Without source path it is impossible to identify the location of a vuln in HTML reports

[rungitringit]

Question

Hello,

I'm using Trivy, with the scan2html plugin, to create scheduled HTML reports for Developers on their Linux workstations. The goal is so Developers will catch vulnerabilities in dependencies they use and update any utilities (binaries) they use.

Trivy is an excellent tool for this! Thank you!

Unfortunately some vulnerabilities from the rootfs scan are simply reported as being in "Python" or "Go". As an OS might have many python components or go binaries and the Developer may use multiple venvs, it is difficult to interpret where the vulnerability actually is.

I can't find a way to have them more clearly identified by file path or component. Can you please help?

Here's the output using html.tpl showing a vulnerability in a urllib3 library from Python somewhere in the OS:

The same problem occurs with scan2html, as it presumably has the same limitation from the source report:

If I manually search the json output from trivy for the vulnerability (the vulnerable library or package name can be too generic) I can identify that in this case the vulnerable version is in a venv I own:

        {
          "VulnerabilityID": "CVE-2025-66471",
          "PkgName": "urllib3",
          "PkgPath": "myuser/venv/lib/python3.10/site-packages/urllib3-2.5.0.dist-info/METADATA",
          "PkgIdentifier": {
            "PURL": "pkg:pypi/urllib3@2.5.0",

however not all vulnerabilities with a generic language name will have the PkgPath field!

Is this a known issue or am I using rootfs incorrectly?

As an aside, while I prefer the output from scan2html, I am mainly using it because it shows a "target" column which often details file paths from rootfs scans which html.tpl does not.

Thank you!

Target

Filesystem

Scanner

Vulnerability

Output Format

JSON

Mode

Standalone

Operating System

Ubuntu 22.04

Version

0.68.2
with scan2html plugin v.03.26 (this may not be relevant)

[rungitringit]

I think the problem may be that the reported vulnerabilities lack a "Target" field in the source JSON report.
Why would this be?

[rungitringit]

I have read something that suggests the problem might be avoided by running an fs scan rather than a rootfs scan (I find the difference confusing!).

• I tested by scanning / using rootfs and excluded homedirs
• I then scanned the homedirs separately with an fs scan.

Unfortunately this produces less results for the homedirs. For example my vulnerable python urllib in a python virtual environment isn't detected.