Reporting 0 vulns for Ubuntu 20.04 ESM #8977

zefanxu-db · 2025-06-03T22:51:24Z

zefanxu-db
Jun 3, 2025

Description

I am scanning an image that is built on Ubuntu 20.04 ESM.
If I run the scan directly it is reporting no OS vulnerability.

$ trivy image --scanners vuln  --pkg-types os   registry.dev.databricks.com/universe/snapshotter-standalone@sha256:d4efc4ca5f8624d3e791c9f70933802e4bfd03119684584e6dca09c0b004024a --debug       
2025-06-03T22:45:26Z	DEBUG	No plugins loaded
2025-06-03T22:45:26Z	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2025-06-03T22:45:26Z	DEBUG	Cache dir	dir="/home/zefan.xu/.cache/trivy"
2025-06-03T22:45:26Z	DEBUG	Cache dir	dir="/home/zefan.xu/.cache/trivy"
2025-06-03T22:45:26Z	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-06-03T22:45:26Z	DEBUG	Ignore statuses	statuses=[]
2025-06-03T22:45:26Z	DEBUG	DB update was skipped because the local DB is the latest
2025-06-03T22:45:26Z	DEBUG	DB info	schema=2 updated_at=2025-06-03T18:17:08.920957428Z next_update=2025-06-04T18:17:08.920957178Z downloaded_at=2025-06-03T22:12:20.248629552Z
2025-06-03T22:45:26Z	DEBUG	[pkg] Package types	types=[os]
2025-06-03T22:45:26Z	DEBUG	[pkg] Package relationships	relationships=[unknown root workspace direct indirect]
2025-06-03T22:45:26Z	INFO	[vuln] Vulnerability scanning is enabled
2025-06-03T22:45:26Z	DEBUG	Initializing scan cache...	type="fs"
2025-06-03T22:45:26Z	DEBUG	[image] Detected image ID	image_id="sha256:d627daeacbd4ca0f892ff64962dd1643939f74a52ee72cc218cf724138abad45"
2025-06-03T22:45:26Z	DEBUG	[image] Detected diff ID	diff_ids=[sha256:470b66ea5123c93b0d5606e4213bf9e47d3d426b640d32472e4ac213186c4bb6 sha256:1a8198549c4e12942ecb9583cb37a27acb000c691b3d8ffe3ff58c3a670d7e17 sha256:95907b76c0b08385defe355ef058f980ba8f2065ad6076384eff082cf2d7e94a sha256:034c2d4bf5e9683868cc075f14eacb415885e5b95f58c28e4a14feca8c2182a1 sha256:fda2fa5514ed2d3c505b367e01b35178663905cc0040a66840a48c96a9332196 sha256:6ef1e7aea517ec67d5921e132d3609809773390fa1b8de7a99ac2c732626f351 sha256:df2f6040ae22a094d913fab7c120e72e91d9a6901c6e2066db52a8a527f218a7 sha256:7d7ed424c30a01b045f371bee08e6669c4a981668553cb5b3747389e74913caf sha256:f41ea92577dcb080ed6f3b20f56d7e0a8049e5d0338888492d4826bf152a890f sha256:0928c71e7ab681aa219920c29996c9ccd024a1de83284c3680d3702a64a834e6 sha256:9fcd2e4904d38b849e885e8c0226394b8bc3f166dda6e21c23c39d29c485e09c sha256:0459c2cc01e07ce8ed3523768cba972f9ff6ac3b5d40ce7c6f6fc4e8f9bf6c55 sha256:3fac696bb273f51caab8603c7c747e73d6eaa38932a4231a7a68a014a42c1687 sha256:a2c5cc0cffad57063f19b36951c9c0a7c209ca98bf4fe63999136a3dfc2909f5 sha256:d20d1fddae1c15b1d1f66a1089396d11a4ea239c5bebd8c54ab2d7a1a7df796a sha256:1011ada5ace546929cfc0b026180990ae78294b21bc929c1a9dce1252b245dbd sha256:c8c0bda58ae49b631d52b02180d7d00a143035390e3d2e48872e3a8bb54dc954 sha256:92c3ebea02c9fe520b63c237668a07f8296dffae8673db30fcb92d48a3c2171a sha256:391079b320779a231d70cf3a7ca55cc17139909a4378fc6fd8a3fad36e2382b9 sha256:3cf1f821b5e894790a957607e57235e54c49a7266f2c564ae5c7a516adf12333 sha256:b3de9aef47f8ce631716a1257e348911a9d6f1d808a3c58437eec02d0ca61ab2 sha256:c4548cca79eada37f5b02b5815fecd701d6abd2524da8a475cc0de2f9f3e1657 sha256:fd80ef5ba7b7699faf39e7e01c5d70ad53ffd5e3af73055845423c321b144f3b sha256:d3bd6c769c55fc36c19ae359fc4d4b02393a4b30c100a97601f7fd673d809018 sha256:74321826d83daac5b362599cd3fe33d805d6e6bced2b495dc4eaeaf62c051ca7 sha256:97859c01703d3e54bf36852927bd056c7ca68bbde66f903fe1cd736934afa3bb]
2025-06-03T22:45:26Z	DEBUG	[image] Detected base layers	diff_ids=[sha256:470b66ea5123c93b0d5606e4213bf9e47d3d426b640d32472e4ac213186c4bb6 sha256:1a8198549c4e12942ecb9583cb37a27acb000c691b3d8ffe3ff58c3a670d7e17 sha256:95907b76c0b08385defe355ef058f980ba8f2065ad6076384eff082cf2d7e94a sha256:034c2d4bf5e9683868cc075f14eacb415885e5b95f58c28e4a14feca8c2182a1 sha256:fda2fa5514ed2d3c505b367e01b35178663905cc0040a66840a48c96a9332196 sha256:6ef1e7aea517ec67d5921e132d3609809773390fa1b8de7a99ac2c732626f351]
2025-06-03T22:45:26Z	INFO	Detected OS	family="ubuntu" version="20.04"
2025-06-03T22:45:26Z	WARN	This OS version is not on the EOL list	family="ubuntu" version="20.04-ESM"
2025-06-03T22:45:26Z	INFO	[ubuntu] Detecting vulnerabilities...	os_version="20.04-ESM" pkg_num=522
2025-06-03T22:45:26Z	DEBUG	Specified ignore file does not exist	file=".trivyignore"
2025-06-03T22:45:26Z	DEBUG	[vex] VEX filtering is disabled

