trivy: Missing vulnerabilities for jar files
Description
Trivy (v0.24.4) detects the packages inside a jar file downloaded in a docker container, but does not report the vulnerabilities associated with old packages inside the jar. This however does not happen with a very old version of trivy (0.19.2), which I tested due to #1385.
What did you expect to happen?
The vulnerabilities should be reported
What happened instead?
The vulnerabilities were not reported, even though the packages were listed when using --list-all-pkgs
Output of run with -debug:
Output of trivy v0.19.2:
~# trivy -debug image kobusvschoor/trivy-test:latest
2022-03-22T17:22:38.648+0200 DEBUG Severities: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
2022-03-22T17:22:38.650+0200 DEBUG cache dir: /root/.cache/trivy
2022-03-22T17:22:38.650+0200 DEBUG DB update was skipped because DB is the latest
2022-03-22T17:22:38.650+0200 DEBUG DB Schema: 1, Type: 1, UpdatedAt: 2022-03-22 12:51:11.957750746 +0000 UTC, NextUpdate: 2022-03-22 18:51:11.957749946 +0000 UTC, DownloadedAt: 2022-03-22 15:03:49.039622751 +0000 UTC
2022-03-22T17:22:38.650+0200 DEBUG Vulnerability type: [os library]
2022-03-22T17:22:41.116+0200 DEBUG Image ID: sha256:ff1692feb4c997ec10e90e43f02481caa8d4acbb5092dcf25242da7bd799413f
2022-03-22T17:22:41.116+0200 DEBUG Diff IDs: [sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759 sha256:ac82834fd1e9fb53aae057a68e9084053d217c950d64e0cb8286da51ff93665b]
2022-03-22T17:22:41.117+0200 INFO Detected OS: alpine
2022-03-22T17:22:41.117+0200 WARN This OS version is not on the EOL list: alpine 3.15
2022-03-22T17:22:41.117+0200 INFO Detecting Alpine vulnerabilities...
2022-03-22T17:22:41.117+0200 DEBUG alpine: os version: 3.15
2022-03-22T17:22:41.117+0200 DEBUG alpine: the number of packages: 19
2022-03-22T17:22:41.121+0200 INFO Number of language-specific files: 1
2022-03-22T17:22:41.121+0200 INFO Detecting jar vulnerabilities...
2022-03-22T17:22:41.121+0200 DEBUG Detecting library vulnerabilities, type: jar, path: opt/agent-bond.jar
2022-03-22T17:22:41.121+0200 WARN This OS version is no longer supported by the distribution: alpine 3.15.0
2022-03-22T17:22:41.121+0200 WARN The vulnerability detection may be insufficient because security updates are not provided
kobusvschoor/trivy-test:latest (alpine 3.15.0)
==============================================
Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 3, CRITICAL: 0)
+--------------+------------------+----------+-------------------+---------------+--------------------------------------+
|   LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                TITLE                 |
+--------------+------------------+----------+-------------------+---------------+--------------------------------------+
| libcrypto1.1 | CVE-2022-0778    | HIGH     | 1.1.1l-r7         | 1.1.1n-r0     | openssl: Infinite loop in            |
|              |                  |          |                   |               | BN_mod_sqrt() reachable              |
|              |                  |          |                   |               | when parsing certificates            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-0778 |
+--------------+                  +          +-------------------+---------------+                                      +
| libretls     |                  |          | 3.3.4-r2          | 3.3.4-r3      |                                      |
|              |                  |          |                   |               |                                      |
|              |                  |          |                   |               |                                      |
|              |                  |          |                   |               |                                      |
+--------------+                  +          +-------------------+---------------+                                      +
| libssl1.1    |                  |          | 1.1.1l-r7         | 1.1.1n-r0     |                                      |
|              |                  |          |                   |               |                                      |
|              |                  |          |                   |               |                                      |
|              |                  |          |                   |               |                                      |
+--------------+------------------+----------+-------------------+---------------+--------------------------------------+
opt/agent-bond.jar (jar)
========================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
+--------------------+------------------+----------+-------------------+---------------+---------------------------------------+
|      LIBRARY       | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+--------------------+------------------+----------+-------------------+---------------+---------------------------------------+
| org.yaml:snakeyaml | CVE-2017-18640   | HIGH     | 1.16              | 1.26          | snakeyaml: Billion laughs             |
|                    |                  |          |                   |               | attack via alias feature              |
|                    |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2017-18640 |
+--------------------+------------------+----------+-------------------+---------------+---------------------------------------+
Output of trivy v0.24.4:
trivy -debug image kobusvschoor/trivy-test:latest
2022-03-22T17:24:10.366+0200 DEBUG Severities: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
2022-03-22T17:24:10.375+0200 DEBUG cache dir: /root/.cache/trivy
2022-03-22T17:24:10.375+0200 DEBUG DB update was skipped because the local DB is the latest
2022-03-22T17:24:10.375+0200 DEBUG DB Schema: 2, UpdatedAt: 2022-03-22 12:08:44.214254904 +0000 UTC, NextUpdate: 2022-03-22 18:08:44.214254704 +0000 UTC, DownloadedAt: 2022-03-22 14:47:19.047274376 +0000 UTC
2022-03-22T17:24:10.375+0200 DEBUG Vulnerability type: [os library]
2022-03-22T17:24:12.868+0200 DEBUG Image ID: sha256:ff1692feb4c997ec10e90e43f02481caa8d4acbb5092dcf25242da7bd799413f
2022-03-22T17:24:12.868+0200 DEBUG Diff IDs: [sha256:8d3ac3489996423f53d6087c81180006263b79f206d3fdec9e66f0e27ceb8759 sha256:ac82834fd1e9fb53aae057a68e9084053d217c950d64e0cb8286da51ff93665b]
2022-03-22T17:24:12.869+0200 DEBUG Missing image ID: sha256:ff1692feb4c997ec10e90e43f02481caa8d4acbb5092dcf25242da7bd799413f
2022-03-22T17:24:12.869+0200 DEBUG Missing diff ID: sha256:ac82834fd1e9fb53aae057a68e9084053d217c950d64e0cb8286da51ff93665b
2022-03-22T17:24:13.162+0200 DEBUG Parsing Java artifacts... {"file": "opt/agent-bond.jar"}
2022-03-22T17:24:14.070+0200 DEBUG Missing image cache: sha256:b92a69d5e6571026e81e8718affff1eec5ee6b4f98d98cbee4b916b2db857f53
2022-03-22T17:24:14.072+0200 INFO Detected OS: alpine
2022-03-22T17:24:14.072+0200 INFO Detecting Alpine vulnerabilities...
2022-03-22T17:24:14.072+0200 DEBUG alpine: os version: 3.15
2022-03-22T17:24:14.072+0200 DEBUG alpine: the number of packages: 19
2022-03-22T17:24:14.074+0200 INFO Number of language-specific files: 1
2022-03-22T17:24:14.074+0200 INFO Detecting jar vulnerabilities...
2022-03-22T17:24:14.074+0200 DEBUG Detecting library vulnerabilities, type: jar, path:
kobusvschoor/trivy-test:latest (alpine 3.15.0)
==============================================
Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 3, CRITICAL: 0)
+--------------+------------------+----------+-------------------+---------------+--------------------------------------+
|   LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                TITLE                 |
+--------------+------------------+----------+-------------------+---------------+--------------------------------------+
| libcrypto1.1 | CVE-2022-0778    | HIGH     | 1.1.1l-r7         | 1.1.1n-r0     | openssl: Infinite loop in            |
|              |                  |          |                   |               | BN_mod_sqrt() reachable              |
|              |                  |          |                   |               | when parsing certificates            |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-0778 |
+--------------+                  +          +-------------------+---------------+                                      +
| libretls     |                  |          | 3.3.4-r2          | 3.3.4-r3      |                                      |
|              |                  |          |                   |               |                                      |
|              |                  |          |                   |               |                                      |
|              |                  |          |                   |               |                                      |
+--------------+                  +          +-------------------+---------------+                                      +
| libssl1.1    |                  |          | 1.1.1l-r7         | 1.1.1n-r0     |                                      |
|              |                  |          |                   |               |                                      |
|              |                  |          |                   |               |                                      |
|              |                  |          |                   |               |                                      |
+--------------+------------------+----------+-------------------+---------------+--------------------------------------+
Java (jar)
==========
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
Additional details (base image name, container registry info…):
Minimal Dockerfile to replicate. CVE-2017-18640 should be detected in /opt/agent-bond.jar. Also pushed to kobusvschoor/trivy-test:latest for your convenience.
FROM alpine:latest
RUN apk add curl && curl https://repo1.maven.org/maven2/io/fabric8/agent-bond-agent/1.2.0/agent-bond-agent-1.2.0.jar -o /opt/agent-bond.jar
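As an added example (not from the issue or the Trivy project), a check a pipeline can run over Trivy's JSON output (`trivy image -f json --list-all-pkgs`) to catch exactly this failure mode: a known-vulnerable package pinned in a canary image whose CVE disappears from the report, and a jar target whose packages were parsed but which ends up with an empty path and no findings. The report fragments are constructed to mirror the two runs above; field names follow Trivy's JSON report layout as assumed here (`Results`, `Class`, `Packages`, `Vulnerabilities`).

```python
import json

# Constructed sample in the layout of Trivy's JSON report (SchemaVersion 2), mirroring the
# two runs in this issue: v0.19.2 attributes CVE-2017-18640 to opt/agent-bond.jar; v0.24.4
# parses the jar's packages (as --list-all-pkgs showed) but has an empty target, no findings.
SNAKEYAML = {"Name": "org.yaml:snakeyaml", "Version": "1.16"}
CVE = {"VulnerabilityID": "CVE-2017-18640", "PkgName": "org.yaml:snakeyaml",
       "InstalledVersion": "1.16", "FixedVersion": "1.26", "Severity": "HIGH"}
REPORT_OLD = {"SchemaVersion": 2, "ArtifactName": "kobusvschoor/trivy-test:latest",
              "Results": [{"Target": "opt/agent-bond.jar", "Class": "lang-pkgs",
                           "Type": "jar", "Packages": [SNAKEYAML], "Vulnerabilities": [CVE]}]}
REPORT_NEW = {"SchemaVersion": 2, "ArtifactName": "kobusvschoor/trivy-test:latest",
              "Results": [{"Target": "", "Class": "lang-pkgs", "Type": "jar",
                           "Packages": [SNAKEYAML]}]}


def load_report(path):
    """Load a report written with `trivy image -f json -o <path> --list-all-pkgs <image>`."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def reported_cves(report, pkg_name):
    """IDs the report attributes to pkg_name across all targets (OS and language)."""
    return {v["VulnerabilityID"] for r in report.get("Results", [])
            for v in r.get("Vulnerabilities") or [] if v.get("PkgName") == pkg_name}


def silent_misses(report):
    """Language targets whose packages were parsed but that have no target path and
    no vulnerability entries. A clean jar can legitimately report zero findings, so
    the empty target is what separates a scanner fault from a clean result."""
    return [(r.get("Type"), len(r["Packages"])) for r in report.get("Results", [])
            if r.get("Class") == "lang-pkgs" and r.get("Packages")
            and not r.get("Target") and not r.get("Vulnerabilities")]


def regression_check(report, expected):
    """expected maps a package pinned in the canary image to the CVEs it must trigger.
    Returns the (package, cve) pairs the scanner failed to report; empty means OK."""
    return sorted((pkg, cve) for pkg, cves in expected.items()
                  for cve in cves if cve not in reported_cves(report, pkg))


if __name__ == "__main__":
    canary = {"org.yaml:snakeyaml": {"CVE-2017-18640"}}
    for label, rep in (("v0.19.2", REPORT_OLD), ("v0.24.4", REPORT_NEW)):
        print(label, "missing:", regression_check(rep, canary), "suspect:", silent_misses(rep))
```

Pointing `load_report` at a real report of the image built from the Dockerfile above turns this into a regression gate: a non-empty result from `regression_check` fails the pipeline instead of letting a clean-looking "Total: 0" pass.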
About this issue
- State: closed
- Created 2 years ago
- Comments: 21 (17 by maintainers)
@kobus-v-schoor thanks for your report! I’ll try to clarify this issue.