Replies: 3 comments 5 replies
-
Hello @spank79
I don't see any vulnerabilities for
Regards, Dmitriy
-
OK, sorry, I misread the database and was not focusing on the package. Is there a way to filter for packages? Our Prisma scan showed this one, but I can see now that it is coming from the Prisma database. But I can also give you another example where the package actually has a high vulnerability but still is not listed, which is the package "setuptools". This one should be listed, shouldn't it?
-
Explanation for not finding anything was given. Implementation on our side looks OK and no problem existed. Only a misunderstanding of how to use trivy.
-
Description
Hi,
In our current environment we are using the Docker image to initiate Trivy scans for our projects. It does work with the process for Angular and C# and yields findings. But for our Python projects it's not finding anything, although we know there are critical CVEs found with e.g. twistcli, which we have used before.
Our Dockerfile looks like this (with other code around it for the original build):
We then execute it in our build pipeline like this:
docker build . -t <imagename>-trivy --no-cache --progress=plain --target trivy
In our attached requirements.installed.txt there is cPython==0.0.6
requirements.installed.txt
which has a critical vulnerability that is also listed in the database, as you can see here: https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip+cpython
But the output of the build does not show anything.
Also, even if it does not find anything, why is it not printing the line saying nothing was found? For all our languages it just does not put out anything. I would expect something like:
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
Kind regards
Desired Behavior
#16 18.63 2024-08-23T12:17:13Z INFO Number of language-specific files num=1
#16 18.63 2024-08-23T12:17:13Z INFO [pip] Detecting vulnerabilities...
#16 DONE 18.8s
#16 19.67
#16 19.67 ==================
#16 19.67 Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 1)
#16 19.67
=> Table listing at least the one critical measure
Actual Behavior
#16 18.62 2024-08-23T12:17:13Z WARN [pip] Unable to find python site-packages directory. License detection is skipped. err="unable to find path to Python executable"
#16 18.63 2024-08-23T12:17:13Z INFO Number of language-specific files num=1
#16 18.63 2024-08-23T12:17:13Z INFO [pip] Detecting vulnerabilities...
#16 DONE 18.8s
Reproduction Steps
1. Create a small Python project referencing cPython==0.0.6
2. Create a Dockerfile to create sbom.json and scan it for vulnerabilities
3. Check the results
Target
SBOM
Scanner
Vulnerability
Output Format
CycloneDX
Mode
Standalone
Debug Output
Operating System
Docker Container provided by Trivy
Version
Checklist
trivy clean --all
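When an SBOM scan comes back silent for a Python project, the first thing to rule out is the SBOM itself: the scanner can only match a component against advisories if the component carries a `pkg:pypi/...` purl with the right name and version. The script below is an added example (not Trivy's code and not from this thread) that classifies why a given `name==version` might produce no finding: present with a matching purl (so the silence means no advisory in the scanner's database, which is what the discussion concluded), present under another version, listed without a purl, or absent from the SBOM altogether. The SBOM it parses is a constructed sample shaped like a CycloneDX JSON document, not real scan output, and the package names and versions in it are made up.

```python
"""Sanity-check a CycloneDX SBOM before blaming the vulnerability database.

Added example, not Trivy's code. The SBOM below is a constructed sample in the
CycloneDX JSON shape; the components, versions and purls are invented.
"""
from __future__ import annotations

import json
import re
from typing import Optional

# Constructed sample SBOM: two pypi components with purls, one component that
# has no purl at all, and one npm component that must not be mistaken for pip.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "cPython", "version": "0.0.6",
         "purl": "pkg:pypi/cpython@0.0.6"},
        {"type": "library", "name": "setuptools", "version": "65.5.0",
         "purl": "pkg:pypi/setuptools@65.5.0"},
        {"type": "library", "name": "requests", "version": "2.31.0"},  # no purl
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
    ],
})

# purl grammar: pkg:<type>/<namespace?>/<name>@<version>?<qualifiers>#<subpath>
PURL_RE = re.compile(r"^pkg:(?P<type>[^/]+)/(?P<rest>[^?#]+)")


def normalize(name: str) -> str:
    """PEP 503 normalization so 'cPython' and 'cpython' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_purl(purl: str) -> Optional[tuple[str, str, Optional[str]]]:
    """Return (type, name, version) from a package URL, or None if malformed.

    Qualifiers (?...) and subpaths (#...) are dropped. A namespace segment
    (for example '%40scope/' in npm purls) is dropped too, because only the
    last path segment is the package name.
    """
    m = PURL_RE.match(purl)
    if not m:
        return None
    name_part, _, version = m.group("rest").rpartition("@")
    if not name_part:  # no '@' present: rpartition put the whole string in `version`
        name_part, version = version, ""
    name = name_part.rsplit("/", 1)[-1]
    return m.group("type"), name, (version or None)


def pypi_packages(sbom_json: str) -> dict[str, Optional[str]]:
    """Map normalized package name -> version for every component whose purl
    says it is a pypi package. Components without a purl are skipped here on
    purpose: without one, a scanner has no ecosystem or version to match on."""
    doc = json.loads(sbom_json)
    found: dict[str, Optional[str]] = {}
    for comp in doc.get("components", []):
        parsed = parse_purl(comp.get("purl", ""))
        if parsed and parsed[0] == "pypi":
            found[normalize(parsed[1])] = parsed[2]
    return found


def purl_less_components(sbom_json: str) -> list[str]:
    """Names of components that are listed but carry no purl."""
    doc = json.loads(sbom_json)
    return [c["name"] for c in doc.get("components", []) if not c.get("purl")]


def check_package(sbom_json: str, name: str, version: str) -> str:
    """Classify why a scan could be silent about `name==version`:
    'present'          purl matches name and version; a silent scan points at the DB
    'version-mismatch' the package is in the SBOM under another version
    'no-purl'          the component is listed but has no purl, so it cannot be matched
    'absent'           the package is not in the SBOM at all (SBOM generation problem)
    """
    key = normalize(name)
    pkgs = pypi_packages(sbom_json)
    if key in pkgs:
        return "present" if pkgs[key] == version else "version-mismatch"
    if any(normalize(n) == key for n in purl_less_components(sbom_json)):
        return "no-purl"
    return "absent"


if __name__ == "__main__":
    # Usage with the constructed sample; replace SAMPLE_SBOM with open("sbom.json").read()
    for pkg, ver in [("cPython", "0.0.6"), ("setuptools", "65.5.0"),
                     ("requests", "2.31.0"), ("flask", "3.0.0")]:
        print(f"{pkg}=={ver}: {check_package(SAMPLE_SBOM, pkg, ver)}")
```

Run it against the real `sbom.json` produced in the Docker stage by swapping `SAMPLE_SBOM` for the file contents. A result of `present` for the package in question means the SBOM side is fine and the question moves to which advisory database lists the package; `absent` or `no-purl` means the SBOM stage, not the scanner, needs attention. The `WARN [pip] Unable to find python site-packages directory` line in the build output above only affects license detection, so it is not by itself a reason for missing vulnerability results.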