Trivy looks to be missing Java vulnerabilities (wolfi, apk) #6648

mamccorm · 2024-05-07T09:29:17Z

mamccorm
May 7, 2024

Description

For some reason, trivy is not able to pick-up Java vulnerabilities, in comparison to other scanners. Note, this is for wolfi, which uses APK as it's package manager.

Some support info on wolfi here:

https://aquasecurity.github.io/trivy/v0.50/docs/coverage/os/wolfi/

Desired Behavior

Trivy to report similar / some vulnerabilities for the given image

Actual Behavior

Doesn't seem to run any of the language specific checks:

% trivy image --debug cgr.dev/*****/spark-bitnami:latest
2024-05-07T10:24:09+01:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-05-07T10:24:09+01:00	DEBUG	Ignore statuses	statuses=[]
2024-05-07T10:24:09+01:00	DEBUG	Cache dir	dir="/Users/REDACTED/Library/Caches/trivy"
2024-05-07T10:24:09+01:00	DEBUG	DB update was skipped because the local DB is the latest
2024-05-07T10:24:09+01:00	DEBUG	DB info	schema=2 updated_at=2024-05-07T06:12:32.648612416Z next_update=2024-05-07T12:12:32.648612145Z downloaded_at=2024-05-07T08:49:15.885247Z
2024-05-07T10:24:09+01:00	INFO	Vulnerability scanning is enabled
2024-05-07T10:24:09+01:00	DEBUG	Vulnerability type	type=[os library]
2024-05-07T10:24:09+01:00	INFO	Secret scanning is enabled
2024-05-07T10:24:09+01:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-07T10:24:09+01:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-07T10:24:09+01:00	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-05-07T10:24:09+01:00	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2024-05-07T10:24:09+01:00	DEBUG	[nuget] The nuget packages directory couldn't be found. License search disabled
2024-05-07T10:24:09+01:00	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2024-05-07T10:24:09+01:00	DEBUG	[image] Detected image ID	image_id="sha256:4b288d3be79d5bb42eb617f22655b061e29fc8e4104b94e009a7ac1aea46ea3e"
2024-05-07T10:24:09+01:00	DEBUG	[image] Detected diff ID	diff_ids=[sha256:cde1022cf6c73fdd82e60430ad1c05f021836c224f9535550f753cad889b1c48]
2024-05-07T10:24:09+01:00	DEBUG	[image] Detected base layers	diff_ids=[]
2024-05-07T10:24:09+01:00	INFO	Detected OS	family="chainguard" version="20230214"
2024-05-07T10:24:09+01:00	INFO	[chainguard] Detecting Chainguard vulnerabilities...	pkg_num=34
2024-05-07T10:24:09+01:00	INFO	Number of language-specific files	num=0

cgr.dev/*****/spark-bitnami:latest (chainguard 20230214)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Below is a collapsed list of all the JAR files which exist on the image:

/opt/bitnami/spark $ ls /usr/lib/spark/jars
HikariCP-2.5.1.jar                                              kubernetes-model-admissionregistration-6.7.2.jar
JLargeArrays-1.5.jar                                            kubernetes-model-apiextensions-6.7.2.jar
JTransforms-3.1.jar                                             kubernetes-model-apps-6.7.2.jar
RoaringBitmap-0.9.45.jar                                        kubernetes-model-autoscaling-6.7.2.jar
ST4-4.0.4.jar                                                   kubernetes-model-batch-6.7.2.jar
activation-1.1.1.jar                                            kubernetes-model-certificates-6.7.2.jar
aircompressor-0.26.jar                                          kubernetes-model-common-6.7.2.jar
algebra_2.12-2.0.1.jar                                          kubernetes-model-coordination-6.7.2.jar
annotations-17.0.0.jar                                          kubernetes-model-core-6.7.2.jar
antlr-runtime-3.5.2.jar                                         kubernetes-model-discovery-6.7.2.jar
antlr4-runtime-4.9.3.jar                                        kubernetes-model-events-6.7.2.jar
aopalliance-repackaged-2.6.1.jar                                kubernetes-model-extensions-6.7.2.jar
arpack-3.0.3.jar                                                kubernetes-model-flowcontrol-6.7.2.jar
arpack_combined_all-0.1.jar                                     kubernetes-model-gatewayapi-6.7.2.jar
arrow-format-12.0.1.jar                                         kubernetes-model-metrics-6.7.2.jar
arrow-memory-core-12.0.1.jar                                    kubernetes-model-networking-6.7.2.jar
arrow-memory-netty-12.0.1.jar                                   kubernetes-model-node-6.7.2.jar
arrow-vector-12.0.1.jar                                         kubernetes-model-policy-6.7.2.jar
audience-annotations-0.12.0.jar                                 kubernetes-model-rbac-6.7.2.jar
avro-1.11.3.jar                                                 kubernetes-model-resource-6.7.2.jar
avro-ipc-1.11.3.jar                                             kubernetes-model-scheduling-6.7.2.jar
avro-mapred-1.11.3.jar                                          kubernetes-model-storageclass-6.7.2.jar
blas-3.0.3.jar                                                  lapack-3.0.3.jar
bonecp-0.8.0.RELEASE.jar                                        leveldbjni-all-1.8.jar
breeze-macros_2.12-2.1.0.jar                                    libfb303-0.9.3.jar
breeze_2.12-2.1.0.jar                                           libthrift-0.12.0.jar
cats-kernel_2.12-2.1.1.jar                                      listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar
checker-qual-3.33.0.jar                                         log4j-1.2-api-2.20.0.jar
chill-java-0.10.0.jar                                           log4j-api-2.20.0.jar
chill_2.12-0.10.0.jar                                           log4j-core-2.20.0.jar
commons-cli-1.5.0.jar                                           log4j-slf4j2-impl-2.20.0.jar
commons-codec-1.16.0.jar                                        logback-classic-1.2.13.jar
commons-collections-3.2.2.jar                                   logback-core-1.2.13.jar
commons-collections4-4.4.jar                                    logging-interceptor-3.12.12.jar
commons-compiler-3.1.9.jar                                      lz4-java-1.8.0.jar
commons-compress-1.26.0.jar                                     mesos-1.4.3-shaded-protobuf.jar
commons-crypto-1.1.0.jar                                        metrics-core-4.2.19.jar
commons-dbcp-1.4.jar                                            metrics-graphite-4.2.19.jar
commons-io-2.13.0.jar                                           metrics-jmx-4.2.19.jar
commons-lang-2.6.jar                                            metrics-json-4.2.19.jar
commons-lang3-3.12.0.jar                                        metrics-jvm-4.2.19.jar
commons-logging-1.1.3.jar                                       minlog-1.3.0.jar
commons-math3-3.6.1.jar                                         netty-all-4.1.108.Final.jar
commons-pool-1.5.4.jar                                          netty-buffer-4.1.108.Final.jar
commons-text-1.10.0.jar                                         netty-codec-4.1.108.Final.jar
compress-lzf-1.1.2.jar                                          netty-codec-http-4.1.108.Final.jar
curator-client-2.13.0.jar                                       netty-codec-http2-4.1.108.Final.jar
curator-framework-2.13.0.jar                                    netty-codec-socks-4.1.108.Final.jar
curator-recipes-2.13.0.jar                                      netty-common-4.1.108.Final.jar
datanucleus-api-jdo-4.2.4.jar                                   netty-handler-4.1.108.Final.jar
datanucleus-core-4.1.17.jar                                     netty-handler-proxy-4.1.108.Final.jar
datanucleus-rdbms-4.1.19.jar                                    netty-resolver-4.1.108.Final.jar
datasketches-java-3.3.0.jar                                     netty-transport-4.1.108.Final.jar
datasketches-memory-2.1.0.jar                                   netty-transport-classes-epoll-4.1.108.Final.jar
derby-10.14.2.0.jar                                             netty-transport-classes-kqueue-4.1.108.Final.jar
dropwizard-metrics-hadoop-metrics2-reporter-0.1.2.jar           netty-transport-native-epoll-4.1.108.Final-linux-aarch_64.jar
error_prone_annotations-2.18.0.jar                              netty-transport-native-epoll-4.1.108.Final-linux-riscv64.jar
failureaccess-1.0.1.jar                                         netty-transport-native-epoll-4.1.108.Final-linux-x86_64.jar
flatbuffers-java-1.12.0.jar                                     netty-transport-native-kqueue-4.1.108.Final-osx-aarch_64.jar
gson-2.10.1.jar                                                 netty-transport-native-kqueue-4.1.108.Final-osx-x86_64.jar
guava-32.0.1-jre.jar                                            netty-transport-native-unix-common-4.1.108.Final.jar
hadoop-client-api-3.3.6.jar                                     objenesis-3.3.jar
