Vulnerability database version isn't outputted by default during scanning operations

[chrisnovakovic]

Description

Trivy only outputs the version of the database used in a scan when the --debug option is given. Compare:

2024-03-04T15:39:51.036Z        INFO    Vulnerability scanning is enabled
2024-03-04T15:39:51.036Z        INFO    Secret scanning is enabled
2024-03-04T15:39:51.036Z        INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-03-04T15:39:51.036Z        INFO    Please see also https://aquasecurity.github.io/trivy/v0.49/docs/scanner/secret/#recommendation for faster secret detection
2024-03-04T15:39:53.326Z        INFO    Detected OS: ubuntu
2024-03-04T15:39:53.326Z        INFO    Detecting Ubuntu vulnerabilities...
2024-03-04T15:39:53.327Z        INFO    Number of language-specific files: 0

ubuntu:latest (ubuntu 22.04)

Total: 39 (UNKNOWN: 0, LOW: 26, MEDIUM: 13, HIGH: 0, CRITICAL: 0)

[...]

with:

2024-03-04T15:41:06.747Z        DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]                                      2024-03-04T15:41:06.747Z        DEBUG   Ignore statuses {"statuses": null}
2024-03-04T15:41:06.760Z        DEBUG   cache dir:  /home/csn/.cache/trivy
2024-03-04T15:41:06.760Z        DEBUG   DB update was skipped because the local DB is the latest
2024-03-04T15:41:06.760Z        DEBUG   DB Schema: 2, UpdatedAt: 2024-03-04 12:19:30.391554259 +0000 UTC, NextUpdate: 2024-03-04 18:19:30.391553979 +0000 UTC, DownloadedAt: 2024-03-04 14:39:06.739482815 +0000 UTC
2024-03-04T15:41:06.760Z        INFO    Vulnerability scanning is enabled
2024-03-04T15:41:06.760Z        DEBUG   Vulnerability type:  [os library]
2024-03-04T15:41:06.760Z        INFO    Secret scanning is enabled
2024-03-04T15:41:06.760Z        INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-03-04T15:41:06.760Z        INFO    Please see also https://aquasecurity.github.io/trivy/v0.49/docs/scanner/secret/#recommendation for faster secret detection
2024-03-04T15:41:06.760Z        DEBUG   Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan]
2024-03-04T15:41:07.541Z        DEBUG   No secret config detected: trivy-secret.yaml
2024-03-04T15:41:07.541Z        DEBUG   The nuget packages directory couldn't be found. License search disabled
2024-03-04T15:41:07.541Z        DEBUG   No secret config detected: trivy-secret.yaml
2024-03-04T15:41:07.671Z        DEBUG   Image ID: sha256:3db8720ecbf5f5927d409cc61f9b4f7ffe23283917caaa992f847c4d83338cc1
2024-03-04T15:41:07.671Z        DEBUG   Diff IDs: [sha256:d101c9453715a978a2a520f553588e77dfb4236762175eba61c5c264a449c75d]
2024-03-04T15:41:07.671Z        DEBUG   Base Layers: []
2024-03-04T15:41:07.676Z        INFO    Detected OS: ubuntu
2024-03-04T15:41:07.676Z        INFO    Detecting Ubuntu vulnerabilities...
2024-03-04T15:41:07.676Z        DEBUG   ubuntu: os version: 22.04
2024-03-04T15:41:07.676Z        DEBUG   ubuntu: the number of packages: 101
2024-03-04T15:41:07.677Z        INFO    Number of language-specific files: 0

ubuntu:latest (ubuntu 22.04)

Total: 39 (UNKNOWN: 0, LOW: 26, MEDIUM: 13, HIGH: 0, CRITICAL: 0)

[...]

It's useful to know which version of the database is being used in a scan, especially if Trivy is run as part of an automated process whose logs are collected and saved (e.g. a GitHub action), because the database version and the results Trivy provides are intrinsically connected. However, it feels excessive to have to opt in to everything else at the DEBUG log level to get this information. (It's also worth noting that the Java DB download messages are logged at INFO level, and are therefore outputted by default.)

Desired Behavior

By default, Trivy logs the version of the database that was used to perform scanning operations. Something like:

2024-03-04T15:39:51.036Z        INFO    DB update was skipped because the local DB is the latest
2024-03-04T15:39:51.036Z        INFO    DB Schema: 2, UpdatedAt: 2024-03-04 12:19:30.391554259 +0000 UTC, NextUpdate: 2024-03-04 18:19:30.391553979 +0000 UTC, DownloadedAt: 2024-03-04 14:39:06.739482815 +0000 UTC
2024-03-04T15:39:51.036Z        INFO    Vulnerability scanning is enabled
2024-03-04T15:39:51.036Z        INFO    Secret scanning is enabled
2024-03-04T15:39:51.036Z        INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-03-04T15:39:51.036Z        INFO    Please see also https://aquasecurity.github.io/trivy/v0.49/docs/scanner/secret/#recommendation for faster secret detection
2024-03-04T15:39:53.326Z        INFO    Detected OS: ubuntu
2024-03-04T15:39:53.326Z        INFO    Detecting Ubuntu vulnerabilities...
2024-03-04T15:39:53.327Z        INFO    Number of language-specific files: 0

ubuntu:latest (ubuntu 22.04)

Total: 39 (UNKNOWN: 0, LOW: 26, MEDIUM: 13, HIGH: 0, CRITICAL: 0)

[...]

Actual Behavior

It is necessary to specify --debug when running Trivy to display the version of the database that was used to perform scanning operations, although this also produces many other messages that aren't useful most of the time.

Reproduction Steps

1. `trivy i ubuntu:latest` (and `trivy i ubuntu:latest --debug`)

Target

Container Image

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Debug Output

See description.

Operating System

Ubuntu 22.04

Version

Version: 0.49.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-03-04 12:19:30.391554259 +0000 UTC
  NextUpdate: 2024-03-04 18:19:30.391553979 +0000 UTC
  DownloadedAt: 2024-03-04 14:39:06.739482815 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-10-05 00:54:53.57111501 +0000 UTC
  NextUpdate: 2023-10-08 00:54:53.57111451 +0000 UTC
  DownloadedAt: 2023-10-05 15:40:25.059495872 +0000 UTC

Checklist

• Run trivy image --reset
• Read the troubleshooting

[DmitriyLewen]

Hello @chrisnovakovic
Thanks for your report!

@knqyf263 what do you think about moving info about trivy-db from debug to info log?

[knqyf263]

trivy -v shows the database information. I feel like it is enough.

$ trivy -v
Version: dev
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-02-23 00:14:48.102665047 +0000 UTC
  NextUpdate: 2024-02-23 06:14:48.102664466 +0000 UTC
  DownloadedAt: 2024-02-23 07:14:20.559846 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-02-08 00:44:40.65834125 +0000 UTC
  NextUpdate: 2024-02-11 00:44:40.65834107 +0000 UTC
  DownloadedAt: 2024-02-08 15:46:25.059961 +0000 UTC
Policy Bundle:
  Digest: sha256:f21e8e92a7b3f6042ef7acfd3b799afc1648536dc4111c4d5458bc16396f8332
  DownloadedAt: 2024-01-22 07:39:00.960377 +0000 UTC