html.tpl doesn't show path of golang binaries

[adcharre]

Description

When scanning an image with the table output the path to the binary along with the type is displayed, for example:

usr/bin/yq (gobinary)

However when using the contrib/html.tpl only gobinary is displayed making it more difficult to determine which binary might be the one with the vulnerability.

The fix is relatively simple and I'm willing to raise a PR.

Desired Behavior

The html template should behaviour like the table format and display the path to the binary along with the type.

Actual Behavior

Only the type of package/binary is displayed with no details as to which binary in the image has the vulnerability.

Reproduction Steps

trivy image image_with_vulnerable_gobinary --format template -t @/contrib/html.tpl -o report.html

### Target

Container Image

### Scanner

Vulnerability

### Output Format

Template

### Mode

Standalone

### Debug Output

```bash
2024-07-29T17:43:22+01:00	DEBUG	Cache dir	dir="/Users/adcharre/Library/Caches/trivy"
2024-07-29T17:43:22+01:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-07-29T17:43:22+01:00	DEBUG	Ignore statuses	statuses=[]
2024-07-29T17:43:22+01:00	DEBUG	DB update was skipped because the local DB is the latest
2024-07-29T17:43:22+01:00	DEBUG	DB info	schema=2 updated_at=2024-07-29T12:14:14.37314329Z next_update=2024-07-29T18:14:14.373143149Z downloaded_at=2024-07-29T14:33:34.610325Z
2024-07-29T17:43:22+01:00	INFO	Vulnerability scanning is enabled
2024-07-29T17:43:22+01:00	DEBUG	Vulnerability type	type=[os library]
2024-07-29T17:43:22+01:00	INFO	Secret scanning is enabled
2024-07-29T17:43:22+01:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-29T17:43:22+01:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-29T17:43:22+01:00	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-07-29T17:43:22+01:00	DEBUG	Initializing scan cache...	type="fs"
2024-07-29T17:43:23+01:00	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2024-07-29T17:43:23+01:00	DEBUG	[nuget] The nuget packages directory couldn't be found. License search disabled
2024-07-29T17:43:23+01:00	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2024-07-29T17:43:23+01:00	DEBUG	[image] Detected image ID	image_id="sha256:edc0782b3167d506393b3a1df3a790e9dfe0d4c39480dda07a60ae5cf3263217"
2024-07-29T17:43:23+01:00	DEBUG	[image] Detected diff ID	diff_ids=[sha256:5535fda0356bb3eff348b2f618314a47946d7ccfbeb880b3fc910dd7375ae140 sha256:38fb2f7c6c828945e2513d0710e84ab7193ba3c4f39dcd38bb46d58d2110fe75 sha256:d8898ad21fd83de4fd54f1aec5719d5ca05d8b7a3fe90b56881e0ed096e49328 sha256:34304da85e86bb76f150da1c1200e5b5d22aceabfcfbbd658e77e70dd744be3e]
2024-07-29T17:43:23+01:00	DEBUG	[image] Detected base layers	diff_ids=[sha256:5535fda0356bb3eff348b2f618314a47946d7ccfbeb880b3fc910dd7375ae140]
2024-07-29T17:43:23+01:00	INFO	Detected OS	family="alpine" version="3.16.9"
2024-07-29T17:43:23+01:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.16" repository="3.16" pkg_num=94
2024-07-29T17:43:23+01:00	INFO	Number of language-specific files	num=1
2024-07-29T17:43:23+01:00	INFO	[gobinary] Detecting vulnerabilities...
2024-07-29T17:43:23+01:00	DEBUG	[gobinary] Scanning packages for vulnerabilities	file_path="usr/bin/yq"
2024-07-29T17:43:23+01:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="github.com/mikefarah/yq/v4"
2024-07-29T17:43:23+01:00	WARN	Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.53/docs/scanner/vulnerability#severity-selection for details.
2024-07-29T17:43:23+01:00	WARN	This OS version is no longer supported by the distribution	family="alpine" version="3.16.9"
2024-07-29T17:43:23+01:00	WARN	The vulnerability detection may be insufficient because security updates are not provided

Operating System

linux, mac os

Version

Version: 0.53.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-07-29 12:14:14.37314329 +0000 UTC
  NextUpdate: 2024-07-29 18:14:14.373143149 +0000 UTC
  DownloadedAt: 2024-07-29 14:33:34.610325 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-01-31 00:45:18.677215008 +0000 UTC
  NextUpdate: 2024-02-03 00:45:18.677214887 +0000 UTC
  DownloadedAt: 2024-01-31 10:58:29.676135 +0000 UTC

Checklist

• Run trivy clean --all
• Read the troubleshooting

[fatihtokus]

Hi @adcharre ,

I have good news for you. There is a trivy plugin out there and it addresses your requirement. If you are interested give it a try:

trivy plugin install scan2html
trivy scan2html image alpine:3.15 interactive_report.html