Table output shows no summary if no vulnerability is detected

[bgoareguer]

Description

I scan an image containing only one vulnerability with severity=HIGH.
When I allow Trivy to show all vulnerabilities, the table output shows the summary:

2022-07-19T09:25:07.775+0200    INFO    Vulnerability scanning is enabled
2022-07-19T09:25:07.775+0200    INFO    Secret scanning is enabled
2022-07-19T09:25:07.775+0200    INFO    If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-07-19T09:25:07.775+0200    INFO    Please see also https://aquasecurity.github.io/trivy/0.30.0/docs/secret/scanning/#recommendation for faster secret detection
2022-07-19T09:25:07.780+0200    INFO    Detected OS: alpine
2022-07-19T09:25:07.781+0200    INFO    Detecting Alpine vulnerabilities...
2022-07-19T09:25:07.782+0200    INFO    Number of language-specific files: 0

alpine:3.16.1 (alpine 3.16.1)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

┌────────────┬────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│  Library   │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                           Title                            │
├────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ busybox    │ CVE-2022-30065 │ HIGH     │ 1.35.0-r15        │ 1.35.0-r17    │ busybox: A use-after-free in Busybox's awk applet leads to │
│            │                │          │                   │               │ denial of service...                                       │
│            │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-30065                 │
├────────────┤                │          │                   │               │                                                            │
│ ssl_client │                │          │                   │               │                                                            │
│            │                │          │                   │               │                                                            │
│            │                │          │                   │               │                                                            │
└────────────┴────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘

But when I filter out all vulnerabilities (with --severity=CRITICAL), the table output does not show the summary:

2022-07-19T09:24:48.522+0200    INFO    Vulnerability scanning is enabled
2022-07-19T09:24:48.522+0200    INFO    Secret scanning is enabled
2022-07-19T09:24:48.522+0200    INFO    If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-07-19T09:24:48.522+0200    INFO    Please see also https://aquasecurity.github.io/trivy/0.30.0/docs/secret/scanning/#recommendation for faster secret detection
2022-07-19T09:24:48.528+0200    INFO    Detected OS: alpine
2022-07-19T09:24:48.531+0200    INFO    Detecting Alpine vulnerabilities...
2022-07-19T09:24:48.534+0200    INFO    Number of language-specific files: 0

What did you expect to happen?

I expected to see a summary showing 0 vulnerabilities as it did in versions prior to 0.30.0.
Here is the output I have with Trivy 0.29.2:

2022-07-19T09:24:30.905+0200    INFO    Vulnerability scanning is enabled
2022-07-19T09:24:30.910+0200    INFO    Secret scanning is enabled
2022-07-19T09:24:30.912+0200    INFO    If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-07-19T09:24:30.912+0200    INFO    Please see also https://aquasecurity.github.io/trivy/v0.29.2/docs/secret/scanning/#recommendation for faster secret detection
2022-07-19T09:24:30.918+0200    INFO    Detected OS: alpine
2022-07-19T09:24:30.918+0200    INFO    Detecting Alpine vulnerabilities...
2022-07-19T09:24:30.920+0200    INFO    Number of language-specific files: 0

alpine:3.16.1 (alpine 3.16.1)

Total: 0 (CRITICAL: 0)

Output of trivy -v:

Version: 0.30.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2022-07-19 06:08:05.847478212 +0000 UTC
  NextUpdate: 2022-07-19 12:08:05.847477912 +0000 UTC
  DownloadedAt: 2022-07-19 07:02:29.52459703 +0000 UTC

Additional details (base image name, container registry info...):

The image I am scanning is alpine:3.16.1

[afdesk]

@bgoareguer thanks for your report!
I took a look at `apline:

$ docker pull alpine:3.16.1

$ docker run --rm -it --entrypoint /bin/sh alpine:3.16.1 

/ # apk list | grep busybox
busybox-1.35.0-r15 x86_64 {busybox} (GPL-2.0-only) [installed]

so I think that trivy works correctly now.

