
HTML report doesn't contain JAR name #1246

Closed
szpak opened this issue Sep 20, 2021 · 2 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments


szpak commented Sep 20, 2021

Description

The provided HTML report doesn't provide information about JAR name where vulnerabilities are found. It can be problematic to understand the report in that form.

What did you expect to happen?

(screenshot attached in the original issue)

What happened instead?

(screenshot attached in the original issue)

Output of run with -debug:

I will provide it if really needed.

Output of trivy -v:

Version: 0.19.2
Vulnerability DB:
  Type: Light
  Version: 1
  UpdatedAt: 2021-09-20 06:05:50.061173292 +0000 UTC
  NextUpdate: 2021-09-20 12:05:50.061172992 +0000 UTC
  DownloadedAt: 2021-09-20 09:36:47.339817189 +0000 UTC

Additional details (base image name, container registry info...):

With html.tpl downloaded from current master.

trivy image --format template --template "@html.tpl" -o report2.html registry.gitlab.com/cryptocurrency-exchange/infra/tools-machine:ubuntu20-04

Possible solution

A quick fix is to replace:

  <tr class="group-header"><th colspan="6">{{ escapeXML .Type }}</th></tr>

with:

  <tr class="group-header"><th colspan="6">{{ escapeXML .Type }} - {{ escapeXML .Target }}</th></tr>

in html.tpl.

However, a target can be quite long and it could be displayed with some smaller font. A person with some CSS skill could suggest something.

szpak added the kind/bug label Sep 20, 2021
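The template change proposed above, carried through end to end as an added example (this is not Trivy's own html.tpl or code). It renders a two-JAR report with the original group header and with the fixed one that appends `{{ escapeXML .Target }}`, using Go's text/template as Trivy does. Assumptions: the `Result` and `Vulnerability` structs are a constructed subset of Trivy's report types, and Trivy's `escapeXML` helper is emulated with `html.EscapeString`; the sample data, including the placeholder CVE ids, is constructed.

```go
package main

import (
	"bytes"
	"fmt"
	"html"
	"text/template"
)

// Result is a constructed subset of a Trivy scan result: only the fields
// that the html.tpl group header and rows use (assumption; the real struct has more).
type Result struct {
	Target          string
	Type            string
	Vulnerabilities []Vulnerability
}

// Vulnerability is likewise a constructed subset of Trivy's vulnerability record.
type Vulnerability struct {
	VulnerabilityID  string
	PkgName          string
	InstalledVersion string
	Severity         string
}

// HeaderBefore is the group-header line quoted from html.tpl in the issue.
const HeaderBefore = `<tr class="group-header"><th colspan="6">{{ escapeXML .Type }}</th></tr>`

// HeaderAfter is the proposed fix: the scan target (the JAR path) joins the type.
const HeaderAfter = `<tr class="group-header"><th colspan="6">{{ escapeXML .Type }} - {{ escapeXML .Target }}</th></tr>`

// rowsTemplate renders one group per result; %s is where a header line is spliced in.
const rowsTemplate = `{{range .}}%s
{{range .Vulnerabilities}}<tr><td>{{ escapeXML .PkgName }}</td><td>{{ escapeXML .InstalledVersion }}</td><td>{{ escapeXML .VulnerabilityID }}</td><td>{{ escapeXML .Severity }}</td></tr>
{{end}}{{end}}`

// RenderReport executes the report template with the given header line.
// Assumption: Trivy's escapeXML helper is emulated with html.EscapeString, which
// escapes <, >, &, ' and " so a target path cannot inject markup into the report.
func RenderReport(header string, results []Result) (string, error) {
	funcs := template.FuncMap{"escapeXML": html.EscapeString}
	t, err := template.New("report").Funcs(funcs).Parse(fmt.Sprintf(rowsTemplate, header))
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, results); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// SampleResults is constructed input: two JARs with one finding each. The
// CVE ids are placeholders, and the second path carries angle brackets to
// show that escapeXML neutralises them in the header.
func SampleResults() []Result {
	return []Result{
		{
			Target: "/app/lib/first.jar",
			Type:   "jar",
			Vulnerabilities: []Vulnerability{
				{VulnerabilityID: "CVE-0000-0001", PkgName: "org.example:lib-a", InstalledVersion: "1.0.0", Severity: "HIGH"},
			},
		},
		{
			Target: "/app/lib/<second>.jar",
			Type:   "jar",
			Vulnerabilities: []Vulnerability{
				{VulnerabilityID: "CVE-0000-0002", PkgName: "org.example:lib-b", InstalledVersion: "2.3.1", Severity: "MEDIUM"},
			},
		},
	}
}

func main() {
	// Print the report once with each header so the difference is visible side by side.
	for _, header := range []string{HeaderBefore, HeaderAfter} {
		out, err := RenderReport(header, SampleResults())
		if err != nil {
			panic(err)
		}
		fmt.Println(out)
	}
}
```

With `HeaderBefore` both groups render as a bare `jar` header, so the two findings cannot be told apart by archive; with `HeaderAfter` each header carries its path. Keeping the target inside `escapeXML` matters because the path comes from the scanned image, not from the report author, so the second sample's `<second>` arrives in the HTML as `&lt;second&gt;` rather than as a tag.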

szpak commented Oct 7, 2021

#1269 by @masahiro331 compacted the output table to:
(screenshot attached in the original comment)

(Java in the header here is from my local patch adding {{ escapeXML .Target }}).

It would be even more problematic to get the JAR path (it can be quite long to put it into a separate column - maybe as part of the "Links"?). On the other hand, I realized that in the majority of cases package and installed version can be used to determine the JAR (I'm not sure about shaded jars with multiple packages included - @ivanvc what is your case with tabula.jar in #1260?).

I plan to close this issue, if no-one opposes.


ivanvc commented Oct 7, 2021

Makes sense, seems like a cleaner approach. I closed my PR too :)
