bug(bitnami): Go CVEs are reported twice #8863

fmulero · 2025-05-13T12:46:14Z

fmulero
May 13, 2025

Description

Bitnami member here. In bitnami images with gobinaries we can see the spdx analyzed as gobinary file and the the CVEs are reported twice. Not sure if there is any kind of error in the bitnami sbom file, the issue only happens if the image has gobinaries.

Desired Behavior

CVEs over the same binary file are reported just once.

Actual Behavior

In the json report we can see thinks like this:

"Results": [
...
 {
      "Target": "opt/bitnami/common/.spdx-wait-for-port.spdx",
      "Class": "lang-pkgs",
      "Type": "gobinary",
      "Vulnerabilities": [
        {
          "VulnerabilityID": "CVE-2025-22866",
          "PkgID": "[email protected]",
          "PkgName": "stdlib",
          "PkgPath": "opt/bitnami/common",
          "PkgIdentifier": {
            "PURL": "pkg:golang/[email protected]",
            "UID": "11fe8b8c1d81c734"
          },
         ....
        }
},
{
      "Target": "opt/bitnami/common/bin/wait-for-port",
      "Class": "lang-pkgs",
      "Type": "gobinary",
      "Vulnerabilities": [
        {
          "VulnerabilityID": "CVE-2025-22866",
          "PkgID": "[email protected]",
          "PkgName": "stdlib",
          "PkgIdentifier": {
            "PURL": "pkg:golang/[email protected]",
            "UID": "cb70ff5498d3cb1f"
          },
....
{

In the sbom file opt/bitnami/common/.spdx-wait-for-port.spdx we can see this:

...
"packages": [ 
       {
            "name": "opt/bitnami/common/bin/wait-for-port",
            "SPDXID": "SPDXRef-Application-cd19f4a07bc0bd87-wait-for-port",
            "downloadLocation": "NONE",
            "filesAnalyzed": false,
            "primaryPackagePurpose": "APPLICATION",
            "copyrightText": "NOASSERTION",
            "licenseConcluded": "NOASSERTION",
            "licenseDeclared": "NOASSERTION"
        },
       {
            "name": "stdlib",
            "SPDXID": "SPDXRef-Package-5b43dd2818d295c7",
            "versionInfo": "1.22.11",
            "supplier": "NOASSERTION",
            "downloadLocation": "NONE",
            "filesAnalyzed": false,
            "sourceInfo": "opt/bitnami/common/bin/wait-for-port",
            "licenseConcluded": "NONE",
            "licenseDeclared": "NONE",
            "externalRefs": [
                {
                    "referenceCategory": "PACKAGE-MANAGER",
                    "referenceType": "purl",
                    "referenceLocator": "pkg:golang/[email protected]"
                }
            ],
            "primaryPackagePurpose": "LIBRARY",
            "copyrightText": "NOASSERTION"
        }
....
"relationships": [
        ...
        {
            "spdxElementId": "SPDXRef-Application-cd19f4a07bc0bd87-wait-for-port",
            "relatedSpdxElement": "SPDXRef-Package-5b43dd2818d295c7",
            "relationshipType": "DEPENDS_ON"
        },
        ...
    ]
...

