
Why trivy not report same output?


I run the trivy command as both the root and jenkins users like below, but the results are not the same. I found 7 vulnerabilities with the root user but 4 vulnerabilities with the jenkins user. I checked the permissions and trivy config but did not find anything.

root@yyy:~/var/lib/jenkins/jobs/xxx/branches/development/workspace# trivy fs /var/lib/jenkins/jobs/xxx/branches/development/workspace
2024-03-12T17:43:43.527+0300    INFO    Vulnerability scanning is enabled
2024-03-12T17:43:43.527+0300    INFO    Secret scanning is enabled
2024-03-12T17:43:43.527+0300    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-03-12T17:43:43.527+0300    INFO    Please see also https://aquasecurity.github.io/trivy/v0.42/docs/secret/scanning/#recommendation for faster secret detection
2024-03-12T17:43:44.634+0300    INFO    Number of language-specific files: 1
2024-03-12T17:43:44.634+0300    INFO    Detecting pom vulnerabilities...

pom.xml (pom)

Total: 7 (UNKNOWN: 0, LOW: 0, MEDIUM: 5, HIGH: 2, CRITICAL: 0)
....

jenkins@yyy:~/var/lib/jenkins/jobs/xxx/branches/development/workspace# trivy fs /var/lib/jenkins/jobs/xxx/branches/development/workspace
2024-03-12T17:43:53.616+0300    INFO    Vulnerability scanning is enabled
2024-03-12T17:43:53.616+0300    INFO    Secret scanning is enabled
2024-03-12T17:43:53.616+0300    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-03-12T17:43:53.616+0300    INFO    Please see also https://aquasecurity.github.io/trivy/v0.42/docs/secret/scanning/#recommendation for faster secret detection
2024-03-12T17:43:54.112+0300    INFO    Number of language-specific files: 1
2024-03-12T17:43:54.112+0300    INFO    Detecting pom vulnerabilities...

pom.xml (pom)

Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 4, HIGH: 0, CRITICAL: 0)
...

trivy --version output:

Version: 0.42.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-03-12 12:11:09.459246831 +0000 UTC
  NextUpdate: 2024-03-12 18:11:09.459246471 +0000 UTC
  DownloadedAt: 2024-03-12 14:41:57.090100001 +0000 UTC

Solution

  • I asked this question to: I found the solution on GitHub.
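When two scans of the same workspace disagree like this, the first thing to pin down is which findings differ, not just the totals. The following is an added example (not code from the question or from Trivy) that compares two `trivy fs --format json` reports and lists the findings present in only one of them; it assumes Trivy's v2 JSON shape (`Results[].Target` and `Results[].Vulnerabilities[]` with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `Severity`), and the embedded reports are constructed samples with placeholder CVE ids.

```python
import json
from collections import Counter

# Constructed sample reports in the shape of `trivy fs --format json` output.
# The CVE identifiers and package names are placeholders, not the original findings.
def _report(vulns):
    return json.dumps({"SchemaVersion": 2, "ArtifactName": "workspace",
                       "Results": [{"Target": "pom.xml", "Class": "lang-pkgs",
                                    "Type": "pom", "Vulnerabilities": vulns}]})

def _v(vid, pkg, ver, sev):
    return {"VulnerabilityID": vid, "PkgName": pkg, "InstalledVersion": ver, "Severity": sev}

ROOT_SCAN = _report([_v("CVE-0000-0001", "lib-a", "1.0", "MEDIUM"),
                     _v("CVE-0000-0002", "lib-a", "1.0", "HIGH"),
                     _v("CVE-0000-0003", "lib-b", "2.3", "MEDIUM")])
JENKINS_SCAN = _report([_v("CVE-0000-0001", "lib-a", "1.0", "MEDIUM"),
                        _v("CVE-0000-0003", "lib-b", "2.3", "MEDIUM")])

def findings(report_text):
    """Map each (target, package, version, vulnerability id) to its severity."""
    out = {}
    for result in json.loads(report_text).get("Results", []):
        # "Vulnerabilities" is absent (or null) when a target has no findings
        for v in result.get("Vulnerabilities") or []:
            key = (result["Target"], v["PkgName"], v["InstalledVersion"], v["VulnerabilityID"])
            out[key] = v.get("Severity", "UNKNOWN")
    return out

def severity_counts(report_text):
    """The same per-severity totals Trivy prints in its 'Total:' line."""
    return Counter(findings(report_text).values())

def diff_reports(left_text, right_text):
    """Findings present in only one report: (only_in_left, only_in_right), sorted."""
    left, right = findings(left_text), findings(right_text)
    return sorted(set(left) - set(right)), sorted(set(right) - set(left))

if __name__ == "__main__":
    only_root, only_jenkins = diff_reports(ROOT_SCAN, JENKINS_SCAN)
    print("root   :", dict(severity_counts(ROOT_SCAN)))
    print("jenkins:", dict(severity_counts(JENKINS_SCAN)))
    for key in only_root:
        print("only in root scan   :", *key)
    for key in only_jenkins:
        print("only in jenkins scan:", *key)
```

To use it on real output, run `trivy fs --format json --output <file>` once as each user and pass the two files' contents to `diff_reports`; a finding that appears only under one user points at something that differs between the two environments (for example each user's own Trivy cache and database) rather than at the scanned files.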