Trivy not detecting CVE 2022-37734, 2023-28867, 2024-22233 in jar file

[pcbadger]

IDs

2022-37734, 2023-28867, 2024-22233

Description

I've just added trivy to our pipeline and in some cases it's scanning the images and the jar files on them with no issue and in others it appeared to be ignoring the jar file. After further investigation, it turned out to be scanning the jar file, just ignoring certain CVEs.
These here are picked up by maven, but not by trivy. I'm using the latest version and the latest DB. I checked the DB with boltbrowser and they're there under the maven section

graphql-java-codegen-5.9.0.jar NVD CVE-2022-37734 High NVD-CWE-Other
graphql-java-codegen-5.9.0.jar NVD CVE-2023-28867 High CWE-770
spring-core-6.0.14.jar OSS INDEX CVE-2024-22233 High CWE-noinfo

TBH, this smells like it could be a feature I don't understand rather than a bug, but I'd like some opinions please.

Reproduction Steps

1. mvn clean install
2. docker build -t myimage .
3. docker save myimage >  image_to_scan.tar
3. trivy image  --input image_to_scan.tar --scanners vuln --debug

Target

Container Image

Scanner

Vulnerability

Target OS

alpine 3.18

Debug Output

trivy image  --input image_to_scan.tar --scanners vuln --debug
2024-02-06T15:50:29.187Z	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-02-06T15:50:29.188Z	DEBUG	Ignore statuses	{"statuses": null}
2024-02-06T15:50:29.232Z	DEBUG	cache dir:  /Users/#######/Library/Caches/trivy
2024-02-06T15:50:29.233Z	DEBUG	DB update was skipped because the local DB is the latest
2024-02-06T15:50:29.233Z	DEBUG	DB Schema: 2, UpdatedAt: 2024-02-06 12:12:54.708265153 +0000 UTC, NextUpdate: 2024-02-06 18:12:54.708264381 +0000 UTC, DownloadedAt: 2024-02-06 15:09:05.131622 +0000 UTC
2024-02-06T15:50:29.233Z	INFO	Vulnerability scanning is enabled
2024-02-06T15:50:29.234Z	DEBUG	Vulnerability type:  [os library]
2024-02-06T15:50:29.366Z	DEBUG	The nuget packages directory couldn't be found. License search disabled
2024-02-06T15:50:29.366Z	DEBUG	Image ID: sha256:20445a7c4e481e69d8af66aab1212fd8f0b3889c26ef8c9378b7c5e1cfdf3b08
2024-02-06T15:50:29.367Z	DEBUG	Diff IDs: [sha256:cc2447e1835a40530975ab80bb1f872fbab0f2a0faecf2ab16fbbb89b3589438 sha256:f314066c69348832caa4ee93d3eb3bcc11e63001e3bcf020e9fd83c96ace7482 sha256:22bf74b2421f27ab1892c376590f6c9a520f7cee7f5eb57cb00c98367edfe82f sha256:34a768934574c5f6a05756c55d7e8aef0f57153e17c7751f7156b30593117567 sha256:31faa5a4de86174bcb24e2a082f179188f4d4128e39ea57fc33887de7a4d7406 sha256:0377f7dbfe4cf3467a1a35466a5364c9ee92674db9a330091305ae4926ac6ef6 sha256:83f1f6319e0d6c910a27f652154b98ac248eb04ab8ae5b20cb29105b0f1decb5 sha256:84b5cea7c66743dee39f644311336e8134efff909a86e231ab3798770f60f373 sha256:fb7893418d8e444074d23db1d7d22840e323b6d1fd6401fab46dacb8e1167284 sha256:203ec967e2e921217cd4df4066353e082a494090f92ad5da98e1ed514dea1bcd sha256:98d59e5cb3f8cc87f30ea4d037ea4b92ae964edc1f76762216f441b405d6ef54 sha256:c93b026ad6a69822c942648029f31abb553372993f91d62f6e6fb602ec3c297b sha256:b4897f4aaf570357b8768919d02be61aa2b93a69f7347ad3e76c0149b3671876 sha256:5707121ca15f196e511359fbc83078d445e8177b94cce70381b53c89db3b869d sha256:517fec2bd0c54ae6cdd4b1062a7d67eaf4f1155ed3b55cb82496ca50fcb1647f sha256:1b19e8502ce020aef400e4998782159e09ab7ed5131c1377529d50b0cc0ce48b sha256:8c22ad8c82eb5b76bf4d29d67e865a8fbb89b344ab0bc1e75fea5f2f1f8dbfb6 sha256:ea08d5eb17fc9862dbf65d05e1c50132e3854acffd372e4af535f9f502f7a330 sha256:9de417afd450e5ee7e6df60802ca7f3b13ead36ef07cc288c7b8cdba7c1db6ea]
2024-02-06T15:50:29.367Z	DEBUG	Base Layers: [sha256:cc2447e1835a40530975ab80bb1f872fbab0f2a0faecf2ab16fbbb89b3589438]
2024-02-06T15:50:29.370Z	INFO	Detected OS: alpine
2024-02-06T15:50:29.370Z	INFO	Detecting Alpine vulnerabilities...
2024-02-06T15:50:29.370Z	DEBUG	alpine: os version: 3.18
2024-02-06T15:50:29.370Z	DEBUG	alpine: package repository: 3.18
2024-02-06T15:50:29.370Z	DEBUG	alpine: the number of packages: 51
2024-02-06T15:50:29.374Z	INFO	Number of language-specific files: 1
2024-02-06T15:50:29.374Z	INFO	Detecting jar vulnerabilities...
2024-02-06T15:50:29.374Z	DEBUG	Detecting library vulnerabilities, type: jar, path:

image_to_scan.tar (alpine 3.18.4)

