Trivy does not find OS packages when scanning fs in cyclonedx format

[Bonifats]

Description

Hi!

Thank you very much for your work on Trivy development.

After upgrading to version 0.64.1 from 0.63.0, I found that when creating SBOM from a file system with a relative path (not from the root, but for example from a custom folder test-root/), Trivy does not find OS packages. The reason is how the file path is now passed filePath = path.Join(relativePath, filePath) here

trivy/pkg/fanal/artifact/local/fs.go

Line 276 in 86ee3c1

filePath = path.Join(relativePath, filePath)

// analyzeWithTraversal analyzes files by traversing the entire filesystem
func (a Artifact) analyzeWithTraversal(ctx context.Context, root, relativePath string, wg *sync.WaitGroup, limit *semaphore.Weighted,
	result *analyzer.AnalysisResult, composite *analyzer.CompositeFS, opts analyzer.AnalysisOptions) error {

	return a.walker.Walk(filepath.Join(root, relativePath), a.artifactOption.WalkerOption, func(filePath string, info os.FileInfo, opener analyzer.Opener) error {
		filePath = path.Join(relativePath, filePath)
		if err := a.analyzer.AnalyzeFile(ctx, wg, limit, result, root, filePath, info, opener, nil, opts); err != nil {
			return xerrors.Errorf("analyze file (%s): %w", filePath, err)
		}

		// Skip post analysis if the file is not required
		analyzerTypes := a.analyzer.RequiredPostAnalyzers(filePath, info)
		if len(analyzerTypes) == 0 {
			return nil
		}

		// Build filesystem for post analysis
		if err := composite.CreateLink(analyzerTypes, root, filePath, filepath.Join(root, filePath)); err != nil {
			return xerrors.Errorf("failed to create link: %w", err)
		}

		return nil
	})
}

Because of this, the a.Required() condition does not work in the methods a.analyzer.AnalyzeFile and a.analyzer.RequiredPostAnalyzers.

As I understand it, the correct way would be to do it like this:

// analyzeWithTraversal analyzes files by traversing the entire filesystem
func (a Artifact) analyzeWithTraversal(ctx context.Context, root, relativePath string, wg *sync.WaitGroup, limit *semaphore.Weighted,
	result *analyzer.AnalysisResult, composite *analyzer.CompositeFS, opts analyzer.AnalysisOptions) error {

	return a.walker.Walk(filepath.Join(root, relativePath), a.artifactOption.WalkerOption, func(filePath string, info os.FileInfo, opener analyzer.Opener) error {
		if err := a.analyzer.AnalyzeFile(ctx, wg, limit, result, root, filePath, info, opener, nil, opts); err != nil {
			return xerrors.Errorf("analyze file (%s): %w", filePath, err)
		}

		// Skip post analysis if the file is not required
		analyzerTypes := a.analyzer.RequiredPostAnalyzers(filePath, info)
		if len(analyzerTypes) == 0 {
			return nil
		}

		// Build filesystem for post analysis
		if err := composite.CreateLink(analyzerTypes, root, filePath, filepath.Join(root, relativePath, filePath)); err != nil {
			return xerrors.Errorf("failed to create link: %w", err)
		}

		return nil
	})
}

Desired Behavior

For methods a.analyzer.AnalyzeFile and a.analyzer.RequiredPostAnalyzers filePath must be like var/lib/dpkg/available

Actual Behavior

For methods a.analyzer.AnalyzeFile and a.analyzer.RequiredPostAnalyzers filePath will be like test-root/var/lib/dpkg/available

Reproduction Steps

1. Just copy files from ubuntu docker image to /Users/{{my_user}}/Downloads/test-root
2. Run trivy `trivy --format cyclonedx fs /Users/{{my_user}}/Downloads/test-root --pkg-types os -d`

