git CLI output mangles stdout when output format is supposed to be JSON during repository scans

[therealpxc]

Description

trivy repository --format cyclonedx ... <URI> is not usable in shell pipelines.

Desired Behavior

When a --format option is set, all that appears on stdout should be parseable as a valid entity in that format.

Actual Behavior

Even when a --format option is set, git command line output and other messages end up in stdout, so stdout doesn't parse in the specified format.

Reproduction Steps

In a Git repository (an empty one if you like, doesn't matter), compare the output of

trivy filesystem --format cyclonedx --scanners vuln . | jq >/dev/null && echo success || echo failure

(which works correctly) to the output of

trivy repository --format cyclonedx --scanners vuln file://. | jq >/dev/null && echo success || echo failure

which fails because jq can't parse stdout, which is not valid json on account of containing errant git output.

You can observe the same thing with actually-remote git repos, too; it just takes longer:

trivy repository --format cyclonedx --scanners vuln https://github.com/aquasecurity/trivy.git | jq >/dev/null && echo success || echo failure

Target

Git Repository

Scanner

Vulnerability

Output Format

None

Mode

Standalone

Debug Output

❯ trivy repository --format cyclonedx --scanners vuln file://. --debug | jq
2024-09-18T15:26:30-07:00	DEBUG	Cache dir	dir="/Users/patcal04/Library/Caches/trivy"
2024-09-18T15:26:30-07:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-09-18T15:26:30-07:00	DEBUG	Ignore statuses	statuses=[]
2024-09-18T15:26:30-07:00	DEBUG	DB update was skipped because the local DB is the latest
2024-09-18T15:26:30-07:00	DEBUG	DB info	schema=2 updated_at=2024-09-18T18:13:21.187484554Z next_update=2024-09-19T00:13:21.187484163Z downloaded_at=2024-09-18T20:24:17.597058Z
2024-09-18T15:26:30-07:00	INFO	Vulnerability scanning is enabled
2024-09-18T15:26:30-07:00	DEBUG	Vulnerability type	type=[library]
2024-09-18T15:26:30-07:00	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-09-18T15:26:30-07:00	DEBUG	Initializing scan cache...	type="memory"
jq: parse error: Invalid numeric literal at line 1, column 12

Operating System

macOS Sonoma

Version

❯ trivy --version
Version: dev
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-09-18 18:13:21.187484554 +0000 UTC
  NextUpdate: 2024-09-19 00:13:21.187484163 +0000 UTC
  DownloadedAt: 2024-09-18 20:24:17.597058 +0000 UTC

❯ realpath (which trivy)
/nix/store/llf8zg8x45jkpsqdx9z1288dzaz80mp5-trivy-0.53.0/bin/trivy

Checklist

• Run trivy clean --all
• Read the troubleshooting

[knqyf263]

Thanks. Created #7547