Replies: 2 comments 3 replies
-
Trivy doesn't scan There is problem with scanning We can't correcntly detect versions for dependencies with version range. Trivy supports the following files - https://aquasecurity.github.io/trivy/v0.52/docs/coverage/language/dotnet/ Regards, Dmitriy |
Beta Was this translation helpful? Give feedback.
-
Thanks for response. My use case involves scanning projects that I didn't create and know absolutely nothing about. "Choose a different file" as a prerequisite for running a scan seems backwards to me. I need a tool that will tell me what's in the build. A tool that only works after I've changed the build is not very useful. I realize that not knowing exact versions of dependencies is fairly useless for security scanning, but it's much less important for license scanning, which is my top concern. If the scanner finds a BOM file that it can't read, I want it to warn me, so I can investigate. And if it can sort-of-read it, I want it to warn me that results are not complete, AND show me the information it did find. In particular, the license scan should still work even if the security scan isn't much use. I need to be able to tell clients "just run this tool and send me the output." If there's ANY technical steps involved beyond that, it makes my life vastly more difficult. I might be able to ask my clients to create packages.lock.json (that sounds harmless to their build) but it's decidedly sub-optimal. I realize you can't be expected support every weird build system that's out there. But this is a very normal method of building .Net projects, and shouldn't be passed over in silence. Pull #121 is a couple of years old now, I don't know if it's still valid, but it looks like it was stopped only for fear of giving users false confidence. @knqyf263 any chance of revisiting that decision? To me it's worse, in terms of false confidence, to completely ignore a valid BOM file. The scan result gave me no warning about that, I only got suspicious when the number of packages seemed low. |
Beta Was this translation helpful? Give feedback.
-
Description
A client of mine ran a trivy scan on a .Net project and didn't see output (vulns, licenses) for dependencies I know the project is using.
If I read the documentation correctly, Trivy looks at packages.config or (preferably) packages.lock.json to tell it what dependencies are included in a .Net project. But this project uses PackageReference tags inside a .csproject file instead (example in attached screenshot).
Desired Behavior
Trivy should detect all listed project dependencies, even if they are listed as PackageReferences in the .csproject file and not packages.config
(I am told that PackageReference will be the default for .Net projects:
"This project targets .NET8 for Android which is the current/future LTS version for Microsoft (with .NET6 going end-of-life for support in November).
By default, .NET Core uses the PackageReference system, so going forward I would expect most Visual Studio projects would look this way." )
Actual Behavior
No output reflecting those dependencies - I'm pretty sure Trivy never looked at them (I suppose maybe they're all vuln-free and none has any license metadata, but that seems unlikely. It's not just one project or the few files in the screenshot.)
Reproduction Steps
Target
Filesystem
Scanner
Vulnerability
Output Format
Table
Mode
Standalone
Debug Output
Operating System
Windows
Version
Checklist
trivy clean --all
Beta Was this translation helpful? Give feedback.
All reactions