Even the command published on the trivy website doesn't return results, but should: "trivy repo https://github.com/aquasecurity/rust-app --debug --list-all-pkgs"
Reproduction Steps
1. trivy repo https://github.com/aquasecurity/rust-app --debug --list-all-pkgs
2. No results come back
Target
Filesystem
Scanner
Vulnerability
Target OS
No response
Debug Output
2023-09-19T09:34:17.075-0400 DEBUG Severities: ["UNKNOWN""LOW""MEDIUM""HIGH""CRITICAL"]
2023-09-19T09:34:17.076-0400 DEBUG Ignore statuses {"statuses": null}
2023-09-19T09:34:17.114-0400 DEBUG cache dir: ...Library/Caches/trivy
2023-09-19T09:34:17.114-0400 DEBUG DB update was skipped because the local DB is the latest
2023-09-19T09:34:17.115-0400 DEBUG DB Schema: 2, UpdatedAt: 2023-09-19 12:16:05.220556166 +0000 UTC, NextUpdate: 2023-09-19 18:16:05.220555566 +0000 UTC, DownloadedAt: 2023-09-19 13:21:02.402363 +0000 UTC
2023-09-19T09:34:17.115-0400 INFO Vulnerability scanning is enabled
2023-09-19T09:34:17.115-0400 DEBUG Vulnerability type: [library]
2023-09-19T09:34:17.115-0400 INFO Secret scanning is enabled
2023-09-19T09:34:17.115-0400 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-09-19T09:34:17.115-0400 INFO Please see also https://aquasecurity.github.io/trivy/v0.45/docs/scanner/secret/#recommendation for faster secret detection
Enumerating objects: 6, done.
Counting objects: 100% (6/6), done.
Compressing objects: 100% (5/5), done.
Total 6 (delta 0), reused 3 (delta 0), pack-reused 0
2023-09-19T09:34:17.438-0400 DEBUG No secret config detected: trivy-secret.yaml
2023-09-19T09:34:17.438-0400 DEBUG Walk the file tree rooted at '/var/folders/..../T/trivy-remote-repo4196353208'in parallel
2023-09-19T09:34:17.456-0400 DEBUG Cargo: Cargo.toml not found
2023-09-19T09:34:17.495-0400 DEBUG OS is not detected.
2023-09-19T09:34:17.495-0400 INFO Number of language-specific files: 1
2023-09-19T09:34:17.495-0400 INFO Detecting cargo vulnerabilities...
2023-09-19T09:34:17.495-0400 DEBUG Detecting library vulnerabilities, type: cargo, path: Cargo.lock
Discussed in #5213
Originally posted by synack-security September 19, 2023
IDs
RUSTSEC-2019-0035 - CVE-2020-25576
Description
Rust scanning seems broken entirely. No matter how many vulnerable Rust packages are included in Cargo.lock, there are never results.
Other tools find vulns like the following:
Name: rand_core, Version: 0.4.0, Path: /Cargo.lock
RUSTSEC-2019-0035, Severity: CRITICAL, Source: https://rustsec.org/advisories/RUSTSEC-2019-0035.html
CVSS score: 9.8
Version
I've tried 0.44, 0.45, 0.38.3
Checklist
-f json that shows data sources and confirmed that the security advisory in data sources was correct
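A canary check for the silent zero-result behaviour reported above, as an added example that is not part of the original issue or of Trivy's code: it compares a Cargo.lock with a Trivy `-f json --list-all-pkgs` report and flags packages the scanner never listed and known findings it did not return. The function names, the lockfile excerpt and the report are constructed for illustration; the `Results`, `Packages` and `Vulnerabilities` fields are assumed to follow Trivy's JSON report layout.

```python
import json
import re

# Constructed Cargo.lock excerpt (the rand_core 0.4.0 entry mirrors the report above).
CARGO_LOCK = '''\
[[package]]
name = "rand_core"
version = "0.4.0"

[[package]]
name = "libc"
version = "0.2.147"
'''

# Constructed report showing the silent failure: Cargo.lock is a result target,
# but no packages and no vulnerabilities are listed for it.
EMPTY_REPORT = json.dumps({"Results": [{"Target": "Cargo.lock", "Type": "cargo"}]})

# Finding the fixture must produce; both IDs come from the issue text.
EXPECTED = [("rand_core", "0.4.0", {"RUSTSEC-2019-0035", "CVE-2020-25576"})]

PKG_RE = re.compile(r'\[\[package\]\]\s*name = "([^"]+)"\s*version = "([^"]+)"')

def lock_packages(lock_text):
    """Return the set of (name, version) pairs declared in a Cargo.lock."""
    return set(PKG_RE.findall(lock_text))

def canary_check(lock_text, report_json, expected):
    """Compare a Trivy JSON report with the lockfile; return problem strings."""
    seen_pkgs, seen_vulns = set(), set()
    for result in json.loads(report_json).get("Results") or []:
        if result.get("Type") != "cargo":
            continue
        for p in result.get("Packages") or []:
            seen_pkgs.add((p["Name"], p["Version"]))
        for v in result.get("Vulnerabilities") or []:
            seen_vulns.add((v["PkgName"], v["InstalledVersion"], v["VulnerabilityID"]))
    problems = []
    for name, ver in sorted(lock_packages(lock_text) - seen_pkgs):
        problems.append(f"package not listed by scanner: {name} {ver}")
    for name, ver, ids in expected:
        if not any((name, ver, i) in seen_vulns for i in ids):
            problems.append(f"expected finding missing: {'/'.join(sorted(ids))} in {name} {ver}")
    return problems

if __name__ == "__main__":
    for line in canary_check(CARGO_LOCK, EMPTY_REPORT, EXPECTED):
        print(line)
```

Run against a known-vulnerable fixture in CI, a non-empty return value distinguishes "scanner found nothing" from "scanner did not look", which an empty scan report alone cannot.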