hadoop-client-runtime-3.3.6.jar                                 okhttp-3.12.12.jar
hadoop-shaded-guava-1.1.1.jar                                   okio-1.17.6.jar
hadoop-yarn-server-web-proxy-3.3.6.jar                          opencsv-2.3.jar
hive-beeline-2.3.9.jar                                          orc-core-1.9.2-shaded-protobuf.jar
hive-cli-2.3.9.jar                                              orc-mapreduce-1.9.2-shaded-protobuf.jar
hive-common-2.3.9.jar                                           orc-shims-1.9.2.jar
hive-exec-2.3.9-core.jar                                        oro-2.0.8.jar
hive-jdbc-2.3.9.jar                                             osgi-resource-locator-1.0.3.jar
hive-llap-common-2.3.9.jar                                      paranamer-2.8.jar
hive-metastore-2.3.9.jar                                        parquet-column-1.13.1.jar
hive-serde-2.3.9.jar                                            parquet-common-1.13.1.jar
hive-service-rpc-3.1.3.jar                                      parquet-encoding-1.13.1.jar
hive-shims-0.23-2.3.9.jar                                       parquet-format-structures-1.13.1.jar
hive-shims-2.3.9.jar                                            parquet-hadoop-1.13.1.jar
hive-shims-common-2.3.9.jar                                     parquet-jackson-1.13.1.jar
hive-shims-scheduler-2.3.9.jar                                  pickle-1.3.jar
hive-storage-api-2.8.1.jar                                      py4j-0.10.9.7.jar
hk2-api-2.6.1.jar                                               rocksdbjni-8.3.2.jar
hk2-locator-2.6.1.jar                                           scala-collection-compat_2.12-2.7.0.jar
hk2-utils-2.6.1.jar                                             scala-compiler-2.12.18.jar
httpclient-4.5.14.jar                                           scala-library-2.12.18.jar
httpcore-4.4.16.jar                                             scala-parser-combinators_2.12-2.3.0.jar
istack-commons-runtime-3.0.8.jar                                scala-reflect-2.12.18.jar
ivy-2.5.2.jar                                                   scala-xml_2.12-2.1.0.jar
j2objc-annotations-2.8.jar                                      shims-0.9.45.jar
jackson-annotations-2.15.2.jar                                  slf4j-api-2.0.7.jar
jackson-core-2.15.2.jar                                         snakeyaml-2.0.jar
jackson-core-asl-1.9.13.jar                                     snakeyaml-engine-2.6.jar
jackson-databind-2.15.2.jar                                     snappy-java-1.1.10.5.jar
jackson-dataformat-yaml-2.15.2.jar                              spark-catalyst_2.12-3.5.1.jar
jackson-datatype-jsr310-2.15.2.jar                              spark-common-utils_2.12-3.5.1.jar
jackson-mapper-asl-1.9.13.jar                                   spark-core_2.12-3.5.1.jar
jackson-module-scala_2.12-2.15.2.jar                            spark-graphx_2.12-3.5.1.jar
jakarta.annotation-api-1.3.5.jar                                spark-hive-thriftserver_2.12-3.5.1.jar
jakarta.inject-2.6.1.jar                                        spark-hive_2.12-3.5.1.jar
jakarta.servlet-api-4.0.3.jar                                   spark-kubernetes_2.12-3.5.1.jar
jakarta.validation-api-2.0.2.jar                                spark-kvstore_2.12-3.5.1.jar
jakarta.ws.rs-api-2.1.6.jar                                     spark-launcher_2.12-3.5.1.jar
jakarta.xml.bind-api-2.3.2.jar                                  spark-mesos_2.12-3.5.1.jar
janino-3.1.9.jar                                                spark-mllib-local_2.12-3.5.1.jar
javassist-3.29.2-GA.jar                                         spark-mllib_2.12-3.5.1.jar
javax.jdo-3.2.0-m3.jar                                          spark-network-common_2.12-3.5.1.jar
javolution-5.5.1.jar                                            spark-network-shuffle_2.12-3.5.1.jar
jaxb-runtime-2.3.2.jar                                          spark-repl_2.12-3.5.1.jar
jcl-over-slf4j-2.0.7.jar                                        spark-sketch_2.12-3.5.1.jar
jdo-api-3.0.1.jar                                               spark-sql-api_2.12-3.5.1.jar
jersey-client-2.40.jar                                          spark-sql_2.12-3.5.1.jar
jersey-common-2.40.jar                                          spark-streaming_2.12-3.5.1.jar
jersey-container-servlet-2.40.jar                               spark-tags_2.12-3.5.1.jar
jersey-container-servlet-core-2.40.jar                          spark-unsafe_2.12-3.5.1.jar
jersey-hk2-2.40.jar                                             spark-yarn_2.12-3.5.1.jar
jersey-server-2.40.jar                                          spire-macros_2.12-0.17.0.jar
jline-2.14.6.jar                                                spire-platform_2.12-0.17.0.jar
joda-time-2.12.5.jar                                            spire-util_2.12-0.17.0.jar
jodd-core-3.5.2.jar                                             spire_2.12-0.17.0.jar
jpam-1.1.jar                                                    stax-api-1.0.1.jar
json-1.8.jar                                                    stream-2.9.6.jar
json4s-ast_2.12-3.7.0-M11.jar                                   super-csv-2.2.0.jar
json4s-core_2.12-3.7.0-M11.jar                                  threeten-extra-1.7.1.jar
json4s-jackson_2.12-3.7.0-M11.jar                               tink-1.9.0.jar
json4s-scalap_2.12-3.7.0-M11.jar                                transaction-api-1.1.jar
jsr305-3.0.0.jar                                                univocity-parsers-2.9.1.jar
jta-1.1.jar                                                     xbean-asm9-shaded-4.23.jar
jul-to-slf4j-2.0.7.jar                                          xz-1.9.jar
kryo-shaded-4.0.2.jar                                           zjsonpatch-0.3.0.jar
kubernetes-client-6.7.2.jar                                     zookeeper-3.8.4.jar
kubernetes-client-api-6.7.2.jar                                 zookeeper-jute-3.8.4.jar
kubernetes-httpclient-okhttp-6.7.2.jar                          zstd-jni-1.5.5-4.jar

