Trivy can't find vulnerable transitive dependency on an image

[ASarco]

IDs

CVE-2024-25710 CVE-2024-26308

Description

According to CVE-2024-25710 and CVE-2024-26308 , commons-compress 1.24.0 has a vulnerability. However, on a Maven Spring Boot project with modules, if this dependency is transitively added through lastest Testcontainers, Trivy image scan doesn't find it. This behaviour doesn't seem to happen on project with no modules, or when scanning the filesystem.

 trivy filesystem . -s CRITICAL,HIGH
2024-02-23T17:16:11.558Z        INFO    Vulnerability scanning is enabled
2024-02-23T17:16:11.558Z        INFO    Secret scanning is enabled
2024-02-23T17:16:11.559Z        INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-02-23T17:16:11.559Z        INFO    Please see also https://aquasecurity.github.io/trivy/v0.49/docs/scanner/secret/#recommendation for faster secret detection
2024-02-23T17:16:12.042Z        INFO    Number of language-specific files: 3
2024-02-23T17:16:12.043Z        INFO    Detecting pom vulnerabilities...

M1/pom.xml (pom)
================
Total: 2 (HIGH: 2, CRITICAL: 0)

┌─────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│               Library               │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                            │
├─────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ org.apache.commons:commons-compress │ CVE-2024-25710 │ HIGH     │ fixed  │ 1.24.0            │ 1.26.0        │ commons-compress: Denial of service caused by an infinite   │
│                                     │                │          │        │                   │               │ loop for a corrupted...                                     │
│                                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-25710                  │
│                                     ├────────────────┤          │        │                   │               ├─────────────────────────────────────────────────────────────┤
│                                     │ CVE-2024-26308 │          │        │                   │               │ commons-compress: OutOfMemoryError unpacking broken Pack200 │
│                                     │                │          │        │                   │               │ file                                                        │
│                                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-26308                  │

Reproduction Steps

1. Clone the example repo: https://github.com/ASarco/trivyexample
2. Build the image with:  ./mvnw -B clean install -DskipTests=true 
3. Run trivy: trivy image docker.io/trivytest/m2:latest -s CRITICAL,HIGH

Target

Container Image

Scanner

Vulnerability

Target OS

Win 10 with docker

Debug Output

 trivy image docker.io/trivytest/m2:latest -s CRITICAL,HIGH --debug
2024-02-23T17:06:20.518Z        DEBUG   Severities: ["CRITICAL" "HIGH"]
2024-02-23T17:06:20.519Z        DEBUG   Ignore statuses {"statuses": null}
2024-02-23T17:06:20.524Z        DEBUG   cache dir:  C:\Users\sarc83518\AppData\Local\trivy
2024-02-23T17:06:20.526Z        DEBUG   DB update was skipped because the local DB was downloaded during the last hour
2024-02-23T17:06:20.527Z        DEBUG   DB Schema: 2, UpdatedAt: 2024-02-23 00:14:48.102665047 +0000 UTC, NextUpdate: 2024-02-23 06:14:48.102664466 +0000 UTC, DownloadedAt: 2024-02-23 16:52:40.6604441 +0000 UTC
2024-02-23T17:06:20.531Z        INFO    Vulnerability scanning is enabled
2024-02-23T17:06:20.531Z        DEBUG   Vulnerability type:  [os library]
2024-02-23T17:06:20.531Z        INFO    Secret scanning is enabled
2024-02-23T17:06:20.532Z        INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-02-23T17:06:20.532Z        INFO    Please see also https://aquasecurity.github.io/trivy/v0.49/docs/scanner/secret/#recommendation for faster secret detection
2024-02-23T17:06:20.532Z        DEBUG   Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan]
2024-02-23T17:06:20.657Z        DEBUG   No secret config detected: trivy-secret.yaml
2024-02-23T17:06:20.657Z        DEBUG   The nuget packages directory couldn't be found. License search disabled
2024-02-23T17:06:20.658Z        DEBUG   No secret config detected: trivy-secret.yaml
2024-02-23T17:06:20.658Z        DEBUG   Image ID: sha256:3a6e38d88f332e7435dfbcb961f569e082e56e1e70474695afa9c6926efe26a3
2024-02-23T17:06:20.659Z        DEBUG   Diff IDs: [sha256:d101c9453715a978a2a520f553588e77dfb4236762175eba61c5c264a449c75d sha256:3f2333e5ae1ba4f388e16a8c284e4c8a6c0fc6ddd5fc423de945727d7c9b0316 sha256:508a98b5683ca1d9a4e18802b6884991
5c63fc4f4c2f42c4e2294b3ead8f6e86 sha256:3defa3ae8fad9067aa1e6631b55c62df121afd7084f566e345e169efa37452fc sha256:118ec7df23244db89187bcde5f6be02b93f414cfa0b740d1ecc942c7f875c15c sha256:1db18a3f2dfdad7ed39b04051b671de67006f7972bce2a1d42
8eb0ec9b310931 sha256:bea0a3dc2651cac7c9c567a5cb4e7536107b357cb9113e8806f690f050500012 sha256:63947728e20f9b14d86f38d054f5c731a885dde465e5df2b24d404330dd744ab sha256:417e5bfc3c82b9373cf6804206e071d2fc74560df867d0f39cb21ac3d15231b6 sha
256:3e93ba17fe2b0dd1f3c5d5a18ebc55345d225d42dd9561db159da15d5b1bc842 sha256:585d8b141d7aa07eecde5a1bae075c7898ab5809a215d66f160d3dfd46eaf577 sha256:cdd4575ae9b376f8c8925c9b305123f24c4afaf52bfe5efcbf0283adfbd4fc6a sha256:e176f5200b56ff
222ab5119670d86dd1c41dee1d48b22489f257fbb01125d478 sha256:bb45bcb89b6be292954b2e81e9ece0f4bd874d1f35fd66988b51a42313a458e3 sha256:ab99df5db2b97d32fa490bf9196b11e367a7f722f7df9f914fbfe4914305e43e sha256:5f70bf18a086007016e948b04aed3b82
103a36bea41755b6cddfaf10ace3c6ef sha256:b29a89339ae4830610cf8323e4087bba61b25ade9d62fd1d1397c324dc455ef6 sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef sha256:6ab16bbb5573e8d715efe9c69d1e0c483439272db1c17b992a
385e135f6ef0a7 sha256:39a06d9d9e3100f6e3d818c51fa1febe4de7969eec0e5d1aa4963b2892866933 sha256:1dc94a70dbaa2171fb086500a5d27797f779219b126b0a1eebb9180c2792e80e]
2024-02-23T17:06:20.659Z        DEBUG   Base Layers: []
2024-02-23T17:06:20.676Z        INFO    Detected OS: ubuntu
2024-02-23T17:06:20.677Z        INFO    Detecting Ubuntu vulnerabilities...
2024-02-23T17:06:20.677Z        DEBUG   ubuntu: os version: 22.04
2024-02-23T17:06:20.677Z        DEBUG   ubuntu: the number of packages: 108
2024-02-23T17:06:20.680Z        INFO    Number of language-specific files: 5
2024-02-23T17:06:20.680Z        INFO    Detecting gobinary vulnerabilities...
2024-02-23T17:06:20.680Z        DEBUG   Detecting library vulnerabilities, type: gobinary, path: layers/paketo-buildpacks_bellsoft-liberica/helper/helper
2024-02-23T17:06:20.682Z        DEBUG   Detecting library vulnerabilities, type: gobinary, path: layers/paketo-buildpacks_spring-boot/helper/helper
2024-02-23T17:06:20.682Z        DEBUG   Detecting library vulnerabilities, type: gobinary, path: layers/paketo-buildpacks_ca-certificates/helper/helper
2024-02-23T17:06:20.682Z        DEBUG   Detecting library vulnerabilities, type: gobinary, path: cnb/lifecycle/launcher
2024-02-23T17:06:20.682Z        INFO    Detecting jar vulnerabilities...
2024-02-23T17:06:20.683Z        DEBUG   Detecting library vulnerabilities, type: jar, path:

