Trivy is not reporting many vulnerabilties

[venkatasandeeplade]

IDs

CVE-2020-3810,CVE-2021-43618,CVE-2022-1271,CVE-2022-44640,CVE-2023-26604,CVE-2023-26604,CVE-2021-24032,CVE-2022-40897,CVE-2023-35945,CVE-2020-29363

Description

Team we have a docker image which uses Ubuntu Focal version . We are trying to a comparison between Trivy and other commercial tool and observed below vulnerabilities are not reported in Trivy though they are applicable to Ubuntu Focal. Image OS details

NAME="Ubuntu"
VERSION="20.04.6 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.6 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal

Please find packages and CVEs that are applicable which trivy is not reporting

apt/2.0.9/amd64. https://nvd.nist.gov/vuln/detail/CVE-2020-3810
gmp/2:6.1.0+dfsg-2 https://ubuntu.com/security/CVE-2021-43618
gzip/1.10-0ubuntu https://ubuntu.com/security/CVE-2022-1271
libhcrypto4-heimdal/7.7.0+dfsg-1ubuntu1.2/amd64 https://ubuntu.com/security/CVE-2022-44640
libsystemd0/245.4-4ubuntu3.22/amd64 https://ubuntu.com/security/CVE-2023-26604
libudev1/245.4-4ubuntu3.22/amd64 https://ubuntu.com/security/CVE-2023-26604
libzstd/1.4.3+dfsg-1 https://ubuntu.com/security/CVE-2021-24032
nativesdk-python3-setuptools/45.2.0-r0/x86_64-nativesdk https://ubuntu.com/security/CVE-2022-40897
nghttp2/1.40.0-1 https://ubuntu.com/security/CVE-2023-35945
p11-kit/0.23.19-2 https://ubuntu.com/security/CVE-2020-29363

Trivy version details
Version: 0.45.1
Vulnerability DB:
Version: 2
UpdatedAt: 2024-03-23 12:13:41.031654956 +0000 UTC
NextUpdate: 2024-03-23 18:13:41.031654705 +0000 UTC
DownloadedAt: 2024-03-23 14:28:01.102631756 +0000 UTC

Trivy command used

/tmp/trivy/trivy image --exit-code 0 --ignore-unfixed --no-progress --timeout 15m --format json -o /tmp/trivy/image_vul.json

Reproduction Steps

Run trivy scan for Ubuntu-focal image
/tmp/trivy/trivy image --exit-code 0 --ignore-unfixed --no-progress --timeout 15m --format json  -o /tmp/trivy/image_vul.json <image>

Target

Container Image

Scanner

Vulnerability

Target OS

Ubuntu 20.04.6 LTS

Debug Output

2024-03-23T21:13:07.295+0530	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-03-23T21:13:07.298+0530	DEBUG	Ignore statuses	{"statuses": ["unknown","not_affected","affected","under_investigation","will_not_fix","fix_deferred","end_of_life"]}
2024-03-23T21:13:07.317+0530	DEBUG	cache dir:  /home/core/.cache/trivy
2024-03-23T21:13:07.318+0530	DEBUG	DB update was skipped because the local DB is the latest
2024-03-23T21:13:07.318+0530	DEBUG	DB Schema: 2, UpdatedAt: 2024-03-23 12:13:41.031654956 +0000 UTC, NextUpdate: 2024-03-23 18:13:41.031654705 +0000 UTC, DownloadedAt: 2024-03-23 14:28:01.102631756 +0000 UTC
2024-03-23T21:13:07.318+0530	INFO	Vulnerability scanning is enabled
2024-03-23T21:13:07.318+0530	DEBUG	Vulnerability type:  [os library]
2024-03-23T21:13:07.318+0530	INFO	Secret scanning is enabled
2024-03-23T21:13:07.318+0530	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-03-23T21:13:07.318+0530	INFO	Please see also https://aquasecurity.github.io/trivy/v0.45/docs/scanner/secret/#recommendation for faster secret detection
2024-03-23T21:13:07.328+0530	DEBUG	No secret config detected: trivy-secret.yaml
2024-03-23T21:13:07.329+0530	DEBUG	No secret config detected: trivy-secret.yaml
2024-03-23T21:13:07.351+0530	INFO	Detected OS: ubuntu
2024-03-23T21:13:07.351+0530	INFO	Detecting Ubuntu vulnerabilities...
2024-03-23T21:13:07.351+0530	DEBUG	ubuntu: os version: 20.04
2024-03-23T21:13:07.351+0530	DEBUG	ubuntu: the number of packages: 176
2024-03-23T21:13:07.365+0530	INFO	Number of language-specific files: 0

Version

Version: 0.45.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-03-23 12:13:41.031654956 +0000 UTC
  NextUpdate: 2024-03-23 18:13:41.031654705 +0000 UTC
  DownloadedAt: 2024-03-23 14:28:01.102631756 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[DmitriyLewen]

Hello @venkatasandeeplade
Thanks for your report!

