trivy: InstalledVersion comparison doesn't process "epoch" value in debian package version numbers

Description

trivy rootfs -s HIGH -f json / shows several packages are vulnerable due to incorrect version comparison.

For example, the debian package named zabbix-get with version 1:5.0.20-1+bionic is flagged as a “HIGH” severity vulnerability, but the details indicate that only versions before 2.2.x, 3.0.31 and 3.2 are vulnerable.

What did you expect to happen?

I expected that the epoch 1: value would be handled correctly (see http://manpages.ubuntu.com/manpages/trusty/man5/deb-version.5.html ), and Trivy would see that version 5.0.20 is more recent than the vulnerable versions.

What happened instead?

It incorrectly declares multiple packages to be vulnerable:

{
  "VulnerabilityID": "CVE-2020-11800",
  "PkgName": "zabbix-get",
  "InstalledVersion": "1:5.0.20-1+bionic",
  "Layer": {},
  "SeveritySource": "ubuntu",
  "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-11800",
  "DataSource": {
    "ID": "ubuntu",
    "Name": "Ubuntu CVE Tracker",
    "URL": "https://git.launchpad.net/ubuntu-cve-tracker"
  },
  "Title": "Zabbix Server 2.2.x and 3.0.x before 3.0.31, and 3.2 allows remote att ...",
  "Description": "Zabbix Server 2.2.x and 3.0.x before 3.0.31, and 3.2 allows remote attackers to execute arbitrary code.",
  "Severity": "HIGH",
  "CVSS": {
    "nvd": {
      "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
      "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "V2Score": 7.5,
      "V3Score": 9.8
    }
  },
  "References": [
    "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00007.html",
    "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11800",
    "https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/85453e04656fc7bd8a6790f5295d79410101745c",
    "https://lists.debian.org/debian-lts-announce/2020/11/msg00039.html",
    "https://support.zabbix.com/browse/DEV-1538",
    "https://support.zabbix.com/browse/ZBX-17600",
    "https://support.zabbix.com/browse/ZBXSEC-30",
    "https://support.zabbix.com/browse/ZBXSEC-30 (not public)"
  ],
  "PublishedDate": "2020-10-07T16:15:00Z",
  "LastModifiedDate": "2022-01-01T18:16:00Z"
}

Output of run with -debug:

(2237 lines of files scanned, not very useful for this report.)

Output of trivy -v:

Version: 0.24.4
Vulnerability DB:
  Version: 2
  UpdatedAt: 2022-03-29 06:06:20.605614808 +0000 UTC
  NextUpdate: 2022-03-29 12:06:20.605614408 +0000 UTC
  DownloadedAt: 2022-03-29 06:17:15.692256189 +0000 UTC

Additional details (base image name, container registry info…):

OS: Ubuntu 18.04

We’re evaluating Trivy for use in our organization.
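The comparison the report expects, as an added reference example (not Trivy's code): it splits a Debian version into epoch, upstream_version and debian_revision per the cited deb-version(5) page and compares the epoch first, so the epoch-1 version is correctly seen as newer than the 3.0.31 fix boundary. The fragment comparison follows dpkg's alternating non-digit/numeric walk, including the `~` rule.

```python
import re
from itertools import zip_longest


def _order(c: str) -> int:
    """dpkg weight of one character in a non-digit run: '~' sorts before
    anything, even end of string (weight 0); letters before other characters."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare one upstream_version or debian_revision fragment the dpkg way:
    alternate non-digit runs (character weights) and numeric runs (as ints)."""
    ra, rb = re.findall(r"(\D*)(\d*)", a), re.findall(r"(\D*)(\d*)", b)
    for (sa, na), (sb, nb) in zip_longest(ra, rb, fillvalue=("", "")):
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            if d := _order(ca) - _order(cb):
                return d
        if d := int(na or 0) - int(nb or 0):
            return d
    return 0


def parse_deb_version(v: str) -> tuple[int, str, str]:
    """Split "[epoch:]upstream_version[-debian_revision]" per deb-version(5).
    A missing epoch is 0; the revision is everything after the last '-'."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision


def compare_deb_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to or newer than b.
    The epoch decides first; only then upstream_version, then debian_revision."""
    ea, ua, ra = parse_deb_version(a)
    eb, ub, rb = parse_deb_version(b)
    c = (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (c > 0) - (c < 0)


if __name__ == "__main__":
    # Versions from the report: installed zabbix-get vs the 3.0.31 fix boundary.
    print(compare_deb_versions("1:5.0.20-1+bionic", "3.0.31"))  # 1: newer
    print(compare_deb_versions("1:1.0", "2.0"))  # 1: epoch outranks upstream
```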

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 30

Most upvoted comments

Hello @PenelopeFudd Thanks for your report!

I will try to reproduce your problem and write to you later.

Regards. Dmitriy

@DmitriyLewen Could you take a look? We are supposed to handle epoch properly.