Reproduction Steps

$ trivy image --debug bitnami/redis:7.4.2-debian-12-r1 
2025-05-13T14:41:31+02:00	DEBUG	No plugins loaded
2025-05-13T14:41:31+02:00	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2025-05-13T14:41:31+02:00	DEBUG	Cache dir	dir="/Users/fm022204/Library/Caches/trivy"
2025-05-13T14:41:31+02:00	DEBUG	Cache dir	dir="/Users/fm022204/Library/Caches/trivy"
2025-05-13T14:41:31+02:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-05-13T14:41:31+02:00	DEBUG	Ignore statuses	statuses=[]
2025-05-13T14:41:31+02:00	DEBUG	DB update was skipped because the local DB is the latest
2025-05-13T14:41:31+02:00	DEBUG	DB info	schema=2 updated_at=2025-05-13T06:22:44.63558503Z next_update=2025-05-14T06:22:44.63558475Z downloaded_at=2025-05-13T10:59:57.570081Z
2025-05-13T14:41:31+02:00	DEBUG	[pkg] Package types	types=[os library]
2025-05-13T14:41:31+02:00	DEBUG	[pkg] Package relationships	relationships=[unknown root workspace direct indirect]
2025-05-13T14:41:31+02:00	INFO	[vuln] Vulnerability scanning is enabled
2025-05-13T14:41:31+02:00	INFO	[secret] Secret scanning is enabled
2025-05-13T14:41:31+02:00	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-05-13T14:41:31+02:00	INFO	[secret] Please see also https://trivy.dev/v0.62/docs/scanner/secret#recommendation for faster secret detection
2025-05-13T14:41:31+02:00	DEBUG	Initializing scan cache...	type="fs"
2025-05-13T14:41:31+02:00	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2025-05-13T14:41:31+02:00	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2025-05-13T14:41:31+02:00	DEBUG	[image] Detected image ID	image_id="sha256:0527618c31c4fe1c01ed6159c0422e72dd70a83a7a3c393b07a40ba300a31415"
2025-05-13T14:41:31+02:00	DEBUG	[image] Detected diff ID	diff_ids=[sha256:5a9503a9414c57afd225dd506a477648133ea93bfc7c6f3aa547b9a2a8549dcb]
2025-05-13T14:41:31+02:00	DEBUG	[image] Detected base layers	diff_ids=[]
2025-05-13T14:41:31+02:00	DEBUG	[image] Missing image ID in cache	image_id="sha256:0527618c31c4fe1c01ed6159c0422e72dd70a83a7a3c393b07a40ba300a31415"
2025-05-13T14:41:31+02:00	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:5a9503a9414c57afd225dd506a477648133ea93bfc7c6f3aa547b9a2a8549dcb"
2025-05-13T14:41:32+02:00	DEBUG	[gobinary] Unable to detect main module's dependency version - `(devel)` is used	dependency="github.com/bitnami/wait-for-port"
2025-05-13T14:41:32+02:00	DEBUG	[gobinary] Parsing dependency's build info settings	dependency="github.com/bitnami/wait-for-port" -ldflags=[-s -w]
2025-05-13T14:41:32+02:00	DEBUG	[gobinary] Unable to detect dependency version. `-ldflags` build info settings don't contain version flag. Empty version used.	dependency="github.com/bitnami/wait-for-port"
2025-05-13T14:41:33+02:00	DEBUG	No secrets found in container image config
2025-05-13T14:41:33+02:00	INFO	Detected OS	family="debian" version="12.9"
2025-05-13T14:41:33+02:00	INFO	[debian] Detecting vulnerabilities...	os_version="12" pkg_num=101
2025-05-13T14:41:33+02:00	INFO	Number of language-specific files	num=4
2025-05-13T14:41:33+02:00	INFO	[bitnami] Detecting vulnerabilities...
2025-05-13T14:41:33+02:00	DEBUG	[bitnami] Scanning packages for vulnerabilities	file_path="opt/bitnami/common"
2025-05-13T14:41:33+02:00	DEBUG	[bitnami] Scanning packages for vulnerabilities	file_path="opt/bitnami/redis"
2025-05-13T14:41:33+02:00	INFO	[gobinary] Detecting vulnerabilities...
2025-05-13T14:41:33+02:00	DEBUG	[gobinary] Scanning packages for vulnerabilities	file_path="opt/bitnami/common/.spdx-wait-for-port.spdx"
2025-05-13T14:41:33+02:00	DEBUG	[gobinary] Scanning packages for vulnerabilities	file_path="opt/bitnami/common/bin/wait-for-port"
2025-05-13T14:41:33+02:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="github.com/bitnami/wait-for-port"
2025-05-13T14:41:33+02:00	WARN	Using severities from other vendors for some vulnerabilities. Read https://trivy.dev/v0.62/docs/scanner/vulnerability#severity-selection for details.
2025-05-13T14:41:33+02:00	DEBUG	Specified ignore file does not exist	file=".trivyignore"
2025-05-13T14:41:33+02:00	DEBUG	[vex] VEX filtering is disabled
2025-05-13T14:41:33+02:00	INFO	Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Report Summary

