When setting `format` to `cyclonedx` the output SBOM didn't include the license data:

```yaml
- name: Run Trivy vulnerability scanner
  uses: aquasecurity/[email protected]
  env:
    TRIVY_LICENSE_FULL: "true"
  with:
    format: "cyclonedx"
    output: "cyclonedx.sbom.json"
    scan-type: fs
    scan-ref: '.'
```
If I change `format` back to `table` the license is detected.
```text
Running Trivy with options: trivy fs .
2025-01-15T09:43:23Z    INFO    [vuln] Vulnerability scanning is enabled
2025-01-15T09:43:23Z    INFO    [secret] Secret scanning is enabled
2025-01-15T09:43:23Z    INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-15T09:43:23Z    INFO    [secret] Please see also https://aquasecurity.github.io/trivy/v0.58/docs/scanner/secret#recommendation for faster secret detection
2025-01-15T09:43:23Z    INFO    [license] Full license scanning is enabled
2025-01-15T09:43:26Z    INFO    [npm] To collect the license information of packages, "npm install" needs to be performed beforehand dir="node_modules"
2025-01-15T09:43:27Z    INFO    Suppressing dependencies for development and testing. To display them, try the '--include-dev-deps' flag.
2025-01-15T09:43:27Z    INFO    Number of language-specific files num=4
2025-01-15T09:43:27Z    INFO    [gomod] Detecting vulnerabilities...
2025-01-15T09:43:27Z    INFO    [pip] Detecting vulnerabilities...
2025-01-15T09:43:27Z    INFO    [poetry] Detecting vulnerabilities...
# ...

Loose File License(s) (license)
===============================
Total: 163 (UNKNOWN: 1, LOW: 155, MEDIUM: 7, HIGH: 0, CRITICAL: 0)

┌────────────────┬──────────┬──────────────┬──────────────────────────────────────────────────────────────────────────┐
│ Classification │ Severity │ License      │ File Location                                                            │
├────────────────┼──────────┼──────────────┼──────────────────────────────────────────────────────────────────────────┤
│ reciprocal     │ MEDIUM   │ MPL-2.0      │ functions/vendor/github.com/hashicorp/go-immutable-radix/LICENSE         │
│                │          │              ├──────────────────────────────────────────────────────────────────────────┤
│                │          │              │ functions/vendor/github.com/hashicorp/go-memdb/LICENSE                   │
│                │          │              ├──────────────────────────────────────────────────────────────────────────┤
│                │          │              │ functions/vendor/github.com/hashicorp/go-secure-stdlib/parseutil/LICENSE │
│                │          │              ├──────────────────────────────────────────────────────────────────────────┤
│                │          │              │ functions/vendor/github.com/hashicorp/go-secure-stdlib/strutil/LICENSE   │
│                │          │              ├──────────────────────────────────────────────────────────────────────────┤
│                │          │              │ functions/vendor/github.com/hashicorp/go-sockaddr/LICENSE                │
│                │          │              ├──────────────────────────────────────────────────────────────────────────┤
│                │          │              │ functions/vendor/github.com/hashicorp/golang-lru/LICENSE                 │
│                │          │              ├──────────────────────────────────────────────────────────────────────────┤
│                │          │              │ functions/vendor/github.com/shoenig/go-m1cpu/LICENSE                     │
├────────────────┼──────────┼──────────────┼──────────────────────────────────────────────────────────────────────────┤
```
If I run `trivy` on the local machine the output SBOM is 196K, but the one from the GitHub Action is only 13.6K.
There are no trivy config files and the repository is mixed Python and Golang.
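As an added check for the situation described in this issue (this is not code from the issue author or from the Trivy project), the script below reads a CycloneDX JSON SBOM and reports how many components carry license data, so a CI step can fail when the licenses silently drop out of the export. The two SBOMs embedded in it are constructed samples that mimic the shape of a Trivy CycloneDX export for a vendored Go tree; the component names and versions are made up. The field layout follows the CycloneDX JSON schema, where each entry of `components[].licenses[]` is either a `license` object with an `id` or `name`, or an SPDX `expression`.

```python
"""Check that a CycloneDX JSON SBOM actually carries license data.

Added example; not code from Trivy or from the issue author. The sample
SBOMs below are constructed by hand to resemble a Trivy CycloneDX export.
"""
import json
import sys
from typing import Dict, List

# Constructed sample: both components carry license data (the local run).
SBOM_WITH_LICENSES = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "github.com/hashicorp/go-memdb", "version": "v1.3.4",
         "purl": "pkg:golang/github.com/hashicorp/go-memdb@v1.3.4",
         "licenses": [{"license": {"id": "MPL-2.0"}}]},
        {"type": "library", "name": "github.com/shoenig/go-m1cpu", "version": "v0.1.6",
         "purl": "pkg:golang/github.com/shoenig/go-m1cpu@v0.1.6",
         "licenses": [{"expression": "MPL-2.0"}]},
    ],
})

# Constructed sample: same components, license data missing (the CI run).
SBOM_WITHOUT_LICENSES = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "github.com/hashicorp/go-memdb", "version": "v1.3.4",
         "purl": "pkg:golang/github.com/hashicorp/go-memdb@v1.3.4"},
        {"type": "library", "name": "github.com/shoenig/go-m1cpu", "version": "v0.1.6",
         "purl": "pkg:golang/github.com/shoenig/go-m1cpu@v0.1.6", "licenses": []},
    ],
})


def component_licenses(component: dict) -> List[str]:
    """Collect license identifiers from one component.

    CycloneDX allows each `licenses` entry to be an SPDX `expression` or a
    `license` object carrying an SPDX `id` or a free-form `name`.
    """
    found: List[str] = []
    for entry in component.get("licenses") or []:
        if not isinstance(entry, dict):
            continue
        if entry.get("expression"):
            found.append(entry["expression"])
        lic = entry.get("license")
        if isinstance(lic, dict):
            ident = lic.get("id") or lic.get("name")
            if ident:
                found.append(ident)
    return found


def license_coverage(sbom_json: str) -> Dict[str, object]:
    """Summarise license coverage: counts, distinct ids, and the components
    (by purl, falling back to name) that have no license data at all."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document: bomFormat=%r" % bom.get("bomFormat"))
    components = bom.get("components") or []
    missing: List[str] = []
    seen = set()
    for comp in components:
        ids = component_licenses(comp)
        if ids:
            seen.update(ids)
        else:
            missing.append(comp.get("purl") or comp.get("name", "<unnamed>"))
    return {
        "components": len(components),
        "with_license": len(components) - len(missing),
        "licenses": sorted(seen),
        "missing": missing,
    }


def sbom_has_license_data(sbom_json: str, min_ratio: float = 1.0) -> bool:
    """True when at least `min_ratio` of the components carry license data.

    A ratio of 1.0 catches the "every license vanished" case; lower it if the
    tree contains packages whose license genuinely cannot be resolved.
    """
    cov = license_coverage(sbom_json)
    total = int(cov["components"])  # type: ignore[arg-type]
    if total == 0:
        return False
    return int(cov["with_license"]) / total >= min_ratio  # type: ignore[arg-type]


def main(argv: List[str]) -> int:
    # Usage: python check_sbom_licenses.py cyclonedx.sbom.json [min_ratio]
    if len(argv) < 2:
        print("usage: check_sbom_licenses.py <cyclonedx.json> [min_ratio]")
        return 2
    with open(argv[1], "r", encoding="utf-8") as fh:
        data = fh.read()
    ratio = float(argv[2]) if len(argv) > 2 else 1.0
    print(json.dumps(license_coverage(data), indent=2))
    return 0 if sbom_has_license_data(data, ratio) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a step after the Trivy action with the SBOM path as its argument; a non-zero exit means the export lost its license data, which is the regression this issue describes. The script checks only what the SBOM contains and does not speculate about why Trivy omitted the data.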