Report Summary

┌──────────────────────────────────────────────────────────────────────────────────┬────────┬─────────────────┐
│                                      Target                                      │  Type  │ Vulnerabilities │
├──────────────────────────────────────────────────────────────────────────────────┼────────┼─────────────────┤
│ registry.dev.databricks.com/universe/snapshotter-standalone@sha256:d4efc4ca5f86- │ ubuntu │        0        │
│ 24d3e791c9f70933802e4bfd03119684584e6dca09c0b004024a (ubuntu 20.04-ESM)          │        │                 │
└──────────────────────────────────────────────────────────────────────────────────┴────────┴─────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

But if I overwrite the OS as "ubuntu 20.04" (no-ESM), it reports the correct vulnerabilities.

trivy image --scanners vuln  --pkg-types os  --distro ubuntu/20.04 registry.dev.databricks.com/universe/snapshotter-standalone@sha256:d4efc4ca5f8624d3e791c9f70933802e4bfd03119684584e6dca09c0b004024a --debug
2025-06-03T22:45:14Z	DEBUG	No plugins loaded
2025-06-03T22:45:14Z	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2025-06-03T22:45:14Z	DEBUG	Cache dir	dir="/home/zefan.xu/.cache/trivy"
2025-06-03T22:45:14Z	DEBUG	Cache dir	dir="/home/zefan.xu/.cache/trivy"
2025-06-03T22:45:14Z	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-06-03T22:45:14Z	DEBUG	Ignore statuses	statuses=[]
2025-06-03T22:45:14Z	DEBUG	DB update was skipped because the local DB is the latest
2025-06-03T22:45:14Z	DEBUG	DB info	schema=2 updated_at=2025-06-03T18:17:08.920957428Z next_update=2025-06-04T18:17:08.920957178Z downloaded_at=2025-06-03T22:12:20.248629552Z
2025-06-03T22:45:14Z	DEBUG	[pkg] Package types	types=[os]
2025-06-03T22:45:14Z	DEBUG	[pkg] Package relationships	relationships=[unknown root workspace direct indirect]
2025-06-03T22:45:14Z	INFO	[vuln] Vulnerability scanning is enabled
2025-06-03T22:45:14Z	DEBUG	Initializing scan cache...	type="fs"
2025-06-03T22:45:14Z	DEBUG	[image] Detected image ID	image_id="sha256:d627daeacbd4ca0f892ff64962dd1643939f74a52ee72cc218cf724138abad45"
2025-06-03T22:45:14Z	DEBUG	[image] Detected diff ID	diff_ids=[sha256:470b66ea5123c93b0d5606e4213bf9e47d3d426b640d32472e4ac213186c4bb6 sha256:1a8198549c4e12942ecb9583cb37a27acb000c691b3d8ffe3ff58c3a670d7e17 sha256:95907b76c0b08385defe355ef058f980ba8f2065ad6076384eff082cf2d7e94a sha256:034c2d4bf5e9683868cc075f14eacb415885e5b95f58c28e4a14feca8c2182a1 sha256:fda2fa5514ed2d3c505b367e01b35178663905cc0040a66840a48c96a9332196 sha256:6ef1e7aea517ec67d5921e132d3609809773390fa1b8de7a99ac2c732626f351 