┌────────────────────────────────────────────────┬──────────┬─────────────────┬─────────┐
│                     Target                     │   Type   │ Vulnerabilities │ Secrets │
├────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ bitnami/redis:7.4.2-debian-12-r1 (debian 12.9) │  debian  │       100       │    -    │
├────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ opt/bitnami/common                             │ bitnami  │        0        │    -    │
├────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ opt/bitnami/common/.spdx-wait-for-port.spdx    │ gobinary │        2        │    -    │
├────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ opt/bitnami/common/bin/wait-for-port           │ gobinary │        2        │    -    │
├────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ opt/bitnami/redis                              │ bitnami  │        1        │    -    │
└────────────────────────────────────────────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)
...
opt/bitnami/common/.spdx-wait-for-port.spdx (gobinary)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)

┌─────────────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────┬──────────────────────────────────────────────────────────────┐
│     Library     │ Vulnerability  │ Severity │ Status │ Installed Version │        Fixed Version         │                            Title                             │
├─────────────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib (common) │ CVE-2025-22866 │ MEDIUM   │ fixed  │ 1.22.11           │ 1.22.12, 1.23.6, 1.24.0-rc.3 │ crypto/internal/nistec: golang: Timing sidechannel for P-256 │
│                 │                │          │        │                   │                              │ on ppc64le in crypto/internal/nistec                         │
│                 │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-22866                   │
│                 ├────────────────┤          │        │                   ├──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                 │ CVE-2025-22871 │          │        │                   │ 1.23.8, 1.24.2               │ net/http: Request smuggling due to acceptance of invalid     │
│                 │                │          │        │                   │                              │ chunked data in net/http...                                  │
│                 │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-22871                   │
└─────────────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────┴──────────────────────────────────────────────────────────────┘

opt/bitnami/common/bin/wait-for-port (gobinary)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │        Fixed Version         │                            Title                             │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2025-22866 │ MEDIUM   │ fixed  │ v1.22.11          │ 1.22.12, 1.23.6, 1.24.0-rc.3 │ crypto/internal/nistec: golang: Timing sidechannel for P-256 │
│         │                │          │        │                   │                              │ on ppc64le in crypto/internal/nistec                         │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-22866                   │
│         ├────────────────┤          │        │                   ├──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-22871 │          │        │                   │ 1.23.8, 1.24.2               │ net/http: Request smuggling due to acceptance of invalid     │
│         │                │          │        │                   │                              │ chunked data in net/http...                                  │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-22871                   │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────┴──────────────────────────────────────────────────────────────┘
...

