Add full report data structure for templates

[carsongee]

I'd like to use additional types.Report data in my templates, currently available only in the JSON report. In particular, ArtifactName. It seems that template.go only renders from Results:

trivy/pkg/report/template.go

Line 75 in 79a1ba3

err := tw.Template.Execute(tw.Output, report.Results)

while JSON takes the full data structure:

trivy/pkg/report/json.go

Line 20 in 79a1ba3

output, err := json.MarshalIndent(report, "", " ")

Can we change the template.go report to include the full types.Report data? I'd happily do the work and refactor the existing contrib templates. I know this would have some backward compatibility issues, so I understand if the project prefers to keep it as is. Thanks!

[knqyf263]

Thanks for your suggestion. Yes, it brings breaking change and will be a big impact. We were not sure how many users needed metadata in templates, and wondering if it was worth causing confusion. Can we hold it for a while and see the demand from the community?

[carsongee]

Yep! I understand, and I'm comfortable with that approach. Our primary use case is collating multiple scans of artifact bundles when scanning Helm charts for example. We can continue to do that with external tooling.

Additionally, the current HTML template uses an awkward 0-index into Targets to title the report that would likely make more sense as the Artifact Name:

trivy/contrib/html.tpl

Line 85 in 914c6f0

<h1>{{- escapeXML ( index . 0 ).Target }} - Trivy Report - {{ now }}</h1>

. That can be fixed moving the Target into the results and having a generic report title though.

As I see it, nothing critical at this point requires it, but I see it getting harder and harder to make this type of change as the project matures if it is ever desired. Regardless, thanks for your consideration and the great project!

[nicholasdille]

I am hitting a similar bump here when using templating to create a report for SonarQube.

The existing template (https://github.com/mendhak/trivy-template-output-to-sonarqube) uses .Target to populate .issues[].primaryLocation.filePath. When the SonarQube scanner attempt to import the generated report, it fails because the file does not exists.

I patched the generated report to double-check this. Without the suffix, SonarQube accepts the report because the filename matches an existing file. The contents of .Target seem to come from pkg/scanner/ospkg/scan.go#L69.

My suggestion would be to add a new field in pkg/types/report.go#L71 holding the name of the artifact.

[fatihtokus]

Hi @carsongee , @nicholasdille

I have a trivy plugin(https://github.com/fatihtokus/scan2html) that creates a well-formated filterable/sortable html report for any scan result of trivy. The usage is very simple, please have a look:

Install the plugin: $ trivy plugin install github.com/fatihtokus/scan2html
$ trivy scan2html k8s --report=all cluster result.html

Regards!

[FideliusFalcon]

I've ended up here trying to include "artifactName" in my template, but it seems that this field is located in "types.Report" - Is there a fix for this?

[sjames-au]

Found my way here too. I was exploring trivy to replace some reports I archive for audits. I generate a report which they prefer reviewing, providing them metadata about the report is helpful making their experience auditing us positive. I'm basically using another language so I can have that meta data in the reports.

[itaysk]

while I think the original request is legitimate, I just want to add that there's an alternative solution using output plugin