trivy fs vs npm audit differs for carbone.io template engine

[bedla]

Description

Hi,

I found out that commands aquasec/trivy fs and npm install results into different issues detected.

I would expect similar/or-same output.

What do you think?

Thx

Ivos

Desired Behavior

Result number of vulnerabilites should be the same (or similar)

Actual Behavior

Result number of vulnerabilites is different

Reproduction Steps

1. clone repository `git clone https://github.com/carboneio/carbone.git`
2. checkout tag version `git checkout ee-3.4.0`
3. run trivy scan `docker run -v /mnt/c/dev/git/carbone:/mnt/to-scan aquasec/trivy fs /mnt/to-scan`
output

...
package-lock.json (npm)
=======================
Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 4, CRITICAL: 0)
...

4. run Nodejs build npm install (type npm audit for more details)
   output

...
17 vulnerabilities (1 moderate, 13 high, 3 critical)
...

5. Compare results

### Target

Filesystem

### Scanner

Vulnerability

### Output Format

Table

### Mode

Standalone

### Debug Output

```bash
docker run -v /mnt/c/dev/git/carbone:/mnt/to-scan aquasec/trivy fs /mnt/to-scan --debug
2025-01-23T13:21:59Z    DEBUG   No plugins loaded
2025-01-23T13:21:59Z    DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2025-01-23T13:21:59Z    DEBUG   Cache dir       dir="/root/.cache/trivy"
2025-01-23T13:21:59Z    DEBUG   Cache dir       dir="/root/.cache/trivy"
2025-01-23T13:21:59Z    DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-01-23T13:21:59Z    DEBUG   Ignore statuses statuses=[]
2025-01-23T13:21:59Z    DEBUG   [vulndb] There is no valid metadata file        err="unable to open a file: open /root/.cache/trivy/db/metadata.json: no such file or directory"
2025-01-23T13:21:59Z    INFO    [vulndb] Need to update DB
2025-01-23T13:21:59Z    DEBUG   [vulndb] No metadata file
2025-01-23T13:21:59Z    INFO    [vulndb] Downloading vulnerability DB...
2025-01-23T13:21:59Z    INFO    [vulndb] Downloading artifact...        repo="mirror.gcr.io/aquasec/trivy-db:2"
...
2025-01-23T13:22:03Z INFO    [vulndb] Artifact successfully downloaded       repo="mirror.gcr.io/aquasec/trivy-db:2"
2025-01-23T13:22:03Z    DEBUG   Updating database metadata...
2025-01-23T13:22:03Z    DEBUG   DB info schema=2 updated_at=2025-01-23T12:17:04.753952794Z next_update=2025-01-24T12:17:04.753952614Z downloaded_at=2025-01-23T13:22:03.922870369Z
2025-01-23T13:22:03Z    DEBUG   [pkg] Package types     types=[os library]
2025-01-23T13:22:03Z    DEBUG   [pkg] Package relationships     relationships=[unknown root workspace direct indirect]
2025-01-23T13:22:03Z    INFO    [vuln] Vulnerability scanning is enabled
2025-01-23T13:22:03Z    INFO    [secret] Secret scanning is enabled
2025-01-23T13:22:03Z    INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-23T13:22:03Z    INFO    [secret] Please see also https://aquasecurity.github.io/trivy/v0.58/docs/scanner/secret#recommendation for faster secret detection
2025-01-23T13:22:03Z    DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2025-01-23T13:22:03Z    DEBUG   Initializing scan cache...      type="memory"
2025-01-23T13:22:03Z    DEBUG   [secret] No secret config detected      config_path="trivy-secret.yaml"
2025-01-23T13:22:03Z    DEBUG   Skipping path   path=".git"
2025-01-23T13:22:14Z    DEBUG   OS is not detected.
2025-01-23T13:22:14Z    INFO    Suppressing dependencies for development and testing. To display them, try the '--include-dev-deps' flag.
2025-01-23T13:22:14Z    DEBUG   Detected OS: unknown
2025-01-23T13:22:14Z    INFO    Number of language-specific files       num=1
2025-01-23T13:22:14Z    INFO    [npm] Detecting vulnerabilities...
2025-01-23T13:22:14Z    DEBUG   [npm] Scanning packages for vulnerabilities     file_path="package-lock.json"
2025-01-23T13:22:14Z    DEBUG   Specified ignore file does not exist    file=".trivyignore"
2025-01-23T13:22:14Z    DEBUG   [vex] VEX filtering is disabled

package-lock.json (npm)
=======================
Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 4, CRITICAL: 0)

...

Operating System

Windows 10 WLS

Version

Version: 0.58.1

Checklist

• Run trivy clean --all
• Read the troubleshooting

[DmitriyLewen]

Hello @bedla
Thanks for your report!

By default, Trivy doesn't check dev deps - https://trivy.dev/latest/docs/coverage/language/nodejs/#npm
Use --include-dev-deps flag to see similar result:

➜  carbone git:(ee-3.4.0) trivy -q fs --include-dev-deps ./package-lock.json

package-lock.json (npm)

Total: 19 (UNKNOWN: 0, LOW: 0, MEDIUM: 3, HIGH: 13, CRITICAL: 3)

[bedla]

I see, thank you!