pnpm license scanning does not work? #7890
Description

Hi, I try to use the license scanning feature of trivy for pnpm lock files in one of my projects. However, I cannot get it working. It always says
even though the node_modules folder is present.

Desired Behavior

It should add license information.

Actual Behavior

Skips it because of the missing node_modules folder even though it's present.

Reproduction Steps

1. mkdir /tmp/foo && cd /tmp/foo
2. npm init -f
3. pnpm add react
4. trivy fs --scanners license pnpm-lock.yaml

I tried many different ways but I cannot get any license information out of this.

Target: Filesystem
Scanner: License
Output Format: Table
Mode: Standalone

Debug Output

2024-11-07T13:29:49+01:00 DEBUG No plugins loaded
2024-11-07T13:29:49+01:00 DEBUG Default config file "file_path=trivy.yaml" not found, using built in values
2024-11-07T13:29:49+01:00 DEBUG Cache dir dir="/Users/user/Library/Caches/trivy"
2024-11-07T13:29:49+01:00 DEBUG Cache dir dir="/Users/user/Library/Caches/trivy"
2024-11-07T13:29:49+01:00 DEBUG Parsed severities severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-11-07T13:29:49+01:00 DEBUG Ignore statuses statuses=[]
2024-11-07T13:29:49+01:00 INFO [license] License scanning is enabled
2024-11-07T13:29:49+01:00 DEBUG Enabling misconfiguration scanners scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-11-07T13:29:49+01:00 DEBUG Initializing scan cache... type="memory"
2024-11-07T13:29:49+01:00 INFO [pnpm] To collect the license information of packages, "pnpm install" needs to be performed beforehand dir="node_modules"
2024-11-07T13:29:49+01:00 DEBUG OS is not detected.
2024-11-07T13:29:49+01:00 DEBUG [vex] VEX filtering is disabled

Operating System: macOS Sequoia
Version: 0.57.0
Hello @otbe

Thanks for your report!

We use PostAnalyzer logic and a virtual filesystem for fs mode. In your case Trivy "sees" only the pnpm-lock.yaml file (trivy fs pnpm-lock.yaml). To detect licenses, you need the PATH to include the node_modules dir, e.g.:

root@9e124ec6440e:/tmp/foo# trivy -q fs . --scanners license

pnpm-lock.yaml (license)

Total: 3 (UNKNOWN: 0, LOW: 3, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

┌──────────────┬─────────┬────────────────┬──────────┐
│ Package      │ License │ Classification │ Severity │
├──────────────┼─────────┼────────────────┼──────────┤
│ react        │ MIT     │ Notice         │ LOW      │
├──────────────┤         │                │          │
│ js-tokens    │         │                │          │
├──────────────┤         │                │          │
│ loose-envify │         │                │          │
└──────────────┴─────────┴────────────────┴──────────┘
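The reply above explains why the lock file alone is not enough: pnpm-lock.yaml carries no license field, and the licenses come from the package.json files that pnpm installs under node_modules, so a scan whose target is only the lock file has nothing to read. The Go program below is an added illustration of that mechanism written for this page; it is not Trivy's pnpm post-analyzer and does not try to match its output. It builds a constructed pnpm-style tree in a temp dir (the package names, versions and license values are made up for the example, and the functions CollectPnpmLicenses and BuildFixture are this example's own), shows that a target of just the lock file path fails the same way the reported scan did, and shows that the project directory yields the licenses, including the older object-shaped "license" field and a package with no license field at all.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
)

// packageJSON is the subset of package.json that license collection needs.
// "license" is usually a string ("MIT"), but older packages ship an object
// {"type": "...", "url": "..."}, so it is kept raw and decoded below.
type packageJSON struct {
	Name    string          `json:"name"`
	License json.RawMessage `json:"license"`
}

// licenseString normalises both package.json license shapes to one string.
func (p packageJSON) licenseString() string {
	var s string
	if err := json.Unmarshal(p.License, &s); err == nil && s != "" {
		return s
	}
	var obj struct {
		Type string `json:"type"`
	}
	if err := json.Unmarshal(p.License, &obj); err == nil && obj.Type != "" {
		return obj.Type
	}
	return "UNKNOWN" // no license field, or an empty one
}

// CollectPnpmLicenses reads the packages pnpm installed under
// <root>/node_modules/.pnpm/<id>/node_modules/<name>/package.json and returns
// package name -> license. root must be the project directory: a lock file
// path on its own has no node_modules beside it and yields an error, which is
// the situation in the report above. (Example code, not Trivy's analyzer.)
func CollectPnpmLicenses(root string) (map[string]string, error) {
	store := filepath.Join(root, "node_modules", ".pnpm")
	if fi, err := os.Stat(store); err != nil || !fi.IsDir() {
		return nil, fmt.Errorf("%s: no pnpm store at %s; run `pnpm install` and scan the project directory", root, store)
	}
	patterns := []string{
		filepath.Join(store, "*", "node_modules", "*", "package.json"),
		filepath.Join(store, "*", "node_modules", "@*", "*", "package.json"), // scoped packages
	}
	licenses := map[string]string{}
	for _, pat := range patterns {
		paths, err := filepath.Glob(pat)
		if err != nil {
			return nil, err
		}
		for _, p := range paths {
			data, err := os.ReadFile(p)
			if err != nil {
				return nil, err
			}
			var pj packageJSON
			if err := json.Unmarshal(data, &pj); err != nil || pj.Name == "" {
				continue // malformed package.json: skip it rather than abort the scan
			}
			licenses[pj.Name] = pj.licenseString()
		}
	}
	return licenses, nil
}

// BuildFixture writes a constructed pnpm-style tree under root. The packages
// and license values are made up for this example; nothing is downloaded.
func BuildFixture(root string) error {
	files := map[string]string{
		"pnpm-lock.yaml": "lockfileVersion: '9.0'\n", // the lock file itself has no license field
		"node_modules/.pnpm/react@18.3.1/node_modules/react/package.json":               `{"name":"react","version":"18.3.1","license":"MIT"}`,
		"node_modules/.pnpm/js-tokens@4.0.0/node_modules/js-tokens/package.json":       `{"name":"js-tokens","version":"4.0.0","license":"MIT"}`,
		"node_modules/.pnpm/loose-envify@1.4.0/node_modules/loose-envify/package.json": `{"name":"loose-envify","version":"1.4.0","license":"MIT"}`,
		"node_modules/.pnpm/@types+react@18.3.3/node_modules/@types/react/package.json": `{"name":"@types/react","version":"18.3.3","license":"MIT"}`,
		"node_modules/.pnpm/old-style@1.0.0/node_modules/old-style/package.json":       `{"name":"old-style","license":{"type":"BSD-3-Clause","url":"https://example.invalid/LICENSE"}}`,
		"node_modules/.pnpm/no-license@1.0.0/node_modules/no-license/package.json":     `{"name":"no-license","version":"1.0.0"}`,
	}
	for rel, body := range files {
		p := filepath.Join(root, filepath.FromSlash(rel))
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return err
		}
		if err := os.WriteFile(p, []byte(body), 0o644); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	dir, err := os.MkdirTemp("", "pnpm-license-example")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	if err := BuildFixture(dir); err != nil {
		panic(err)
	}
	// Target = the lock file only, as in the reported command: nothing to read.
	if _, err := CollectPnpmLicenses(filepath.Join(dir, "pnpm-lock.yaml")); err != nil {
		fmt.Println("lock file only:", err)
	}
	// Target = the project directory: node_modules is visible to the scan.
	licenses, err := CollectPnpmLicenses(dir)
	if err != nil {
		panic(err)
	}
	for name, lic := range licenses { // map order is unspecified
		fmt.Printf("%-14s %s\n", name, lic)
	}
}
```

The same check applies to CI: pass the project directory (or a parent that contains node_modules) to the scanner rather than the lock file path, and run the install step first so the node_modules/.pnpm store exists.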