Total: 13 (UNKNOWN: 0, LOW: 0, MEDIUM: 13, HIGH: 0, CRITICAL: 0)

┌────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│  Library   │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ curl       │ CVE-2023-46218 │ MEDIUM   │ fixed  │ 8.4.0-r0          │ 8.5.0-r0      │ curl: information disclosure by exploiting a mixed case flaw │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-46218                   │
│            ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│            │ CVE-2023-46219 │          │        │                   │               │ curl: excessively long file name may lead to unknown HSTS    │
│            │                │          │        │                   │               │ status                                                       │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-46219                   │
├────────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libcrypto3 │ CVE-2023-6129  │          │        │ 3.1.4-r1          │ 3.1.4-r3      │ openssl: POLY1305 MAC implementation corrupts vector         │
│            │                │          │        │                   │               │ registers on PowerPC                                         │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-6129                    │
│            ├────────────────┤          │        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│            │ CVE-2023-6237  │          │        │                   │ 3.1.4-r4      │ openssl: Excessive time spent checking invalid RSA public    │
│            │                │          │        │                   │               │ keys                                                         │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-6237                    │
│            ├────────────────┤          │        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│            │ CVE-2024-0727  │          │        │                   │ 3.1.4-r5      │ openssl: denial of service via null dereference              │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-0727                    │
├────────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libcurl    │ CVE-2023-46218 │          │        │ 8.4.0-r0          │ 8.5.0-r0      │ curl: information disclosure by exploiting a mixed case flaw │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-46218                   │
│            ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│            │ CVE-2023-46219 │          │        │                   │               │ curl: excessively long file name may lead to unknown HSTS    │
│            │                │          │        │                   │               │ status                                                       │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-46219                   │
├────────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libssl3    │ CVE-2023-6129  │          │        │ 3.1.4-r1          │ 3.1.4-r3      │ openssl: POLY1305 MAC implementation corrupts vector         │
│            │                │          │        │                   │               │ registers on PowerPC                                         │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-6129                    │
│            ├────────────────┤          │        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│            │ CVE-2023-6237  │          │        │                   │ 3.1.4-r4      │ openssl: Excessive time spent checking invalid RSA public    │
│            │                │          │        │                   │               │ keys                                                         │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-6237                    │
│            ├────────────────┤          │        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│            │ CVE-2024-0727  │          │        │                   │ 3.1.4-r5      │ openssl: denial of service via null dereference              │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-0727                    │
├────────────┼────────────────┤          │        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│ openssl    │ CVE-2023-6129  │          │        │                   │ 3.1.4-r3      │ openssl: POLY1305 MAC implementation corrupts vector         │
│            │                │          │        │                   │               │ registers on PowerPC                                         │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-6129                    │
│            ├────────────────┤          │        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│            │ CVE-2023-6237  │          │        │                   │ 3.1.4-r4      │ openssl: Excessive time spent checking invalid RSA public    │
│            │                │          │        │                   │               │ keys                                                         │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-6237                    │
│            ├────────────────┤          │        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│            │ CVE-2024-0727  │          │        │                   │ 3.1.4-r5      │ openssl: denial of service via null dereference              │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-0727                    │
└────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──

Version

trivy --version
Version: 0.46.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-02-06 12:12:54.708265153 +0000 UTC
  NextUpdate: 2024-02-06 18:12:54.708264381 +0000 UTC
  DownloadedAt: 2024-02-06 15:09:05.131622 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-02-06 00:43:50.236466389 +0000 UTC
  NextUpdate: 2024-02-09 00:43:50.236466208 +0000 UTC
  DownloadedAt: 2024-02-06 11:17:19.604257 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[DmitriyLewen]

Hello @pcbadger
Thanks for your interest to Trivy.

Can you share your image for investigation?
If not- rescan the image with -f json --list-all-pkgs flags and check that Trivy correctly finds packages from these jar files.

Regards, Dmitriy

[pcbadger]

Thanks for the reply. Unfortunately I can't share the image, but I have run the scan and can confirm the affected packages show up.

` {
"Name": "io.github.kobylynskyi:graphql-java-codegen",
"Version": "5.9.0",
"Layer": {
"DiffID": "sha256:9de417afd450e5ee7e6df60802ca7f3b13ead36ef07cc288c7b8cdba7c1db6ea"
},
"FilePath": "app/app.jar/BOOT-INF/lib/graphql-java-codegen-5.9.0.jar"
},

            {
      "Name": "org.springframework:spring-core",
      "Version": "6.0.14",
      "Layer": {
        "DiffID": "sha256:9de417afd450e5ee7e6df60802ca7f3b13ead36ef07cc288c7b8cdba7c1db6ea"
      },
      "FilePath": "app/app.jar/BOOT-INF/lib/spring-core-6.0.14.jar"
    },`

[DmitriyLewen]

io.github.kobylynskyi:graphql-java-codegen

But GitHub database only marks package com.graphql-java:graphql-java as affected:
GHSA-v62j-cxhh-fq22
GHSA-p4qx-6w5p-4rj2

  "Name": "org.springframework:spring-core",

  "Version": "6.0.14",

CVE-2024-22233 only affects versions 6.1.2 and 6.0.15:
GHSA-r4q3-7g4q-x89m