trivy: Critical CVEs for Python-Pillow Not Detected

Checklist

  • I’ve read the documentation regarding wrong detection.
  • I’ve confirmed that a security advisory in data sources was correct.
    • Run Trivy with -f json that shows data sources and make sure that the security advisory is correct.

Description

The following CVEs are not detected:

  • CVE-2022-22815 - python-pillow
  • CVE-2022-22817 - python-pillow

JSON Output of run with -debug:

2022-04-30T13:32:48.320Z	DEBUG	Severities: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
2022-04-30T13:32:48.323Z	DEBUG	cache dir:  /.cache
2022-04-30T13:32:48.323Z	DEBUG	There is no valid metadata file: unable to open a file: open /.cache/db/metadata.json: no such file or directory
2022-04-30T13:32:48.323Z	INFO	Need to update DB
2022-04-30T13:32:48.323Z	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
2022-04-30T13:32:48.323Z	INFO	Downloading DB...
2022-04-30T13:32:48.323Z	DEBUG	no metadata file
31.62 MiB / 31.62 MiB [-------------------------------------------------] 100.00% 23.70 MiB p/s 1.5s
2022-04-30T13:32:50.505Z	DEBUG	Updating database metadata...
2022-04-30T13:32:50.505Z	DEBUG	DB Schema: 2, UpdatedAt: 2022-04-30 12:06:49.897516804 +0000 UTC, NextUpdate: 2022-04-30 18:06:49.897516304 +0000 UTC, DownloadedAt: 2022-04-30 13:32:50.505397319 +0000 UTC
2022-04-30T13:32:50.505Z	DEBUG	Vulnerability type:  [os library]
2022-04-30T13:32:50.510Z	DEBUG	No secret config detected: trivy-secret.yaml
2022-04-30T13:32:50.510Z	DEBUG	Image ID: sha256:96b8bd3745b71d1da4c64abb7a6f099f97c70b11ea3ff6b95e41690227b91e37
2022-04-30T13:32:50.510Z	DEBUG	Diff IDs: [sha256:b9e87ec15f633e7691642670d1c9f0ee058d0ad3b683391d33f9dd8dabe4a3a0 sha256:3752ac79194b2721630df3368c1440e5db73961c1cfd73e51938a9ebcd05d986 sha256:799cce708ad972b302afc1abede218261c8c555efb0eaa3e2bbb8a1331ca83b2 sha256:eb10d8e150f563cdf30f9a72b915a22362ec38c98bb5fa15949a8d0a38600fce sha256:6983a67e284431353cf5bacef690a9dc1a5c1e80e9a161998bc98c2ee008acd0 sha256:5e5076d56f7785d360ce88360004e9270bced9921fcbd3307515cde960849d20 sha256:e437a7f087001b6e9f716328647c0140312bb36b6ab21a243708a4fb2d25d17a sha256:16cbfc9aaa97d8341e169c713bdf8d65cfcbe12c10bc7b994e6babbb42d5c7b9 sha256:6039d8c91e72580829c32e886f2cb5cee4fa6a72116740a6c589226017fb20ab sha256:e71d5114b0aa35fbf6c6a050849d6a09c751a5374ef34f4c5f04416c01de9d22 sha256:c0ed0c3c3c5374c330b042e400ac1cdab4edb2f4744a315c52f395b8a4491930 sha256:2cbf65ca6b8385b781de3efafe179d9a398c1fd28956377e3db170cba3abffc2 sha256:6b667ad209c9cb9a8aacd521f5ffeadacb1c15aa624e499c42cfd70c5d009da0 sha256:b37fa5dcf83e02a058dd784fdf6531ae9e0bce65a510adc911fd67bbbaa43329 sha256:a21943dc9f33eb2ac854043c28888e537687013f8a1cd1401120ad521f8b8ab1 sha256:dd08ac3c7c694016ad20bdd10d3a26497fe4100622126660d6e147c21e60fdf8 sha256:5955198184a88f6046a8a7e9106e7ec05713efbd6bc774ff19910c4c0c9def5c]
2022-04-30T13:32:50.510Z	DEBUG	Base Layers: [sha256:b9e87ec15f633e7691642670d1c9f0ee058d0ad3b683391d33f9dd8dabe4a3a0]
2022-04-30T13:32:50.511Z	DEBUG	Missing image ID in cache: sha256:96b8bd3745b71d1da4c64abb7a6f099f97c70b11ea3ff6b95e41690227b91e37
2022-04-30T13:32:50.511Z	DEBUG	Missing diff ID in cache: sha256:5955198184a88f6046a8a7e9106e7ec05713efbd6bc774ff19910c4c0c9def5c
2022-04-30T13:32:50.511Z	DEBUG	Missing diff ID in cache: sha256:b9e87ec15f633e7691642670d1c9f0ee058d0ad3b683391d33f9dd8dabe4a3a0
2022-04-30T13:32:50.511Z	DEBUG	Missing diff ID in cache: sha256:3752ac79194b2721630df3368c1440e5db73961c1cfd73e51938a9ebcd05d986
2022-04-30T13:32:50.511Z	DEBUG	Missing diff ID in cache: sha256:799cce708ad972b302afc1abede218261c8c555efb0eaa3e2bbb8a1331ca83b2
2022-04-30T13:32:50.511Z	DEBUG	Missing diff ID in cache: sha256:eb10d8e150f563cdf30f9a72b915a22362ec38c98bb5fa15949a8d0a38600fce
2022-04-30T13:32:50.511Z	DEBUG	Missing diff ID in cache: sha256:6983a67e284431353cf5bacef690a9dc1a5c1e80e9a161998bc98c2ee008acd0
2022-04-30T13:32:50.511Z	DEBUG	Missing diff ID in cache: sha256:5e5076d56f7785d360ce88360004e9270bced9921fcbd3307515cde960849d20
2022-04-30T13:32:50.511Z	DEBUG	Missing diff ID in cache: sha256:e437a7f087001b6e9f716328647c0140312bb36b6ab21a243708a4fb2d25d17a
2022-04-30T13:32:50.511Z	DEBUG	Missing diff ID in cache: sha256:16cbfc9aaa97d8341e169c713bdf8d65cfcbe12c10bc7b994e6babbb42d5c7b9
2022-04-30T13:32:50.511Z	DEBUG	Missing diff ID in cache: sha256:6039d8c91e72580829c32e886f2cb5cee4fa6a72116740a6c589226017fb20ab
2022-04-30T13:32:50.511Z	DEBUG	Missing diff ID in cache: sha256:e71d5114b0aa35fbf6c6a050849d6a09c751a5374ef34f4c5f04416c01de9d22
2022-04-30T13:32:50.511Z	DEBUG	Missing diff ID in cache: sha256:c0ed0c3c3c5374c330b042e400ac1cdab4edb2f4744a315c52f395b8a4491930
2022-04-30T13:32:50.511Z	DEBUG	Missing diff ID in cache: sha256:2cbf65ca6b8385b781de3efafe179d9a398c1fd28956377e3db170cba3abffc2
2022-04-30T13:32:50.511Z	DEBUG	Missing diff ID in cache: sha256:6b667ad209c9cb9a8aacd521f5ffeadacb1c15aa624e499c42cfd70c5d009da0
2022-04-30T13:32:50.511Z	DEBUG	Missing diff ID in cache: sha256:b37fa5dcf83e02a058dd784fdf6531ae9e0bce65a510adc911fd67bbbaa43329
2022-04-30T13:32:50.511Z	DEBUG	Missing diff ID in cache: sha256:a21943dc9f33eb2ac854043c28888e537687013f8a1cd1401120ad521f8b8ab1
2022-04-30T13:32:50.511Z	DEBUG	Missing diff ID in cache: sha256:dd08ac3c7c694016ad20bdd10d3a26497fe4100622126660d6e147c21e60fdf8
2022-04-30T13:33:04.659Z	DEBUG	Analysis error: unable to parse YAML (%!a(string=usr/share/doc/PyYAML-3.10/examples/pygments-lexer/example.yaml)): unmarshal yaml: error converting YAML to JSON: yaml: invalid map key: []interface {}{"Detroit Tigers", "Chicago cubs"}
2022-04-30T13:33:04.982Z	INFO	Detected OS: amazon
2022-04-30T13:33:04.982Z	INFO	Detecting Amazon Linux vulnerabilities...
2022-04-30T13:33:04.982Z	DEBUG	amazon: os version: 2
2022-04-30T13:33:04.982Z	DEBUG	amazon: the number of packages: 138
2022-04-30T13:33:04.984Z	DEBUG	failed to parse Amazon Linux installed package version: upstream_version must start with digit
2022-04-30T13:33:04.988Z	INFO	Number of language-specific files: 0
2022-04-30T13:33:04.988Z	DEBUG	Found an ignore file .trivyignore
2022-04-30T13:33:04.988Z	DEBUG	These IDs will be ignored: []

Output of trivy -v:

Digest: sha256:5c8043510bb84ed663a4c0b23887c96edb7e78093bceef0083921887e961494f
Status: Downloaded newer image for aquasec/trivy:latest
docker.io/aquasec/trivy:latest
Version: 0.27.1

Additional details (base image name, container registry info…):

  • Base image is amazonlinux:2
  • Trivy does not detect the aforementioned CVEs, but AWS Inspector does

About this issue

  • Original URL
  • State: closed
  • Created 2 years ago
  • Comments: 15

Most upvoted comments

@AErmie sorry for confusing you before.

For packages installed from rpm/yum, Trivy uses OS databases: the data source Amazon Linux Security Center is used for Amazon Linux 2.

For example: your container contains python-pillow with this version:

bash-4.2# yum info python-pillow
Loaded plugins: ovl, priorities
Installed Packages
Name        : python-pillow
Arch        : x86_64
Version     : 2.0.0
Release     : 23.gitd1c6db8.amzn2.0.1

CVE-2022-22815 and CVE-2022-22817 have been fixed for python-pillow-2.0.0-23.gitd1c6db8.amzn2.0.1.

Trivy doesn’t detect other vulnerabilities, because the vulnerability has been fixed for this package or the Amazon Linux Security Center doesn’t contain information about it.

Taking vulnerabilities from all sources can lead to false positives, so we only include vulnerabilities from the OS database.
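The maintainer's answer turns on a version comparison: an OS-package CVE is reported only when the installed EVR (epoch:version-release) sorts below the advisory's fixed EVR under RPM's ordering rules. The following is an added example, not Trivy's or rpm's own code: a Python port of rpm's rpmvercmp() plus the EVR split, run against the python-pillow version and release quoted from yum above. The `2.0.0-22.gitd1c6db8.amzn2` release is a constructed older build used only to show the vulnerable branch, and the ValueError text mirrors the "upstream_version must start with digit" DEBUG line in the report above (that this is exactly the condition Trivy checks is an assumption).

```python
"""RPM EVR comparison as applied by an OS-package vulnerability scanner.
Added example: a Python port of rpm's rpmvercmp() semantics, not Trivy code."""


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 ordering a against b the way rpm does:
    alnum runs are compared segment by segment, numeric beats alpha,
    '~' sorts before end of string, '^' sorts after end of string."""
    if a == b:
        return 0
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        # Separators (anything that is not alnum, '~' or '^') are skipped.
        while i < la and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < lb and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca = a[i] if i < la else ""
        cb = b[j] if j < lb else ""
        if ca == "~" or cb == "~":            # tilde: pre-release, older than anything
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i += 1
            j += 1
            continue
        if ca == "^" or cb == "^":            # caret: post-release, newer than the base
            if ca == "":
                return -1
            if cb == "":
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i += 1
            j += 1
            continue
        if ca == "" or cb == "":
            break
        isnum = ca.isdigit()
        sa, sb = i, j
        if isnum:
            while i < la and a[i].isdigit():
                i += 1
            while j < lb and b[j].isdigit():
                j += 1
        else:
            while i < la and a[i].isalpha():
                i += 1
            while j < lb and b[j].isalpha():
                j += 1
        seg_a, seg_b = a[sa:i], b[sb:j]
        if not seg_b:                         # segment types differ: numeric is newer
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):      # longer digit string is the larger number
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= la and j >= lb:
        return 0
    return -1 if i >= la else 1               # whichever still has characters wins


def parse_evr(evr: str):
    """Split 'epoch:version-release' into (epoch, version, release)."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, _, release = evr.partition("-")
    if not version[:1].isdigit():
        # Assumed to be the same condition behind Trivy's DEBUG line above;
        # such a package is skipped rather than compared.
        raise ValueError("upstream_version must start with digit")
    return epoch, version, release


def compare_evr(a: str, b: str) -> int:
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    rc = rpmvercmp(va, vb)
    return rc if rc else rpmvercmp(ra, rb)


def is_vulnerable(installed_evr: str, fixed_evr: str) -> bool:
    """True when the installed package sorts strictly below the advisory's fix."""
    return compare_evr(installed_evr, fixed_evr) < 0


if __name__ == "__main__":
    # Version and Release from the yum output above, joined with '-'.
    installed = "2.0.0-23.gitd1c6db8.amzn2.0.1"
    fixed = "2.0.0-23.gitd1c6db8.amzn2.0.1"     # fixed version per ALAS, as quoted above
    older = "2.0.0-22.gitd1c6db8.amzn2"         # constructed older build, not from the page
    print("installed vulnerable:", is_vulnerable(installed, fixed))   # False
    print("older build vulnerable:", is_vulnerable(older, fixed))     # True
```

Two practitioner notes follow from this. First, the comparison is on the full release string, so a backported fix that keeps the upstream version (2.0.0 here) and only bumps the release is correctly treated as fixed, which is why a scanner keyed on the upstream version alone would disagree with Trivy. Second, the report's DEBUG line shows one package whose version failed to parse; a package that fails parse_evr is not compared at all, so such lines are worth grepping for in `--debug` output when a CVE you expect is missing.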