Comments (8)
@krol3 I've also experienced this issue. I first noticed a large difference between yarn dependency vulnerabilities reported by Snyk and Trivy, and determined this to be the cause. Snyk solves the issue by scanning package.json as well, and has a --dev flag, off by default to control this behavior. See here: https://support.snyk.io/hc/en-us/articles/360004712477-Snyk-for-JavaScript
Including a similar feature in Trivy would add significant value to node.js reports imo.
from trivy.
As far as I know, yarn.lock doesn't have information regarding the package type. In other words, we cannot identify whether the package is devDependency or not. As @aroes said, we might address the issue if we take package.json together.
from trivy.
A workaround for this that I've used is to run yarn install --production since this can prune the yarn.lock.
Somewhat awkward in situations where you don't really want to touch the yarn.lock file (e.g. in a build pipeline), but helps if you don't want to get overwhelmed by development vulnerabilities.
Anyone that understands yarn well could correct me here if I'm wrong but one could do something like:
yarn install --frozen-lockfile
yarn install --production
The first one will do your normal check to see if nothing happens to your lockfile while the second one can prune development dependencies.
Like I said, someone that understands yarn better - feel free to tell why this is a bad idea! :)
from trivy.
@pnu-s is the issue still happening?
from trivy.
Looking at the docs, it looks like this is intended behaviour: https://aquasecurity.github.io/trivy/dev/vulnerability/detection/language/. They explicitly state that devDependencies are included in vulnerability scans for yarn.lock. However, they're not included in package-lock.json. I'm quite curious as to why these have been implemented differently. Perhaps a limitation due to the way yarn.lock is structured? Either way, if there is a way to exclude devDeps for yarn.lock, that would be more than welcome :)
from trivy.
As far as I know, yarn.lock doesn't have information regarding the package type. In other words, we cannot identify whether the package is devDependency or not. As @aroes said, we might address the issue if we take package.json together.
I really don't think this is true. If we humans can know it, why can Trivy not? You would simply have to check all dependencies in the yarn.lock file and see why they are there (e.g. referenced by other packages, etc.), so a dependency is either there because you referenced it directly in devDependencies or dependencies, or because it's a dependency of the former. I think this is just a bit of tree traversal to find out if it's a dev one or not ...
EDIT: I should have read this more closely. You said that it's possible when information is additionally pulled from package.json.
Sorry for the noise :)
from trivy.
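The tree walk discussed above (yarn.lock's dependency graph combined with the package.json roots, as the second and sixth comments describe), written out as an added example that is not part of the thread or of Trivy's own code; the minimal yarn.lock v1 parser, the function names and the sample package.json/yarn.lock are assumptions made for this illustration:

```javascript
// Added example, not code from the Trivy thread: tag yarn.lock v1 entries as prod or
// dev-only by walking the graph from package.json. All sample inputs are constructed.
function parseYarnLockV1(text) { // Map of "name@range" -> { version, dependencies }
  const entries = new Map(); let cur;
  for (const raw of text.split('\n')) {
    if (!raw.trim() || raw.startsWith('#')) continue;
    const indent = raw.length - raw.trimStart().length, line = raw.trim();
    if (indent === 0) { // header: comma-separated "name@range" keys ending in ':'
      cur = { version: null, dependencies: {} };
      for (const k of line.slice(0, -1).split(',')) entries.set(k.trim().replace(/^"|"$/g, ''), cur);
    } else if (indent === 2 && line.startsWith('version ')) {
      cur.version = line.slice(8).replace(/"/g, '');
    } else if (indent === 4) { // dependency line: name "range" (name may be quoted)
      const m = line.match(/^"?([^"\s]+)"?\s+"?([^"]+)"?$/); if (m) cur.dependencies[m[1]] = m[2];
    }
  }
  return entries;
}
// Every resolved "name@version" reachable from the given "name@range" roots (DFS).
function reachable(entries, roots) {
  const seen = new Set(), out = new Set(), stack = [...roots];
  while (stack.length) {
    const key = stack.pop(), e = entries.get(key);
    if (seen.has(key) || !e) continue; seen.add(key); // !e: lock out of sync with package.json
    out.add(`${key.slice(0, key.lastIndexOf('@'))}@${e.version}`);
    for (const [n, r] of Object.entries(e.dependencies)) stack.push(`${n}@${r}`);
  }
  return out;
}
// Compared by resolved version, so a package reachable from both trees stays "prod".
function classifyLock(pkg, lockText) {
  const entries = parseYarnLockV1(lockText), keys = (d) => Object.entries(d || {}).map(([n, r]) => `${n}@${r}`);
  const prod = reachable(entries, keys(pkg.dependencies)), dev = reachable(entries, keys(pkg.devDependencies));
  return { prod: [...prod].sort(), devOnly: [...dev].filter((v) => !prod.has(v)).sort() };
}
const SAMPLE_PKG = { dependencies: { express: '^4.18.0', lodash: '^4.17.10' }, devDependencies: { jest: '^29.0.0' } };
const SAMPLE_LOCK = `# yarn lockfile v1 (constructed sample)
"@babel/core@^7.0.0":
  version "7.1.0"
  dependencies:
    lodash "^4.17.10"
express@^4.18.0:
  version "4.18.2"
jest@^29.0.0:
  version "29.7.0"
  dependencies:
    "@babel/core" "^7.0.0"
    lodash "^4.17.4"
lodash@^4.17.10, lodash@^4.17.4:
  version "4.17.21"`;
```

Running classifyLock(SAMPLE_PKG, SAMPLE_LOCK) reports lodash as prod even though jest also pulls it in, while @babel/core and jest come out as dev-only.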
I am not a Node expert, but maybe this repository helps to understand more about devDependencies.
- https://github.com/snyk/nodejs-lockfile-parser
- https://github.com/snyk/nodejs-lockfile-parser/blob/master/lib/parsers/index.ts#L114
from trivy.
It's a bad idea as you don't want to have to modify yarn.lock to remove devDependencies. You need to keep those in the lock file for development usage of the code.
e.g. in TypeScript/Angular projects yarn.lock defines a lot about your build environment and you don't want that changing just because you decide to do a production build for deployment.
In addition to that, yarn install --production leaves the lock file alone. All it does is actually stop yarn from installing dev dependencies. They are still referenced in the lock file.
from trivy.