Trivy docker image has vulnerabilities? #8332

middleagedman · 2025-02-02T01:49:53Z

middleagedman
Feb 2, 2025

IDs

CVE-2024-45336, CVE-2024-45341

Description

So I pulled down the latest trivy docker image (docker pull aquasec/trivy). Then I installed trivy via pacman -S trivy
And I scanned the docker image and it reports a vuln, but I don't think it's correct. Is it actually complaining about my OS?

Reproduction Steps

# sudo pacman -S trivy
# docker pull aquasec/trivy
# trivy image aquasec/trivy

Target

Container Image

Scanner

Vulnerability

Target OS

No response

Debug Output

trivy image aquasec/trivy --debug
2025-02-01T20:45:17-05:00       DEBUG   No plugins loaded
2025-02-01T20:45:17-05:00       DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2025-02-01T20:45:17-05:00       DEBUG   Cache dir       dir="/home/tom/.cache/trivy"
2025-02-01T20:45:17-05:00       DEBUG   Cache dir       dir="/home/tom/.cache/trivy"
2025-02-01T20:45:17-05:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-02-01T20:45:17-05:00       DEBUG   Ignore statuses statuses=[]
2025-02-01T20:45:17-05:00       DEBUG   DB update was skipped because the local DB is the latest
2025-02-01T20:45:17-05:00       DEBUG   DB info schema=2 updated_at=2025-02-02T00:21:30.370386254Z next_update=2025-02-03T00:21:30.370386124Z downloaded_at=2025-02-02T01:34:22.058961974Z
2025-02-01T20:45:17-05:00       DEBUG   [pkg] Package types     types=[os library]
2025-02-01T20:45:17-05:00       DEBUG   [pkg] Package relationships     relationships=[unknown root workspace direct indirect]
2025-02-01T20:45:17-05:00       INFO    [vuln] Vulnerability scanning is enabled
2025-02-01T20:45:17-05:00       INFO    [secret] Secret scanning is enabled
2025-02-01T20:45:17-05:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-02-01T20:45:17-05:00       INFO    [secret] Please see also https://aquasecurity.github.io/trivy/v0.59/docs/scanner/secret#recommendation for faster secret detection
2025-02-01T20:45:17-05:00       DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2025-02-01T20:45:17-05:00       DEBUG   Initializing scan cache...      type="fs"
2025-02-01T20:45:17-05:00       DEBUG   [secret] No secret config detected      config_path="trivy-secret.yaml"
2025-02-01T20:45:17-05:00       DEBUG   [secret] No secret config detected      config_path="trivy-secret.yaml"
2025-02-01T20:45:17-05:00       DEBUG   [image] Detected image ID       image_id="sha256:f67504ca581bee4b3833687bcb47f590f3ed826db250da3fe240cc53e7a6e9c4"
2025-02-01T20:45:17-05:00       DEBUG   [image] Detected diff ID        diff_ids=[sha256:3e01818d79cd3467f1d60e54224f3f6ce5170eceb54e265d96bb82344b8c24e7 sha256:174ac372eafb31a01a7e72062f873aa7cf357dfe0133f0fbd794f2f43ae278dd sha256:f75706aada560f9fc3c035a44e9c8f8da8bf7317a39df18ae86c56fdd8344d66 sha256:178f0c84f66ac6f6b57214291b8827aa1199eb29949efec2aafe838998b8df67]
2025-02-01T20:45:17-05:00       DEBUG   [image] Detected base layers    diff_ids=[sha256:3e01818d79cd3467f1d60e54224f3f6ce5170eceb54e265d96bb82344b8c24e7]
2025-02-01T20:45:17-05:00       INFO    Detected OS     family="alpine" version="3.21.0"
2025-02-01T20:45:17-05:00       INFO    [alpine] Detecting vulnerabilities...   os_version="3.21" repository="3.21" pkg_num=28
2025-02-01T20:45:17-05:00       INFO    Number of language-specific files       num=1
2025-02-01T20:45:17-05:00       INFO    [gobinary] Detecting vulnerabilities...
2025-02-01T20:45:17-05:00       DEBUG   [gobinary] Scanning packages for vulnerabilities  file_path="usr/local/bin/trivy"
2025-02-01T20:45:17-05:00       WARN    Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.59/docs/scanner/vulnerability#severity-selection for details.
2025-02-01T20:45:17-05:00       DEBUG   Specified ignore file does not exist    file=".trivyignore"
2025-02-01T20:45:17-05:00       DEBUG   [vex] VEX filtering is disabled

aquasec/trivy (alpine 3.21.0)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


usr/local/bin/trivy (gobinary)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │        Fixed Version         │                            Title                             │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-45336 │ MEDIUM   │ fixed  │ v1.23.4           │ 1.22.11, 1.23.5, 1.24.0-rc.2 │ golang: net/http: net/http: sensitive headers incorrectly    │
│         │                │          │        │                   │                              │ sent after cross-domain redirect                             │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2024-45336                   │
│         ├────────────────┤          │        │                   │                              ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2024-45341 │          │        │                   │                              │ golang: crypto/x509: crypto/x509: usage of IPv6 zone IDs can │
│         │                │          │        │                   │                              │ bypass URI name...                                           │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2024-45341                   │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────┴──────────────────────────────────────────────────────────────┘

Version

Version: 0.59.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-02-02 00:21:30.370386254 +0000 UTC
  NextUpdate: 2025-02-03 00:21:30.370386124 +0000 UTC
  DownloadedAt: 2025-02-02 01:34:22.058961974 +0000 UTC

Checklist

Read the documentation regarding wrong detection
Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

DmitriyLewen · 2025-02-03T05:42:59Z

DmitriyLewen
Feb 3, 2025
Maintainer

Hello @middleagedman

Trivy didn't find vulns in alpine 3.21.0 (OS for aquasec/trivy image).

But Trivy found 2 vulns in Trivy binary.

0 replies

middleagedman · 2025-02-03T20:58:03Z

middleagedman
Feb 3, 2025
Author

Correct. So I guess a patch is coming for that soon :)

1 reply

DmitriyLewen Feb 4, 2025
Maintainer

Created #8341

DmitriyLewen · 2025-02-04T05:48:06Z

DmitriyLewen
Feb 4, 2025
Maintainer

Created #8341

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Trivy docker image has vulnerabilities? #8332

Uh oh!

{{title}}

Uh oh!

Replies: 3 comments 1 reply

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Trivy docker image has vulnerabilities? #8332

Uh oh!

middleagedman Feb 2, 2025

IDs

Description

Reproduction Steps

Target

Scanner

Target OS

Debug Output

Version

Checklist

Replies: 3 comments · 1 reply

Uh oh!

DmitriyLewen Feb 3, 2025 Maintainer

Uh oh!

middleagedman Feb 3, 2025 Author

Uh oh!

DmitriyLewen Feb 4, 2025 Maintainer

Uh oh!

DmitriyLewen Feb 4, 2025 Maintainer

middleagedman
Feb 2, 2025

Replies: 3 comments 1 reply

DmitriyLewen
Feb 3, 2025
Maintainer

middleagedman
Feb 3, 2025
Author

DmitriyLewen Feb 4, 2025
Maintainer

DmitriyLewen
Feb 4, 2025
Maintainer