Skip to content

bug: trivy convert always filters non-failures #8670

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
1 of 2 tasks
simar7 opened this issue Apr 2, 2025 Discussed in #8420 · 0 comments · May be fixed by #8679
Open
1 of 2 tasks

bug: trivy convert always filters non-failures #8670

simar7 opened this issue Apr 2, 2025 Discussed in #8420 · 0 comments · May be fixed by #8679
Assignees
@nikpivkin
Labels
kind/bug Categorizes issue or PR as related to a bug.
Milestone
v0.62.0

Comments

@simar7
Copy link
Member

simar7 commented Apr 2, 2025

Discussed in #8420

Originally posted by martinclaus February 19, 2025

Description

In an CI Job, I am creating a single trivy misconfiguration scan report in JSON Format and then convert this report into different formats using the trivy convert command. The original JSON report is configured to contain also non-failures, however, the reports resulting from conversion do not contain any non-failures.

This is behavior disadvantageous, if you generate a JUnit Report, since the CI, which is capable of integrating theses reports in the pipeline UI, will not show the checks that has been passed. And it is particularly confusing if all checks have been passed but none are displayed.

Desired Behavior

I expect that

trivy filesystem --scanners misconfig --include-non-failures --format json --output "report.json" .
trivy convert --format template --template "@contrib/junit.tpl" --output "report.junit.xml" "report.json"

and

trivy filesystem --scanners misconfig --include-non-failures --format template --template "@contrib/junit.tpl" --output "report.junit.xml" .

Produce identical files report.junit.xml.

Actual Behavior

Reports of a Dockerfile containing only FROM alpine:latest share the failed but lack the passed test cases:

--- desired_report.junit.xml
+++ test_report.junit.xml
@@ -18,55 +18,5 @@
         <testcase classname="Dockerfile Security Check" name="[LOW] DS026" time="">
             <failure message="No HEALTHCHECK defined" type="description">You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.</failure>
         </testcase>
-        <testcase classname="Dockerfile Security Check" name="[MEDIUM] DS004" time="">
-        </testcase>
-        <testcase classname="Dockerfile Security Check" name="[LOW] DS005" time="">
-        </testcase>
-        <testcase classname="Dockerfile Security Check" name="[CRITICAL] DS006" time="">
-        </testcase>
-        <testcase classname="Dockerfile Security Check" name="[CRITICAL] DS007" time="">
-        </testcase>
-        <testcase classname="Dockerfile Security Check" name="[CRITICAL] DS008" time="">
-        </testcase>
-        <testcase classname="Dockerfile Security Check" name="[HIGH] DS009" time="">
-        </testcase>
-        <testcase classname="Dockerfile Security Check" name="[CRITICAL] DS010" time="">
-        </testcase>
-        <testcase classname="Dockerfile Security Check" name="[CRITICAL] DS011" time="">
-        </testcase>
-        <testcase classname="Dockerfile Security Check" name="[CRITICAL] DS012" time="">
-        </testcase>
-        <testcase classname="Dockerfile Security Check" name="[MEDIUM] DS013" time="">
-        </testcase>
-        <testcase classname="Dockerfile Security Check" name="[LOW] DS014" time="">
-        </testcase>
-        <testcase classname="Dockerfile Security Check" name="[HIGH] DS015" time="">
-        </testcase>
-        <testcase classname="Dockerfile Security Check" name="[HIGH] DS016" time="">
-        </testcase>
-        <testcase classname="Dockerfile Security Check" name="[HIGH] DS017" time="">
-        </testcase>
-        <testcase classname="Dockerfile Security Check" name="[HIGH] DS019" time="">
-        </testcase>
-        <testcase classname="Dockerfile Security Check" name="[HIGH] DS020" time="">
-        </testcase>
-        <testcase classname="Dockerfile Security Check" name="[HIGH] DS021" time="">
-        </testcase>
-        <testcase classname="Dockerfile Security Check" name="[HIGH] DS022" time="">
-        </testcase>
-        <testcase classname="Dockerfile Security Check" name="[MEDIUM] DS023" time="">
-        </testcase>
-        <testcase classname="Dockerfile Security Check" name="[HIGH] DS024" time="">
-        </testcase>
-        <testcase classname="Dockerfile Security Check" name="[HIGH] DS025" time="">
-        </testcase>
-        <testcase classname="Dockerfile Security Check" name="[HIGH] DS027" time="">
-        </testcase>
-        <testcase classname="Dockerfile Security Check" name="[HIGH] DS029" time="">
-        </testcase>
-        <testcase classname="Dockerfile Security Check" name="[HIGH] DS030" time="">
-        </testcase>
-        <testcase classname="Dockerfile Security Check" name="[CRITICAL] DS031" time="">
-        </testcase>
     </testsuite>
 </testsuites>

Reproduction Steps

1. echo "FROM alpine:latest" > Dockerfile
2. trivy filesystem --scanners misconfig --include-non-failures --format template --template "@contrib/junit.tpl" --output "desired_report.junit.xml" .
3. trivy filesystem --scanners misconfig --include-non-failures --format json --output "report.json" .
4. trivy convert --format template --template "@contrib/junit.tpl" --output "test_report.junit.xml" "report.json"
5. diff desired_report.junit.xml test_report.junit.xml

Target

Filesystem

Scanner

Misconfiguration

Output Format

Template

Mode

Standalone

Debug Output

`trivy convert --format template --template "@contrib/junit.tpl" --output "test_report.junit.xml" "report.json" --debug`

2025-02-19T15:59:51Z    DEBUG   No plugins loaded
2025-02-19T15:59:51Z    DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2025-02-19T15:59:51Z    DEBUG   Cache dir       dir="/trivy/.cache/trivy"
2025-02-19T15:59:51Z    DEBUG   Cache dir       dir="/trivy/.cache/trivy"
2025-02-19T15:59:51Z    DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-02-19T15:59:51Z    DEBUG   Specified ignore file does not exist    file=".trivyignore"
2025-02-19T15:59:51Z    DEBUG   [vex] VEX filtering is disabled
2025-02-19T15:59:51Z    DEBUG   Writing report to output...

Operating System

Linux

Version

Version: 0.59.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-02-19 06:16:52.057053042 +0000 UTC
  NextUpdate: 2025-02-20 06:16:52.057052812 +0000 UTC
  DownloadedAt: 2025-02-19 10:40:57.960950223 +0000 UTC
Check Bundle:
  Digest: sha256:ac89e7d82ab5feeabc055a454066bc182f9248e96b8ecb1ca5810cd59c659800
  DownloadedAt: 2025-02-19 10:42:49.863396592 +0000 UTC

Checklist
@simar7 simar7 added the kind/bug Categorizes issue or PR as related to a bug. label Apr 2, 2025
@simar7 simar7 added this to the v0.62.0 milestone Apr 2, 2025
@nikpivkin nikpivkin linked a pull request Apr 3, 2025 that will close this issue
Open
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@nikpivkin nikpivkin

Labels
kind/bug Categorizes issue or PR as related to a bug.
Projects
Trivy Roadmap
Status: No status
Milestone
v0.62.0
Development

Successfully merging a pull request may close this issue.

fix: enable include-non-failures by default in report conversion nikpivkin/trivy
2 participants
@simar7 @nikpivkin