pkg-types Property Not Working as Expected in Config File #7367
Description

I’ve encountered an issue with the pkg-types property in the configuration file. When I define pkg-types in the config file, it does not work as expected. However, the same property works correctly when specified via the command flag.

Desired Behavior

The pkg-types property defined in the configuration file should be correctly applied, similar to how it functions when specified via the command flag.

Actual Behavior

The pkg-types property defined in the configuration file is ignored, whereas specifying it with the command flag works as intended.

Reproduction Steps

1. Define the pkg-types property in the configuration file with the value os. Example: `pkg-types: os`
2. Run the following command with the configuration file: `trivy fs . -c config.yaml`
3. In the output, observe that the pkg-types setting seems to be ignored and does not affect the results as expected. The output will still return results related to the library if vulnerabilities exist in your project, regardless of the pkg-types setting in the configuration file.
4. Now, run the same command but specify the pkg-types using the command flag: `trivy fs . --pkg-types os`
5. Observe that the pkg-types setting works as expected when provided via the command flag. The command will correctly filter and return results related to the specified package type (os) if vulnerabilities exist.

Target: Filesystem

Scanner: None

Output Format: None

Mode: None

Debug Output

2024/08/21 17:32:49 INFO Loaded file_path=.trivy.yaml
2024-08-21T17:32:49+05:30 DEBUG Cache dir dir="/home/xyz/.cache/trivy"
2024-08-21T17:32:49+05:30 WARN 'vulnerability.type' in config file is deprecated. Use 'pkg.types' instead.
2024-08-21T17:32:49+05:30 DEBUG Parsed severities severities=[HIGH CRITICAL]
2024-08-21T17:32:49+05:30 DEBUG Ignore statuses statuses=[]
2024-08-21T17:32:49+05:30 DEBUG DB update was skipped because the local DB is the latest
2024-08-21T17:32:49+05:30 DEBUG DB info schema=2 updated_at=2024-08-21T06:12:27.541965062Z next_update=2024-08-21T12:12:27.541964471Z downloaded_at=2024-08-21T07:22:40.938671178Z
2024-08-21T17:32:49+05:30 DEBUG [pkg] Package types types=[library]
2024-08-21T17:32:49+05:30 DEBUG [pkg] Package relationships relationships=[unknown root direct indirect]
2024-08-21T17:32:49+05:30 INFO [vuln] Vulnerability scanning is enabled
2024-08-21T17:32:49+05:30 INFO [misconfig] Misconfiguration scanning is enabled
2024-08-21T17:32:49+05:30 DEBUG [misconfig] Policies successfully loaded from disk
2024-08-21T17:32:49+05:30 INFO [secret] Secret scanning is enabled
2024-08-21T17:32:49+05:30 INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-21T17:32:49+05:30 INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-21T17:32:49+05:30 DEBUG Enabling misconfiguration scanners scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-08-21T17:32:49+05:30 DEBUG Initializing scan cache... type="memory"
2024-08-21T17:32:49+05:30 DEBUG [secret] No secret config detected config_path="trivy-secret.yaml"
2024-08-21T17:32:49+05:30 DEBUG Skipping path path=".git"
2024-08-21T17:32:49+05:30 DEBUG Skipping path path="node_modules"
2024-08-21T17:32:49+05:30 DEBUG Skipping path path="trivy_scans"
2024-08-21T17:32:49+05:30 INFO [npm] To collect the license information of packages, "npm install" needs to be performed beforehand dir="node_modules"
2024-08-21T17:32:49+05:30 DEBUG Scanning files for misconfigurations... scanner="Helm"
2024-08-21T17:32:49+05:30 DEBUG [misconf] 32:49.517794817 helm.scanner.rego Overriding filesystem for checks!
2024-08-21T17:32:49+05:30 DEBUG [misconf] 32:49.518982860 helm.scanner.rego Loaded 3 embedded libraries.
2024-08-21T17:32:49+05:30 DEBUG [misconf] 32:49.586404562 helm.scanner.rego Loaded 192 embedded policies.
2024-08-21T17:32:49+05:30 DEBUG [misconf] 32:49.673613875 helm.scanner.rego Loaded 195 checks from disk.
2024-08-21T17:32:49+05:30 DEBUG [misconf] 32:49.674062150 helm.scanner.rego Overriding filesystem for data!
2024-08-21T17:32:50+05:30 DEBUG OS is not detected.
2024-08-21T17:32:50+05:30 INFO Suppressing dependencies for development and testing. To display them, try the '--include-dev-deps' flag.
2024-08-21T17:32:50+05:30 INFO Number of language-specific files num=1
2024-08-21T17:32:50+05:30 INFO [npm] Detecting vulnerabilities...
2024-08-21T17:32:50+05:30 DEBUG [npm] Scanning packages for vulnerabilities file_path="package-lock.json"
2024-08-21T17:32:50+05:30 INFO Detected config files num=0
2024-08-21T17:32:50+05:30 DEBUG Found an ignore yaml file_path=".trivyignore.yaml"
2024-08-21T17:32:50+05:30 DEBUG [vex] VEX filtering is disabled

Operating System: linux

Version

./trivy:0.54.1 --version
Version: 0.54.1
Vulnerability DB:
Version: 2
UpdatedAt: 2024-08-21 06:12:27.541965062 +0000 UTC
NextUpdate: 2024-08-21 12:12:27.541964471 +0000 UTC
DownloadedAt: 2024-08-21 07:22:40.938671178 +0000 UTC
Check Bundle:
Digest: sha256:ef2d9ad4fce0f933b20a662004d7e55bf200987c180e7f2cd531af631f408bb3
DownloadedAt: 2024-08-20 13:40:15.109330632 +0000 UTC
Replies: 2 comments
Hello @shivam-security
Thanks for your report!
Looks like we didn't update docs.
Use the following struct:

```yaml
pkg:
  types: os
```

example:

```
➜ cat config.yaml
pkg:
  types: library
➜ trivy fs . -c config.yaml -d
2024/08/22 11:09:33 INFO Loaded file_path=config.yaml
...
2024-08-22T11:09:33+06:00 DEBUG [pkg] Package types types=[library]
...
➜ cat config.yaml
pkg:
  types: os
➜ trivy fs . -c config.yaml -d
2024/08/22 11:09:43 INFO Loaded file_path=config.yaml
...
2024-08-22T11:09:43+06:00 DEBUG [pkg] Package types types=[os]
...
```

Regards, Dmitriy
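The point of the reply is that the flat `pkg-types:` key is silently ignored while the nested `pkg:` / `types:` form is honoured, and that the `[pkg] Package types types=[...]` debug line is the place to confirm which one took effect. The script below is an added example, not Trivy's code or anything from this thread: it writes the nested form, rejects the flat key, and reads the applied value back out of a debug log. Function names are ours, the checker assumes the two-line layout it writes rather than parsing YAML in general, and the sample log line is constructed from the format shown above.

```sh
#!/bin/sh
# Added example, not Trivy's own code. Function names are ours; the log line
# format is the "[pkg] Package types types=[...]" line Trivy prints with -d.

# Write the nested form from the reply: pkg: / types: <type>.
write_pkg_types_config() {
  # $1 = config path, $2 = package type (os or library)
  printf 'pkg:\n  types: %s\n' "$2" > "$1"
}

# Return 0 if the config carries pkg.types in the nested form, non-zero if it
# uses the flat top-level 'pkg-types:' key (which Trivy ignores) or lacks it.
# Assumes the two-line layout written above; it is not a full YAML parser.
check_pkg_types_config() {
  if grep -q '^pkg-types:' "$1"; then
    echo "$1: top-level 'pkg-types:' is ignored; nest it as 'pkg:' / '  types:'" >&2
    return 1
  fi
  grep -q '^pkg:' "$1" && grep -q '^  types:' "$1"
}

# Print the list Trivy reports in its debug output, e.g. "os" or "library".
# This line is the authoritative signal of which setting was really applied.
applied_pkg_types() {
  sed -n 's/.*\[pkg\] Package types types=\[\([^]]*\)\].*/\1/p' "$1"
}

# Return 0 when the debug log shows exactly the expected package type.
verify_applied() {
  # $1 = expected type, $2 = debug log file
  [ "$(applied_pkg_types "$2")" = "$1" ]
}

# Demo on constructed input: a correct config, the flat key from the original
# report for contrast, and a debug line in the format quoted in the thread.
tmp=$(mktemp -d)
write_pkg_types_config "$tmp/config.yaml" os
check_pkg_types_config "$tmp/config.yaml" && echo "config.yaml: nested pkg.types present"
printf 'pkg-types: os\n' > "$tmp/flat.yaml"
check_pkg_types_config "$tmp/flat.yaml" || echo "flat.yaml: rejected as expected"
printf '%s\n' '2024-08-22T11:09:43+06:00 DEBUG [pkg] Package types types=[os]' > "$tmp/debug.log"
verify_applied os "$tmp/debug.log" && echo "debug log confirms types=[os]"
rm -rf "$tmp"
```

In a pipeline, run `trivy fs . -c config.yaml -d 2>&1 | tee debug.log` and then `verify_applied os debug.log`, so a mis-nested config fails the job instead of quietly scanning the wrong package types.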
Created #7369