sha256:df2f6040ae22a094d913fab7c120e72e91d9a6901c6e2066db52a8a527f218a7 sha256:7d7ed424c30a01b045f371bee08e6669c4a981668553cb5b3747389e74913caf sha256:f41ea92577dcb080ed6f3b20f56d7e0a8049e5d0338888492d4826bf152a890f sha256:0928c71e7ab681aa219920c29996c9ccd024a1de83284c3680d3702a64a834e6 sha256:9fcd2e4904d38b849e885e8c0226394b8bc3f166dda6e21c23c39d29c485e09c sha256:0459c2cc01e07ce8ed3523768cba972f9ff6ac3b5d40ce7c6f6fc4e8f9bf6c55 sha256:3fac696bb273f51caab8603c7c747e73d6eaa38932a4231a7a68a014a42c1687 sha256:a2c5cc0cffad57063f19b36951c9c0a7c209ca98bf4fe63999136a3dfc2909f5 sha256:d20d1fddae1c15b1d1f66a1089396d11a4ea239c5bebd8c54ab2d7a1a7df796a sha256:1011ada5ace546929cfc0b026180990ae78294b21bc929c1a9dce1252b245dbd sha256:c8c0bda58ae49b631d52b02180d7d00a143035390e3d2e48872e3a8bb54dc954 sha256:92c3ebea02c9fe520b63c237668a07f8296dffae8673db30fcb92d48a3c2171a sha256:391079b320779a231d70cf3a7ca55cc17139909a4378fc6fd8a3fad36e2382b9 sha256:3cf1f821b5e894790a957607e57235e54c49a7266f2c564ae5c7a516adf12333 sha256:b3de9aef47f8ce631716a1257e348911a9d6f1d808a3c58437eec02d0ca61ab2 sha256:c4548cca79eada37f5b02b5815fecd701d6abd2524da8a475cc0de2f9f3e1657 sha256:fd80ef5ba7b7699faf39e7e01c5d70ad53ffd5e3af73055845423c321b144f3b sha256:d3bd6c769c55fc36c19ae359fc4d4b02393a4b30c100a97601f7fd673d809018 sha256:74321826d83daac5b362599cd3fe33d805d6e6bced2b495dc4eaeaf62c051ca7 sha256:97859c01703d3e54bf36852927bd056c7ca68bbde66f903fe1cd736934afa3bb]
2025-06-03T22:45:14Z	DEBUG	[image] Detected base layers	diff_ids=[sha256:470b66ea5123c93b0d5606e4213bf9e47d3d426b640d32472e4ac213186c4bb6 sha256:1a8198549c4e12942ecb9583cb37a27acb000c691b3d8ffe3ff58c3a670d7e17 sha256:95907b76c0b08385defe355ef058f980ba8f2065ad6076384eff082cf2d7e94a sha256:034c2d4bf5e9683868cc075f14eacb415885e5b95f58c28e4a14feca8c2182a1 sha256:fda2fa5514ed2d3c505b367e01b35178663905cc0040a66840a48c96a9332196 sha256:6ef1e7aea517ec67d5921e132d3609809773390fa1b8de7a99ac2c732626f351]
2025-06-03T22:45:14Z	INFO	Overriding detected OS with provided distro	detected="ubuntu/20.04" provided="ubuntu/20.04"
2025-06-03T22:45:14Z	INFO	Detected OS	family="ubuntu" version="20.04"
2025-06-03T22:45:14Z	INFO	[ubuntu] Detecting vulnerabilities...	os_version="20.04" pkg_num=522
2025-06-03T22:45:14Z	WARN	This OS version is no longer supported by the distribution	family="ubuntu" version="20.04"
2025-06-03T22:45:14Z	WARN	The vulnerability detection may be insufficient because security updates are not provided
2025-06-03T22:45:14Z	DEBUG	Specified ignore file does not exist	file=".trivyignore"
2025-06-03T22:45:14Z	DEBUG	[vex] VEX filtering is disabled

