Generating a Single Interactive Report and Loading multiple Trivy JSON Reports in 'scan2html'

[rajeev-cs]

Hi Team,

I am currently using the scan2html plugin in my GitLab CI/CD pipeline.

The script iterates over the scan targets (config, image, fs) and formats (json, cyclonedx, spdx, template), running Trivy scans and generating reports.
Generates SBOM reports with trivy sbom and uses the scan2html plugin to create HTML reports.
Artifacts are saved for review, to generate SBOM reports in HTML format. The plugin works well, but I have a few feature requests that would greatly enhance its functionality.

1. Single Interactive Report:

It would be beneficial to have an option to generate a single interactive report that consolidates all scans (vulnerabilities, misconfigurations, licenses) into one view, making it easier to navigate and review the results.

2. Loading multiple Trivy JSON Reports:

Currently, I can see there is an option to load only 1 JSON report. The SBOM HTML report generated by scan2html could be improved by adding an option to load a multiple Trivy JSON reports. This feature would allow users to display all vulnerabilities, misconfigurations, and secrets within the interactive HTML report.
These features would streamline the reporting process and make it easier for teams to analyze scan results comprehensively.

Thank you for considering these enhancements!

[fatihtokus]

Hi @rajeev-cs ,

I am glad to hear that you are using the plugin. There was a request for your first point which we addressed couple of months ago(#56).
Basically, you can do your scans and create the json reports via trivy. Then you can pass all the reports as URL parameters to an empty scan2html.html report i.e. scan2html-empty-report.html?reportUrls=https://fatih.tokus.gitlab.io/-/scan2html-test/-/jobs/7043916517/artifacts/vulns.json&reportUrls=https://fatih.tokus.gitlab.io/-/scan2html-test/-/jobs/7043916517/artifacts/secrets.json

Give it a try and let us know what you think.

2. We can consider allowing uploading of multiple reports. But as you expect it will not be saved anywhere, so the report will be emptied when the browser is refreshed. Ideal solution would be having the report/ui as a web app and storing all the reports to some environments (a repo, file system, database). What do you think guys, @rajeev-cs , @yreddy-CS?

[stealthrabbi]

It would be very beneficial if the report could be sourced from multiple trivy scans. I want to do a file system scan, an image vulnerability scan, and a SBOM generation. The report output seems to indicate that multiple data are supported, but it seems like it can only support one. I understand that this includes multiple trivy scans, but having a way to import multiple json files as input would make this report much more useful than providing multiple small reports where only 1 tab is filled out.

[stealthrabbi]

That would be excellent, @fatihtokus . I will anxiously await the update!

[yreddy-CS]

ok, we will add a new feature that allows generating a single unified report from multiple trivy json reports. Something like below:

trivy scan2html generate single_unified_report.html from sbom.json k8s.json ...

@stealthrabbi , @rajeev-cs , @MirekSz will this satisfy your need?

This is excellent. Thank you for considering it for development as a feature

[fatihtokus]

@stealthrabbi , @rajeev-cs , @MirekSz, good news for you guys. this feature is released. Please try and let me know what you think.

The usage: trivy scan2html generate single_unified_report.html from sbom.json k8s.json ...

[yreddy-CS]

@fatihtokus Thank you for adding this as a feature.
Just a clarification needed.
This new feature supports only json(or files of same format) or can there be a mix of formats(Ex: trivy scan2html generate single_unified_report.html from sbom.spdx k8s.json)

[fatihtokus]

all the reports must be in JSON format, will update readme.

[stealthrabbi]

Thank you for adding this feature.

I tried generating a single report from a cyclonedx json file and a JSON image scan json, and the resulting HTML only has the vulnerabilities, and not the SBOM content

[stealthrabbi]

Oh I see, I had to generate the spdx sbom in spdx-json format specifically, e.g.

trivy image --format spdx-json [image] sbom.sbdx.json

[stealthrabbi]

I would suggest updating the readme to include how to use this new feature. It's great!

[fatihtokus]

all the reports must be in JSON format, will update readme