanning is enabled
2023-06-16T19:44:15.368-0700 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-06-16T19:44:15.368-0700 INFO Please see also https://aquasecurity.github.io/trivy/v0.42/docs/secret/scanning/#recommendation for faster secret detection
2023-06-16T19:44:15.369-0700 DEBUG No secret config detected: trivy-secret.yaml
2023-06-16T19:44:15.370-0700 DEBUG Walk the file tree rooted at '.' in parallel
2023-06-16T19:44:15.898-0700 DEBUG OS is not detected.
2023-06-16T19:44:15.898-0700 DEBUG Detected OS: unknown
2023-06-16T19:44:15.898-0700 INFO Number of language-specific files: 0

Operating System
Windows

Version
Version: 0.42.0
Vulnerability DB:
Version: 2
UpdatedAt: 2023-06-17 00:11:11.682568085 +0000 UTC
NextUpdate: 2023-06-17 06:11:11.682567685 +0000 UTC
DownloadedAt: 2023-06-17 02:44:15.3507978 +0000 UTC
Java DB:
Version: 1
UpdatedAt: 2023-06-16 00:51:43.297351753 +0000 UTC
NextUpdate: 2023-06-19 00:51:43.297350953 +0000 UTC
DownloadedAt: 2023-06-16 16:02:32.9392626 +0000 UTC
Replies: 4 comments 3 replies
-
Thank you for that suggestion.
-
Would it make sense to add these patterns to the code as well (if I can figure out the Go code), or is it not something that would work with the tools?
-
I wanted to have a single lockfile for all
Scanning the single file with trivy is easy:
`--file-patterns` helps: https://aquasecurity.github.io/trivy/v0.42/docs/configuration/skipping/#file-patterns
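To make the thread's point concrete, here is an added illustration (not Trivy's own code) of the two behaviours discussed: by default a Gradle lockfile is only picked up when its basename is exactly `gradle.lockfile`, and a `--file-patterns` entry of the form `<analyzer>:<regex>` lets additional paths be routed to the same analyzer. The repository layout, the analyzer name `gradle` and the pattern `gradle:.*\.lockfile$` are my assumptions for the example; the linked documentation is the authoritative source for the analyzer names Trivy accepts. The `$` anchor is the caveat worth noticing: because user patterns are searched against the whole relative path rather than compared to the basename, an unanchored pattern also sweeps in stale copies such as `*.lockfile.bak`.

```python
import re
from typing import Dict, Iterable, List

# Default name matching, modelling the behaviour described in the report:
# only a file whose basename is exactly "gradle.lockfile" is picked up.
DEFAULT_FILE_NAMES: Dict[str, set] = {"gradle": {"gradle.lockfile"}}

# Constructed multi-project layout for the example (not the atlassian/infrastructure tree).
REPO_FILES: List[str] = [
    "gradle.lockfile",                      # root project, default name
    "service-a/gradle.lockfile",            # subproject, default name
    "service-b/dependencies.lockfile",      # subproject with a custom lockfile name
    "locking/service-c.lockfile",           # lockfiles collected in one shared directory
    "service-b/dependencies.lockfile.bak",  # stale copy that should not be scanned
    "service-a/build.gradle",
    "README.md",
]


def parse_file_patterns(patterns: Iterable[str]) -> Dict[str, List[re.Pattern]]:
    """Parse '<analyzer>:<regex>' strings, the syntax --file-patterns uses.

    Only the first colon separates the analyzer name from the regex, so the
    regex itself may contain colons. Malformed entries are rejected loudly
    rather than ignored, so a typo cannot silently leave a lockfile unscanned.
    """
    compiled: Dict[str, List[re.Pattern]] = {}
    for raw in patterns:
        analyzer, sep, regex = raw.partition(":")
        if not sep or not analyzer or not regex:
            raise ValueError(f"bad file pattern {raw!r}: expected '<analyzer>:<regex>'")
        compiled.setdefault(analyzer, []).append(re.compile(regex))
    return compiled


def is_required(analyzer: str, rel_path: str, extra: Dict[str, List[re.Pattern]]) -> bool:
    """Decide whether `analyzer` should look at `rel_path`.

    Default names are compared against the basename; user patterns are
    searched unanchored (like Go's regexp.MatchString) against the whole
    relative path, so anchor them with `$` to keep backup copies out.
    """
    basename = rel_path.rsplit("/", 1)[-1]
    if basename in DEFAULT_FILE_NAMES.get(analyzer, set()):
        return True
    return any(rx.search(rel_path) for rx in extra.get(analyzer, []))


def select_files(files: Iterable[str], pattern_strings: Iterable[str],
                 analyzer: str = "gradle") -> List[str]:
    """Return the sorted subset of `files` the analyzer would scan."""
    extra = parse_file_patterns(pattern_strings)
    return sorted(f for f in files if is_required(analyzer, f, extra))


if __name__ == "__main__":
    print("default:", select_files(REPO_FILES, []))
    # Assumed CLI equivalent: trivy fs --file-patterns 'gradle:.*\.lockfile$' .
    print("anchored pattern:", select_files(REPO_FILES, [r"gradle:.*\.lockfile$"]))
    print("unanchored pattern:", select_files(REPO_FILES, [r"gradle:.*\.lockfile"]))
```

Running the block shows the two default-named files first, then all four real lockfiles once the anchored pattern is supplied, and the `.bak` copy creeping in when the `$` is dropped. A pattern aimed at another analyzer (for example `pip:...`) leaves the Gradle selection unchanged, which is why the analyzer prefix has to match the one Trivy expects.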