Trivy is not scanning standalone java / nodejs / PHP binaries #1064
Comments
What is a Java binary? If you are talking about a Java archive, Trivy can detect it.
Hi knqyf263, I was referring to java / PHP / node.js binaries that are shipped to the Docker images via tarballs and not OS packages. One example is openjdk:11.0.11-jre-buster which downloads and extracts the tarball [1]. Trivy is not scanning the "Java" binary issued from those tarballs. Same applies to nodejs / php / etc. Let me know if this clarifies your doubt. [1] github.com/AdoptOpenJDK/openjdk11-upstream-binaries/releases/download/jdk-11.0.11%2B9/OpenJDK11U-jre_x64_linux_11.0.11_9.tar.gz Best,
This issue is stale because it has been labeled with inactivity.
I think this is the same issue I faced while writing #6457. After doing more research, I found that it seems like standalone binaries for PHP/Python interpreters (description is in the discussion, where I show an example case with a Python docker image) are not getting detected and put into the SBOMs generated. Is this something which is still not supported?
If anyone is actually interested in such a feature outside of the maintainers of the project, feel free to use my fork:
Hello AquaSecurity Team,
Trivy is not detecting / scanning standalone versions of java / nodejs / PHP / etc. binaries. Is this something that you are planning to support?
Best,
Laurent