Replies: 3 comments 2 replies
- @aquasecurity/trivy @DmitriyLewen @nikpivkin Please let me know if you have any feedback.
- Nice! I like it, but since we are talking in broader terms, how about we extend this discussion to make the same argument for other scanners? I can also see the misconfiguration scanner showing similar output. The same argument about whether "Trivy has actually scanned something or not" is present in the misconfiguration scanner as well, especially when people have mixed IaC codebases.
- I'm thinking about package aggregation again. We may also need to use our logic to aggregate packages for this table. The rest looks great.
Description
Initially, Trivy was developed with the goal of being a very small tool, adhering to the Unix philosophy. Following the principle that silence is golden, especially when no vulnerabilities were found, Trivy didn't output anything. However, this approach led many users to feel anxious, wondering if the scanning process was being performed correctly.
To address this concern, we made a change to display the results for OS packages even when there were zero vulnerabilities. Unfortunately, this decision caused further confusion due to the differences between OS packages and language-specific packages. The reason behind this decision was that language-specific packages could potentially generate a large amount of output. Displaying a separate table for each file, even if there were zero vulnerabilities, would result in an overwhelming amount of output.
Therefore, what about introducing a summary table at the beginning of all the tables, like the one shown below? In this summary table, we would display the results even when there are zero vulnerabilities, while keeping the individual tables hidden as before.
In the above example, separate tables are shown only for debian:11, app1/package-lock.json and python3.8/site-packages/bar-1.1.1.dist-info/METADATA. Others are hidden.
(Summary table columns: Target, Scanner, Vulnerability)
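The proposal above, as an added example in Go that is not Trivy's own code: a summary table listing every scanned target, including the zero-finding ones, next to the filter that decides which per-target tables are still printed. The Result type and the Sample data are constructed for this example and are not Trivy's types.

```go
package main

import (
	"fmt"
	"strings"
	"text/tabwriter"
)

// Result is one scan target (hypothetical type for this example, not Trivy's own).
type Result struct {
	Target  string
	Scanner string
	Count   int // findings for this target; zero still means "scanned, nothing found"
}

// DetailTargets lists the targets whose individual tables are still printed: only those with findings.
func DetailTargets(results []Result) []string {
	var shown []string
	for _, r := range results {
		if r.Count > 0 {
			shown = append(shown, r.Target)
		}
	}
	return shown
}

// RenderSummary renders the always-present summary table, one row per target,
// so a zero-finding target is visible rather than silently omitted.
func RenderSummary(results []Result) string {
	var sb strings.Builder
	tw := tabwriter.NewWriter(&sb, 0, 0, 2, ' ', 0)
	fmt.Fprintln(tw, "Target\tScanner\tVulnerabilities")
	for _, r := range results {
		fmt.Fprintf(tw, "%s\t%s\t%d\n", r.Target, r.Scanner, r.Count)
	}
	tw.Flush()
	return sb.String()
}

// Sample is a constructed scan of a mixed image using the targets named in the discussion.
var Sample = []Result{
	{"debian:11", "Vulnerability", 2},
	{"app1/package-lock.json", "Vulnerability", 1},
	{"app2/package-lock.json", "Vulnerability", 0},
	{"python3.8/site-packages/bar-1.1.1.dist-info/METADATA", "Vulnerability", 3},
}

func main() {
	fmt.Print(RenderSummary(Sample))
	fmt.Println("detailed tables:", DetailTargets(Sample))
}
```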