**Is** Scanning a "from scratch" docker image fails with ``` ... 021-12-22T07:34:45.807Z DEBUG OS is not detected and vulnerabilities in OS packages are not detected. 2021-12-22T07:34:45.807Z DEBUG Detected OS: unknown 2021-12-22T07:34:45.807Z INFO Number of language-specific files: 0 [ERROR] [2021-12-22 07:34:45 +0000] [] ▶ private method `select' called for nil:NilClass ``` **Expected** The scan should finish without errors **Analysis** I think gtcs has wrong assumption for the json output of trivy. The Keys `metadata / os Family `, `metadata / os / Name`, `Results` and perhaps others do not always exist. This is where https://gitlab.com/gitlab-org/security-products/analyzers/container-scanning/-/blob/master/lib/gcs/dependency_list_converter.rb#L26 and following will fail. ## Implementation Plan - [x] ~backend in `lib/gcs/dependency_list_converter.rb` in `container-scanning` analyzer return empty report when there JSON report from Trivy does not contain `Result` section.