For comparison, if we run the same scan using another popular open-source scanning tool:

 ✔ Vulnerability DB                [no update available]
 ✔ Loaded image                                                                                 cgr.dev/*****/spark-bitnami:latest
 ✔ Parsed image                                                         sha256:4b288d3be79d5bb42eb617f22655b061e29fc8e4104b94e009a7ac1aea46ea3e
 ✔ Cataloged contents                                                          7cd42974e4b51ec4ab41da830942d3e29fdbd956a0056aeebe8eea3495fdfc76
   ├── ✔ Packages                        [480 packages]
   ├── ✔ File digests                    [2,593 files]
   ├── ✔ File metadata                   [2,593 locations]
   └── ✔ Executables                     [120 executables]
 ✔ Scanned for vulnerabilities     [25 vulnerability matches]
   ├── by severity: 0 critical, 16 high, 7 medium, 2 low, 0 negligible
   └── by status:   25 fixed, 0 not-fixed, 0 ignored
NAME                    INSTALLED   FIXED-IN        TYPE          VULNERABILITY        SEVERITY
commons-configuration2  2.8.0       2.10.1          java-archive  GHSA-xjp4-hw94-mvp5  Medium
commons-configuration2  2.8.0       2.10.1          java-archive  GHSA-9w38-p64v-xpmv  Medium
json-smart              1.3.2       1.3.3           java-archive  GHSA-fg2v-w576-w4v3  High
json-smart              1.3.2       2.4.9           java-archive  GHSA-493p-pfq6-5258  High
libthrift               0.12.0      0.13.0          java-archive  GHSA-rj7p-rfgp-852x  High
libthrift               0.12.0      0.14.0          java-archive  GHSA-g2fg-mr77-6vrm  High
mesos                   1.4.3       1.6.0           java-archive  GHSA-95q3-pppp-r683  High
nimbus-jose-jwt         9.8.1       9.37.2          java-archive  GHSA-gvpg-vgmx-xg6w  Medium
protobuf-java           3.3.0       3.16.1          java-archive  GHSA-wrvw-hg22-4m67  High
protobuf-java           3.3.0       3.16.3          java-archive  GHSA-g5ww-5jh7-63cx  High
protobuf-java           3.3.0       3.15.0          java-archive  GHSA-77rm-9x9h-xj3g  High
protobuf-java           3.3.0       3.16.3          java-archive  GHSA-4gg5-vx3j-xwc7  High
protobuf-java           3.3.0       3.16.3          java-archive  GHSA-h4h5-3hr4-j3g2  Medium
protobuf-java           3.7.1       3.16.1          java-archive  GHSA-wrvw-hg22-4m67  High
protobuf-java           3.7.1       3.16.3          java-archive  GHSA-g5ww-5jh7-63cx  High
protobuf-java           3.7.1       3.15.0          java-archive  GHSA-77rm-9x9h-xj3g  High
protobuf-java           3.7.1       3.16.3          java-archive  GHSA-4gg5-vx3j-xwc7  High
protobuf-java           3.7.1       3.16.3          java-archive  GHSA-h4h5-3hr4-j3g2  Medium

