trivy detecting vulnerabilities in linux header packages?

[uchi-mata]

IDs

CVE-2024-26828

Description

Hi,

trivy seems to often report linux-headers packages as vulnerable to kernel CVEs. I get that headers are part of the kernel, however, they rarely do contain the actual vulnerability. Often the actual kernel or the corresponding modules package is reported as well, however, I cannot seem to get a good understanding of the logic behind it.

Is the detection/evaluation logic explained somewhere?

Thanks,
Matthias

Reproduction Steps

Run trivy on any Ubuntu system and header packages will be reported as vulnerable. The Ubuntu vulnerability information (also as mentioned in the data sources) does not list the header packages as vulnerable.

Target

Filesystem

Scanner

Vulnerability

Target OS

Ubuntu 20.04

Debug Output

# trivy fs --scanners vuln / --debug
2024-04-25T14:43:55.071Z	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-04-25T14:43:55.071Z	DEBUG	Ignore statuses	{"statuses": null}
2024-04-25T14:43:55.076Z	DEBUG	cache dir:  /root/.cache/trivy
2024-04-25T14:43:55.077Z	DEBUG	DB update was skipped because the local DB is the latest
2024-04-25T14:43:55.077Z	DEBUG	DB Schema: 2, UpdatedAt: 2024-04-25 12:12:20.162732803 +0000 UTC, NextUpdate: 2024-04-25 18:12:20.162732522 +0000 UTC, DownloadedAt: 2024-04-25 14:20:08.779009059 +0000 UTC
2024-04-25T14:43:55.078Z	INFO	Vulnerability scanning is enabled
2024-04-25T14:43:55.078Z	DEBUG	Vulnerability type:  [os library]
2024-04-25T14:43:55.078Z	DEBUG	Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-04-25T14:43:55.078Z	DEBUG	The nuget packages directory couldn't be found. License search disabled
2024-04-25T14:43:55.079Z	DEBUG	Walk the file tree rooted at '/' in parallel
2024-04-25T14:43:55.081Z	DEBUG	Skipping directory: sys
2024-04-25T14:43:55.082Z	DEBUG	Skipping directory: proc
2024-04-25T14:43:57.719Z	DEBUG	Skipping directory: dev
2024-04-25T14:43:58.310Z	INFO	Detected OS: ubuntu
2024-04-25T14:43:58.310Z	INFO	Detecting Ubuntu vulnerabilities...
2024-04-25T14:43:58.311Z	DEBUG	ubuntu: os version: 20.04
2024-04-25T14:43:58.311Z	DEBUG	ubuntu: the number of packages: 625
2024-04-25T14:43:58.404Z	INFO	Number of language-specific files: 0

Version

# trivy --version
Version: 0.50.4
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-04-25 12:12:20.162732803 +0000 UTC
  NextUpdate: 2024-04-25 18:12:20.162732522 +0000 UTC
  DownloadedAt: 2024-04-25 14:20:08.779009059 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[knqyf263]

This is a known problem. Security advisories are issued for source packages (e.g. linux) only and do not state which binary packages (e.g. linux-libc-dev and linux-headers) are actually affected. For example, if BIND is vulnerable, it will be detected even if only bind-licence is installed. linux-headers is unlikely to be affected by the Linux vulnerability, but our understanding is that it is not completely zero and this package cannot be ignored.

We welcome any better solution.

[uchi-mata]

Thanks for the explanation! Yeah, took some digging based on your input but I see where you are coming from now - no immediately great ideas here :/

You say it is a known problem: Is this documented anywhere? I tried to search for the problem and found this but did not clearly make the connection back then. Could it make sense to include this challenge in the documentation so people can adjust their triaging processes with that information?

[knqyf263]

Not documented. Yes, we should document it. There is a page for troubleshooting, but it may not fit this case. Do we need a new page?