feat: split aggregated pkgs

pkg/report/table/table.go

@@ -7,15 +7,18 @@ import (
 	"os"
 	"runtime"
 	"slices"
+	"sort"
 	"strings"
 
+	"github.com/aquasecurity/trivy/pkg/scanner/langpkg"
 	"github.com/fatih/color"
 	"github.com/samber/lo"
 	"golang.org/x/xerrors"
 
 	"github.com/aquasecurity/table"
 	"github.com/aquasecurity/tml"
 	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
+	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
 	"github.com/aquasecurity/trivy/pkg/log"
 	"github.com/aquasecurity/trivy/pkg/types"
 	xstrings "github.com/aquasecurity/trivy/pkg/x/strings"
@@ -129,7 +132,7 @@ func (tw Writer) renderSummary(report types.Report) error {
 	t.SetHeaders(headers...)
 	t.SetAlignment(alignments...)
 
-	for _, result := range report.Results {
+	for _, result := range splitAggregatedPackages(report.Results) {
 		resultType := string(result.Type)
 		if result.Class == types.ClassSecret {
 			resultType = "text"
@@ -179,6 +182,69 @@ func (tw Writer) showEmptyResultsWarning() {
 	log.WithPrefix("report").Warn(strings.Join(warnStrings, " "))
 }
 
+// splitAggregatedPackages splits aggregated packages into different results with path as target.
+// Other results will be returned as is.
+func splitAggregatedPackages(results types.Results) types.Results {
+	var newResults types.Results
+
+	for _, result := range results {
+		if !slices.Contains(ftypes.AggregatingTypes, result.Type) &&
+			// License results from applications don't have `Type`.
+			(result.Class != types.ClassLicense || !slices.Contains(lo.Values(langpkg.PkgTargets), result.Target)) {
+			newResults = append(newResults, result)
+			continue
+		}
+
+		newResults = append(newResults, splitAggregatedVulns(result)...)
+		newResults = append(newResults, splitAggregatedLicenses(result)...)
+
+	}
+	return newResults
+}
+
+func splitAggregatedVulns(result types.Result) types.Results {
+	var newResults types.Results
+
+	vulns := make(map[string][]types.DetectedVulnerability)
+	for _, vuln := range result.Vulnerabilities {
+		pkgPath := rootJarFromPath(vuln.PkgPath)
+		vulns[pkgPath] = append(vulns[pkgPath], vuln)
+	}
+	for pkgPath, v := range vulns {
+		newResult := result
+		newResult.Target = lo.Ternary(pkgPath != "", pkgPath, result.Target)
+		newResult.Vulnerabilities = v
+
+		newResults = append(newResults, newResult)
+	}
+
+	sort.Slice(newResults, func(i, j int) bool {
+		return newResults[i].Target < newResults[j].Target
+	})
+	return newResults
+}
+
+func splitAggregatedLicenses(result types.Result) types.Results {
+	var newResults types.Results
+
+	licenses := make(map[string][]types.DetectedLicense)
+	for _, license := range result.Licenses {
+		licenses[license.FilePath] = append(licenses[license.FilePath], license)
+	}
+	for filePath, l := range licenses {
+		newResult := result
+		newResult.Target = lo.Ternary(filePath != "", filePath, result.Target)
+		newResult.Licenses = l
+
+		newResults = append(newResults, newResult)
+	}
+
+	sort.Slice(newResults, func(i, j int) bool {
+		return newResults[i].Target < newResults[j].Target
+	})
+	return newResults
+}
+
 func (tw Writer) write(result types.Result) {
 	if result.IsEmpty() && result.Class != types.ClassOSPkg {
 		return

