I am using trivy image scanning (currently only for critical vulnerabilities) and I have noticed that even after installing newer versions for libarchive-dev, libarchive13 & libcurl4, the scanning continues to be positive.
For example, in the aquasec page for CVE-2022-36227 (packages libarchive-dev and libarchive13) https://avd.aquasec.com/nvd/2022/cve-2022-36227/ it is mentioned that the vulnerability has been fixed since version 3.6.2.
Although the newly installed version of these packages is 3.7.2-1, the trivy scanning is still identifying the packages as vulnerable, as you can see in the attached image. The same applies to libcurl4, with installed version 8.4.0-2. In https://avd.aquasec.com/nvd/2023/cve-2023-23914/ it is mentioned that the vulnerability exists in curl <v7.88.0.
In the report you can see that the "Fixed version" field is blank, so I assume the DB has not been updated to include the package versions which are not affected by the vulnerability.
Also, is there maybe a temporary workaround (e.g. configure trivyignore to ignore a specific package with a specific version)? I couldn't find any such option yet, but it would be great to add a feature like this.
Desired Behavior
After updating the packages, the image vulnerability scanning should not report any vulnerabilities.
Actual Behavior
The image vulnerability scanning is still reporting vulnerabilities.
Reproduction Steps
1. Updated the packages to versions which are not affected according to the avd.aquasec.com page for each CVE
2. Reran the "trivy image --scanners vuln --severity CRITICAL <image:tag>" command
3. The trivy report is still identifying the same vulnerabilities
Target
Container Image
Scanner
Vulnerability
Output Format
None
Mode
Standalone
Debug Output
Output of command "trivy image --scanners vuln --severity CRITICAL --debug <image:tag>"
2023-10-18T15:30:37.408Z DEBUG Missing diff ID in cache: sha256:cd5d0a5ef3063d21faad26f1b0d0c1b91ef07353e50ee432d77b16e77a85f7bc
2023-10-18T15:30:37.554Z DEBUG Unable to parse "var/lib/dpkg/available" file: file open error: open var/lib/dpkg/available: file does not exist
2023-10-18T15:30:37.564Z DEBUG Missing diff ID in cache: sha256:2c1f011db826f78035512c3f3e8d6cec8416994f8f2ffaa7a7f3c03c1f274498
2023-10-18T15:30:37.666Z DEBUG Unable to parse "var/lib/dpkg/available" file: file open error: open var/lib/dpkg/available: file does not exist
2023-10-18T15:30:37.681Z DEBUG Missing diff ID in cache: sha256:e0d1289d0d95a74d34f134199a51418880093e76f9bd9b488e8181f634bbb237
2023-10-18T15:30:37.821Z DEBUG Missing diff ID in cache: sha256:d665294ed04aca3cea0f2d994d738b00c42862711eb40d403844c4a1219c1b36
2023-10-18T15:30:37.920Z DEBUG Missing diff ID in cache: sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef
2023-10-18T15:30:37.943Z DEBUG Missing diff ID in cache: sha256:d0d33e707617846d897c4a0efd697ef1f84242e872436f3574b6bab48e13cbc1
2023-10-18T15:30:39.947Z DEBUG Unable to parse "var/lib/dpkg/available" file: file open error: open var/lib/dpkg/available: file does not exist
2023-10-18T15:30:41.848Z INFO Detected OS: debian
2023-10-18T15:30:41.849Z INFO Detecting Debian vulnerabilities...
2023-10-18T15:30:41.849Z DEBUG debian: os version: 11
2023-10-18T15:30:41.849Z DEBUG debian: the number of packages: 210
2023-10-18T15:30:41.905Z INFO Number of language-specific files: 3
2023-10-18T15:30:41.905Z INFO Detecting dotnet-core vulnerabilities...
2023-10-18T15:30:41.905Z DEBUG Detecting library vulnerabilities, type: dotnet-core, path: usr/share/dotnet/shared/Microsoft.NETCore.App/6.0.23/Microsoft.NETCore.App.deps.json
2023-10-18T15:30:41.905Z DEBUG Detecting library vulnerabilities, type: dotnet-core, path: usr/share/dotnet/shared/Microsoft.AspNetCore.App/6.0.23/Microsoft.AspNetCore.App.deps.json
2023-10-18T15:30:41.907Z DEBUG Detecting library vulnerabilities, type: dotnet-core, path: app/Nbg.NetCore.DocOCRInfoExtraction.deps.json
Discussed in #5405
Originally posted by venia-spai October 19, 2023
Operating System
Ubuntu 22.04.3 LTS
Version
v0.46.0. Also tested in v0.44.0.
Checklist
trivy image --reset
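The workaround asked about in the post (ignoring one package at one installed version) is not something the plain `.trivyignore` file can express, since that file only takes vulnerability IDs. It can be done with Trivy's `--ignore-policy` flag, which evaluates an OPA Rego policy once per finding with the detected vulnerability as `input` (fields such as `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion` and `Severity`). The policy below is an added example written for this page, not code from the issue author or from the Trivy project; the package names, versions and CVE IDs are the ones quoted in the post, and the file name `ignore.rego` is an assumption.

```rego
package trivy

import data.lib.trivy

default ignore = false

# Constructed allow-list for this example: the (package, installed version, CVE)
# triples quoted in the post above. Scoping each entry to an exact triple means
# a later downgrade of the package, or a different CVE in the same package,
# is still reported rather than silently hidden.
verified := {
    {"pkg": "libarchive13", "version": "3.7.2-1", "id": "CVE-2022-36227"},
    {"pkg": "libarchive-dev", "version": "3.7.2-1", "id": "CVE-2022-36227"},
    {"pkg": "libcurl4", "version": "8.4.0-2", "id": "CVE-2023-23914"}
}

# Trivy drops a finding when this rule evaluates to true. All three conditions
# must hold, so a partial match (right package, other version) is not ignored.
ignore {
    entry := verified[_]
    input.PkgName == entry.pkg
    input.InstalledVersion == entry.version
    input.VulnerabilityID == entry.id
}
```

Run it as `trivy image --scanners vuln --severity CRITICAL --ignore-policy ignore.rego <image:tag>`. One caveat before suppressing anything: a blank "Fixed version" in a Trivy report means the distribution feed Trivy matches Debian packages against lists no fixed version for that release (here Debian 11), so Trivy flags the package by name instead of comparing versions, and a package rebuilt from newer upstream sources will keep matching. The ignore is only justified once you have confirmed the installed build actually carries the upstream fix; the policy records that decision per package and version instead of hiding the CVE everywhere.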