Target

Container Image

Scanner

Vulnerability

Output Format

None

Mode

None

Debug Output

2025-05-13T14:41:31+02:00	DEBUG	No plugins loaded
2025-05-13T14:41:31+02:00	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2025-05-13T14:41:31+02:00	DEBUG	Cache dir	dir="/Users/fm022204/Library/Caches/trivy"
2025-05-13T14:41:31+02:00	DEBUG	Cache dir	dir="/Users/fm022204/Library/Caches/trivy"
2025-05-13T14:41:31+02:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-05-13T14:41:31+02:00	DEBUG	Ignore statuses	statuses=[]
2025-05-13T14:41:31+02:00	DEBUG	DB update was skipped because the local DB is the latest
2025-05-13T14:41:31+02:00	DEBUG	DB info	schema=2 updated_at=2025-05-13T06:22:44.63558503Z next_update=2025-05-14T06:22:44.63558475Z downloaded_at=2025-05-13T10:59:57.570081Z
2025-05-13T14:41:31+02:00	DEBUG	[pkg] Package types	types=[os library]
2025-05-13T14:41:31+02:00	DEBUG	[pkg] Package relationships	relationships=[unknown root workspace direct indirect]
2025-05-13T14:41:31+02:00	INFO	[vuln] Vulnerability scanning is enabled
2025-05-13T14:41:31+02:00	INFO	[secret] Secret scanning is enabled
2025-05-13T14:41:31+02:00	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-05-13T14:41:31+02:00	INFO	[secret] Please see also https://trivy.dev/v0.62/docs/scanner/secret#recommendation for faster secret detection
2025-05-13T14:41:31+02:00	DEBUG	Initializing scan cache...	type="fs"
2025-05-13T14:41:31+02:00	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2025-05-13T14:41:31+02:00	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2025-05-13T14:41:31+02:00	DEBUG	[image] Detected image ID	image_id="sha256:0527618c31c4fe1c01ed6159c0422e72dd70a83a7a3c393b07a40ba300a31415"
2025-05-13T14:41:31+02:00	DEBUG	[image] Detected diff ID	diff_ids=[sha256:5a9503a9414c57afd225dd506a477648133ea93bfc7c6f3aa547b9a2a8549dcb]
2025-05-13T14:41:31+02:00	DEBUG	[image] Detected base layers	diff_ids=[]
2025-05-13T14:41:31+02:00	DEBUG	[image] Missing image ID in cache	image_id="sha256:0527618c31c4fe1c01ed6159c0422e72dd70a83a7a3c393b07a40ba300a31415"
2025-05-13T14:41:31+02:00	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:5a9503a9414c57afd225dd506a477648133ea93bfc7c6f3aa547b9a2a8549dcb"
2025-05-13T14:41:32+02:00	DEBUG	[gobinary] Unable to detect main module's dependency version - `(devel)` is used	dependency="github.com/bitnami/wait-for-port"
2025-05-13T14:41:32+02:00	DEBUG	[gobinary] Parsing dependency's build info settings	dependency="github.com/bitnami/wait-for-port" -ldflags=[-s -w]
2025-05-13T14:41:32+02:00	DEBUG	[gobinary] Unable to detect dependency version. `-ldflags` build info settings don't contain version flag. Empty version used.	dependency="github.com/bitnami/wait-for-port"
2025-05-13T14:41:33+02:00	DEBUG	No secrets found in container image config
2025-05-13T14:41:33+02:00	INFO	Detected OS	family="debian" version="12.9"
2025-05-13T14:41:33+02:00	INFO	[debian] Detecting vulnerabilities...	os_version="12" pkg_num=101
2025-05-13T14:41:33+02:00	INFO	Number of language-specific files	num=4
2025-05-13T14:41:33+02:00	INFO	[bitnami] Detecting vulnerabilities...
2025-05-13T14:41:33+02:00	DEBUG	[bitnami] Scanning packages for vulnerabilities	file_path="opt/bitnami/common"
2025-05-13T14:41:33+02:00	DEBUG	[bitnami] Scanning packages for vulnerabilities	file_path="opt/bitnami/redis"
2025-05-13T14:41:33+02:00	INFO	[gobinary] Detecting vulnerabilities...
2025-05-13T14:41:33+02:00	DEBUG	[gobinary] Scanning packages for vulnerabilities	file_path="opt/bitnami/common/.spdx-wait-for-port.spdx"
2025-05-13T14:41:33+02:00	DEBUG	[gobinary] Scanning packages for vulnerabilities	file_path="opt/bitnami/common/bin/wait-for-port"
2025-05-13T14:41:33+02:00	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="github.com/bitnami/wait-for-port"
2025-05-13T14:41:33+02:00	WARN	Using severities from other vendors for some vulnerabilities. Read https://trivy.dev/v0.62/docs/scanner/vulnerability#severity-selection for details.
2025-05-13T14:41:33+02:00	DEBUG	Specified ignore file does not exist	file=".trivyignore"
2025-05-13T14:41:33+02:00	DEBUG	[vex] VEX filtering is disabled
2025-05-13T14:41:33+02:00	INFO	Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Operating System

macOS Sonoma

Version

Version: 0.62.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-05-13 06:22:44.63558503 +0000 UTC
  NextUpdate: 2025-05-14 06:22:44.63558475 +0000 UTC
  DownloadedAt: 2025-05-13 10:59:57.570081 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2025-05-12 02:46:40.669179331 +0000 UTC
  NextUpdate: 2025-05-15 02:46:40.66917914 +0000 UTC
  DownloadedAt: 2025-05-12 17:38:06.311364 +0000 UTC