Analysis of missing findings

Using some of the matches from the other popular scanner, lets dive into where it found the matches:

protobuf-java v3.3.0: is detected by the other scanner at the following location:

/usr/lib/spark/jars/mesos-1.4.3-shaded-protobuf.jar
/usr/lib/spark/jars/mesos-1.4.3-shaded-protobuf.jar:com.google.protobuf:protobuf-java

...
...
    "cpes": [
     "cpe:2.3:a:protobuf-java:protobuf-java:3.3.0:*:*:*:*:*:*:*",
     "cpe:2.3:a:protobuf-java:protobuf_java:3.3.0:*:*:*:*:*:*:*",
     "cpe:2.3:a:protobuf_java:protobuf-java:3.3.0:*:*:*:*:*:*:*",
...

protobuf-java v3.7.1 is detected by the other scanner at the following location:

/usr/lib/spark/jars/hadoop-client-runtime-3.3.6.jar
/usr/lib/spark/jars/hadoop-client-runtime-3.3.6.jar:com.google.protobuf:protobuf-java

...
...
    "cpes": [
     "cpe:2.3:a:protobuf-java:protobuf-java:3.7.1:*:*:*:*:*:*:*",
     "cpe:2.3:a:protobuf-java:protobuf_java:3.7.1:*:*:*:*:*:*:*",
    ...
    ....

mesos v1.4.3:

/opt/bitnami/spark $ ls /usr/lib/spark/jars | grep "mesos"
mesos-1.4.3-shaded-protobuf.jar
spark-mesos_2.12-3.5.1.jar

/usr/lib/spark/jars/mesos-1.4.3-shaded-protobuf.jar
/usr/lib/spark/jars/mesos-1.4.3-shaded-protobuf.jar:com.google.protobuf:protobuf-java

Conclusion

I didn't go through them all the findings above, but it looks clear that trivy is not picking up the vulnerabilities and seems to be skipping the language specific checks. How do we get trivy to pick these up? Am I missing some optional config setting?

Target

Container Image

Scanner

Vulnerability

Output Format

None

Mode

Standalone

Debug Output

Above

Operating System

wolfi

Version

% trivy --version
Version: 0.51.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-05-07 06:12:32.648612416 +0000 UTC
  NextUpdate: 2024-05-07 12:12:32.648612145 +0000 UTC
  DownloadedAt: 2024-05-07 08:49:15.885247 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-05-07 01:00:58.558003136 +0000 UTC
  NextUpdate: 2024-05-10 01:00:58.558002966 +0000 UTC
  DownloadedAt: 2024-05-07 08:49:47.648669 +0000 UTC

Checklist

Run trivy image --reset
Read the troubleshooting

knqyf263 · 2024-05-07T10:55:19Z

knqyf263
May 7, 2024
Maintainer

First of all, we don't have access to the image. Please share the image somehow. Second of all, please see how the JAR files are installed. If it's installed by apk, grep "\.jar" /lib/apk/db/installed shows the file paths. In that case, upstream advisories, such as GHSA, should not be applied since they cause false positives due to backporting by the vendor.

We do not have access to that image and cannot verify it, but we frequently see this kind of false positives detected by other tools.

2 replies

luhring May 7, 2024

I just chatted w/ @mamccorm offline — my read is this is working as intended. Thanks @knqyf263 🙏

knqyf263 May 7, 2024
Maintainer

Sure thing. Please let us know if you want us to take a further look. Another possible cause is that scanning of JAR files is not perfect and uses heuristics, so artifact names may not be identified.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Trivy looks to be missing Java vulnerabilities (wolfi, apk) #6648

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 1 comment 2 replies

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Select a reply

Trivy looks to be missing Java vulnerabilities (wolfi, apk) #6648

mamccorm May 7, 2024

Description

Desired Behavior

Actual Behavior

Analysis of missing findings

Conclusion

Target

Scanner

Output Format

Mode

Debug Output

Operating System

Version

Checklist

Replies: 1 comment · 2 replies

knqyf263 May 7, 2024 Maintainer

luhring May 7, 2024

knqyf263 May 7, 2024 Maintainer

mamccorm
May 7, 2024

Replies: 1 comment 2 replies

knqyf263
May 7, 2024
Maintainer

knqyf263 May 7, 2024
Maintainer