Bun support?

[SrBrahma]

Description

Hi!

https://aquasecurity.github.io/trivy/v0.48/docs/coverage/language/nodejs/

It supports npm, yarn and pnpm. Any plans to support bun?

Thanks!

Target

None

Scanner

None

[nikpivkin]

Hi @SrBrahma !

Bun can generate yarn.lock, which is supported by Trivy.

For this example, I installed the vulnerable vite package:

bun install vite@5.0.11
bun add v1.0.25 (a8ff7be6)

 installed vite@5.0.11 with binaries:
  - vite

warn: esbuild's postinstall script took 1.4s

 11 packages installed [4.29s]

Generate yarn.lock:

bun install --yarn
bun install v1.0.25 (a8ff7be6)

Checked 23 installs across 58 packages (no changes) [6.00ms]

Run Trivy:

trivy fs .
2024-01-25T02:06:09.418+0700    INFO    Vulnerability scanning is enabled
2024-01-25T02:06:09.418+0700    INFO    Secret scanning is enabled
2024-01-25T02:06:09.418+0700    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-01-25T02:06:09.418+0700    INFO    Please see also https://aquasecurity.github.io/trivy/v0.48/docs/scanner/secret/#recommendation for faster secret detection
2024-01-25T02:06:09.425+0700    WARN    Unable to parse "package.json" to remove dev dependencies: unable to walk dependencies: unable to match version for @types/bun
2024-01-25T02:06:09.436+0700    INFO    Number of language-specific files: 1
2024-01-25T02:06:09.436+0700    INFO    Detecting yarn vulnerabilities...

yarn.lock (yarn)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │        Fixed Version         │                            Title                             │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ vite    │ CVE-2024-23331 │ HIGH     │ fixed  │ 5.0.11            │ 2.9.17, 3.2.8, 4.5.2, 5.0.12 │ Vite dev server option `server.fs.deny` can be bypassed when │
│         │                │          │        │                   │                              │ hosted on case-insensitive...                                │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2024-23331                   │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────┴─────────────────────────────────

[knqyf263]

@nikpivkin Can you please add Bun to our doc with the note? Trivy works with bun install --yarn.

[SrBrahma]

@nikpivkin Many thanks!

I have a question as I don't know much about this:

This would require changing my bun's setup to also generated the yarn.lock. This is possible via the bunfig.toml file so I don't need to --yarn all the time, but I ain't sure if this is a good decision. By normally using the yarn.lock, this would for example, cause the famous big diffs in PRs due to the lock file. I can gitignore it, but not sure if it's good to just keep it being generated in the local machine. Actually I can't git ignore it, as if it isn't there, it won't be checked.

Trivy runs on its own container/dedicated job, so I don't see how to only do this yarn.lock generation only there. And even if I manage to do it, would all the data in both lock files be equivalent / 100% safe to be used?

[schewara]

I would also like to see bun support in trivy.

In addition I also created oven-sh/bun#8483, as SBOM support seems to be the preferred and best solution for integrations between tools.

I was just wondering what these custom properties, which are mentioned in the documentation are.

Passing SBOMs generated by tool other than Trivy may result in inaccurate detection because Trivy relies on custom properties in SBOM for accurate scanning.

Where could one find documentation about these?

[knqyf263]

Bun can generate yarn.lock from bun.lockb. You can generate it only when scanning your project and then delete it.
https://twitter.com/jarredsumner/status/1577356694476050432

Ideally, Trivy scans bun.lockb, but it is a binary format. It might be challenging to parse the file in Go.
oven-sh/bun#409

The official document also mentions yarn.lock generation to inspect Bun's lockfile. It is not that bad workaround for now.
https://bun.sh/docs/install/lockfile