Checklist

Run trivy clean --all
Read the troubleshooting

DmitriyLewen · 2025-05-14T06:38:12Z

DmitriyLewen
May 14, 2025
Maintainer

Hello @fmulero
Thanks for your report!

You are right. Trivy creates duplicate packages:

from opt/bitnami/common/bin/wait-for-port Go Binary
from opt/bitnami/common/.spdx-wait-for-port.spdx SPDX file.

Problem with SPDX file, more precisely with SPDXRef-Application-cd19f4a07bc0bd87-wait-for-port:

        {
            "name": "opt/bitnami/common/bin/wait-for-port",
            "SPDXID": "SPDXRef-Application-cd19f4a07bc0bd87-wait-for-port",
            "downloadLocation": "NONE",
            "filesAnalyzed": false,
            "primaryPackagePurpose": "APPLICATION",
            "copyrightText": "NOASSERTION",
            "licenseConcluded": "NOASSERTION",
            "licenseDeclared": "NOASSERTION"
        },

This component doesn't have info about type of this application.
So Trivy groups up packages from .spdx-wait-for-port.spdx, but use filpath of spdx file (opt/bitnami/common/.spdx-wait-for-port.spdx instead of opt/bitnami/common/bin/wait-for-port).

After that Trivy thinks that these are 2 different targets (different filepaths).

Unfortunately, SPDX format does not have regulations for such cases - we cannot handle all possible cases.

hi @juan131! sorry for the ping.
But maybe you'll be interested in this case, and together we can figure out how to fix such cases.

0 replies

fmulero · 2025-05-27T16:53:19Z

fmulero
May 27, 2025
Author

Thanks @DmitriyLewen for the explanation.

I am trying to understand where is the problem, but I don't see it clearly.

With simpler image with a gobinary we see the following:

$ trivy image bitnami/harbor-exporter:2.13.0 --table-mode summary
2025-05-27T18:11:26+02:00       INFO    [vuln] Vulnerability scanning is enabled
2025-05-27T18:11:26+02:00       INFO    [secret] Secret scanning is enabled
2025-05-27T18:11:26+02:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-05-27T18:11:26+02:00       INFO    [secret] Please see also https://trivy.dev/v0.62/docs/scanner/secret#recommendation for faster secret detection
2025-05-27T18:11:28+02:00       INFO    Detected OS     family="debian" version="12.11"
2025-05-27T18:11:28+02:00       INFO    [debian] Detecting vulnerabilities...   os_version="12" pkg_num=116
2025-05-27T18:11:28+02:00       INFO    Number of language-specific files       num=3
2025-05-27T18:11:28+02:00       INFO    [bitnami] Detecting vulnerabilities...
2025-05-27T18:11:28+02:00       INFO    [gobinary] Detecting vulnerabilities...
2025-05-27T18:11:28+02:00       WARN    Using severities from other vendors for some vulnerabilities. Read https://trivy.dev/v0.62/docs/scanner/vulnerability#severity-selection for details.

