CVE-2024-3094 is flagged for xz-libs-5.4.6-r0

[venkatasandeeplade]

IDs

CVE-2024-3094

Description

Team
In our image , CVE-2024-3094 is flagged though xz-lib version is xz-libs-5.4.6-r0

`ccc85caee824:~# apk info xz-libs
xz-libs-5.4.5-r0 description:
Library and CLI tools for XZ and LZMA compressed files (libraries)

xz-libs-5.4.5-r0 webpage:
https://tukaani.org/xz

xz-libs-5.4.5-r0 installed size:
232 KiB

xz-libs-5.4.6-r0 description:
Library and CLI tools for XZ and LZMA compressed files (libraries)

xz-libs-5.4.6-r0 webpage:
https://xz.tukaani.org/xz-utils/

xz-libs-5.4.6-r0 installed size:
232 KiB
`
But as per https://security.alpinelinux.org/vuln/CVE-2024-3094 versions below 5.6.0 are not vulnerable

Reproduction Steps

1. Run trivy scan for image "nicolaka/netshoot:latest"
2.
3.

Target

Container Image

Scanner

Vulnerability

Target OS

Alpine Linux

Debug Output

core@cop-dev-jenkins1:/tmp/trivy$ ./trivy image --no-progress --timeout 15m --format json -o nicolaka.json nicolaka/netshoot --debug
2024-04-09T11:39:25.582+0530	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-04-09T11:39:25.583+0530	DEBUG	Ignore statuses	{"statuses": null}
2024-04-09T11:39:25.607+0530	DEBUG	cache dir:  /home/core/.cache/trivy
2024-04-09T11:39:25.617+0530	DEBUG	DB update was skipped because the local DB is the latest
2024-04-09T11:39:25.617+0530	DEBUG	DB Schema: 2, UpdatedAt: 2024-04-09 00:18:34.920626307 +0000 UTC, NextUpdate: 2024-04-09 06:18:34.920626057 +0000 UTC, DownloadedAt: 2024-04-09 06:07:44.590558311 +0000 UTC
2024-04-09T11:39:25.617+0530	INFO	Vulnerability scanning is enabled
2024-04-09T11:39:25.617+0530	DEBUG	Vulnerability type:  [os library]
2024-04-09T11:39:25.617+0530	INFO	Secret scanning is enabled
2024-04-09T11:39:25.617+0530	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-04-09T11:39:25.617+0530	INFO	Please see also https://aquasecurity.github.io/trivy/v0.49/docs/scanner/secret/#recommendation for faster secret detection
2024-04-09T11:39:25.617+0530	DEBUG	Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan]
2024-04-09T11:39:27.774+0530	DEBUG	No secret config detected: trivy-secret.yaml
2024-04-09T11:39:27.774+0530	DEBUG	The nuget packages directory couldn't be found. License search disabled
2024-04-09T11:39:27.774+0530	DEBUG	No secret config detected: trivy-secret.yaml
2024-04-09T11:39:28.213+0530	DEBUG	Image ID: sha256:81744d0a7f2497a4d7843348f1d43f7147ed5443e08cde04d2059ce1e2abde86
2024-04-09T11:39:28.214+0530	DEBUG	Diff IDs: [sha256:5af4f8f59b764c64c6def53f52ada809fe38d528441d08d01c206dfb3fc3b691 sha256:04c6fd2803baee333d2e628bee819904d804e8ffa1b28397d6dc77ec2311c2d6 sha256:8e070b720ca038838764c9d6113ed1015e1a73babe2a1e7b1b73ffd23fcfb49d sha256:570ed891c8f22e9268b1a77ac15b16e7a7e602afadf2fb8077562a63786c0b0d sha256:dce121370fdde79bfa83e54e61695f765b13518e07c9c1389a09000e870ebcfa sha256:2ab995cb9221d1748d95962bd3c6d37edf7f882155183f3581b4f2a5bba5e6f1 sha256:4a5a387884f87833ae30453bc44073dac1d6abdb17be84ae181100f87944bb8f sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef sha256:55ecc19964fabb0a9c5ed6d313cd86da8a7545f07d104afe8992e6ade62aed6a sha256:18283020e5646a942e5c52fd81a9368a411c5d75679bb7cd5371d61df05350df sha256:8fb86ce8c42d13cbe2ac989e604d7d07143117553fb72387678c974bee61cc3a sha256:1983617d2115935a5d0c9625298791745a1d35531d3eb589c367b38bdc76411a sha256:cd4c28687179ad8eed38c79044f7a6337c40c771c3cdbf202562a9974b7005de sha256:0ea8355dd359f14953dfda109ae9522115ffd24614d96eeea89fd516661e8c2d sha256:196e0cb88eb9e3d2c884a197b4ab638d5280e57250f9738381276a825245f3b4]
2024-04-09T11:39:28.214+0530	DEBUG	Base Layers: [sha256:5af4f8f59b764c64c6def53f52ada809fe38d528441d08d01c206dfb3fc3b691]
2024-04-09T11:39:28.245+0530	INFO	Detected OS: alpine
2024-04-09T11:39:28.245+0530	INFO	Detecting Alpine vulnerabilities...
2024-04-09T11:39:28.245+0530	DEBUG	alpine: os version: 3.19
2024-04-09T11:39:28.245+0530	DEBUG	alpine: package repository: edge
2024-04-09T11:39:28.245+0530	DEBUG	alpine: the number of packages: 273
2024-04-09T11:39:28.281+0530	INFO	Number of language-specific files: 5
2024-04-09T11:39:28.281+0530	INFO	Detecting gobinary vulnerabilities...
2024-04-09T11:39:28.281+0530	DEBUG	Detecting library vulnerabilities, type: gobinary, path: usr/local/bin/ctop
2024-04-09T11:39:28.283+0530	DEBUG	Detecting library vulnerabilities, type: gobinary, path: usr/local/bin/calicoctl
2024-04-09T11:39:28.287+0530	DEBUG	Detecting library vulnerabilities, type: gobinary, path: usr/local/bin/termshark
2024-04-09T11:39:28.289+0530	DEBUG	Detecting library vulnerabilities, type: gobinary, path: usr/local/bin/grpcurl
2024-04-09T11:39:28.290+0530	DEBUG	Detecting library vulnerabilities, type: gobinary, path: usr/local/bin/fortio

Version

core@cop-dev-jenkins1:/tmp/trivy$ ./trivy --version
Version: 0.49.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-04-09 00:18:34.920626307 +0000 UTC
  NextUpdate: 2024-04-09 06:18:34.920626057 +0000 UTC
  DownloadedAt: 2024-04-09 06:07:44.590558311 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[knqyf263]

Duplicate of #6448