Can you send your image?
Or perhaps you can create test image?

Regards, Dmitriy

[venkatasandeeplade]

Hi @DmitriyLewen our company policy doesn't allow us to share image. Is there anything else i can help with ?

[DmitriyLewen]

apt/2.0.9/amd64. https://nvd.nist.gov/vuln/detail/CVE-2020-3810
gmp/2:6.1.0+dfsg-2 https://ubuntu.com/security/CVE-2021-43618
gzip/1.10-0ubuntu https://ubuntu.com/security/CVE-2022-1271
libhcrypto4-heimdal/7.7.0+dfsg-1ubuntu1.2/amd64 https://ubuntu.com/security/CVE-2022-44640
libsystemd0/245.4-4ubuntu3.22/amd64 https://ubuntu.com/security/CVE-2023-26604
libudev1/245.4-4ubuntu3.22/amd64 https://ubuntu.com/security/CVE-2023-26604
libzstd/1.4.3+dfsg-1 https://ubuntu.com/security/CVE-2021-24032
nativesdk-python3-setuptools/45.2.0-r0/x86_64-nativesdk https://ubuntu.com/security/CVE-2022-40897
nghttp2/1.40.0-1 https://ubuntu.com/security/CVE-2023-35945
p11-kit/0.23.19-2 https://ubuntu.com/security/CVE-2020-29363

Can you run Trivy with the -f json --list-all-pkgs flag and compare the packages (and their versions) from the Packages array and these packages.

[venkatasandeeplade]

nativesdk-python3-setuptools is not seen
gmp , nghttp2 , p11-kit packages are seen with different name

for each in all.get('Results')[0].get('Packages'):
... print ("{}/{}".format(each.get('Name'),each.get('Version')))
...
apt/2.0.9
gzip/1.10
libhcrypto4-heimdal/7.7.0+dfsg
libsystemd0/245.4
libudev1/245.4
libzstd1/1.4.4+dfsg
libp11-kit0/0.23.20
libgmp10/6.2.0+dfsg
libnghttp2-14/1.40.0

P.S: Removed other packages in the above output
Also in my docker file , we did downloaded redis.tar.gz using wget and extracted to /usr/src/redis. Trivy is not showing in list-packages

[DmitriyLewen]

nativesdk-python3-setuptools is not seen

How do you install this package?

gmp , nghttp2 , p11-kit packages are seen with different name

Sorry for confusing. Trivy uses SrcName and SrcVersion to find vulnerabilities.

we did downloaded redis.tar.gz using wget and extracted to /usr/src/redis.

This is not dep package. That is why Trivy can't detect this package.

apt/2.0.9/amd64. https://nvd.nist.gov/vuln/detail/CVE-2020-3810
gmp/2:6.1.0+dfsg-2 https://ubuntu.com/security/CVE-2021-43618
gzip/1.10-0ubuntu https://ubuntu.com/security/CVE-2022-1271
libhcrypto4-heimdal/7.7.0+dfsg-1ubuntu1.2/amd64 https://ubuntu.com/security/CVE-2022-44640
libsystemd0/245.4-4ubuntu3.22/amd64 https://ubuntu.com/security/CVE-2023-26604
libudev1/245.4-4ubuntu3.22/amd64 https://ubuntu.com/security/CVE-2023-26604
libzstd/1.4.3+dfsg-1 https://ubuntu.com/security/CVE-2021-24032
nativesdk-python3-setuptools/45.2.0-r0/x86_64-nativesdk https://ubuntu.com/security/CVE-2022-40897
nghttp2/1.40.0-1 https://ubuntu.com/security/CVE-2023-35945
p11-kit/0.23.19-2 https://ubuntu.com/security/CVE-2020-29363

I recheck this list:

• apt - fixed version is 2.0.2 - https://ubuntu.com/security/CVE-2020-3810
• gmp - looks like .. version doesn't exist :

  root@b7b1de851abf:/# apt list -a libgmp10   
  Listing... Done
  libgmp10/focal-updates,focal-security,now 2:6.2.0+dfsg-4ubuntu0.1 arm64 [installed]
  libgmp10/focal 2:6.2.0+dfsg-4 arm64
  

• gzip - fixed version is 1.10-0ubuntu4.1 - https://ubuntu.com/security/CVE-2022-1271

Looks like your packages don't contain these vulnerabilities.

I didn't check all CVEs.
Tell me if Trivy missed vulnerability for package version < fixed version for Ubuntu advisory database.