trivy: Critical CVEs for Python-Pillow Not Detected
Checklist
- I’ve read the documentation regarding wrong detection.
- I’ve confirmed that a security advisory in data sources was correct.
- Run Trivy with
-f jsonthat shows data sources and make sure that the security advisory is correct.
- Run Trivy with
Description
The following CVEs are not detected:
- CVE-2022-22815 - python-pillow
- CVE-2022-22817 - python-pillow
JSON Output of run with -debug:
2022-04-30T13:32:48.320Z DEBUG Severities: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
2022-04-30T13:32:48.323Z DEBUG cache dir: /.cache
2022-04-30T13:32:48.323Z DEBUG There is no valid metadata file: unable to open a file: open /.cache/db/metadata.json: no such file or directory
2022-04-30T13:32:48.323Z INFO Need to update DB
2022-04-30T13:32:48.323Z INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2022-04-30T13:32:48.323Z INFO Downloading DB...
2022-04-30T13:32:48.323Z DEBUG no metadata file
26.70 MiB / 31.62 MiB [--------------------------------------------------->_________] 84.44% ? p/s ?31.62 MiB / 31.62 MiB [----------------------------------------------------------->] 100.00% ? p/s ?31.62 MiB / 31.62 MiB [----------------------------------------------------------->] 100.00% ? p/s ?31.62 MiB / 31.62 MiB [----------------------------------------------->] 100.00% 8.19 MiB p/s ETA 0s31.62 MiB / 31.62 MiB [----------------------------------------------->] 100.00% 8.19 MiB p/s ETA 0s31.62 MiB / 31.62 MiB [----------------------------------------------->] 100.00% 8.19 MiB p/s ETA 0s31.62 MiB / 31.62 MiB [----------------------------------------------->] 100.00% 7.66 MiB p/s ETA 0s2022-04-30T13:32:50.505Z DEBUG Updating database metadata...
31.62 MiB / 31.62 MiB [-------------------------------------------------] 100.00% 23.70 MiB p/s 1.5s2022-04-30T13:32:50.505Z DEBUG DB Schema: 2, UpdatedAt: 2022-04-30 12:06:49.897516804 +0000 UTC, NextUpdate: 2022-04-30 18:06:49.897516304 +0000 UTC, DownloadedAt: 2022-04-30 13:32:50.505397319 +0000 UTC
2022-04-30T13:32:50.505Z DEBUG Vulnerability type: [os library]
2022-04-30T13:32:50.510Z DEBUG No secret config detected: trivy-secret.yaml
2022-04-30T13:32:50.510Z DEBUG Image ID: sha256:96b8bd3745b71d1da4c64abb7a6f099f97c70b11ea3ff6b95e41690227b91e37
2022-04-30T13:32:50.510Z DEBUG Diff IDs: [sha256:b9e87ec15f633e7691642670d1c9f0ee058d0ad3b683391d33f9dd8dabe4a3a0 sha256:3752ac79194b2721630df3368c1440e5db73961c1cfd73e51938a9ebcd05d986 sha256:799cce708ad972b302afc1abede218261c8c555efb0eaa3e2bbb8a1331ca83b2 sha256:eb10d8e150f563cdf30f9a72b915a22362ec38c98bb5fa15949a8d0a38600fce sha256:6983a67e284431353cf5bacef690a9dc1a5c1e80e9a161998bc98c2ee008acd0 sha256:5e5076d56f7785d360ce88360004e9270bced9921fcbd3307515cde960849d20 sha256:e437a7f087001b6e9f716328647c0140312bb36b6ab21a243708a4fb2d25d17a sha256:16cbfc9aaa97d8341e169c713bdf8d65cfcbe12c10bc7b994e6babbb42d5c7b9 sha256:6039d8c91e72580829c32e886f2cb5cee4fa6a72116740a6c589226017fb20ab sha256:e71d5114b0aa35fbf6c6a050849d6a09c751a5374ef34f4c5f04416c01de9d22 sha256:c0ed0c3c3c5374c330b042e400ac1cdab4edb2f4744a315c52f395b8a4491930 sha256:2cbf65ca6b8385b781de3efafe179d9a398c1fd28956377e3db170cba3abffc2 sha256:6b667ad209c9cb9a8aacd521f5ffeadacb1c15aa624e499c42cfd70c5d009da0 sha256:b37fa5dcf83e02a058dd784fdf6531ae9e0bce65a510adc911fd67bbbaa43329 sha256:a21943dc9f33eb2ac854043c28888e537687013f8a1cd1401120ad521f8b8ab1 sha256:dd08ac3c7c694016ad20bdd10d3a26497fe4100622126660d6e147c21e60fdf8 sha256:5955198184a88f6046a8a7e9106e7ec05713efbd6bc774ff19910c4c0c9def5c]
2022-04-30T13:32:50.510Z DEBUG Base Layers: [sha256:b9e87ec15f633e7691642670d1c9f0ee058d0ad3b683391d33f9dd8dabe4a3a0]
2022-04-30T13:32:50.511Z DEBUG Missing image ID in cache: sha256:96b8bd3745b71d1da4c64abb7a6f099f97c70b11ea3ff6b95e41690227b91e37
2022-04-30T13:32:50.511Z DEBUG Missing diff ID in cache: sha256:5955198184a88f6046a8a7e9106e7ec05713efbd6bc774ff19910c4c0c9def5c