pkg/report/table/table_private_test.go

@@ -28,7 +28,7 @@ var (
 			},
 		},
 	}
-	jarVuln = types.Result{
+	jarVulns = types.Result{
 		Target: "Java",
 		Class:  types.ClassLangPkg,
 		Type:   ftypes.Jar,
@@ -41,7 +41,35 @@ var (
 			{
 				VulnerabilityID: "CVE-2021-44832",
 				PkgName:         "org.apache.logging.log4j:log4j-core",
-				PkgPath:         "app/log4j-core-2.17.0.jar",
+				PkgPath:         "app/jackson-databind-2.13.4.1.jar/nested/app2/log4j-core-2.17.0.jar",
+			},
+		},
+	}
+
+	npmVulns = types.Result{
+		Target: "Node.js",
+		Class:  types.ClassLangPkg,
+		Type:   ftypes.NodePkg,
+		Vulnerabilities: []types.DetectedVulnerability{
+			{
+				VulnerabilityID: "CVE-2022-37601",
+				PkgName:         "loader-utils",
+				PkgPath:         "loader-utils/package.json",
+			},
+			{
+				VulnerabilityID: "CVE-2022-37599",
+				PkgName:         "loader-utils",
+				PkgPath:         "loader-utils/package.json",
+			},
+			{
+				VulnerabilityID: "CVE-2021-23566",
+				PkgName:         "nanoid",
+				PkgPath:         "nanoid/package.json",
+			},
+			{
+				VulnerabilityID: "CVE-2024-55565",
+				PkgName:         "nanoid",
+				PkgPath:         "nanoid/package.json",
 			},
 		},
 	}
@@ -88,6 +116,24 @@ var (
 		Target: "Java",
 		Class:  types.ClassLicense,
 	}
+
+	npmLicenses = types.Result{
+		Target: "Node.js",
+		Class:  types.ClassLicense,
+		Licenses: []types.DetectedLicense{
+			{
+				Name:     "MIT",
+				FilePath: "loader-utils/package.json",
+				Category: "notice",
+			},
+			{
+				Name:     "MIT",
+				FilePath: "nanoid/package.json",
+				Category: "notice",
+			},
+		},
+	}
+
 	fileLicense = types.Result{
 		Target: "Loose File License(s)",
 		Class:  types.ClassLicenseFile,
@@ -118,11 +164,13 @@ func Test_renderSummary(t *testing.T) {
 			report: types.Report{
 				Results: []types.Result{
 					osVuln,
-					jarVuln,
+					jarVulns,
+					npmVulns,
 					dockerfileMisconfig,
 					secret,
 					osLicense,
 					jarLicense,
+					npmLicenses,
 					fileLicense,
 				},
 			},
@@ -132,23 +180,29 @@ Report Summary
 Legend:
 - '-': Not scanned
 - '0': Clean (no security findings detected)
-┌───────────────────────┬────────────┬─────────────────┬───────────────────┬─────────┬──────────┐
-│        Target         │    Type    │ Vulnerabilities │ Misconfigurations │ Secrets │ Licenses │
-├───────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
-│ test (alpine 3.20.3)  │   alpine   │        2        │         -         │    -    │    -     │
-├───────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
-│ Java                  │    jar     │        2        │         -         │    -    │    -     │
-├───────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
-│ app/Dockerfile        │ dockerfile │        -        │         2         │    -    │    -     │
-├───────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
-│ requirements.txt      │    text    │        -        │         -         │    1    │    -     │
-├───────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
-│ OS Packages           │     -      │        -        │         -         │    -    │    1     │
-├───────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
-│ Java                  │     -      │        -        │         -         │    -    │    0     │
-├───────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
-│ Loose File License(s) │     -      │        -        │         -         │    -    │    1     │
-└───────────────────────┴────────────┴─────────────────┴───────────────────┴─────────┴──────────┘
+┌───────────────────────────────────┬────────────┬─────────────────┬───────────────────┬─────────┬──────────┐
+│              Target               │    Type    │ Vulnerabilities │ Misconfigurations │ Secrets │ Licenses │
+├───────────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
+│ test (alpine 3.20.3)              │   alpine   │        2        │         -         │    -    │    -     │
+├───────────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
+│ app/jackson-databind-2.13.4.1.jar │    jar     │        2        │         -         │    -    │    -     │
+├───────────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
+│ loader-utils/package.json         │  node-pkg  │        2        │         -         │    -    │    -     │
+├───────────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
+│ nanoid/package.json               │  node-pkg  │        2        │         -         │    -    │    -     │
+├───────────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
+│ app/Dockerfile                    │ dockerfile │        -        │         2         │    -    │    -     │
+├───────────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
+│ requirements.txt                  │    text    │        -        │         -         │    1    │    -     │
+├───────────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
+│ OS Packages                       │     -      │        -        │         -         │    -    │    1     │
+├───────────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
+│ loader-utils/package.json         │     -      │        -        │         -         │    -    │    1     │
+├───────────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
+│ nanoid/package.json               │     -      │        -        │         -         │    -    │    1     │
+├───────────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┼──────────┤
+│ Loose File License(s)             │     -      │        -        │         -         │    -    │    1     │
+└───────────────────────────────────┴────────────┴─────────────────┴───────────────────┴─────────┴──────────┘
 `,
 		},
 		{
@@ -159,7 +213,7 @@ Legend:
 			report: types.Report{
 				Results: []types.Result{
 					osVuln,
-					jarVuln,
+					jarVulns,
 				},
 			},
 			want: `
@@ -168,13 +222,13 @@ Report Summary
 Legend:
 - '-': Not scanned
 - '0': Clean (no security findings detected)
-┌──────────────────────┬────────┬─────────────────┐
-│        Target        │  Type  │ Vulnerabilities │
-├──────────────────────┼────────┼─────────────────┤
-│ test (alpine 3.20.3) │ alpine │        2        │
-├──────────────────────┼────────┼─────────────────┤
-│ Java                 │  jar   │        2        │
-└──────────────────────┴────────┴─────────────────┘
+┌───────────────────────────────────┬────────┬─────────────────┐
+│              Target               │  Type  │ Vulnerabilities │
+├───────────────────────────────────┼────────┼─────────────────┤
+│ test (alpine 3.20.3)              │ alpine │        2        │
+├───────────────────────────────────┼────────┼─────────────────┤
+│ app/jackson-databind-2.13.4.1.jar │  jar   │        2        │
+└───────────────────────────────────┴────────┴─────────────────┘
 `,
 		},
 		{