[afdesk]

also I tested v0.29.2, it works correctly too:

$ trivy-29-2 i alpine:3.16.1
2022-07-19T18:52:30.862+0600	INFO	Vulnerability scanning is enabled
2022-07-19T18:52:30.862+0600	INFO	Secret scanning is enabled
2022-07-19T18:52:30.863+0600	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-07-19T18:52:30.863+0600	INFO	Please see also https://aquasecurity.github.io/trivy/v0.29.2/docs/secret/scanning/#recommendation for faster secret detection
2022-07-19T18:52:30.867+0600	INFO	Detected OS: alpine
2022-07-19T18:52:30.867+0600	INFO	Detecting Alpine vulnerabilities...
2022-07-19T18:52:30.868+0600	INFO	Number of language-specific files: 0

alpine:3.16.1 (alpine 3.16.1)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

┌────────────┬────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│  Library   │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                           Title                            │
├────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ busybox    │ CVE-2022-30065 │ HIGH     │ 1.35.0-r15        │ 1.35.0-r17    │ busybox: A use-after-free in Busybox's awk applet leads to │
│            │                │          │                   │               │ denial of service...                                       │
│            │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-30065                 │
├────────────┤                │          │                   │               │                                                            │
│ ssl_client │                │          │                   │               │                                                            │
│            │                │          │                   │               │                                                            │
│            │                │          │                   │               │                                                            │
└────────────┴────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘

[afdesk]

please, feel free reopen this issue, if the issue still exists

[bgoareguer]

@afdesk the problem was not about detecting the vulnerability but simply not showing the summary:
Total: 0 (CRITICAL: 0)

[afdesk]

@afdesk the problem was not about detecting the vulnerability but simply not showing the summary: Total: 0 (CRITICAL: 0)

oh, yes, i understood it now. thanks

[knqyf263]

We probably removed it by mistake. @afdesk Could you revert it?

[afdesk]

yes, sure. I'll do it today.

[afdesk]

FYI, alpine linux security db was updated yesterday, and now CVE-2022-30065 doesn't affect on busybox-1.35.0-r15

[KDMichaelis]

@knqyf263 @afdesk I'm on trivy v0.30.3 and I still see no summary with trivy fs for my poetry.lock file. I saw in this comment that it was decided to not output an empty table for language-specific packages: #2548 (comment)
I do agree that an empty table is not necessary but I would still expect a summary confirming that no vulnerabilities were found. From the current output it is just not obvious if the scan actually ran successfully:

2022-07-26T17:41:05.070+0200	INFO	Vulnerability scanning is enabled
2022-07-26T17:41:05.085+0200	INFO	Number of language-specific files: 1
2022-07-26T17:41:05.085+0200	INFO	Detecting poetry vulnerabilities...

This way it would be much more reassuring:

2022-07-26T17:41:05.070+0200	INFO	Vulnerability scanning is enabled
2022-07-26T17:41:05.085+0200	INFO	Number of language-specific files: 1
2022-07-26T17:41:05.085+0200	INFO	Detecting poetry vulnerabilities...

poetry.lock (poetry)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Would you consider reopening and adding this?

[afdesk]

@KDMichaelis thanks for your report
I'll retest it again

[lizduke]

I have this as well in 0.30.4 - would be really useful to get a summary showing no issues with an image.

[bgoareguer]

Still present in Trivy 0.38.3 (for trivy fs only, not for trivy image)

[obobrova]

Currently on trivy 0.45.0 and running a scan of IaC files with no issues generates an empty table with no summary. Like @KDMichaelis has pointed out, seeing no output makes it not obvious that the scan actually ran any config checks at all.

$ trivy config ./
2023-09-18T15:15:26.134-0700	INFO	Misconfiguration scanning is enabled
2023-09-18T15:15:26.598-0700	INFO	Detected config files: 2

[JerryBaboona]

On trivy 0.56.2 and trivy fs scan does not print anything if no results are found - as others have said this is frustrating because it's not clear if the scan was run at all.

[DotNetVato]

On version 0.57.0 with trivy fs the output does not print anything if no results are found just like others have said this is frustrating because it's not clear if the scan was run at all. prefer to see the results indicating there arent any vulns