Help identifying vuln path in generic software languages

[rungitringit]

Hello,
Thank you so much for scan2html! It's excellent.

I'm using Trivy, with this plugin, to create scheduled HTML reports for Developers on their Linux workstations. The goal is so Developers will catch vulnerabilities in dependencies they use and update any utilities (binaries) they use.

While I prefer the output from scan2html, I am mainly using rather than html.tpl because it shows a "target" column, which usually details file paths from rootfs scans.

Unfortunately many trivy rootfs scans identify vulnerabilities in "Python" or "Go" without a path to the vulnerable file. Without this the Developers have to hunt through the json reports to try to identify which local copy of python or go is affected.

I wonder if someone could please help by contributing to a discussion I've started on this topic with Trivy please? See aquasecurity/trivy#10027

Thank you very much!

[rungitringit]

I've not had an answer from anyone at Trivy yet, but it seems the problem is that the "Target" field contains no path. This seems to be because trivy consolidates vulnerabilities from rootfs and image scans by source/package name rather than by file path.

There's usually (but not always!) a PkgPath field available. Could you please consider adding logic similar to the jq statement I put in the linked trivy discussion in to scan2html itself?

[fatihtokus]

Hi @rungitringit ,

Thanks for using the plugin.
I think you are right. Trivy is oddly consolidating the vulnerabilities, which hides the source. It should give an option not to merge, but to return the full path. I will add my comment to the Trivy ticket too. Meanwhile, we will try to add some logic similar to your jq statement to pull the path.

Regards,
Fatih