pkg/report/table/table_test.go

@@ -58,6 +58,9 @@ func TestWriter_Write(t *testing.T) {
 			wantOutput: `
 Report Summary
 
+Legend:
+- '-': Not scanned
+- '0': Clean (no security findings detected)
 ┌────────┬──────┬─────────────────┐
 │ Target │ Type │ Vulnerabilities │
 ├────────┼──────┼─────────────────┤
@@ -91,6 +94,9 @@ Total: 1 (MEDIUM: 0, HIGH: 1)
 			wantOutput: `
 Report Summary
 
+Legend:
+- '-': Not scanned
+- '0': Clean (no security findings detected)
 ┌────────┬──────┬─────────────────┐
 │ Target │ Type │ Vulnerabilities │
 ├────────┼──────┼─────────────────┤

pkg/report/table/vulnerability.go

@@ -139,8 +139,6 @@ func (r *vulnerabilityRenderer) setVulnerabilityRows(tw *table.Table, vulns []ty
 	for _, v := range vulns {
 		lib := v.PkgName
 		if v.PkgPath != "" {
-			// get path to root jar
-			// for other languages return unchanged path
 			pkgPath := rootJarFromPath(v.PkgPath)
 			fileName := filepath.Base(pkgPath)
 			lib = fmt.Sprintf("%s (%s)", v.PkgName, fileName)
@@ -373,6 +371,8 @@ var jarExtensions = []string{
 	".ear",
 }
 
+// rootJarFromPath returns path to root jar.
+// For other languages return unchanged path
 func rootJarFromPath(path string) string {
 	// File paths are always forward-slashed in Trivy
 	paths := strings.Split(path, "/")