Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(report): don't panic when report contains vulns, but doesn't contain packages for table format #8549

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

fix(report): don't panic when report contains vulns, but doesn't contain packages for table format #8549

wants to merge 3 commits into from

Conversation

DmitriyLewen
Copy link
Contributor

@DmitriyLewen DmitriyLewen commented Mar 14, 2025
edited
Loading

Description

When using Trivy as a library, there may be cases where the Result with vulnerabilities does not contain any packages.
Trivy panics in these cases.
To avoid panic and return at least some information, for such cases we use Vulnerabilities instead of Packages to separate aggregated packages.

Related discussions

Related issues

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@DmitriyLewen
fix(table): don't panic for splitAggregatedVulns
a80410c 
- don't use pointer for `resultMap`
- use packages from vulnerabilities if Packages is empty
- add warning about this case
@DmitriyLewen
test(unit): add unit test
17b9580 
- add test for case when result contains vulns, but doesn't contain Packages
@DmitriyLewen
chore(logs): add target for warning
34a2588
@DmitriyLewen DmitriyLewen self-assigned this Mar 14, 2025
@DmitriyLewen DmitriyLewen requested a review from knqyf263 as a code owner March 14, 2025 05:31
@DmitriyLewen DmitriyLewen changed the title fix(table): don't panic when report contains vulns, but doesn't contain packages fix(report): don't panic when report contains vulns, but doesn't contain packages for table format Mar 14, 2025
simar7
simar7 approved these changes Mar 27, 2025
View reviewed changes
Copy link
Member

@simar7 simar7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm, @DmitriyLewen should we include it in this release?

@DmitriyLewen
Copy link
Contributor Author

for convert mode - it's not big deal because we ask users to always use --list-all-pkgs for the base json file.
for client/server mode I still couldn't reproduce the bug

so we haven't decided yet what the right solution for this problem will be (see #8537 (reply in thread))

so I think we can leave it out of the release until we reproduce the bug

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@simar7 simar7 simar7 approved these changes

@knqyf263 knqyf263 Awaiting requested review from knqyf263 knqyf263 is a code owner

Assignees

@DmitriyLewen DmitriyLewen

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

bug(report): Trivy panics when converting json report without Packages to table report with summary table
2 participants
@DmitriyLewen @simar7