docker.io/trivytest/m2:latest (ubuntu 22.04)
============================================
Total: 0 (HIGH: 0, CRITICAL: 0)

Version

 trivy --version
Version: 0.49.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-02-23 00:14:48.102665047 +0000 UTC
  NextUpdate: 2024-02-23 06:14:48.102664466 +0000 UTC
  DownloadedAt: 2024-02-23 16:52:40.6604441 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-02-22 04:45:27.539778706 +0000 UTC
  NextUpdate: 2024-02-25 04:45:27.539778585 +0000 UTC
  DownloadedAt: 2024-02-22 12:51:51.5298651 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[DmitriyLewen]

Hello @ASarco
Thanks for your report!

Your test repository is private. Can you make it public please?

Regards, Dmitriy

[DmitriyLewen]

@ASarco I got error when trying to build application (from root or M1 dir).
Can you just push a test image to Docker Hub/ghcr?
This will save me a lot of time.

[ASarco]

Sure, I'll try to upload it today, I'll let you know when it's done.

[ASarco]

It's uploaded: docker pull asarco/dockerhub:trivytest

BTW, Docker Scout finds the vulnerability in commons-compress 1.24.0

[DmitriyLewen]

Thanks!
I check your image.
Trivy correctly detects these CVEs:

➜ trivy -d image asarco/dockerhub:trivytest
...
Java (jar)

Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 4, CRITICAL: 0)

┌─────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│               Library               │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                            │
├─────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ org.apache.commons:commons-compress │ CVE-2024-25710 │ HIGH     │ fixed  │ 1.24.0            │ 1.26.0        │ commons-compress: Denial of service caused by an infinite   │
│                                     │                │          │        │                   │               │ loop for a corrupted...                                     │
│                                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-25710                  │
├─────────────────────────────────────┤                │          │        │                   │               │                                                             │
│ org.apache.commons:commons-compress │                │          │        │                   │               │                                                             │
│ (commons-compress-1.24.0.jar)       │                │          │        │                   │               │                                                             │
│                                     │                │          │        │                   │               │                                                             │
├─────────────────────────────────────┼────────────────┤          │        │                   │               ├─────────────────────────────────────────────────────────────┤
│ org.apache.commons:commons-compress │ CVE-2024-26308 │          │        │                   │               │ commons-compress: OutOfMemoryError unpacking broken Pack200 │
│                                     │                │          │        │                   │               │ file                                                        │
│                                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-26308                  │
├─────────────────────────────────────┤                │          │        │                   │               │                                                             │
│ org.apache.commons:commons-compress │                │          │        │                   │               │                                                             │
│ (commons-compress-1.24.0.jar)       │                │          │        │                   │               │                                                             │
│                                     │                │          │        │                   │               │                                                             │
└─────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

i recheck your example:

M1/pom.xml (pom)
================
Total: 2 (HIGH: 2, CRITICAL: 0)

you checked M1 dir for pom.xml

trivy image docker.io/trivytest/m2:latest -s CRITICAL,HIGH --debug

but image for M2

[ASarco]

Oh, I see. Sorry for wasting your time, but actually I can see now where our problem is. We create our image based on M2 (different name in our actual app), because M1 and M3 are more like libraries contributing to M1. This is an inherited app that we have dockerized so maybe we should review how we do it.
Thanks.

[DmitriyLewen]

I close this discussion. Feel free to reopen this discussion if you still have questions.

Regards, Dmitiry