Not sure if my scan is working

[rstaylor]

Question

I ran a scan of a java jar file using the following command:

trivy rootfs -d --scanners vuln pdfbox-app-1_7_1.jar

I cannot tell if this even ran successfully or if there were just no vulnerabilities. Here is the output generated from the command:

2025-02-19T14:52:02-05:00 DEBUG No plugins loaded
2025-02-19T14:52:02-05:00 DEBUG Default config file "file_path=trivy.yaml" not found, using built in values
2025-02-19T14:52:02-05:00 DEBUG Cache dir dir="/home/xxxx/.cache/trivy"
2025-02-19T14:52:02-05:00 DEBUG Cache dir dir="/home/xxxx/.cache/trivy"
2025-02-19T14:52:02-05:00 DEBUG Parsed severities severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-02-19T14:52:02-05:00 DEBUG Ignore statuses statuses=[]
2025-02-19T14:52:02-05:00 DEBUG DB update was skipped because the local DB is the latest
2025-02-19T14:52:02-05:00 DEBUG DB info schema=2 updated_at=2025-02-19T18:16:45.973719789Z next_update=2025-02-20T18:16:45.973718878Z downloaded_at=2025-02-19T19:32:16.42234678Z
2025-02-19T14:52:02-05:00 DEBUG [pkg] Package types types=[os library]
2025-02-19T14:52:02-05:00 DEBUG [pkg] Package relationships relationships=[unknown root workspace direct indirect]
2025-02-19T14:52:02-05:00 INFO [vuln] Vulnerability scanning is enabled
2025-02-19T14:52:02-05:00 DEBUG Initializing scan cache... type="memory"
2025-02-19T14:52:02-05:00 DEBUG [fs] Analyzing... root="pdfbox-app-1_7_1.jar"
2025-02-19T14:52:02-05:00 DEBUG [fs] Random cache key will be used err="failed to open git repository: stat /home/xxxx/yyyy/zzzz/pdfbox-app-1_7_1.jar/.git: not a directory"
2025-02-19T14:52:02-05:00 DEBUG [javadb] Java DB update was skipped because the local Java DB was downloaded during the last day
2025-02-19T14:52:02-05:00 DEBUG [jar] Parsing Java artifacts... file_path="pdfbox-app-1_7_1.jar"
2025-02-19T14:52:02-05:00 DEBUG [jar] No such POM in the central repositories file="pdfbox-app-1_7_1.jar"
2025-02-19T14:52:02-05:00 DEBUG OS is not detected.
2025-02-19T14:52:02-05:00 DEBUG Detected OS: unknown
2025-02-19T14:52:02-05:00 INFO Number of language-specific files num=1
2025-02-19T14:52:02-05:00 INFO [jar] Detecting vulnerabilities...
2025-02-19T14:52:02-05:00 DEBUG [jar] Scanning packages for vulnerabilities file_path=""
2025-02-19T14:52:02-05:00 DEBUG Specified ignore file does not exist file=".trivyignore"
2025-02-19T14:52:02-05:00 DEBUG [vex] VEX filtering is disabled

Target

Filesystem

Scanner

Vulnerability

Output Format

None

Mode

Standalone

Operating System

Ubuntu 24.04

Version

Version: 0.59.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-02-19 18:16:45.973719789 +0000 UTC
  NextUpdate: 2025-02-20 18:16:45.973718878 +0000 UTC
  DownloadedAt: 2025-02-19 19:32:16.42234678 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2025-02-14 02:24:51.921228254 +0000 UTC
  NextUpdate: 2025-02-17 02:24:51.921228094 +0000 UTC
  DownloadedAt: 2025-02-19 19:45:48.831551444 +0000 UTC

[DmitriyLewen]

Hello @rstaylor
Thanks for your interest to Trivy.

You can see all found packages using -f json --list-all-pkgs flags.

For table format we want to add summary table - #8177

Regards, Dmitriy