Repository scans via trivy repo don't honor all options when run against local repositories

[therealpxc]

Description

While the help output for trivy repo lists giving a local filesystem path as an example of how to invoke it, when run that way, trivy doesn't actually honor repository-specific commands like --commit and instead scans the worktree as though doing a filesystem scan.

Desired Behavior

When a repo is checked out to a commit that introduces a new vulnerable dependency to a repo that previously had none,

trivy repository --commit $(git log HEAD~1 -1 --format='%H') .

should not report any vulnerabilities, because it scanned the requested commit rather than the worktree.

Actual Behavior

When a repo is checked out to a commit that introduces a new vulnerable dependency to a repo that previously had none,

trivy repository --commit $(git log HEAD~1 -1 --format='%H') .

reports the vulnerable dependency added in the later commit even though it is not present in the specified commit, because Trivy scanned the worktree rather than the specified commit.

The same thing happens if you remove a lockfile containing the vulnerable dependency and run the scan against the commit that added it: trivy scans the worktree instead of the desired commit, and reports the vulnerability.

Reproduction Steps

1. Create an empty repo with git init.
2. Create a nodejs project with npm init.
3. Commit the repo as-is.
4. Add a known vulnerable dependency, e.g., with npm add phin@3.7.0.
5. Commit the changes to package.json and package-lock.json.
6. Run Trivy against the non-vulnerable initial commit with trivy repository --scanners vuln --commit $(git log HEAD~1 -1 --format='%H') .

...

Note that there is a workaround: make the reference to the local repository look like a URI by prefixing it with file://; just run as above with file://. in place of ..

Target

None

Scanner

Vulnerability

Output Format

CycloneDX

Mode

Standalone

Debug Output

# there are two commits
❯ git log HEAD --format='%H'
b8070db1a06a0ff0396cd38feac63efe43318490
de578759e4f10827054d4293e0f8099148c921a1

# the earlier one does not contain a package-lock.json file at all
❯ git show de578759e4f10827054d4293e0f8099148c921a1 -- package-lock.json

# the later one contains a package-lock.json file with a vulnerable dependency
❯ git show b8070db1a06a0ff0396cd38feac63efe43318490 package-lock.json | grep modules/phin -A1
+    "node_modules/phin": {
+      "version": "3.7.0",

# as does the working tree
❯ grep modules/phin -A1 package-lock.json 
    "node_modules/phin": {
      "version": "3.7.0",

# `trivy repo` pointed to file://. shows git-related activity and correctly finds no vulnerability
❯ trivy repository --commit de578759e4f10827054d4293e0f8099148c921a1 --scanners vuln file://. --debug
2024-09-18T13:18:37-07:00	DEBUG	No plugins loaded
2024-09-18T13:18:37-07:00	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2024-09-18T13:18:37-07:00	DEBUG	Cache dir	dir="/Users/patcal04/Library/Caches/trivy"
2024-09-18T13:18:37-07:00	DEBUG	Cache dir	dir="/Users/patcal04/Library/Caches/trivy"
2024-09-18T13:18:37-07:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-09-18T13:18:37-07:00	DEBUG	Ignore statuses	statuses=[]
2024-09-18T13:18:37-07:00	DEBUG	DB update was skipped because the local DB is the latest
2024-09-18T13:18:37-07:00	DEBUG	DB info	schema=2 updated_at=2024-09-18T18:13:21.187484554Z next_update=2024-09-19T00:13:21.187484163Z downloaded_at=2024-09-18T20:06:46.043128Z
2024-09-18T13:18:37-07:00	DEBUG	[pkg] Package types	types=[library]
2024-09-18T13:18:37-07:00	DEBUG	[pkg] Package relationships	relationships=[unknown root direct indirect]
2024-09-18T13:18:37-07:00	INFO	[vuln] Vulnerability scanning is enabled
2024-09-18T13:18:37-07:00	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-09-18T13:18:37-07:00	DEBUG	Initializing scan cache...	type="memory"
Enumerating objects: 18, done.
Counting objects: 100% (18/18), done.
Compressing objects: 100% (18/18), done.
Total 18 (delta 8), reused 0 (delta 0), pack-reused 0 (from 0)
2024-09-18T13:18:38-07:00	DEBUG	Skipping path	path=".git"
2024-09-18T13:18:38-07:00	DEBUG	OS is not detected.
2024-09-18T13:18:38-07:00	INFO	Number of language-specific files	num=0
2024-09-18T13:18:38-07:00	DEBUG	[vex] VEX filtering is disabled

