feat(contrib/trivy): preserve JAR Digest in Library conversion#2535
Draft
feat(contrib/trivy): preserve JAR Digest in Library conversion#2535
Conversation
Trivy's `ftypes.Package.Digest` carries the SHA-1 hash for JAR files (set by Trivy's java jar analyzer alongside its own Maven Central canonicalization). The trivy-to-vuls converter was the last hop in this chain that already received Digest in its input but dropped it when constructing models.Library, leaving downstream consumers (e.g. the vuls-saas catalog enrichment pipelines, FutureVuls supply-chain verification) without access to the hash. The Vuls native LibraryScanner path already preserves Digest at scanner/library.go convertLibWithScanner. This change brings the contrib converter to the same level so all three intake paths (LibraryScanner, contrib/trivy, SBOM ingestion in downstream consumers) can rely on Digest being present whenever Trivy supplied it. Test: - New TestConvert/JAR_digest_is_preserved_into_models.Library covers the ClassLangPkg branch with a representative log4j-core sha1. - The vulnerability-derived branch (line 167-172) still has no Digest source on types.DetectedVulnerability, so it remains unchanged; the flatten/unique loop deduplicates by Name+Version so Package-derived entries (with Digest) win when both branches produce the same lib.
Contributor
There was a problem hiding this comment.
Pull request overview
Updates the Trivy JSON → Vuls models.ScanResult converter to preserve Trivy-provided JAR SHA-1 digests in models.Library, aligning the contrib trivy-to-vuls path with the native LibraryScanner behavior so downstream consumers can reliably use artifact hashes.
Changes:
- Preserve
ftypes.Package.Digestwhen convertingClassLangPkgpackages intomodels.Library. - Add a unit test ensuring a JAR package’s
Digestflows through conversion into the outputLibrary.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| contrib/trivy/pkg/converter.go | Threads Package.Digest into models.Library.Digest for language package conversion. |
| contrib/trivy/pkg/converter_test.go | Adds a regression test for JAR digest preservation in conversion output. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
shino
reviewed
May 1, 2026
Collaborator
shino
left a comment
shino
left a comment
There was a problem hiding this comment.
Trivy does not include SHA1 (or other JAR file's digests) in its result. PR to Trivy will improve the situation.
This PR diff looks nice but I leave it as open because it makes no actual difference.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
contrib/trivy/pkg/converter.goconverts Trivy native JSON into Vuls'smodels.ScanResult. For language packages (types.ClassLangPkg), it constructsmodels.Libraryfrom each inputftypes.Package:Trivy's java jar analyzer (
pkg/fanal/analyzer/language/java/jar/jar.go) setsftypes.Package.Digestto the JAR's SHA-1 hash ("sha1:<hex>") when scanning JAR files. The native Vuls LibraryScanner path already preserves this onmodels.Library.Digestatscanner/library.go:The contrib converter was the last hop that received the Digest in its input but discarded it. Any consumer that takes Vuls's ScanResult JSON via the
trivy-to-vulsroute (rather than the native LibraryScanner path) loses access to the hash.Why it matters
JAR SHA-1 has multiple downstream uses, all currently disabled for
trivy-to-vuls-derived ScanResult JSON:https://search.maven.org/solrsearch/select?q=1:<sha1>deterministically resolves a SHA-1 to(groupId, artifactId, version). Useful when an input PURL came in groupId-less from a different SBOM tool that the consumer is correlating against.The Vuls LibraryScanner path supports all of these because it preserves Digest. The
trivy-to-vulspath silently doesn't.Fix
One field on the
models.Librarystruct literal:The vulnerability-derived
Libraryconstruction at line 167-172 has no Digest source ontypes.DetectedVulnerabilityand is left unchanged; theflatten and unique librariesloop at line 277 deduplicates byName+Version, so when the same library appears in bothVulnerabilitiesandPackages, the Package-derived entry (with Digest) wins.Test
New
TestConvert/JAR_digest_is_preserved_into_models.LibraryexercisesClassLangPkgwith alog4j-corepackage carrying a representative SHA-1 and asserts the digest flows through to the outputLibrary.go test ./contrib/...andgo vet ./contrib/...pass.Compatibility
Package.Digestfor npm/gem/pypi/etc., sostring("") == ""andLibrary.Digeststays empty.Library.Digest— the field already existed; this only populates it.Related
improveJARInfoupdates Name/Version but not PURL after SHA-1 canonicalization).