Target

Filesystem

Scanner

None

Output Format

CycloneDX

Mode

Standalone

Debug Output

2025-07-23T00:36:33+04:00	DEBUG	No plugins loaded
2025-07-23T00:36:33+04:00	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2025-07-23T00:36:33+04:00	DEBUG	Cache dir	dir="/Users/{{my_user}}/Library/Caches/trivy"
2025-07-23T00:36:33+04:00	DEBUG	Cache dir	dir="/Users/{{my_user}}/Library/Caches/trivy"
2025-07-23T00:36:33+04:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-07-23T00:36:33+04:00	DEBUG	Ignore statuses	statuses=[]
2025-07-23T00:36:33+04:00	INFO	"--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the "cyclonedx" report.
2025-07-23T00:36:33+04:00	DEBUG	[pkg] Package types	types=[os]
2025-07-23T00:36:33+04:00	DEBUG	[pkg] Package relationships	relationships=[unknown root workspace direct indirect]
2025-07-23T00:36:33+04:00	DEBUG	[notification] Running version check
2025-07-23T00:36:33+04:00	DEBUG	Initializing scan cache...	type="memory"
2025-07-23T00:36:33+04:00	DEBUG	[fs] Analyzing...	root="/Users/{{my_user}}/Downloads/test-root"
2025-07-23T00:36:33+04:00	DEBUG	Skipping path	path="dev"
2025-07-23T00:36:33+04:00	DEBUG	Skipping path	path="proc"
2025-07-23T00:36:33+04:00	DEBUG	Skipping path	path="run"
2025-07-23T00:36:33+04:00	DEBUG	Skipping path	path="sys"
2025-07-23T00:36:33+04:00	DEBUG	[notification] Version check completed	latest_version="0.64.1"
2025-07-23T00:36:33+04:00	DEBUG	OS is not detected.
2025-07-23T00:36:33+04:00	DEBUG	Detected OS: unknown
2025-07-23T00:36:33+04:00	DEBUG	Specified ignore file does not exist	file=".trivyignore"
2025-07-23T00:36:33+04:00	DEBUG	[vex] VEX filtering is disabled
{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:6256e6f5-66e4-4cd5-ab15-e789b160fe07",
  "version": 1,
  "metadata": {
    "timestamp": "2025-07-22T20:36:33+00:00",
    "tools": {
      "components": [
        {
          "type": "application",
          "manufacturer": {
            "name": "Aqua Security Software Ltd."
          },
          "group": "aquasecurity",
          "name": "trivy",
          "version": "0.64.1"
        }
      ]
    },
    "component": {
      "bom-ref": "efce83c5-6cc1-40e9-881f-045f393b5dc0",
      "type": "application",
      "name": "d08c916774c5",
      "properties": [
        {
          "name": "aquasecurity:trivy:SchemaVersion",
          "value": "2"
        }
      ]
    }
  },
  "components": [],
  "dependencies": [
    {
      "ref": "efce83c5-6cc1-40e9-881f-045f393b5dc0",
      "dependsOn": []
    }
  ],
  "vulnerabilities": []
}

Operating System

macOS 15.5 (24F74)

Version

0.64.1

Checklist

• Run trivy clean --all
• Read the troubleshooting

[DmitriyLewen]

Hello @Bonifats
Thanks for your report!

Perhaps your test-root dir contains extra nested dirs?
It works for me:

➜ tree
.
└── test
    └── var
        └── lib
            └── dpkg
                └── status

5 directories, 1 file
➜ trivy -q fs ./test -f cyclonedx | jq '.components[1]'
{
  "bom-ref": "38e8cc49-5053-4aee-8f01-722434ec8f09",
  "type": "operating-system",
  "name": "none",
  "properties": [
    {
      "name": "aquasecurity:trivy:Class",
      "value": "os-pkgs"
    },
    {
      "name": "aquasecurity:trivy:Type",
      "value": "none"
    }
  ]
}

[Bonifats]

Hello @DmitriyLewen

Thanks for reply!

I used the docker cp command to copy the entire file structure of the ubuntu 24.04 container to my computer and ran Trivy with the path to the folder I copied it to /Users/{{my_user}}/Downloads/test-root

Can the result depend on the format in which the path is passed? Full path I mean.

[DmitriyLewen]