Report Summary

┌────────────────────────────────────────────────────────┬──────────┬─────────────────┬─────────┐
│                         Target                         │   Type   │ Vulnerabilities │ Secrets │
├────────────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ bitnami/harbor-exporter:2.13.0 (debian 12.11)          │  debian  │       110       │    -    │
├────────────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ opt/bitnami/harbor-exporter                            │ bitnami  │        0        │    -    │
├────────────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ opt/bitnami/harbor-exporter/.spdx-harbor-exporter.spdx │ gobinary │        3        │    -    │
├────────────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ opt/bitnami/harbor-exporter/bin/harbor_exporter        │ gobinary │        3        │    -    │
└────────────────────────────────────────────────────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

opt/bitnami/harbor-exporter/bin/harbor_exporter and opt/bitnami/harbor-exporter/.spdx-harbor-exporter.spdx appears like gobinary files and the bitnami type doesn't have any vulnerability (when the spdx file is opt/bitnami/harbor-exporter/.spdx-harbor-exporter.spdx)

Other weird example, in this case without gobinaries, is this one:

$ trivy image bitnami/cassandra-exporter --table-mode summary
2025-05-27T18:37:10+02:00       INFO    [vuln] Vulnerability scanning is enabled
2025-05-27T18:37:10+02:00       INFO    [secret] Secret scanning is enabled
2025-05-27T18:37:10+02:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-05-27T18:37:10+02:00       INFO    [secret] Please see also https://trivy.dev/v0.62/docs/scanner/secret#recommendation for faster secret detection
2025-05-27T18:37:12+02:00       INFO    Detected OS     family="debian" version="12.11"
2025-05-27T18:37:12+02:00       INFO    [debian] Detecting vulnerabilities...   os_version="12" pkg_num=116
2025-05-27T18:37:12+02:00       INFO    Number of language-specific files       num=3
2025-05-27T18:37:12+02:00       INFO    [bitnami] Detecting vulnerabilities...
2025-05-27T18:37:12+02:00       INFO    [jar] Detecting vulnerabilities...
2025-05-27T18:37:12+02:00       WARN    Using severities from other vendors for some vulnerabilities. Read https://trivy.dev/v0.62/docs/scanner/vulnerability#severity-selection for details.

Report Summary

┌───────────────────────────────────────────────────────┬─────────┬─────────────────┬─────────┐
│                        Target                         │  Type   │ Vulnerabilities │ Secrets │
├───────────────────────────────────────────────────────┼─────────┼─────────────────┼─────────┤
│ bitnami/cassandra-exporter (debian 12.11)             │ debian  │       110       │    -    │
├───────────────────────────────────────────────────────┼─────────┼─────────────────┼─────────┤
│ opt/bitnami/cassandra-exporter/cassandra_exporter.jar │   jar   │       12        │    -    │
├───────────────────────────────────────────────────────┼─────────┼─────────────────┼─────────┤
│ opt/bitnami/cassandra-exporter                        │ bitnami │        0        │    -    │
├───────────────────────────────────────────────────────┼─────────┼─────────────────┼─────────┤
│ opt/bitnami/java                                      │ bitnami │        0        │    -    │
└───────────────────────────────────────────────────────┴─────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

All the affected libraries in opt/bitnami/cassandra-exporter/cassandra_exporter.jar, appears in the opt/bitnami/cassandra-exporter/.spdx-cassandra-exporter.spdx file as part of the cassandra_exporter.jar, shouldn't they appear under the bitnami type?

11 replies

fmulero Jun 4, 2025
Author

Sorry, I think I messed up. I am going back to the beginning.

In bitnami images with gobinaries we can see the spdx analyzed as gobinary file and the the CVEs are reported twice.

Why did I say twice? Because if we analyse other containers like cassandra-exporter, CVEs are only reported for the jar file:

$ trivy image bitnami/cassandra-exporter:2.3.8-debian-12-r48 -q --pkg-types library --table-mode summary

Report Summary

┌───────────────────────────────────────────────────────┬─────────┬─────────────────┬─────────┐
│                        Target                         │  Type   │ Vulnerabilities │ Secrets │
├───────────────────────────────────────────────────────┼─────────┼─────────────────┼─────────┤
│ opt/bitnami/cassandra-exporter/cassandra_exporter.jar │   jar   │       12        │    -    │
├───────────────────────────────────────────────────────┼─────────┼─────────────────┼─────────┤
│ opt/bitnami/cassandra-exporter                        │ bitnami │        0        │    -    │
├───────────────────────────────────────────────────────┼─────────┼─────────────────┼─────────┤
│ opt/bitnami/java                                      │ bitnami │        0        │    -    │
└───────────────────────────────────────────────────────┴─────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

