Trivy database not updated with fixed versions for libarchive-dev, libarchive13 & libcurl4 #5406

Closed
2 tasks
venia-spai opened this issue Oct 19, 2023 Discussed in #5405 · 1 comment
Comments

@venia-spai

Discussed in #5405

Originally posted by venia-spai October 19, 2023

Description

Hello,

I am using trivy image scanning (currently only for critical vulnerabilities) and I have noticed that even after installing newer versions of libarchive-dev, libarchive13 and libcurl4, the scan still comes back positive.
For example, on the aquasec page for CVE-2022-36227 (packages libarchive-dev and libarchive13), https://avd.aquasec.com/nvd/2022/cve-2022-36227/, it is mentioned that the vulnerability has been fixed since version 3.6.2.
Although the newly installed version of these packages is 3.7.2-1, the trivy scan is still identifying the packages as vulnerable, as you can see in the attached image. The same applies to libcurl4, with installed version 8.4.0-2. In https://avd.aquasec.com/nvd/2023/cve-2023-23914/ it is mentioned that the vulnerability exists in curl < v7.88.0.

In the report you can see that the "Fixed version" field is blank, so I assume the DB has not been updated to include the package versions which are not affected by the vulnerability.

(attached screenshot of the trivy report; not preserved here)

Also, is there maybe a temporary workaround (e.g. configuring trivyignore to ignore a specific package at a specific version)? I couldn't find any such option yet, but it would be great to add a feature like this.

Desired Behavior

After updating the packages, the image vulnerability scanning should not report any vulnerabilities.

Actual Behavior

The image vulnerability scanning is still reporting vulnerabilities.
(attached screenshot of the trivy report; not preserved here)

Reproduction Steps

1. Updated the packages to versions which are not affected according to the avd.aquasec.com page for each CVE.
2. Reran the "trivy image --scanners vuln --severity CRITICAL <image:tag>" command.
3. The trivy report still identifies the same vulnerabilities.

Target

Container Image

Scanner

Vulnerability

Output Format

None

Mode

Standalone

Debug Output

Output of command "trivy image --scanners vuln --severity CRITICAL --debug <image:tag>"


2023-10-18T15:30:37.408Z	DEBUG	Missing diff ID in cache: sha256:cd5d0a5ef3063d21faad26f1b0d0c1b91ef07353e50ee432d77b16e77a85f7bc
2023-10-18T15:30:37.554Z	DEBUG	Unable to parse "var/lib/dpkg/available" file: file open error: open var/lib/dpkg/available: file does not exist
2023-10-18T15:30:37.564Z	DEBUG	Missing diff ID in cache: sha256:2c1f011db826f78035512c3f3e8d6cec8416994f8f2ffaa7a7f3c03c1f274498
2023-10-18T15:30:37.666Z	DEBUG	Unable to parse "var/lib/dpkg/available" file: file open error: open var/lib/dpkg/available: file does not exist
2023-10-18T15:30:37.681Z	DEBUG	Missing diff ID in cache: sha256:e0d1289d0d95a74d34f134199a51418880093e76f9bd9b488e8181f634bbb237
2023-10-18T15:30:37.821Z	DEBUG	Missing diff ID in cache: sha256:d665294ed04aca3cea0f2d994d738b00c42862711eb40d403844c4a1219c1b36
2023-10-18T15:30:37.920Z	DEBUG	Missing diff ID in cache: sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef
2023-10-18T15:30:37.943Z	DEBUG	Missing diff ID in cache: sha256:d0d33e707617846d897c4a0efd697ef1f84242e872436f3574b6bab48e13cbc1
2023-10-18T15:30:39.947Z	DEBUG	Unable to parse "var/lib/dpkg/available" file: file open error: open var/lib/dpkg/available: file does not exist
2023-10-18T15:30:41.848Z	INFO	Detected OS: debian
2023-10-18T15:30:41.849Z	INFO	Detecting Debian vulnerabilities...
2023-10-18T15:30:41.849Z	DEBUG	debian: os version: 11
2023-10-18T15:30:41.849Z	DEBUG	debian: the number of packages: 210
2023-10-18T15:30:41.905Z	INFO	Number of language-specific files: 3
2023-10-18T15:30:41.905Z	INFO	Detecting dotnet-core vulnerabilities...
2023-10-18T15:30:41.905Z	DEBUG	Detecting library vulnerabilities, type: dotnet-core, path: usr/share/dotnet/shared/Microsoft.NETCore.App/6.0.23/Microsoft.NETCore.App.deps.json
2023-10-18T15:30:41.905Z	DEBUG	Detecting library vulnerabilities, type: dotnet-core, path: usr/share/dotnet/shared/Microsoft.AspNetCore.App/6.0.23/Microsoft.AspNetCore.App.deps.json
2023-10-18T15:30:41.907Z	DEBUG	Detecting library vulnerabilities, type: dotnet-core, path: app/Nbg.NetCore.DocOCRInfoExtraction.deps.json

Operating System

Ubuntu 22.04.3 LTS

Version

v0.46.0
Also tested in v0.44.0

@github-actions

github-actions bot closed this as not planned (Won't fix, can't repro, duplicate, stale) Oct 19, 2023