harbor-scanner-trivy: Scan results mismatch after upgrading Harbor to v2.2.0 with new normalized DB schema for vulnerability data

Hi,

We are seeing a scan result mismatch. Image: debian:buster-20200803

Result when using the trivy 0.16.0 image:

Result when using harbor-scanner-trivy 0.18.0, which has the trivy 0.16.0 image:

The highlighted CVEs should be listed as medium as per the NVD database:

https://nvd.nist.gov/vuln/detail/CVE-2021-24031
https://nvd.nist.gov/vuln/detail/CVE-2021-24032

Also tested harbor-scanner-trivy 0.19.0 and it also has this issue.
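One way to turn the screenshot comparison above into a repeatable check is to diff per-CVE severities between a raw Trivy JSON report and the report Harbor returns for the same image. The following is an added example and is not code from Harbor or harbor-scanner-trivy; the field names (`Results[].Vulnerabilities[].VulnerabilityID` / `Severity` for Trivy, `vulnerabilities[].id` / `severity` for the Harbor scanner report) follow those tools' JSON formats as I understand them, and the sample reports, including the `Unknown` severities on the Harbor side, are constructed for illustration rather than taken from the issue.

```python
"""Diff per-CVE severities between a Trivy JSON report and a Harbor scan report.

Added example, not code from Harbor or harbor-scanner-trivy. The JSON field
names are assumed to match Trivy's `-f json` output and the Harbor
pluggable-scanner report format; adjust them if your versions differ.
"""
import json
from typing import Dict, List, Tuple

# Constructed sample in the shape of `trivy image -f json debian:buster-20200803`.
# Note that Trivy omits the "Vulnerabilities" key entirely for a clean target.
TRIVY_JSON = json.dumps({
    "Results": [
        {
            "Target": "debian:buster-20200803 (debian 10.5)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2021-24031", "PkgName": "libzstd1", "Severity": "MEDIUM"},
                {"VulnerabilityID": "CVE-2021-24032", "PkgName": "libzstd1", "Severity": "MEDIUM"},
                {"VulnerabilityID": "CVE-2020-1971", "PkgName": "libssl1.1", "Severity": "HIGH"},
            ],
        },
        {"Target": "/usr/bin/some-binary"},  # no "Vulnerabilities" key at all
    ]
})

# Constructed sample in the shape of the report Harbor stores for the artifact.
# The "Unknown" values are made up to illustrate the mismatch being reported.
HARBOR_JSON = json.dumps({
    "generated_at": "2021-03-10T10:00:00Z",
    "severity": "High",
    "vulnerabilities": [
        {"id": "CVE-2021-24031", "package": "libzstd1", "severity": "Unknown"},
        {"id": "CVE-2021-24032", "package": "libzstd1", "severity": "Unknown"},
    ],
})


def normalize(severity: object) -> str:
    """Fold 'MEDIUM', 'Medium', ' medium ' and None onto one spelling."""
    text = str(severity or "").strip().lower()
    return text or "unknown"


def trivy_severities(report: str) -> Dict[str, str]:
    """Map CVE id -> normalized severity from a Trivy JSON report."""
    data = json.loads(report)
    found: Dict[str, str] = {}
    for result in data.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:  # key may be absent
            found[vuln["VulnerabilityID"]] = normalize(vuln.get("Severity"))
    return found


def harbor_severities(report: str) -> Dict[str, str]:
    """Map CVE id -> normalized severity from a Harbor scan report."""
    data = json.loads(report)
    return {v["id"]: normalize(v.get("severity")) for v in data.get("vulnerabilities") or []}


def severity_mismatches(trivy_report: str, harbor_report: str) -> List[Tuple[str, str, str]]:
    """Return (cve, trivy_severity, harbor_severity) for every CVE present in
    both reports whose severities disagree, sorted by CVE id."""
    trivy = trivy_severities(trivy_report)
    harbor = harbor_severities(harbor_report)
    return sorted(
        (cve, trivy[cve], harbor[cve])
        for cve in trivy.keys() & harbor.keys()
        if trivy[cve] != harbor[cve]
    )


def only_in_one_side(trivy_report: str, harbor_report: str) -> Tuple[List[str], List[str]]:
    """Return (only_in_trivy, only_in_harbor): CVEs one tool reports and the other does not."""
    trivy = set(trivy_severities(trivy_report))
    harbor = set(harbor_severities(harbor_report))
    return sorted(trivy - harbor), sorted(harbor - trivy)


if __name__ == "__main__":
    for cve, t_sev, h_sev in severity_mismatches(TRIVY_JSON, HARBOR_JSON):
        print(f"{cve}: trivy={t_sev} harbor={h_sev}")
    missing_in_harbor, missing_in_trivy = only_in_one_side(TRIVY_JSON, HARBOR_JSON)
    print("only in trivy:", missing_in_harbor)
    print("only in harbor:", missing_in_trivy)
```

Severities are compared after case-folding because Trivy emits `MEDIUM` while Harbor shows `Medium`; without that step every CVE would look mismatched. Feed `severity_mismatches` the real files (for example Trivy's `-o report.json` and the JSON Harbor returns for the artifact's vulnerability addition) to get the list of CVEs whose severity Harbor disagrees on.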

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 18 (11 by maintainers)

Most upvoted comments

Now, as I remember, during the upgrade scan_reports were indeed cleared. As you stated, the issue could be with updating severities in the vulnerability_record table.

Yes. It should delete all vulnerability reports from the database. If it's a mission-critical prod env, make sure you have a DB backup. Anyway, all vulnerability reports should be recreated on rescan.