dbsystel / trivy-vulnerability-explorer

Web application that allows to load a Trivy report in json format and displays the vulnerabilities of a single target in an interactive data table.

Home Page: https://dbsystel.github.io/trivy-vulnerability-explorer

License: Apache License 2.0

trivy vulnerability scan report hacktoberfest

trivy-vulnerability-explorer's Introduction

Trivy Vulnerability Explorer

Large Trivy reports tend to become hard to grasp, which is why this project was created. It is a web application that lets you load a Trivy report in JSON format and displays the vulnerabilities of a single target in an interactive data table.

Figure 1. Screenshot of the application

Usage

Head over to the application and load a Trivy report .json file. For example, to scan an outdated alpine image, you can run the following command to create an alpine-3.9.2.json report.

trivy i -f json -o alpine-3.9.2.json alpine:3.9.2

Now load this file in the vulnerability explorer and start exploring. You can filter by term or click one of the categories in the filter bar to dig into the data. You can also use the example file in the repo.

The data never leaves your browser: parsing and filtering are handled entirely client-side (in URL mode it is your browser that fetches the report from the URL you supply). Of course, you are free to fork this project and deploy your own version. If you do so, I would be happy if you leave me a comment and a star on the repository.

Integration with GitLab Job

If you are using a GitLab job to generate the Trivy report, you can supply a direct URL to the JSON file. The app will fetch the report and display the results without the hassle of first downloading the file. You might need to provide a token for authentication; you can do that by clicking the shield symbol next to the URL field. Create a personal access token with only the read_api scope, and give it an expiry date. The token is persisted in the browser's local storage, so that you can reuse it the next time you load a report from the same GitLab instance. Keep in mind that local storage is readable by any script running on the explorer's origin, so use a dedicated, narrowly scoped token and revoke it when you no longer need it.

You can pass a query parameter url to the app, and it will load the file from this URL on startup. It is a good idea to print the URL of the vulnerability explorer at the end of the job log, so that the user can jump directly to the vulnerability report. If the report artifact is named trivy-results.json, the URL looks like this (note that $CI_SERVER_URL already includes the scheme, so it must not be prefixed with https:// a second time):

https://dbsystel.github.io/trivy-vulnerability-explorer/#/?url=$CI_SERVER_URL/api/v4/projects/$CI_PROJECT_ID/jobs/$CI_JOB_ID/artifacts/trivy-results.json
Caution
There was a recent change in the implementation of the routing: make sure to include the # in the URL, otherwise this feature will not work.
Note
While the feature was built with GitLab in mind, it should work for every artifact storage from which the JSON can be downloaded with an HTTP GET request that needs at most a single HTTP header for authentication. Because the browser performs that request from the explorer's origin, the storage also has to answer cross-origin (CORS) requests, including the preflight that a custom authentication header triggers.
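As an added example (not the project's own code), the following JavaScript builds the link a job would print from GitLab's predefined CI variables and then parses the url parameter back out the way a hash-based route exposes it, which is why the # matters. The function names and the encoding of the artifact URL are assumptions; the explorer URL and the artifacts API path are the ones given above.

```javascript
// Added example, not the project's code. Builds the explorer link a GitLab job
// prints at the end of its log, then reads the `url` parameter back out the
// way a hash-based router sees it.
const EXPLORER = "https://dbsystel.github.io/trivy-vulnerability-explorer/";

// serverUrl is $CI_SERVER_URL, which already carries the scheme
// (e.g. "https://gitlab.example.com"), so it must not be prefixed again.
function buildExplorerLink({ serverUrl, projectId, jobId, report = "trivy-results.json" }) {
  if (!/^https?:\/\//.test(serverUrl)) {
    throw new Error("serverUrl must include the scheme, as $CI_SERVER_URL does");
  }
  const base = serverUrl.replace(/\/+$/, "");
  const artifact =
    `${base}/api/v4/projects/${encodeURIComponent(projectId)}` +
    `/jobs/${encodeURIComponent(jobId)}/artifacts/${report}`;
  // The query string has to follow "#/": everything before "#" addresses the
  // static page, everything after it is the route the app inspects on startup.
  // Encoding the artifact URL (an assumption, the README passes it raw) keeps
  // any "&" or "#" inside it from being misread as the explorer's own query.
  return `${EXPLORER}#/?url=${encodeURIComponent(artifact)}`;
}

// What the app does on startup: take the route from the hash and read `url`.
// Returns null if the parameter is missing or sits before the "#".
function reportUrlFromLink(link) {
  const route = new URL(link).hash.replace(/^#/, ""); // e.g. "/?url=..."
  const q = route.indexOf("?");
  if (q === -1) return null;
  return new URLSearchParams(route.slice(q + 1)).get("url");
}

// Usage from inside a job: print the link so it shows up in the job log.
if (typeof process !== "undefined" && process.env.CI_SERVER_URL) {
  console.log(buildExplorerLink({
    serverUrl: process.env.CI_SERVER_URL,
    projectId: process.env.CI_PROJECT_ID,
    jobId: process.env.CI_JOB_ID,
  }));
}
```

Run it as a script step at the end of the scanning job with Node available; without the # the url parameter lands in the page's search string instead of the route, and reportUrlFromLink returns null, which is exactly the failure the caution above describes.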

Contribute

Development

Setup
npm install
Compiles and hot-reloads for development
npm run serve
Run via Docker
$ docker build -t <image_name> .

ex. docker build -t trivy-explorer .

$ docker run -p <local-port>:8080 --name <container-name> <image-name>

ex. docker run -p 5000:8080 --name sec-scan trivy-explorer

License

This project is licensed under Apache-2.0

trivy-vulnerability-explorer's People

Contributors

jecdichoso, jschirrmacher, morl99, renovate-bot, renovate[bot]


trivy-vulnerability-explorer's Issues

Build for production

Greetings,

I was trying to run this in a container and just wanted to check if there was a way to run this without further build process, just to be clear here is the dockerfile

FROM node:14-alpine

WORKDIR /opt/trivy-vulnerability-explorer
COPY package.json .
RUN npm install
COPY . .
RUN npm run build
ENV NODE_ENV production
# "node run serve" is not a valid invocation; the package script is run through npm
CMD ["npm", "run", "serve"]

if you are into running images from strangers then the image is available here : rmenn/trivy-vulnerability-explorer:dev

just wanted to see if i could reduce the time for startup

Another query that i had was is it possible to send the json content to an endpoint and have it displayed instead of opening up a file ?

Thank you for the project

feat: .trivyignore allow import / export from / to project via gitlab API

getting a .trivyignore generated is cool but what about the cases

I already have a .trivyignore file and I want to

  • filter the findings depending on this ignore list
  • find which ignores can be removed
  • merge back the new ignore file

I can think of getting something like:

  1. a load from project button predefined (project HTTPS URL is given, PAT can be used)
  2. paste a ignore file I actually have
  3. with 1): hit a button to jump back to the single file editor on gitlab with the changed file content
    btw. yes it's that easy to add &content=test1%0Atest2 to the ${GITLAB_PROJECT_URL}/-/edit/main/.trivyignore?ref_type=heads&content=test1%0Atest2 resp. creating it by /-/new/main?file_name=.trivyignore&content=test
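An added example (not the project's code and not from the issue author) of the reconciliation the issue asks for, in JavaScript: parse an existing .trivyignore, split the report's findings into suppressed and remaining, list ignore entries that no longer match anything, produce the merged file, and build the GitLab single-file editor link in the form quoted above. The .trivyignore format assumed is one vulnerability ID per line with # comments; the sample file and all function names are constructed for the example.

```javascript
// Added example, not the project's code. Reconciles an existing .trivyignore
// with the vulnerability IDs found in a report: which findings it suppresses,
// which entries no longer match anything, and the merged file to write back.

// .trivyignore format: one vulnerability ID per line, "#" starts a comment,
// blank lines are ignored.
function parseTrivyIgnore(text) {
  const ids = new Set();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.replace(/#.*$/, "").trim();
    if (line) ids.add(line);
  }
  return ids;
}

// findingIds: vulnerability IDs from the loaded report (e.g. "CVE-2011-3374").
// newIgnores: IDs the user marked as ignored in the explorer.
function reconcileIgnores(ignoreText, findingIds, newIgnores = []) {
  const ignored = parseTrivyIgnore(ignoreText);
  const findings = new Set(findingIds);
  const suppressed = [...findings].filter((id) => ignored.has(id));
  const remaining = [...findings].filter((id) => !ignored.has(id));
  // Entries that match nothing in the current report are candidates for removal;
  // they are reported but kept in the merge, so that a human decides.
  const stale = [...ignored].filter((id) => !findings.has(id));
  const merged = new Set([...ignored, ...newIgnores]);
  return { suppressed, remaining, stale, mergedText: [...merged].sort().join("\n") + "\n" };
}

// The GitLab single-file editor link described in the issue; the content
// parameter must be URL-encoded (newlines become %0A).
function gitlabEditLink(projectUrl, branch, ignoreText, exists = true) {
  const base = projectUrl.replace(/\/+$/, "");
  const content = encodeURIComponent(ignoreText);
  return exists
    ? `${base}/-/edit/${branch}/.trivyignore?ref_type=heads&content=${content}`
    : `${base}/-/new/${branch}?file_name=.trivyignore&content=${content}`;
}

// Constructed sample ignore file (not from a real project).
const SAMPLE_IGNORE = `# accepted risk, tracked in ticket 123
CVE-2011-3374
CVE-2020-0001   # no longer present in the image
`;
```

The merged text is sorted so that the diff GitLab shows in the editor stays readable; stale entries are surfaced rather than silently dropped, because an ID that is absent from one report may reappear in the next scan of a different target.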

"Select Target" Field Not Working

First off, I'm not a developer, I may need the dummy version of instruction.

On the sample screenshot, what is the target for "Select Target" field? It'll only show TEST. I cannot get this explorer to view my Trivy report JSON stored locally. I had the Trivy report sent over by my vendor. I did not run the report myself.

Thank you!


Error handling while loading a new report

#345 shows that the error handling for the loading of a report is clearly problematic. If the app cannot parse the JSON, there is no error message whatsoever. Instead, we should clearly state that there is a problem, and ideally state the nature of the problem.

Supported versions of Trivy and report types

Description

The README has two gaps in documentation that could cause unexpected behavior or errors in the application.

  1. What are the versions of Trivy that have been tested to demonstrate compatibility? Since Trivy is still in a v0 status they do not guarantee backwards compatibility and their reports/outputs may change.
  2. What Trivy report types are supported?
    • The example report you have in the repo seems to be an image scan output
    • Is the Kubernetes report supported?

The tool seems great, but was just hoping to have a better understanding of the current scope of functionality!

Load trivy report from a defined URL at startup

If a user already has the trivy report on a reachable endpoint, it is cumbersome to download it and then load it into the vulnerability explorer. It would be great to directly load the report from that endpoint. Most likely, the url for the download could be passed as a query parameter to the trivy-vulnerability-explorer. This would allow another application to build a URL to the trivy-vulnerability-explorer that already contains the reference to the report. For example, a CI Pipeline could create the report, publish it at a reachable URL and link to the trivy-vulnerability-explorer that will directly display the report.

A challenge could be if the report itself is only reachable with authentication. Let's dig into more concrete scenarios to discover what we could do to support this.

GitLab integration

Hello,

When following the steps outlined in "Integration with GitLab Job", the Explorer page does not work as expected.
When navigating to the URL created according to the provided example, the page shows that "File mode" is selected rather than "URL mode" and the report section is empty.
I know that my "url=" parameter is correct, as when I click on the "URL" button and paste it into the URL input, the report is displayed correctly.
Otherwise it works great. Thank you for reading.
Tostt

The automated release is failing 🚨

🚨 The automated release from the main branch failed. 🚨

I recommend you give this issue a high priority, so other packages depending on you can benefit from your bug fixes and new features again.

You can find below the list of errors reported by semantic-release. Each one of them has to be resolved in order to automatically publish your package. I’m sure you can fix this 💪.

Errors are usually caused by a misconfiguration or an authentication problem. With each error reported below you will find explanation and guidance to help you to resolve it.

Once all the errors are resolved, semantic-release will release your package the next time you push a commit to the main branch. You can also manually restart the failed CI job that runs semantic-release.

If you are not sure how to resolve this, here are some links that can help you:

If those don’t help, or if this issue is reporting something you think isn’t right, you can always ask the humans behind semantic-release.


Cannot push to the Git repository.

semantic-release cannot push the version tag to the branch main on the remote Git repository with URL https://x-access-token:[secure]@github.com/dbsystel/trivy-vulnerability-explorer.

This can be caused by:


Good luck with your project ✨

Your semantic-release bot 📦🚀

Feature Request: K8s cluster report

Hi,

I have an issue with this tool: I don't get any results when I load the JSON results of a K8s Trivy scan.

It works perfectly with an OS Trivy scan.

Is it normal ?

Thanks

Robs

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Rate-Limited

These updates are currently rate-limited. Click on a checkbox below to force their creation now.

  • chore(deps): update actions/checkout action to v4.1.7
  • chore(deps): update dependency eslint-plugin-cypress to v2.15.2
  • chore(deps): update dependency sass to v1.77.8
  • chore(deps): update jamesives/github-pages-deploy-action action to v4.6.3
  • fix(deps): update dependency core-js to v3.38.1
  • chore(deps): update dependency @vue/eslint-config-typescript to v13
  • chore(deps): update dependency cypress to v13
  • chore(deps): update dependency eslint to v9
  • chore(deps): update dependency eslint-config-prettier to v9
  • chore(deps): update dependency eslint-plugin-cypress to v3
  • chore(deps): update dependency husky to v9
  • chore(deps): update dependency prettier to v3
  • chore(deps): update dependency pretty-quick to v4
  • chore(deps): update dependency sass-loader to v16
  • chore(deps): update node.js to v20
  • chore(deps): update semantic-release monorepo (major) (@semantic-release/github, semantic-release)
  • chore(deps): update typescript-eslint monorepo to v8 (major) (@typescript-eslint/eslint-plugin, @typescript-eslint/parser)
  • πŸ” Create all rate-limited PRs at once πŸ”

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

Detected dependencies

dockerfile
Dockerfile
  • node 16.20.2-alpine
github-actions
.github/workflows/build.yml
  • actions/checkout v4.1.1
  • actions/setup-node v3
  • cypress-io/github-action v4
.github/workflows/publish.yml
  • actions/checkout v4.1.1
  • actions/setup-node v3
  • actions/setup-node v3
  • JamesIves/github-pages-deploy-action v4.5.0
npm
package.json
  • core-js 3.36.0
  • v-clipboard 2.2.3
  • vue 2.6.14
  • vue-class-component 7.2.6
  • vue-file-agent 1.7.3
  • vue-frag 1.4.3
  • vue-property-decorator 9.1.2
  • vue-router 3.6.5
  • vuetify 2.7.2
  • @semantic-release/github 8.1.0
  • @typescript-eslint/eslint-plugin 5.62.0
  • @typescript-eslint/parser 5.62.0
  • @vue/cli-plugin-babel 4.5.19
  • @vue/cli-plugin-router 4.5.19
  • @vue/cli-plugin-typescript 4.5.19
  • @vue/cli-service 4.5.19
  • @vue/eslint-config-typescript 10.0.0
  • cypress 12.17.4
  • eslint 8.57.0
  • eslint-config-prettier 8.10.0
  • eslint-plugin-cypress 2.15.1
  • eslint-plugin-vue 8.7.1
  • husky 8.0.3
  • prettier 2.8.8
  • pretty-quick 3.3.1
  • sass 1.71.1
  • sass-loader 10.5.2
  • semantic-release 20.1.3
  • typescript 4.6.4
  • vue-cli-plugin-vuetify 2.5.8
  • vue-template-compiler 2.6.14
  • vuetify-loader 1.8.0
  • node >= 16 < 19

  • Check this box to trigger a request for Renovate to run again on this repository

feat: Support adding optional authorization header while fetching from URL

We use GitLab CI, and it stores the artifacts during a pipeline job. In order to retrieve the trivy-result.json directly from GitLab CI, the browser needs to include a token header.

To support different scenarios, the authorization header should be generic. And it should be stored in the localStorage, so that the user does not need to retype it every time the application is opened.

Potential way to hijack the auth header?

Hi,

While developing the PR in #157 we tried to think about whether this will introduce a security problem. During the discussion we noticed the authorization header will be added to every URL - to any host.

So what happens when I send a link https://dbsystel.github.io/trivy-vulnerability-explorer/?url=<my-evil-site-where-i-capture-the-auth-headers> to a browser with saved authorization headers? Haven't tried yet, but from the code it could work...

A solution might be to also configure a server or domain name for the authorization header - and only add the header when the host / domain of the url matches the configuration.

It might be that I've missed something - then just drop this issue. If this is real - sorry for the bad timing :-/

Bye,
Chris
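The mitigation proposed in this issue, binding the stored header to one origin, as an added JavaScript example that is not the project's code: the header is attached only when the report URL has exactly the origin the credential was saved for, never over plain HTTP, and redirects are refused so that the header cannot be carried to another host. The credential shape, the function names and the injectable fetch are assumptions; the PRIVATE-TOKEN header name is GitLab's personal-access-token header and the token value is a constructed placeholder.

```javascript
// Added example, not the project's code. A stored credential is bound to one
// origin (scheme + host + port); the header is attached only when the report
// URL has exactly that origin, so a crafted ?url= pointing elsewhere gets nothing.
function authHeadersFor(reportUrl, credential) {
  if (!credential) return {};
  let target;
  try {
    target = new URL(reportUrl);
  } catch {
    return {}; // unparsable URL: nothing to compare against, send no secret
  }
  const bound = new URL(credential.origin);
  // Exact origin match: "gitlab.example.com.evil.example" or a different port
  // does not match, and plain http never receives the token.
  if (target.protocol !== "https:" || target.origin !== bound.origin) return {};
  return { [credential.header]: credential.value };
}

// Fetch the report; fetchImpl is injectable so the logic can be exercised offline.
// redirect: "error" makes a redirect fail instead of re-sending headers elsewhere.
async function loadReport(reportUrl, credential, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(reportUrl, {
    method: "GET",
    headers: { Accept: "application/json", ...authHeadersFor(reportUrl, credential) },
    redirect: "error",
  });
  if (!res.ok) throw new Error(`Report download failed: HTTP ${res.status}`);
  return res.json();
}

// Constructed credential as the app might keep it in localStorage: the header
// name is GitLab's PRIVATE-TOKEN, the value a fake personal access token.
const SAMPLE_CREDENTIAL = {
  origin: "https://gitlab.example.com",
  header: "PRIVATE-TOKEN",
  value: "glpat-not-a-real-token",
};
```

Comparing whole origins rather than host suffixes is the point: a string check such as url.includes("gitlab.example.com") would still leak the token to gitlab.example.com.evil.example or to a path on an attacker's host that merely contains that text.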

Get automated dependency updates

To keep this tool maintainable and up to date, we want to receive automatic dependency updates that can be merged automatically, unless they are major updates (which should be checked by a maintainer before the merge).

add DB to Trivy adopters

Hi there,

my name is Anais Urlichs, I work on Trivy as part of the Aqua Security Open Source team.

Thank you for creating the trivy-vulnerability-explorer. We will add it to our ecosystem page in the Trivy documentation so more people can find it.

I was wondering whether you could add yourself in the Trivy discussion section under adopters (there is a very quick-to-fill-out discussion template) -- you can reference the vulnerability explorer there and anything else you would like to share about your use case. It would be very valuable to the community to see you using Trivy :)

Please let me/us know if you have any questions, we are happy to help.

https://github.com/aquasecurity/trivy/discussions/categories/adopters

Thank you & have a great week!

Trivy explorer can't open kubernetes report

How to reproduce:

kubectl -n default run nginx --image=nginx:latest --port=80

trivy k8s -n default all --format json -o nginx_1.json 
trivy image nginx:latest --format json -o nginx_2.json

Open file nginx_1.json: [screenshot]
Console screen in my browser (Firefox): [screenshot]

Open file nginx_2.json: [screenshot]

Trivy version:

➜  ~ trivy -v
Version: 0.38.3
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-04-03 06:07:03.052991494 +0000 UTC
  NextUpdate: 2023-04-03 12:07:03.052991094 +0000 UTC
  DownloadedAt: 2023-04-03 08:22:47.072403 +0000 UTC
Policy Bundle:
  Digest: sha256:2f95caeff50df1f00efdf5cb619c3b5488bbbb9bb08ef0890f52352464d35c79
  DownloadedAt: 2023-04-03 08:22:48.363111 +0000 UTC

cat nginx_1.json

{
  "ClusterName": "dev",
  "Vulnerabilities": [
    {
      "Namespace": "default",
      "Kind": "Pod",
      "Name": "nginx",
      "Results": [
        {
          "Target": "nginx:latest (debian 11.6)",
          "Class": "os-pkgs",
          "Type": "debian",
          "Vulnerabilities": [
            {
              "VulnerabilityID": "CVE-2011-3374",
              "PkgID": "apt@2.2.4",
              "PkgName": "apt",
              "InstalledVersion": "2.2.4",
              "Layer": {
                "Digest": "sha256:f1f26f5702560b7e591bef5c4d840f76a232bf13fd5aefc4e22077a1ae4440c7",
                "DiffID": "sha256:3af14c9a24c941c626553628cf1942dcd94d40729777f2fcfbcd3b8a3dfccdd6"
              },

cat nginx_2.json:

{
  "SchemaVersion": 2,
  "ArtifactName": "nginx:latest",
  "ArtifactType": "container_image",
  "Metadata": {
    "OS": {
      "Family": "debian",
      "Name": "11.6"
    },
    "ImageID": "sha256:080ed0ed8312deca92e9a769b518cdfa20f5278359bd156f3469dd8fa532db6b",
    "DiffIDs": [
      "sha256:3af14c9a24c941c626553628cf1942dcd94d40729777f2fcfbcd3b8a3dfccdd6",
      "sha256:af29ec691175380d67613953dfb815a47cbcdc5a10221ab1047668cda2efc9ee",
      "sha256:a0b795906dc1f8bb47568da6335c0b5e5049aefc9b0bf3bfe6a9a90e55e8ca36",
      "sha256:95457f8a16fd7d0e872c8ccd8ffa84b79b8aa56a39ca5a84bf54c1fab9bac712",
      "sha256:4d0bf5b5e17b1bf57a06893ca4cdb58189efcf348b817d33850aa04ab403e4f1",
      "sha256:ff4557f62768fd99a55c9596bcc2ade44045c47a089a898a14d73b50a306c74d"
    ],
    "RepoTags": [
      "nginx:latest"
    ],
    "RepoDigests": [
      "nginx@sha256:2ab30d6ac53580a6db8b657abf0f68d75360ff5cc1670a85acb5bd85ba1b19c0"
    ],
    "ImageConfig": {
      "architecture": "amd64",
      "container": "2e6cfff5afd6bd5a85faf12b14aa18cc04ed32b06732965bb133022ef85ba5c2",
      "created": "2023-03-28T22:20:09.76950724Z",
      "docker_version": "20.10.23",
      "history": [
        {
          "created": "2023-03-23T01:30:27.508854764Z",
          "created_by": "/bin/sh -c #(nop) ADD file:60911afdacfdc216e44115addb5f3cc07f4166e8a4adf7be94a58aacc327ad63 in / "
        },

Provide a container image

In order to make the deployment of the trivy-vulnerability-explorer easier for other folks, I would like to provide a container image within the ghcr.io registry.

Support relative paths in dist build

vue.config.js allows partial overriding of base URL through REPOSITORY_NAME env but always puts a leading slash on the front preventing the explorer from being deployed at a relative path, e.g. when integrated into a CI/CD platform as static assets.

Forked workaround for me was to remove the leading '/' in the above file and set REPOSITORY_NAME to "." meaning index.html is at the base of install and rest of files js/ etc are deployed underneath.

Would be nice to support a relative install out of the box. Simply changing your build to remove the leading slash, and setting REPOSITORY_NAME to "/<whatever it needs to be>", would allow the relative install option.

No automated tests

We would want to have at least a minimum of automated tests, so that we can have automated dependency updates by something like dependabot.

Support Trivy Enterprise Reports

Trivy Enterprise reports have a different schema, it would be helpful if the vulnerability explorer could parse them as well.

Additional features could be:

  • show and filter acknowledgements
  • acknowledgement via aqua api

Update to vue 3

It is about time to update the project to Vue 3. Even though Vuetify is not quite there yet, there seems to be a stable enough beta.

I would like to change to vite on my way to vue 3.
