First of all, we don't have access to the image. Please share the image somehow. Second of all, please see how the JAR files are installed. If it's installed by apk, we do not have access to that image and cannot verify it, but we frequently see this kind of false positive detected by other tools.
Description
For some reason, trivy is not able to pick up Java vulnerabilities, in comparison to other scanners. Note, this is for wolfi, which uses APK as its package manager.
Some support info on wolfi here:
Desired Behavior
Trivy to report similar / some vulnerabilities for the given image
Actual Behavior
Doesn't seem to run any of the language specific checks:
Below is a collapsed list of all the JAR files which exist on the image:
For comparison, if we run the same scan using another popular open-source scanning tool:
Analysis of missing findings
Using some of the matches from the other popular scanner, let's dive into where it found the matches:
protobuf-java v3.3.0: is detected by the other scanner at the following location:
protobuf-java v3.7.1 is detected by the other scanner at the following location:
mesos v1.4.3:
Conclusion
I didn't go through all the findings above, but it looks clear that trivy is not picking up the vulnerabilities and seems to be skipping the language specific checks. How do we get trivy to pick these up? Am I missing some optional config setting?
Target
Container Image
Scanner
Vulnerability
Output Format
None
Mode
Standalone
Debug Output
Operating System
wolfi
Version
Checklist
trivy image --reset
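The reply above suggests checking how the JAR files were installed: a JAR that apk placed there is tracked in the image's package database, so the right thing to compare against the distro's advisories is the apk package name and version, not the version string embedded in the JAR. The following script is an added example (not part of this discussion, and not Trivy's code) that parses apk's installed database and sorts a list of JAR paths into package-managed files and loose files. It assumes the standard layout of `/lib/apk/db/installed` (records separated by blank lines, `P:` package name, `V:` version, `F:` current directory, `R:` file in that directory); the package names, versions and paths in the embedded sample are constructed for illustration.

```python
"""Map JAR files in an apk-based image (Alpine, wolfi) to the package that
installed them, by reading apk's installed database.

Added example, not Trivy's code. Assumes the standard apk database layout:
blank-line-separated records, 'P:' = package name, 'V:' = version,
'F:' = current directory (no leading slash), 'R:' = file in that directory.
"""
from __future__ import annotations

import os

# Constructed sample of /lib/apk/db/installed, trimmed to the fields used
# here. Package names, versions, paths and checksums are illustrative only.
SAMPLE_INSTALLED_DB = """\
C:Q1constructedconstructedconstructedconstructed=
P:protobuf-java
V:3.7.1-r0
A:x86_64
T:Java bindings for protobuf (constructed sample)
F:usr
F:usr/share
F:usr/share/java
R:protobuf-java-3.7.1.jar
Z:Q1constructedconstructedconstructedconstructed=

C:Q1constructedconstructedconstructedconstructed=
P:mesos
V:1.4.3-r0
A:x86_64
F:usr/lib/mesos
R:mesos-1.4.3-shaded-protobuf.jar
Z:Q1constructedconstructedconstructedconstructed=
"""


def parse_installed_db(text: str) -> dict[str, tuple[str, str]]:
    """Return {absolute file path: (package name, package version)}."""
    owners: dict[str, tuple[str, str]] = {}
    name = version = None
    directory = ""
    for line in text.splitlines():
        if not line:  # a blank line terminates the current package record
            name = version = None
            directory = ""
            continue
        key, _, value = line.partition(":")
        if key == "P":
            name = value
        elif key == "V":
            version = value
        elif key == "F":
            directory = value
        elif key == "R" and name is not None:
            path = "/" + (directory + "/" if directory else "") + value
            owners[path] = (name, version or "")
    return owners


def load_installed_db(path: str = "/lib/apk/db/installed") -> dict[str, tuple[str, str]]:
    """Parse the real database from an image's filesystem (path is the apk default)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return parse_installed_db(fh.read())


def classify_jars(jar_paths, owners):
    """Split JAR paths into package-managed (apk owns them) and loose files.

    Package-managed JARs should be judged by their apk package version;
    loose JARs are what a language-specific (Java) scan needs to cover.
    """
    managed: dict[str, tuple[str, str]] = {}
    loose: list[str] = []
    for path in jar_paths:
        if path in owners:
            managed[path] = owners[path]
        else:
            loose.append(path)
    return managed, loose


def find_jars(root: str) -> list[str]:
    """Walk a mounted/extracted image root and return JAR paths relative to it."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f.endswith(".jar"):
                full = os.path.join(dirpath, f)
                found.append("/" + os.path.relpath(full, root))
    return sorted(found)


if __name__ == "__main__":
    # Demo against the constructed sample; for a real image, unpack its rootfs
    # to a directory and pass <root>/lib/apk/db/installed to load_installed_db.
    db = parse_installed_db(SAMPLE_INSTALLED_DB)
    jars = [
        "/usr/share/java/protobuf-java-3.7.1.jar",
        "/usr/lib/mesos/mesos-1.4.3-shaded-protobuf.jar",
        "/opt/app/lib/protobuf-java-3.3.0.jar",  # not in the sample db
    ]
    managed, loose = classify_jars(jars, db)
    for path, (pkg, ver) in managed.items():
        print(f"apk-managed  {path} -> {pkg} {ver}")
    for path in loose:
        print(f"loose        {path}")
```

To run it against a real image, export the image's filesystem (for example with `docker create` plus `docker export`, or `docker cp` of `/lib/apk/db/installed`), pass the database path to `load_installed_db`, and feed `find_jars(<root>)` into `classify_jars`. Any JAR that lands in the loose list is one where a version inferred from the JAR itself is the only signal; a JAR in the managed list has an authoritative apk package version, which is the version to check against the distro's security advisories.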