# but `trivy repo` pointed at just . shows no git activity, and erroneously reports a vulnerability not present at the specified commit
❯ trivy repository --commit de578759e4f10827054d4293e0f8099148c921a1 --scanners vuln . --debug
2024-09-18T13:18:26-07:00	DEBUG	No plugins loaded
2024-09-18T13:18:26-07:00	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2024-09-18T13:18:26-07:00	DEBUG	Cache dir	dir="/Users/patcal04/Library/Caches/trivy"
2024-09-18T13:18:26-07:00	DEBUG	Cache dir	dir="/Users/patcal04/Library/Caches/trivy"
2024-09-18T13:18:26-07:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-09-18T13:18:26-07:00	DEBUG	Ignore statuses	statuses=[]
2024-09-18T13:18:26-07:00	DEBUG	DB update was skipped because the local DB is the latest
2024-09-18T13:18:26-07:00	DEBUG	DB info	schema=2 updated_at=2024-09-18T18:13:21.187484554Z next_update=2024-09-19T00:13:21.187484163Z downloaded_at=2024-09-18T20:06:46.043128Z
2024-09-18T13:18:26-07:00	DEBUG	[pkg] Package types	types=[library]
2024-09-18T13:18:26-07:00	DEBUG	[pkg] Package relationships	relationships=[unknown root direct indirect]
2024-09-18T13:18:26-07:00	INFO	[vuln] Vulnerability scanning is enabled
2024-09-18T13:18:26-07:00	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-09-18T13:18:26-07:00	DEBUG	Initializing scan cache...	type="memory"
2024-09-18T13:18:26-07:00	DEBUG	Skipping path	path=".git"
2024-09-18T13:18:26-07:00	DEBUG	OS is not detected.
2024-09-18T13:18:26-07:00	INFO	Number of language-specific files	num=1
2024-09-18T13:18:26-07:00	INFO	[npm] Detecting vulnerabilities...
2024-09-18T13:18:26-07:00	DEBUG	[npm] Scanning packages for vulnerabilities	file_path="package-lock.json"
2024-09-18T13:18:26-07:00	DEBUG	[vex] VEX filtering is disabled

package-lock.json (npm)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌─────────┬─────────────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────────┐
│ Library │    Vulnerability    │ Severity │ Status │ Installed Version │ Fixed Version │                           Title                           │
├─────────┼─────────────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ phin    │ GHSA-x565-32qp-m3vf │ MEDIUM   │ fixed  │ 3.7.0             │ 3.7.1         │ phin may include sensitive headers in subsequent requests │
│         │                     │          │        │                   │               │ after redirect                                            │
│         │                     │          │        │                   │               │ https://github.com/advisories/GHSA-x565-32qp-m3vf         │
└─────────┴─────────────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────────┘

Operating System

macOS Sonoma, Amazon Linux 2023

Version

❯ trivy --version
Version: dev
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-09-18 18:13:21.187484554 +0000 UTC
  NextUpdate: 2024-09-19 00:13:21.187484163 +0000 UTC
  DownloadedAt: 2024-09-18 20:06:46.043128 +0000 UTC

For whatever reason, the Trivy packages from Nixpkgs don't have a correct version string, but the version is still embedded in the store path so we can recover it there:

❯ realpath (which trivy)
/nix/store/mc5bi1hfvlldbbfrj6ha03bqlr247dxv-trivy-0.55.1/bin/trivy

Checklist

• Run trivy clean --all
• Read the troubleshooting

[therealpxc]

This bug is related to some open issues:

• Scan git diff for vulnerabilities #2603
  • this issue addresses the same use case as the one that prompted me to discover this bug: I want to see if a change introduces a new vulnerability, so I perform two trivy scans with the same settings. From the first, I generate an ignorefile, which I pass into a second run of trivy, this time against the most recent commit in the changeset/pull request/merge request/whatever
• Migration of trivy fs to trivy repo #4887

  • trivy fs only supports local repositories and trivy repo only supports remote repositories, which is not aligned with the other commands

  • Implementation: When the argument passed to trivy repo is HTTP/HTTPS protocol, it will scan remotely. If not, it will assume it is a local file path and perform the scan

  • it seems like this is what has been implemented, although this issue is still open, and is the source of this bug: when a local file path is passed as a repository, it is not scanned as a repository, and repository-specific options are silently ignored :(