Trivy scanner not able to detect vulnerabilities from python package #6578
pradyumnaparalikar started this conversation in False Detection
Replies: 1 comment
Hello @pradyumnaparalikar
I can't reproduce your error.

```
➜ docker run -it --rm ubuntu
root@be8ba7d7d905:/# apt update
root@be8ba7d7d905:/# apt install python3
root@be8ba7d7d905:/# apt install python3-pip
root@be8ba7d7d905:/# pip install ryu
root@be8ba7d7d905:/# find / -name "ryu"
/usr/local/lib/python3.10/dist-packages/ryu
/usr/local/etc/ryu
/usr/local/bin/ryu
```

Trivy run:

```
➜ docker commit be8ba7d7d905 6578
➜ ./old-trivy-v0.44.0 image --vuln-type library -f json 6578 | grep VulnerabilityID -A 2
2024-05-06T13:17:31.923+0600 INFO Vulnerability scanning is enabled
2024-05-06T13:17:31.924+0600 INFO Secret scanning is enabled
2024-05-06T13:17:31.924+0600 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-06T13:17:31.924+0600 INFO Please see also https://aquasecurity.github.io/trivy/v0.44/docs/scanner/secret/#recommendation for faster secret detection
2024-05-06T13:17:31.945+0600 INFO Number of language-specific files: 1
2024-05-06T13:17:31.945+0600 INFO Detecting python-pkg vulnerabilities...
        "VulnerabilityID": "CVE-2020-35139",
        "PkgName": "ryu",
        "PkgPath": "usr/local/lib/python3.10/dist-packages/ryu-4.34.dist-info/METADATA",
--
        "VulnerabilityID": "CVE-2020-35141",
        "PkgName": "ryu",
        "PkgPath": "usr/local/lib/python3.10/dist-packages/ryu-4.34.dist-info/METADATA",
--
        "VulnerabilityID": "CVE-2024-28732",
        "PkgName": "ryu",
        "PkgPath": "usr/local/lib/python3.10/dist-packages/ryu-4.34.dist-info/METADATA",
```

Trivy works correctly.
Can you create a test image to investigate your problem?

Regards, Dmitriy
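The `PkgPath` fields in the reply show what the scanner keys its Python findings to: the `*.dist-info/METADATA` file that pip writes next to the package, not the package directory itself. The practical check when packages "present in site-packages" go unreported is therefore whether each import directory has a matching metadata directory at all. The script below is an added example (not code from this discussion or from the Trivy project): it inventories a site-packages tree, reports every distribution with readable `Name`/`Version` metadata, and flags import packages that no metadata directory claims, which is exactly the case a metadata-driven scan cannot see. It reads `PKG-INFO` for egg-info layouts and `top_level.txt` for import-name mapping (pyOpenSSL imports as `OpenSSL`); both are assumptions about common packaging layouts, not facts taken from this page. The sample tree it builds is constructed in a temp directory so it runs offline.

```python
"""Inventory a site-packages tree the way a metadata-driven scanner sees it."""
import re
import tempfile
from pathlib import Path

# Files read for Name/Version. METADATA is the file named in the reply's PkgPath;
# PKG-INFO (egg-info layouts) is an assumption about the analyzer, not from this page.
METADATA_FILES = ("METADATA", "PKG-INFO")
META_SUFFIXES = (".dist-info", ".egg-info")


def _normalize(name: str) -> str:
    # PEP 503 normalisation: case-insensitive, runs of "-", "_", "." collapse to "-"
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_metadata(path: Path) -> dict:
    """Return the header fields of a METADATA/PKG-INFO file (stops at the first blank line)."""
    fields = {}
    for line in path.read_text(encoding="utf-8", errors="replace").splitlines():
        if not line.strip():
            break  # the long description follows the blank line; we only need headers
        m = re.match(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$", line)
        if m:
            fields.setdefault(m.group(1), m.group(2).strip())
    return fields


def inventory(site_packages: Path) -> dict:
    """Classify a site-packages directory.

    detectable   -> {distribution name: version} for every *.dist-info/*.egg-info
                    with readable Name and Version (what a scanner can report)
    undetectable -> import packages (dirs with __init__.py) that no metadata
                    directory claims, e.g. a package folder copied in by hand
    """
    detectable = {}
    claimed = set()  # normalised import names covered by some metadata dir
    for entry in sorted(site_packages.iterdir()):
        if not (entry.is_dir() and entry.suffix in META_SUFFIXES):
            continue
        for fname in METADATA_FILES:
            meta = entry / fname
            if meta.is_file():
                fields = parse_metadata(meta)
                if "Name" in fields and "Version" in fields:
                    detectable[fields["Name"]] = fields["Version"]
                    claimed.add(_normalize(fields["Name"]))
                break
        # top_level.txt maps distribution name to import name(s), e.g. pyOpenSSL -> OpenSSL
        top = entry / "top_level.txt"
        if top.is_file():
            claimed.update(_normalize(n) for n in top.read_text().split())

    undetectable = []
    for entry in sorted(site_packages.iterdir()):
        if entry.is_dir() and entry.suffix not in META_SUFFIXES \
                and (entry / "__init__.py").is_file() \
                and _normalize(entry.name) not in claimed:
            undetectable.append(entry.name)
    return {"detectable": detectable, "undetectable": undetectable}


def build_sample_tree() -> Path:
    """Constructed sample tree (not taken from any real image):
    - ryu 4.34 installed normally (dist-info with METADATA)
    - pyOpenSSL 24.0.0 installed normally; its import name is OpenSSL (top_level.txt)
    - vendoredtool copied in by hand, with no metadata at all
    """
    root = Path(tempfile.mkdtemp()) / "site-packages"
    root.mkdir()

    def pkg_dir(name: str) -> None:
        (root / name).mkdir()
        (root / name / "__init__.py").write_text("")

    pkg_dir("ryu")
    di = root / "ryu-4.34.dist-info"
    di.mkdir()
    (di / "METADATA").write_text("Metadata-Version: 2.1\nName: ryu\nVersion: 4.34\n\nSDN framework\n")

    pkg_dir("OpenSSL")
    di = root / "pyOpenSSL-24.0.0.dist-info"
    di.mkdir()
    (di / "METADATA").write_text("Metadata-Version: 2.1\nName: pyOpenSSL\nVersion: 24.0.0\n")
    (di / "top_level.txt").write_text("OpenSSL\n")

    pkg_dir("vendoredtool")  # no *.dist-info: invisible to a metadata-driven scan
    return root


if __name__ == "__main__":
    result = inventory(build_sample_tree())
    for name, version in result["detectable"].items():
        print(f"detectable   {name}=={version}")
    for name in result["undetectable"]:
        print(f"UNDETECTABLE {name} (no dist-info/egg-info metadata)")
```

Point `inventory()` at the real path from the question (`/usr/local/lib/python3.9/site-packages`, extracted from the image) instead of the sample tree; anything in the `undetectable` list is code a version-based scanner has no way to match to an advisory, and the fix on the image side is to install it through pip so the metadata exists.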
IDs
CVE-2020-35139, CVE-2020-35141, CVE-2023-6129

Description
Python packages are not listed in the vulnerability scans.
We have the "ryu" and "pyOpenSSL" packages; they are vulnerable and present in an image, and they are not detected by the Trivy scanner.
Any idea why this is happening?
The path of the package is:

```
/usr/local/lib/python3.9/site-packages# ls | grep ryu
```

Reproduction Steps
Scan the image with these python packages.

| SCORE | CVE | pkg | version |
| --- | --- | --- | --- |
| 7.5 | CVE-2020-35139 | ryu | 4.34 |
| 7.5 | CVE-2020-35141 | ryu | 4.34 |
| 6.5 | CVE-2023-6129 | pyOpenSSL | 24.0.0 |

Vulnerabilities are not detected with these python packages present in site-packages.

Target
Container Image

Scanner
Vulnerability

Target OS
No response

Debug Output

Version

Checklist
-f json that shows data sources and confirmed that the security advisory in data sources was correct