Replies: 7 comments
-
FYI, I do have the exit code set to 1.
-
@jeff-cook Thank you for filing the issue. A normal image won't cause that error. For example, busybox causes the error, but busybox doesn't have a package manager and Trivy can't find installed OS packages anyway. In what cases do you want to detect the error? I mean there's almost nothing you could do about vulnerability detection even if you detect it.
-
Primarily I want to have some way to report it within the CI pipeline. For me that means two options.
A few other warnings I see that would be helpful in the JUnit report. This would be to warn the developer that the Trivy scan had issues and was not able to provide vulnerability details.
-
As a workaround I could look at wrapping Trivy in a testing framework, such as bats.
-
In other words, what's your next step if you detect the "No OS package is detected" warning? Do you replace the base image? Actually, it's just a fact rather than a scanning issue.
-
Possibly replace the base image, or find out why no packages are reported. The issue is that, by looking at the report, all you see is that there are no vulnerabilities, which is not true. I agree it is a fact. How can we include a fact in the output?
-
This issue is stale because it has been labeled with inactivity.
-
Is there a way to add an issue/failure to a report template for issues in the scan such as "No OS package is detected"?
What I'm running into is when this happens the scan doesn't fail (exit code other than 0), and the (JUnit) report doesn't report any failures. So there is no feedback to show there is an issue.
Not being able to report on vulnerabilities is very different from not having any vulnerabilities.
How can I report this issue into my CI pipeline? I'm sure someone has solved this, but I couldn't find any docs on the issue.
Thanks
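One way to surface the warning in CI, along the lines of the wrapper workaround mentioned in the thread (an added example, not code from the thread or from Trivy): it scans captured scanner log text for the warning and produces a JUnit failure plus a non-zero exit code. The function names, the log line layout, the `busybox:latest` target and the sample log are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Warning text quoted in this thread; extend with other messages you care about.
SCAN_GAP_MESSAGES = ("No OS package is detected",)
ANSI_ESCAPE = re.compile(r"\x1b\[[0-9;]*m")  # colour codes that CI logs may keep

def find_scan_gaps(log_text, messages=SCAN_GAP_MESSAGES):
    """Return the log lines that mean the scanner could not assess the target."""
    gaps = []
    for raw in log_text.splitlines():
        line = ANSI_ESCAPE.sub("", raw).strip()
        if any(m.lower() in line.lower() for m in messages):
            gaps.append(line)
    return gaps

def junit_report(target, gaps):
    """Build a JUnit suite: one failure per gap, or a single pass if none."""
    suite = ET.Element("testsuite", name="scan-coverage",
                       tests=str(max(len(gaps), 1)), failures=str(len(gaps)))
    if not gaps:
        ET.SubElement(suite, "testcase", classname=target, name="scan coverage")
    for gap in gaps:
        case = ET.SubElement(suite, "testcase", classname=target,
                             name="scan coverage")
        failure = ET.SubElement(case, "failure",
                                message="scan incomplete, not vulnerability-free")
        failure.text = gap
    return ET.tostring(suite, encoding="unicode")

def exit_code(gaps):
    """Non-zero when coverage was incomplete, so the CI job fails visibly."""
    return 1 if gaps else 0

# Constructed sample of captured scanner log output (not real Trivy output).
SAMPLE_LOG = (
    "2021-01-01T00:00:00Z\t\x1b[34mINFO\x1b[0m\tDetecting vulnerabilities...\n"
    "2021-01-01T00:00:00Z\t\x1b[33mWARN\x1b[0m\tNo OS package is detected\n"
)

if __name__ == "__main__":
    found = find_scan_gaps(SAMPLE_LOG)
    print(junit_report("busybox:latest", found))
    print("exit code for the CI step:", exit_code(found))
```

The JUnit string can be written to a file next to the scanner's own report so the CI test summary shows "scan incomplete" separately from "no vulnerabilities found".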