Scanning gradle.lockfile in image

[marko-majcenic]

Question

I'm wondering, is it possible to also scan the gradle.lockfile that is located in Docker image?

For example, I have a gradle.lockfile with simple content:

# This is a Gradle generated file for dependency locking.
# Manual edits can break the build and are not advised.
# This file is expected to be part of source control.
org.apache.commons:commons-compress:1.12=compileClasspath,nativeImageClasspath,runtimeClasspath

When I run trivy fs gradle.lockfile, it correctly finds vulnerabilities.

But, when I copy lockfile to an image, using Dockerfile (docker build -t myimg:latest .), for example:

FROM scratch
COPY gradle.lockfile /gradle.lockfile

and run trivy image myimg:latest, no vulnerabilities are found.

For context, what am I doing is that I am actually building a GraalVM native image, but I would like to have Trivy scans in CI/CD pipeline also scan app for vulnerabilities, so I am also adding gradle.lockfile to the image, for that purpose. I also tried using CycloneDX JSON file, but also had no luck. This actually works with JAR-s, so JAR scanning works, but in this case, there is no JAR archive.

Target

Container Image

Scanner

Vulnerability

Output Format

None

Mode

None

Operating System

No response

Version

Version: 0.58.0

[DmitriyLewen]

Hello @marko-majcenic
Trivy scans gradle files only in fs/repo modes.
Read more in https://trivy.dev/latest/docs/coverage/language/#supported-languages

Regards, Dmitriy