Trivy is not working properly with yarn workspaces #4633

Closed
1 of 2 tasks
afdesk opened this issue Jun 14, 2023 Discussed in #4632 · 2 comments · Fixed by #4664
Labels
kind/bug Categorizes issue or PR as related to a bug. scan/vulnerability Issues relating to vulnerability scanning

afdesk commented Jun 14, 2023

Discussed in #4632

Originally posted by nikpivkin June 14, 2023

Description

I scanned the project with yarn workspaces, but Trivy does not find vulnerabilities and dependencies. I created a repository to make it easier to reproduce.

trivy repository https://github.com/nikpivkin/yarn-workspace-test -d --skip-dirs .yarn --list-all-pkgs --format json
2023-06-14T16:42:06.184+0600	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-06-14T16:42:06.193+0600	DEBUG	cache dir:  /Users/tososomaru/Library/Caches/trivy
2023-06-14T16:42:06.193+0600	DEBUG	DB update was skipped because the local DB is the latest
2023-06-14T16:42:06.193+0600	DEBUG	DB Schema: 2, UpdatedAt: 2023-06-14 06:07:58.924834649 +0000 UTC, NextUpdate: 2023-06-14 12:07:58.924834249 +0000 UTC, DownloadedAt: 2023-06-14 07:32:46.162077 +0000 UTC
2023-06-14T16:42:06.193+0600	INFO	Vulnerability scanning is enabled
2023-06-14T16:42:06.193+0600	DEBUG	Vulnerability type:  [library]
2023-06-14T16:42:06.193+0600	INFO	Secret scanning is enabled
2023-06-14T16:42:06.193+0600	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-06-14T16:42:06.193+0600	INFO	Please see also https://aquasecurity.github.io/trivy/v0.42/docs/secret/scanning/#recommendation for faster secret detection
Enumerating objects: 43, done.
Counting objects: 100% (43/43), done.
Compressing objects: 100% (33/33), done.
Total 43 (delta 1), reused 43 (delta 1), pack-reused 0
2023-06-14T16:42:07.700+0600	DEBUG	No secret config detected: trivy-secret.yaml
2023-06-14T16:42:07.700+0600	DEBUG	Walk the file tree rooted at '/var/folders/08/9jn5k93x207g509y9zqk2b5m0000gn/T/fanal-remote972612926' in parallel
2023-06-14T16:42:07.723+0600	DEBUG	OS is not detected.
2023-06-14T16:42:07.723+0600	INFO	Number of language-specific files: 1
{
  "SchemaVersion": 2,
  "ArtifactName": "https://github.com/nikpivkin/yarn-workspace-test",
  "ArtifactType": "repository",
  "Metadata": {
    "ImageConfig": {
      "architecture": "",
      "created": "0001-01-01T00:00:00Z",
      "os": "",
      "rootfs": {
        "type": "",
        "diff_ids": null
      },
      "config": {}
    }
  }
}

When using workspaces, yarn creates yarn.lock only in the root of the monorepository. And since the package.json does not contain information about dependencies in workspaces, they are skipped.

If I skip package.json when scanning, then everything will be ok.

trivy repository https://github.com/nikpivkin/yarn-workspace-test -d --skip-dirs .yarn --list-all-pkgs --format json --skip-files package.json
2023-06-14T17:01:01.705+0600    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-06-14T17:01:01.713+0600    DEBUG   cache dir:  /Users/tososomaru/Library/Caches/trivy
2023-06-14T17:01:01.713+0600    DEBUG   DB update was skipped because the local DB is the latest
2023-06-14T17:01:01.713+0600    DEBUG   DB Schema: 2, UpdatedAt: 2023-06-14 06:07:58.924834649 +0000 UTC, NextUpdate: 2023-06-14 12:07:58.924834249 +0000 UTC, DownloadedAt: 2023-06-14 07:32:46.162077 +0000 UTC
2023-06-14T17:01:01.713+0600    INFO    Vulnerability scanning is enabled
2023-06-14T17:01:01.713+0600    DEBUG   Vulnerability type:  [library]
2023-06-14T17:01:01.713+0600    INFO    Secret scanning is enabled
2023-06-14T17:01:01.713+0600    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-06-14T17:01:01.713+0600    INFO    Please see also https://aquasecurity.github.io/trivy/v0.42/docs/secret/scanning/#recommendation for faster secret detection
Enumerating objects: 43, done.
Counting objects: 100% (43/43), done.
Compressing objects: 100% (33/33), done.
Total 43 (delta 1), reused 43 (delta 1), pack-reused 0
2023-06-14T17:01:03.268+0600    DEBUG   No secret config detected: trivy-secret.yaml
2023-06-14T17:01:03.268+0600    DEBUG   Walk the file tree rooted at '/var/folders/08/9jn5k93x207g509y9zqk2b5m0000gn/T/fanal-remote3630830649' in parallel
2023-06-14T17:01:03.268+0600    DEBUG   Skipping file: package.json
2023-06-14T17:01:03.276+0600    DEBUG   Yarn: package.json not found
2023-06-14T17:01:03.290+0600    DEBUG   OS is not detected.
2023-06-14T17:01:03.290+0600    INFO    Number of language-specific files: 1
2023-06-14T17:01:03.290+0600    INFO    Detecting yarn vulnerabilities...
2023-06-14T17:01:03.290+0600    DEBUG   Detecting library vulnerabilities, type: yarn, path: yarn.lock
{
  "SchemaVersion": 2,
  "ArtifactName": "https://github.com/nikpivkin/yarn-workspace-test",
  "ArtifactType": "repository",
  "Metadata": {
    "ImageConfig": {
      "architecture": "",
      "created": "0001-01-01T00:00:00Z",
      "os": "",
      "rootfs": {
        "type": "",
        "diff_ids": null
      },
      "config": {}
    }
  },
  "Results": [
    {
      "Target": "yarn.lock",
      "Class": "lang-pkgs",
      "Type": "yarn",
      "Packages": [
....

Desired Behavior

Dependencies will be detected

Actual Behavior

No dependencies found

Reproduction Steps

1. trivy repository https://github.com/nikpivkin/yarn-workspace-test -d --skip-dirs .yarn --list-all-pkgs --format json

Target

None

Scanner

None

Output Format

None

Mode

Standalone

Debug Output

See description

Operating System

macos

Version

trivy -v
Version: 0.42.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-06-14 06:07:58.924834649 +0000 UTC
  NextUpdate: 2023-06-14 12:07:58.924834249 +0000 UTC
  DownloadedAt: 2023-06-14 07:32:46.162077 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-06-13 00:57:25.356863883 +0000 UTC
  NextUpdate: 2023-06-16 00:57:25.356862983 +0000 UTC
  DownloadedAt: 2023-06-13 11:16:42.931853383 +0000 UTC
Policy Bundle:
  Digest: sha256:c38f14ef04a03dfa0cc25a587c7bf17482914233f26c8523a676a5dda633e6de
  DownloadedAt: 2023-04-30 15:22:30.964122 +0000 UTC

Checklist
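The root cause described in the report (a yarn workspace root whose package.json carries no dependencies, so a scanner that reads only the root manifest ends up with an empty direct-dependency set) as an added example, not Trivy's code or the fix from #4664. It assumes the array form of the "workspaces" field and uses hypothetical helper names (`directDeps`, `inWorkspace`) over a constructed in-memory monorepo:

```go
package main
import (
	"encoding/json"
	"path"
)
// Only the package.json fields this example needs. "workspaces" is assumed to be
// in array form, e.g. ["packages/*"], not yarn's {"packages": [...]} object form.
type packageJSON struct {
	Workspaces   []string          `json:"workspaces"`
	Dependencies map[string]string `json:"dependencies"`
}
// Constructed monorepo (path -> content), manifests only. As in the issue, the
// root package.json declares no dependencies of its own; only the workspaces do.
var repo = map[string]string{
	"package.json":              `{"private": true, "workspaces": ["packages/*"]}`,
	"packages/app/package.json": `{"name": "app", "dependencies": {"lodash": "^4.17.0"}}`,
	"packages/lib/package.json": `{"name": "lib", "dependencies": {"minimist": "^1.2.0"}}`,
}
// inWorkspace reports whether dir matches one of the root's workspace globs.
func inWorkspace(globs []string, dir string) bool {
	for _, glob := range globs {
		if ok, _ := path.Match(glob, dir); ok {
			return true
		}
	}
	return false
}
// directDeps returns the direct dependency names declared by the root package.json
// and, when withWorkspaces is true, by every package.json inside a workspace.
func directDeps(files map[string]string, withWorkspaces bool) (map[string]bool, error) {
	var root packageJSON
	if err := json.Unmarshal([]byte(files["package.json"]), &root); err != nil {
		return nil, err
	}
	seen := map[string]bool{}
	for file, content := range files {
		if file != "package.json" && !(withWorkspaces && inWorkspace(root.Workspaces, path.Dir(file))) {
			continue // a manifest outside any workspace, or workspace resolution disabled
		}
		var pkg packageJSON
		if err := json.Unmarshal([]byte(content), &pkg); err != nil {
			return nil, err
		}
		for name := range pkg.Dependencies {
			seen[name] = true
		}
	}
	return seen, nil
}
```

With `withWorkspaces` false the result is empty, which is exactly why the root-only scan above reports no packages even though yarn.lock lists them; with it true, the workspace manifests supply the names that yarn.lock entries can then be matched against.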

@afdesk afdesk added the kind/bug Categorizes issue or PR as related to a bug. label Jun 14, 2023
afdesk commented Jun 14, 2023

@nikpivkin could you try to fix it?

nikpivkin commented

@afdesk Yes, I'll try
