
license scanner not possible via action? #219

Open
erzz opened this issue Mar 10, 2023 · 5 comments

Comments

@erzz

erzz commented Mar 10, 2023

It seems to me that the action is limited to only the scanners os and library?

Passing other valid types such as license is not possible.

Not sure if this is because you want to ensure that all the possible combinations of scan type and scanners would work?

- name: Trivy Image Scan
  uses: aquasecurity/[email protected]
  with:
    image-ref: ${{ needs.build-image.outputs.image-name }}:${{ needs.build-image.outputs.image-tag }}
    vuln-type: os,library,license

results in 2023-03-10T10:37:29.230Z WARN unknown vulnerability type: license

@PeterBurner

PeterBurner commented Apr 19, 2023

Hey

I have a similar problem with license scanning. @erzz I think license should be passed to the scanners parameter and not vuln-type.
If I run Trivy locally with trivy rootfs --scanners license . or trivy rootfs --config licence.yaml . it works. But if I use the same configuration with the GitHub Action, Trivy scans for vulnerabilities instead. It also ignores the config file. There seems to be a bug.

Local output:

trivy rootfs --config licence.yaml .
2023-04-19T10:09:29.877+0200    INFO    Loaded licence.yaml
2023-04-19T10:09:29.888+0200    INFO    Full license scanning is enabled

Node.js (license)
...

Action output:

Run aquasecurity/[email protected]
  with:
    format: table
    output: licenses.md
    exit-code: 1
    scan-type: rootfs
    scanners: license
    trivy-config: license.yaml
    scan-ref: .
    ignore-unfixed: false
    vuln-type: os,library
    severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
    list-all-pkgs: false
/usr/bin/docker run --name c04421f3d067f4aca45ff8d3252abb2922638_be1bc0 --label 6c0442 --workdir /github/workspace --rm -e "INPUT_FORMAT" -e "INPUT_OUTPUT" -e "INPUT_EXIT-CODE" -e "INPUT_SCAN-TYPE" -e "INPUT_SCANNERS" -e "INPUT_TRIVY-CONFIG" -e "INPUT_IMAGE-REF" -e "INPUT_INPUT" -e "INPUT_SCAN-REF" -e "INPUT_IGNORE-UNFIXED" -e "INPUT_VULN-TYPE" -e "INPUT_SEVERITY" -e "INPUT_TEMPLATE" -e "INPUT_SKIP-DIRS" -e "INPUT_SKIP-FILES" -e "INPUT_CACHE-DIR" -e "INPUT_TIMEOUT" -e "INPUT_IGNORE-POLICY" -e "INPUT_HIDE-PROGRESS" -e "INPUT_LIST-ALL-PKGS" -e "INPUT_TRIVYIGNORES" -e "INPUT_ARTIFACT-TYPE" -e "INPUT_GITHUB-PAT" -e "INPUT_LIMIT-SEVERITIES-FOR-SARIF" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_REPOSITORY_OWNER_ID" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_REPOSITORY_ID" -e "GITHUB_ACTOR_ID" -e "GITHUB_ACTOR" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKFLOW_REF" -e "GITHUB_WORKFLOW_SHA" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "GITHUB_STATE" -e "GITHUB_OUTPUT" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e "ACTIONS_ID_TOKEN_REQUEST_URL" -e "ACTIONS_ID_TOKEN_REQUEST_TOKEN" -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v 
"/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/backend/backend":"/github/workspace" 6c0442:1f3d067f4aca45ff8d3252abb2922638  "-a rootfs" "-b table" "-c " "-d 1" "-e false" "-f os,library" "-g UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" "-h licenses.md" "-i " "-j ." "-k " "-l " "-m " "-n " "-o " "-p " "-q " "-r false" "-s license" "-t " "-u " "-v license.yaml" "-z "
Running Trivy with trivy.yaml config from:  license.yaml
2023-04-19T08:01:00.052Z	INFO	Need to update DB
2023-04-19T08:01:00.052Z	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
2023-04-19T08:01:00.052Z	INFO	Downloading DB...
20.73 MiB / 36.59 MiB [---------------------------------->__________________________] 56.66% ? p/s ?36.59 MiB / 36.59 MiB [----------------------------------------------------------->] 100.00% ? p/s ?36.59 MiB / 36.59 MiB [----------------------------------------------------------->] 100.00% ? p/s ?36.59 MiB / 36.59 MiB [---------------------------------------------->] 100.00% 26.42 MiB p/s ETA 0s36.59 MiB / 36.59 MiB [---------------------------------------------->] 100.00% 26.42 MiB p/s ETA 0s36.59 MiB / 36.59 MiB [---------------------------------------------->] 100.00% 26.42 MiB p/s ETA 0s36.59 MiB / 36.59 MiB [---------------------------------------------->] 100.00% 24.72 MiB p/s ETA 0s36.59 MiB / 36.59 MiB [---------------------------------------------->] 100.00% 24.72 MiB p/s ETA 0s36.59 MiB / 36.59 MiB [---------------------------------------------->] 100.00% 24.72 MiB p/s ETA 0s36.59 MiB / 36.59 MiB [-------------------------------------------------] 100.00% 21.68 MiB p/s 1.9s2023-04-19T08:01:02.522Z	INFO	Vulnerability scanning is enabled
2023-04-19T08:01:02.522Z	INFO	Secret scanning is enabled
2023-04-19T08:01:02.522Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-04-19T08:01:02.522Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.38/docs/secret/scanning/#recommendation for faster secret detection
2023-04-19T08:01:13.008Z	INFO	Number of language-specific files: 45
2023-04-19T08:01:13.008Z	INFO	Detecting gobinary vulnerabilities...
2023-04-19T08:01:13.008Z	INFO	Detecting gomod vulnerabilities...
2023-04-19T08:01:13.256Z	INFO	Detecting node-pkg vulnerabilities...
...

Config file:

format: table
exit-code: 1
license:
  full: true
scan:
  scanners:
    - license

@erzz
Author

erzz commented Aug 4, 2023

@PeterBurner thanks! You are right and it feels like something is working a little better by combining the two config methods (I am also using a later version v0.11.2)

Currently I am trying:

- name: Trivy License Scan
  uses: aquasecurity/[email protected]
  with:
    image-ref: ''
    scan-type: rootfs
    scanners: license
    exit-code: 1
    trivy-config: ospo.yml
    scan-ref: ${{ inputs.scan-directory }}
    severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
    format: table

WITH the additional config file found here https://github.com/erzz/configs/blob/main/configs/trivy-ospo-licenses.yml

The success part is that I do get it to scan for licenses:

Run aquasecurity/[email protected]
  with:
    scan-type: rootfs
    scanners: license
    exit-code: 1
    trivy-config: ospo.yml
    scan-ref: ./
    ignore-unfixed: false
    vuln-type: library
    severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
    format: table
    list-all-pkgs: false

resulting in (shortened):

Node.js (license)
=================
Total: 1396 (UNKNOWN: 17, LOW: 1376, MEDIUM: 3, HIGH: 0, CRITICAL: 0)

┌──────────────────────────────────────────────────────────────┬─────────────────────────────────────┬────────────────┬──────────┐
│                           Package                            │               License               │ Classification │ Severity │
├──────────────────────────────────────────────────────────────┼─────────────────────────────────────┼────────────────┼──────────┤
│ commondir                                                    │ MIT                                 │ notice         │ LOW      │
├──────────────────────────────────────────────────────────────┼─────────────────────────────────────┤                │          │
│ filesize                                                     │ BSD-3-Clause                        │                │          │
├──────────────────────────────────────────────────────────────┤                                     │                │          │
│ rtl-detect                                                   │                                     │                │          │
├──────────────────────────────────────────────────────────────┼─────────────────────────────────────┤                │          │
│ classnames                                                   │ MIT                                 │                │          │
├──────────────────────────────────────────────────────────────┤                                     │                │          │
│ postcss-selector-parser                                      │                                     │                │          │
├──────────────────────────────────────────────────────────────┤                                     │                │          │
│ regexpu-core                                                 │                                     │                │          │

So that is progress!

The issues are that:

  • image-ref: is a mandatory input 😆 so I need to set it to ''
  • exit-code: doesn't work - it always returns zero. In the example above it should be failing on the 3 MEDIUM licenses but it doesn't
  • likewise, the SARIF output in a second iteration of the job to try and integrate with GHAS is empty and thus those findings are not integrated

So that's like 3 separate bugs I see that need to be fixed. I guess both exit code and the reporting are not considering license findings

@erzz
Author

erzz commented Aug 4, 2023

Stillllll messy but it seems like there are some conflicts between the action and the config. Use of a config file seems to cause the action to ignore any inputs and thus default values are passed through instead for many things (like exit code) but not others (like format).

The thing is we need to pass a config for a long custom license list

So reducing the inputs to the bare minimum:

with:
  image-ref: ''
  scan-type: rootfs
  trivy-config: ospo.yml
  scan-ref: ${{ inputs.scan-directory }}

and throwing everything else into a trivy.yaml mentioned in the previous post, seems to at least get the job to fail when it should.

For the SARIF issue - it's not supported but there is an open PR for it in the trivy project aquasecurity/trivy#4866
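The two Aug 4 posts above describe the practical gap: the license scan runs, but the action's exit-code input is not applied to license findings, so a job never fails on MEDIUM licenses. Until that is fixed in the action, a defender-side workaround is to run Trivy with `--format json` and gate the job on the report in a separate step. The script below is an added example, not code from trivy-action or the Trivy project. It assumes the JSON layout Trivy emits for license results (a top-level "Results" list whose entries with Class "license" or "license-file" carry a "Licenses" list with "Severity", "Category", "PkgName" and "Name"); the embedded report is constructed to that shape and is not output from a real run, so verify the field names against a report from your own Trivy version before relying on it. The threshold, UNKNOWN handling and the `SAMPLE_REPORT`/`violations` names are mine.

```python
"""Fail a CI job on license findings at or above a severity threshold.

Added example for a Trivy JSON license report; field names are assumed
from Trivy's JSON output and should be checked against your own run.
Usage: python license_gate.py trivy-report.json  (no argument: sample data)
"""
import json
import sys

# Trivy's severity scale, lowest first; UNKNOWN is gated separately below.
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample: the shape of a rootfs license scan, not a captured report.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "Results": [
        {
            "Target": "Node.js",
            "Class": "license",
            "Type": "node-pkg",
            "Licenses": [
                {"Severity": "LOW", "Category": "notice", "PkgName": "commondir",
                 "FilePath": "", "Name": "MIT", "Confidence": 1, "Link": ""},
                {"Severity": "MEDIUM", "Category": "reciprocal", "PkgName": "some-lib",
                 "FilePath": "", "Name": "MPL-2.0", "Confidence": 1, "Link": ""},
                {"Severity": "UNKNOWN", "Category": "unknown", "PkgName": "mystery",
                 "FilePath": "", "Name": "SEE LICENSE IN LICENSE.txt",
                 "Confidence": 1, "Link": ""},
            ],
        },
        # A vulnerability result in the same report; the gate must skip it.
        {"Target": "package-lock.json", "Class": "lang-pkgs", "Type": "npm",
         "Vulnerabilities": []},
    ],
})


def license_findings(report_text):
    """Extract (package, license, category, severity) from license results only."""
    report = json.loads(report_text)
    findings = []
    for result in report.get("Results") or []:
        if result.get("Class") not in ("license", "license-file"):
            continue
        for lic in result.get("Licenses") or []:
            findings.append((lic.get("PkgName") or lic.get("FilePath", ""),
                             lic.get("Name", ""),
                             lic.get("Category", "unknown"),
                             lic.get("Severity", "UNKNOWN")))
    return findings


def severity_counts(findings):
    """Per-severity totals, matching the summary line Trivy prints in table mode."""
    counts = {s: 0 for s in SEVERITY_ORDER}
    for _, _, _, sev in findings:
        counts[sev if sev in counts else "UNKNOWN"] += 1
    return counts


def violations(findings, fail_on="MEDIUM", fail_on_unknown=False):
    """Findings that should fail the job.

    Severities are compared by position in SEVERITY_ORDER. UNKNOWN (an
    unclassified license text) is never counted by the numeric threshold;
    set fail_on_unknown=True to treat it as a failure, which is the safer
    default for a compliance gate.
    """
    threshold = SEVERITY_ORDER.index(fail_on)
    out = []
    for finding in findings:
        sev = finding[3]
        rank = SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else 0
        if rank == 0:
            if fail_on_unknown:
                out.append(finding)
        elif rank >= threshold:
            out.append(finding)
    return out


def main(argv):
    """Return the process exit code: 1 if any violation, else 0."""
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    findings = license_findings(text)
    counts = severity_counts(findings)
    bad = violations(findings, fail_on="MEDIUM")
    print("Total: %d (%s)" % (len(findings), ", ".join(
        "%s: %d" % (s, counts[s]) for s in SEVERITY_ORDER)))
    for pkg, name, category, sev in bad:
        print("  %-8s %-11s %-30s %s" % (sev, category, pkg, name))
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a workflow this runs as a step after the action with `format: json` and `output: trivy-report.json`, and its non-zero exit fails the job regardless of what the action's own exit-code input does. Keeping the threshold in the script rather than in the config also avoids the input-versus-config precedence problem described in the post above.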

@cbandy

cbandy commented Oct 9, 2024

This may be resolved by the recent change to a composite action: #399

@erzz
Author

erzz commented Oct 10, 2024

This may be resolved by the recent change to a composite action: #399

Thanks @cbandy

I think there is perhaps a related regression too - cross-posting here for visibility aquasecurity/trivy#7701


3 participants