trivy: Missing vulnerabilities for jar files

Description

Trivy (v0.24.4) detects the packages inside a jar file downloaded in a docker container, but does not report the vulnerabilities associated with old packages inside the jar. This, however, does not happen with a very old version of trivy (0.19.2), which I tested due to #1385.

What did you expect to happen?

The vulnerabilities should be reported

What happened instead?

The vulnerabilities were not reported, even though the packages were listed when using --list-all-pkgs

Output of run with -debug:

Output of trivy v0.19.2:

~# trivy -debug image kobusvschoor/trivy-test:latest
2022-03-22T17:22:38.648+0200	DEBUG	Severities: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
2022-03-22T17:22:38.650+0200	DEBUG	cache dir:  /root/.cache/trivy
2022-03-22T17:22:38.650+0200	DEBUG	DB update was skipped because DB is the latest
2022-03-22T17:22:38.650+0200	DEBUG	DB Schema: 1, Type: 1, UpdatedAt: 2022-03-22 12:51:11.957750746 +0000 UTC, NextUpdate: 2022-03-22 18:51:11.957749946 +0000 UTC, DownloadedAt: 2022-03-22 15:03:49.039622751 +0000 UTC
2022-03-22T17:22:38.650+0200	DEBUG	Vulnerability type:  [os library]
2022-03-22T17:22:41.116+0200	DEBUG	Image ID: sha256:ff1692feb4c997ec10e90e43f02481caa8d4acbb5092dcf25242da7bd799413f
2022-03-22T17:22:41.116+0200	DEBUG	Diff IDs: [sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759 sha256:ac82834fd1e9fb53aae057a68e9084053d217c950d64e0cb8286da51ff93665b]
2022-03-22T17:22:41.117+0200	INFO	Detected OS: alpine
2022-03-22T17:22:41.117+0200	WARN	This OS version is not on the EOL list: alpine 3.15
2022-03-22T17:22:41.117+0200	INFO	Detecting Alpine vulnerabilities...
2022-03-22T17:22:41.117+0200	DEBUG	alpine: os version: 3.15
2022-03-22T17:22:41.117+0200	DEBUG	alpine: the number of packages: 19
2022-03-22T17:22:41.121+0200	INFO	Number of language-specific files: 1
2022-03-22T17:22:41.121+0200	INFO	Detecting jar vulnerabilities...
2022-03-22T17:22:41.121+0200	DEBUG	Detecting library vulnerabilities, type: jar, path: opt/agent-bond.jar
2022-03-22T17:22:41.121+0200	WARN	This OS version is no longer supported by the distribution: alpine 3.15.0
2022-03-22T17:22:41.121+0200	WARN	The vulnerability detection may be insufficient because security updates are not provided

kobusvschoor/trivy-test:latest (alpine 3.15.0)
==============================================
Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 3, CRITICAL: 0)

+--------------+------------------+----------+-------------------+---------------+--------------------------------------+
|   LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                TITLE                 |
+--------------+------------------+----------+-------------------+---------------+--------------------------------------+
| libcrypto1.1 | CVE-2022-0778    | HIGH     | 1.1.1l-r7         | 1.1.1n-r0     | openssl: Infinite loop in            |
|              |                  |          |                   |               | BN_mod_sqrt() reachable              |
|              |                  |          |                   |               | when parsing certificates            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-0778 |
+--------------+                  +          +-------------------+---------------+                                      +
| libretls     |                  |          | 3.3.4-r2          | 3.3.4-r3      |                                      |
|              |                  |          |                   |               |                                      |
|              |                  |          |                   |               |                                      |
|              |                  |          |                   |               |                                      |
+--------------+                  +          +-------------------+---------------+                                      +
| libssl1.1    |                  |          | 1.1.1l-r7         | 1.1.1n-r0     |                                      |
|              |                  |          |                   |               |                                      |
|              |                  |          |                   |               |                                      |
|              |                  |          |                   |               |                                      |
+--------------+------------------+----------+-------------------+---------------+--------------------------------------+

opt/agent-bond.jar (jar)
========================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

+--------------------+------------------+----------+-------------------+---------------+---------------------------------------+
|      LIBRARY       | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+--------------------+------------------+----------+-------------------+---------------+---------------------------------------+
| org.yaml:snakeyaml | CVE-2017-18640   | HIGH     |              1.16 |          1.26 | snakeyaml: Billion laughs             |
|                    |                  |          |                   |               | attack via alias feature              |
|                    |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2017-18640 |
+--------------------+------------------+----------+-------------------+---------------+---------------------------------------+

Output of trivy v0.24.4:

trivy -debug image kobusvschoor/trivy-test:latest
2022-03-22T17:24:10.366+0200	DEBUG	Severities: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
2022-03-22T17:24:10.375+0200	DEBUG	cache dir:  /root/.cache/trivy
2022-03-22T17:24:10.375+0200	DEBUG	DB update was skipped because the local DB is the latest
2022-03-22T17:24:10.375+0200	DEBUG	DB Schema: 2, UpdatedAt: 2022-03-22 12:08:44.214254904 +0000 UTC, NextUpdate: 2022-03-22 18:08:44.214254704 +0000 UTC, DownloadedAt: 2022-03-22 14:47:19.047274376 +0000 UTC
2022-03-22T17:24:10.375+0200	DEBUG	Vulnerability type:  [os library]
2022-03-22T17:24:12.868+0200	DEBUG	Image ID: sha256:ff1692feb4c997ec10e90e43f02481caa8d4acbb5092dcf25242da7bd799413f
2022-03-22T17:24:12.868+0200	DEBUG	Diff IDs: [sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759 sha256:ac82834fd1e9fb53aae057a68e9084053d217c950d64e0cb8286da51ff93665b]
2022-03-22T17:24:12.869+0200	DEBUG	Missing image ID: sha256:ff1692feb4c997ec10e90e43f02481caa8d4acbb5092dcf25242da7bd799413f
2022-03-22T17:24:12.869+0200	DEBUG	Missing diff ID: sha256:ac82834fd1e9fb53aae057a68e9084053d217c950d64e0cb8286da51ff93665b
2022-03-22T17:24:13.162+0200	DEBUG	Parsing Java artifacts...	{"file": "opt/agent-bond.jar"}
2022-03-22T17:24:14.070+0200	DEBUG	Missing image cache: sha256:b92a69d5e6571026e81e8718affff1eec5ee6b4f98d98cbee4b916b2db857f53
2022-03-22T17:24:14.072+0200	INFO	Detected OS: alpine
2022-03-22T17:24:14.072+0200	INFO	Detecting Alpine vulnerabilities...
2022-03-22T17:24:14.072+0200	DEBUG	alpine: os version: 3.15
2022-03-22T17:24:14.072+0200	DEBUG	alpine: the number of packages: 19
2022-03-22T17:24:14.074+0200	INFO	Number of language-specific files: 1
2022-03-22T17:24:14.074+0200	INFO	Detecting jar vulnerabilities...
2022-03-22T17:24:14.074+0200	DEBUG	Detecting library vulnerabilities, type: jar, path: 

kobusvschoor/trivy-test:latest (alpine 3.15.0)
==============================================
Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 3, CRITICAL: 0)

+--------------+------------------+----------+-------------------+---------------+--------------------------------------+
|   LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                TITLE                 |
+--------------+------------------+----------+-------------------+---------------+--------------------------------------+
| libcrypto1.1 | CVE-2022-0778    | HIGH     | 1.1.1l-r7         | 1.1.1n-r0     | openssl: Infinite loop in            |
|              |                  |          |                   |               | BN_mod_sqrt() reachable              |
|              |                  |          |                   |               | when parsing certificates            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-0778 |
+--------------+                  +          +-------------------+---------------+                                      +
| libretls     |                  |          | 3.3.4-r2          | 3.3.4-r3      |                                      |
|              |                  |          |                   |               |                                      |
|              |                  |          |                   |               |                                      |
|              |                  |          |                   |               |                                      |
+--------------+                  +          +-------------------+---------------+                                      +
| libssl1.1    |                  |          | 1.1.1l-r7         | 1.1.1n-r0     |                                      |
|              |                  |          |                   |               |                                      |
|              |                  |          |                   |               |                                      |
|              |                  |          |                   |               |                                      |
+--------------+------------------+----------+-------------------+---------------+--------------------------------------+

Java (jar)
==========
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Additional details (base image name, container registry info…):

Minimal Dockerfile to replicate. CVE-2017-18640 should be detected in /opt/agent-bond.jar. Also pushed to kobusvschoor/trivy-test:latest for your convenience.

# Minimal reproduction: Alpine base plus one old jar fetched from Maven Central.
FROM alpine:latest

# agent-bond-agent 1.2.0 bundles org.yaml:snakeyaml 1.16, which is affected by CVE-2017-18640.
RUN apk add curl && curl https://repo1.maven.org/maven2/io/fabric8/agent-bond-agent/1.2.0/agent-bond-agent-1.2.0.jar -o /opt/agent-bond.jar
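The reproduction above is, in effect, a scanner canary: an image with one known-vulnerable jar that a working Trivy must flag. The following script, added here as an illustration and not part of the issue or of Trivy itself, turns that expectation into an automated check over Trivy's JSON output. It assumes the Trivy JSON report layout ("Results" entries carrying "Target", "Type", "Packages" and "Vulnerabilities", with "Packages" populated only when the scan is run with --list-all-pkgs) and embeds a constructed sample report modelled on the v0.24.4 run in this issue, where the jar's package is listed but no finding is reported. The expected finding (org.yaml:snakeyaml / CVE-2017-18640) is taken from the reporter's v0.19.2 output.

```python
"""Canary check for Trivy scan coverage.

Two checks over a Trivy JSON report:
  1. every expected (package, CVE) pair from a known-vulnerable fixture
     image is actually present in the findings;
  2. list scan targets where packages were enumerated but zero
     vulnerabilities were reported, the signature of the false negative
     described in this issue.

Assumed report layout (Trivy JSON, SchemaVersion 2): top-level "Results",
each with "Target", "Type", optional "Packages" (needs --list-all-pkgs) and
optional "Vulnerabilities" (omitted entirely when there are none).

Usage (example, not part of the original issue):
  trivy image --format json --list-all-pkgs -o report.json kobusvschoor/trivy-test:latest
  python3 check_scan.py report.json
"""
import json
import sys

# Constructed sample mirroring the v0.24.4 run in the report: the OS layer
# has a finding, the jar target lists snakeyaml 1.16 but no vulnerabilities.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "kobusvschoor/trivy-test:latest",
    "Results": [
        {
            "Target": "kobusvschoor/trivy-test:latest (alpine 3.15.0)",
            "Class": "os-pkgs",
            "Type": "alpine",
            "Packages": [{"Name": "libssl1.1", "Version": "1.1.1l-r7"}],
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2022-0778", "PkgName": "libssl1.1",
                 "InstalledVersion": "1.1.1l-r7", "FixedVersion": "1.1.1n-r0",
                 "Severity": "HIGH"}
            ],
        },
        {
            "Target": "Java",
            "Class": "lang-pkgs",
            "Type": "jar",
            "Packages": [{"Name": "org.yaml:snakeyaml", "Version": "1.16"}],
            # "Vulnerabilities" deliberately absent: Trivy omits the key when empty.
        },
    ],
})

# What the fixture image must produce for the scanner to count as working.
EXPECTED_FINDINGS = [("org.yaml:snakeyaml", "CVE-2017-18640")]


def load_report(text):
    """Parse a Trivy JSON report from a string."""
    return json.loads(text)


def all_findings(report):
    """Return the set of (package name, vulnerability ID) pairs in the report."""
    found = set()
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            found.add((vuln["PkgName"], vuln["VulnerabilityID"]))
    return found


def missing_expected(report, expected):
    """Expected (package, CVE) pairs that the scanner failed to report."""
    return sorted(set(expected) - all_findings(report))


def silent_targets(report):
    """Targets where packages were enumerated but no vulnerability reported.

    Zero findings is not wrong by itself (a fully patched jar also yields
    zero), so these are surfaced for review rather than treated as failures.
    Returns (target, type, number of listed packages) tuples.
    """
    silent = []
    for result in report.get("Results") or []:
        packages = result.get("Packages") or []
        if packages and not (result.get("Vulnerabilities") or []):
            silent.append((result["Target"], result.get("Type"), len(packages)))
    return silent


def main(path=None):
    """Run both checks; exit status 1 if an expected finding is missing."""
    text = open(path, encoding="utf-8").read() if path else SAMPLE_REPORT
    report = load_report(text)
    for target, kind, count in silent_targets(report):
        print(f"review: {target} ({kind}) lists {count} package(s) but no findings")
    missing = missing_expected(report, EXPECTED_FINDINGS)
    for pkg, cve in missing:
        print(f"FAIL: expected {cve} for {pkg} was not reported")
    return 1 if missing else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run against the constructed sample the script reports the jar target as silent and fails on the missing CVE-2017-18640, which is exactly the regression this issue describes; run against the v0.19.2-style output it would pass. Treating a known-vulnerable fixture as a required finding in CI catches a scanner that quietly stops matching a package type, which a green "Total: 0" line never will.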

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 21 (17 by maintainers)

Most upvoted comments

@kobus-v-schoor thanks for your report! I’ll try to clarify this issue.