➜ docker ps
CONTAINER ID   IMAGE          COMMAND       CREATED          STATUS          PORTS     NAMES
adcfa4fb99f5   ubuntu:24.04   "/bin/bash"   17 seconds ago   Up 16 seconds             nifty_bassi
➜ docker cp adcfa4fb99f5:/ ./ubuntu/
Successfully copied 103MB to /Users/dmitriy/work/tmp/9238/ubuntu/
➜ ls -ahl ./ubuntu
total 0
drwxr-xr-x@ 21 dmitriy  staff   672B 25 июл 14:53 .
drwxr-xr-x@  4 dmitriy  staff   128B 25 июл 14:52 ..
-rwxr-xr-x@  1 dmitriy  staff     0B 25 июл 14:52 .dockerenv
lrwxr-xr-x@  1 dmitriy  staff     7B 25 июл 14:53 bin -> usr/bin
drwxr-xr-x@  2 dmitriy  staff    64B 22 апр  2024 boot
drwxr-xr-x@  5 dmitriy  staff   160B 25 июл 14:52 dev
drwxr-xr-x@ 77 dmitriy  staff   2,4K 25 июл 14:52 etc
drwxr-xr-x@  3 dmitriy  staff    96B 14 июл 20:11 home
lrwxr-xr-x@  1 dmitriy  staff     7B 25 июл 14:53 lib -> usr/lib
drwxr-xr-x@  2 dmitriy  staff    64B 14 июл 20:04 media
drwxr-xr-x@  2 dmitriy  staff    64B 14 июл 20:04 mnt
drwxr-xr-x@  2 dmitriy  staff    64B 14 июл 20:04 opt
drwxr-xr-x@  2 dmitriy  staff    64B 22 апр  2024 proc
drwx------@  4 dmitriy  staff   128B 14 июл 20:11 root
drwxr-xr-x@  4 dmitriy  staff   128B 14 июл 20:11 run
lrwxr-xr-x@  1 dmitriy  staff     8B 25 июл 14:53 sbin -> usr/sbin
drwxr-xr-x@  2 dmitriy  staff    64B 14 июл 20:04 srv
drwxr-xr-x@  2 dmitriy  staff    64B 22 апр  2024 sys
drwxrwxrwt@  2 dmitriy  staff    64B 14 июл 20:11 tmp
drwxr-xr-x@ 11 dmitriy  staff   352B 14 июл 20:04 usr
drwxr-xr-x@ 13 dmitriy  staff   416B 14 июл 20:11 var
➜ trivy -q fs ./ubuntu -f cyclonedx | jq '.components[1]'  
{
  "bom-ref": "pkg:deb/ubuntu/[email protected]?arch=arm64&distro=ubuntu-24.04",
  "type": "library",
  "supplier": {
    "name": "Ubuntu Developers <[email protected]>"
  },
  "name": "apt",
  "version": "2.8.3",
  "licenses": [
    {
      "license": {
        "name": "GPL-2.0-or-later"
      }
    },
    {
      "license": {
        "name": "GPL-2.0-only"
      }
    },
    {
      "license": {
        "name": "BSD-3-Clause"
      }
    },
    {
      "license": {
        "name": "MIT"
      }
    }
  ],
  "purl": "pkg:deb/ubuntu/[email protected]?arch=arm64&distro=ubuntu-24.04",
  "properties": [
    {
      "name": "aquasecurity:trivy:PkgID",
      "value": "[email protected]"
    },
    {
      "name": "aquasecurity:trivy:PkgType",
      "value": "ubuntu"
    },
    {
      "name": "aquasecurity:trivy:SrcName",
      "value": "apt"
    },
    {
      "name": "aquasecurity:trivy:SrcVersion",
      "value": "2.8.3"
    }
  ]
}

[Bonifats]

Could you please try trivy -q fs /Users/dmitriy/work/tmp/9238/ubuntu/ -f cyclonedx --pkg-types os -d?

[DmitriyLewen]

➜ trivy -q fs /Users/dmitriy/work/tmp/9238/ubuntu/ -f cyclonedx --pkg-types os --scanners vuln | jq '.components[1]'
{
  "bom-ref": "pkg:deb/ubuntu/[email protected]?arch=arm64&distro=ubuntu-24.04",
  "type": "library",
  "supplier": {
    "name": "Ubuntu Developers <[email protected]>"
  },
  "name": "apt",
  "version": "2.8.3",
  "licenses": [
    {
      "license": {
        "name": "GPL-2.0-or-later"
      }
    },
    {
      "license": {
        "name": "GPL-2.0-only"
      }
    },
    {
      "license": {
        "name": "BSD-3-Clause"
      }
    },
    {
      "license": {
        "name": "MIT"
      }
    }
  ],
  "purl": "pkg:deb/ubuntu/[email protected]?arch=arm64&distro=ubuntu-24.04",
  "properties": [
    {
      "name": "aquasecurity:trivy:PkgID",
      "value": "[email protected]"
    },
    {
      "name": "aquasecurity:trivy:PkgType",
      "value": "ubuntu"
    },
    {
      "name": "aquasecurity:trivy:SrcName",
      "value": "apt"
    },
    {
      "name": "aquasecurity:trivy:SrcVersion",
      "value": "2.8.3"
    }
  ]
}

[Bonifats]

Ok, I figured it out. Sorry for the bug, my mistake.