If we analyse only the SPDX file from the container we can see exactly the same CVEs reported for jar file:

$ docker create --name cass bitnami/cassandra-exporter:2.3.8-debian-12-r48
7253acc96a65b5f6568f2078f0c5429452e26834e0934d96bf9065687cadaa90
$ docker cp cass:/opt/bitnami/cassandra-exporter/.spdx-cassandra-exporter.spdx /tmp/spdx-cassandra-exporter.spdx
Successfully copied 28.2kB to /tmp/spdx-cassandra-exporter.spdx
$ trivy sbom /tmp/spdx-cassandra-exporter.spdx -q --pkg-types library --table-mode summary

Report Summary

┌────────────────────────┬─────────┬─────────────────┐
│         Target         │  Type   │ Vulnerabilities │
├────────────────────────┼─────────┼─────────────────┤
│                        │ bitnami │        0        │
├────────────────────────┼─────────┼─────────────────┤
│ cassandra_exporter.jar │   jar   │       12        │
└────────────────────────┴─────────┴─────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

I assume that's the correct behavior but please amend me if I am wrong.

In the case of containers with gobinaries, we are facing the problem exposed:

$ trivy image bitnami/harbor-exporter:2.13.0 -q --pkg-types library --table-mode summary

Report Summary

┌────────────────────────────────────────────────────────┬──────────┬─────────────────┬─────────┐
│                         Target                         │   Type   │ Vulnerabilities │ Secrets │
├────────────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ opt/bitnami/harbor-exporter                            │ bitnami  │        0        │    -    │
├────────────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ opt/bitnami/harbor-exporter/.spdx-harbor-exporter.spdx │ gobinary │        3        │    -    │
├────────────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ opt/bitnami/harbor-exporter/bin/harbor_exporter        │ gobinary │        3        │    -    │

Said that, it seems the problem is in both sides: The Bitnami SPDX file is not correct and there are some issues in Trivy.

From Btinami side, I'll try to analyse what changes we can do and I'll back to you.

DmitriyLewen Jun 5, 2025
Maintainer

@fmulero Thanks for the jar example and for pointing it out again.
I investigated the differences and found the reason why deduplication works for jar but not for Go binaries
Created #8993

fmulero Jun 5, 2025
Author

I was playing a little building the SPDX with trivy directly and it works fine thanks to the annotations, there is no file element pointing to the gobinary and related to the application package:

{
      "name": "opt/bitnami/harbor-exporter/bin/harbor_exporter",
      "SPDXID": "SPDXRef-Application-2a5527f1cdd2ada4",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "primaryPackagePurpose": "APPLICATION",
      "annotations": [
        {
          "annotator": "Tool: trivy-0.62.1",
          "annotationDate": "2025-06-05T09:47:42Z",
          "annotationType": "OTHER",
          "comment": "Class: lang-pkgs"
        },
        {
          "annotator": "Tool: trivy-0.62.1",
          "annotationDate": "2025-06-05T09:47:42Z",
          "annotationType": "OTHER",
          "comment": "Type: gobinary"
        }
      ]
    },

If we add the annotation with the comment Type: gobinary to the Application package in the original SPDX file (here an example an example):

...
       {
            "name": "opt/bitnami/harbor-exporter/bin/harbor_exporter",
            "SPDXID": "SPDXRef-Application-c958679d1b6f5088-harbor-exporter",
            "downloadLocation": "NONE",
            "filesAnalyzed": false,
            "primaryPackagePurpose": "APPLICATION",
            "copyrightText": "NOASSERTION",
            "licenseConcluded": "NOASSERTION",
            "licenseDeclared": "NOASSERTION",
            "annotations": [
                {
                    "annotator": "Person: Fran Mulero",
                    "annotationDate": "2025-06-05T09:47:42Z",
                    "annotationType": "OTHER",
                    "comment": "Type: gobinary"
                }
            ]
        },
...