2022-04-30T13:32:50.511Z DEBUG Missing diff ID in cache: sha256:b9e87ec15f633e7691642670d1c9f0ee058d0ad3b683391d33f9dd8dabe4a3a0
2022-04-30T13:32:50.511Z DEBUG Missing diff ID in cache: sha256:3752ac79194b2721630df3368c1440e5db73961c1cfd73e51938a9ebcd05d986
2022-04-30T13:32:50.511Z DEBUG Missing diff ID in cache: sha256:799cce708ad972b302afc1abede218261c8c555efb0eaa3e2bbb8a1331ca83b2
2022-04-30T13:32:50.511Z DEBUG Missing diff ID in cache: sha256:eb10d8e150f563cdf30f9a72b915a22362ec38c98bb5fa15949a8d0a38600fce
2022-04-30T13:32:50.511Z DEBUG Missing diff ID in cache: sha256:6983a67e284431353cf5bacef690a9dc1a5c1e80e9a161998bc98c2ee008acd0
2022-04-30T13:32:50.511Z DEBUG Missing diff ID in cache: sha256:5e5076d56f7785d360ce88360004e9270bced9921fcbd3307515cde960849d20
2022-04-30T13:32:50.511Z DEBUG Missing diff ID in cache: sha256:e437a7f087001b6e9f716328647c0140312bb36b6ab21a243708a4fb2d25d17a
2022-04-30T13:32:50.511Z DEBUG Missing diff ID in cache: sha256:16cbfc9aaa97d8341e169c713bdf8d65cfcbe12c10bc7b994e6babbb42d5c7b9
2022-04-30T13:32:50.511Z DEBUG Missing diff ID in cache: sha256:6039d8c91e72580829c32e886f2cb5cee4fa6a72116740a6c589226017fb20ab
2022-04-30T13:32:50.511Z DEBUG Missing diff ID in cache: sha256:e71d5114b0aa35fbf6c6a050849d6a09c751a5374ef34f4c5f04416c01de9d22
2022-04-30T13:32:50.511Z DEBUG Missing diff ID in cache: sha256:c0ed0c3c3c5374c330b042e400ac1cdab4edb2f4744a315c52f395b8a4491930
2022-04-30T13:32:50.511Z DEBUG Missing diff ID in cache: sha256:2cbf65ca6b8385b781de3efafe179d9a398c1fd28956377e3db170cba3abffc2
2022-04-30T13:32:50.511Z DEBUG Missing diff ID in cache: sha256:6b667ad209c9cb9a8aacd521f5ffeadacb1c15aa624e499c42cfd70c5d009da0
2022-04-30T13:32:50.511Z DEBUG Missing diff ID in cache: sha256:b37fa5dcf83e02a058dd784fdf6531ae9e0bce65a510adc911fd67bbbaa43329
2022-04-30T13:32:50.511Z DEBUG Missing diff ID in cache: sha256:a21943dc9f33eb2ac854043c28888e537687013f8a1cd1401120ad521f8b8ab1
2022-04-30T13:32:50.511Z DEBUG Missing diff ID in cache: sha256:dd08ac3c7c694016ad20bdd10d3a26497fe4100622126660d6e147c21e60fdf8
2022-04-30T13:33:04.659Z DEBUG Analysis error: unable to parse YAML (%!a(string=usr/share/doc/PyYAML-3.10/examples/pygments-lexer/example.yaml)): unmarshal yaml: error converting YAML to JSON: yaml: invalid map key: []interface {}{"Detroit Tigers", "Chicago cubs"}
2022-04-30T13:33:04.982Z INFO Detected OS: amazon
2022-04-30T13:33:04.982Z INFO Detecting Amazon Linux vulnerabilities...
2022-04-30T13:33:04.982Z DEBUG amazon: os version: 2
2022-04-30T13:33:04.982Z DEBUG amazon: the number of packages: 138
2022-04-30T13:33:04.984Z DEBUG failed to parse Amazon Linux installed package version: upstream_version must start with digit
2022-04-30T13:33:04.988Z INFO Number of language-specific files: 0
2022-04-30T13:33:04.988Z DEBUG Found an ignore file .trivyignore
2022-04-30T13:33:04.988Z DEBUG These IDs will be ignored: []
Output of trivy -v:
Digest: sha256:5c8043510bb84ed663a4c0b23887c96edb7e78093bceef0083921887e961494f
Status: Downloaded newer image for aquasec/trivy:latest
docker.io/aquasec/trivy:latest
Version: 0.27.1
Additional details (base image name, container registry info…):
- Base image is
amazonlinux:2 - Trivy does not detect the aforementioned CVEs, but AWS Inspector does
About this issue
- Original URL
- State: closed
- Created 2 years ago
- Comments: 15
@AErmie sorry for confuse you before.
For packages installed from
rpm/yumTrivy uses OS Databases: data-sourse Amazon Linux Security Center is used for amazon linux 2.For example: your container contains
python-pillowwith this version:CVE-2022-22815 and CVE-2022-22817 vulnerabilities have been fixed have been fixed for
python-pillow-2.0.0-23.gitd1c6db8.amzn2.0.1.Trivy doesn’t detect other vulnerabilities, because vulnerability has been fixed for this package or
Amazon Linux Security Centerdoesn’t contain information about this vulnerability.Taking vulnerabilities from all sources can lead to false positives, so we only include vulnerabilities from the OS database.