Everything works fine:
```console
$ trivy image -q --pkg-types library  bitnami/harbor-exporter:framu

Report Summary

┌─────────────────────────────────────────────────┬──────────┬─────────────────┬─────────┐
│                     Target                      │   Type   │ Vulnerabilities │ Secrets │
├─────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ opt/bitnami/harbor-exporter                     │ bitnami  │        0        │    -    │
├─────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ opt/bitnami/harbor-exporter/bin/harbor_exporter │ gobinary │        3        │    -    │
└─────────────────────────────────────────────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


opt/bitnami/harbor-exporter/bin/harbor_exporter (gobinary)

Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 3, HIGH: 0, CRITICAL: 0)

┌────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│              Library               │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net (harbor-exporter) │ CVE-2025-22872 │ MEDIUM   │ fixed  │ v0.37.0           │ 0.38.0        │ golang.org/x/net/html: Incorrect Neutralization of Input     │
│                                    │                │          │        │                   │               │ During Web Page Generation in x/net in...                    │
│                                    │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-22872                   │
├────────────────────────────────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ helm.sh/helm/v3 (harbor-exporter)  │ CVE-2025-32386 │          │        │ v3.17.2           │ 3.17.3        │ helm.sh/helm/v3: Helm Allows A Specially Crafted Chart       │
│                                    │                │          │        │                   │               │ Archive To Cause Out Of...                                   │
│                                    │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-32386                   │
│                                    ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│                                    │ CVE-2025-32387 │          │        │                   │               │ helm.sh/helm/v3: Helm Allows A Specially Crafted JSON Schema │
│                                    │                │          │        │                   │               │ To Cause A Stack...                                          │
│                                    │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-32387                   │
└────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

So it seems the file element and the relationships are not really needed.

DmitriyLewen Jun 6, 2025
Maintainer

I apologize.
I thought that we add trivy prefix for both SPDX and CycloneDX.
That's why I thought that adding a property named with Trivy prefix would be unacceptable for you and didn't suggest it.

But as you correctly noted - SPDX doesn't need Trivy prefix.
So if this approach suits you - it would be an ideal solution.

DmitriyLewen Jul 23, 2025
Maintainer

Hello @fmulero

If we add the annotation with the comment Type: gobinary to the Application package in the original SPDX file

Is there any news about these changes?

We got similar issue from user for bitnami/keycloak:26.0.7 image.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

bug(bitnami): Go CVEs are reported twice #8863

Uh oh!

{{title}}

Uh oh!

Replies: 2 comments 11 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

bug(bitnami): Go CVEs are reported twice #8863

Uh oh!

fmulero May 13, 2025

Description

Desired Behavior

Actual Behavior

Reproduction Steps

Target

Scanner

Output Format

Mode

Debug Output

Operating System

Version

Checklist

Replies: 2 comments · 11 replies

Uh oh!

Uh oh!

DmitriyLewen May 14, 2025 Maintainer

Uh oh!

fmulero May 27, 2025 Author

Uh oh!

fmulero Jun 4, 2025 Author

Uh oh!

DmitriyLewen Jun 5, 2025 Maintainer

Uh oh!

fmulero Jun 5, 2025 Author

Uh oh!

DmitriyLewen Jun 6, 2025 Maintainer

Uh oh!

DmitriyLewen Jul 23, 2025 Maintainer

fmulero
May 13, 2025

Replies: 2 comments 11 replies

DmitriyLewen
May 14, 2025
Maintainer

fmulero
May 27, 2025
Author

fmulero Jun 4, 2025
Author

DmitriyLewen Jun 5, 2025
Maintainer

fmulero Jun 5, 2025
Author

DmitriyLewen Jun 6, 2025
Maintainer

DmitriyLewen Jul 23, 2025
Maintainer