Report Summary

┌──────────────────────────────────────────────────────────────────────────────────┬────────┬─────────────────┐
│                                      Target                                      │  Type  │ Vulnerabilities │
├──────────────────────────────────────────────────────────────────────────────────┼────────┼─────────────────┤
│ registry.dev.databricks.com/universe/snapshotter-standalone@sha256:d4efc4ca5f86- │ ubuntu │       14        │
│ 24d3e791c9f70933802e4bfd03119684584e6dca09c0b004024a (ubuntu 20.04)              │        │                 │
└──────────────────────────────────────────────────────────────────────────────────┴────────┴─────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


registry.dev.databricks.com/universe/snapshotter-standalone@sha256:d4efc4ca5f8624d3e791c9f70933802e4bfd03119684584e6dca09c0b004024a (ubuntu 20.04)

Total: 14 (UNKNOWN: 0, LOW: 0, MEDIUM: 14, HIGH: 0, CRITICAL: 0)

┌───────────────────────┬────────────────┬──────────┬────────┬───────────────────────────────────┬─────────────────────────────────────┬─────────────────────────────────────────────────────────────┐
│        Library        │ Vulnerability  │ Severity │ Status │         Installed Version         │            Fixed Version            │                            Title                            │
├───────────────────────┼────────────────┼──────────┼────────┼───────────────────────────────────┼─────────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ krb5-locales          │ CVE-2025-3576  │ MEDIUM   │ fixed  │ 1.17-6ubuntu4.9                   │ 1.17-6ubuntu4.11                    │ krb5: Kerberos RC4-HMAC-MD5 Checksum Vulnerability Enabling │
│                       │                │          │        │                                   │                                     │ Message Spoofing via MD5 Collisions                         │
│                       │                │          │        │                                   │                                     │ https://avd.aquasec.com/nvd/cve-2025-3576                   │
├───────────────────────┼────────────────┤          │        ├───────────────────────────────────┼─────────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ libc-bin              │ CVE-2025-4802  │          │        │ 2.31-0ubuntu9.17                  │ 2.31-0ubuntu9.18                    │ glibc: static setuid binary dlopen may incorrectly search   │
│                       │                │          │        │                                   │                                     │ LD_LIBRARY_PATH                                             │
│                       │                │          │        │                                   │                                     │ https://avd.aquasec.com/nvd/cve-2025-4802                   │
├───────────────────────┤                │          │        │                                   │                                     │                                                             │
│ libc-dev-bin          │                │          │        │                                   │                                     │                                                             │
│                       │                │          │        │                                   │                                     │                                                             │
│                       │                │          │        │                                   │                                     │                                                             │
├───────────────────────┤                │          │        │                                   │                                     │                                                             │
│ libc6                 │                │          │        │                                   │                                     │                                                             │
│                       │                │          │        │                                   │                                     │                                                             │
│                       │                │          │        │                                   │                                     │                                                             │
├───────────────────────┤                │          │        │                                   │                                     │                                                             │
│ libc6-dev             │                │          │        │                                   │                                     │                                                             │
│                       │                │          │        │                                   │                                     │                                                             │
│                       │                │          │        │                                   │                                     │                                                             │
├───────────────────────┼────────────────┤          │        ├───────────────────────────────────┼─────────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ libgssapi-krb5-2      │ CVE-2025-3576  │          │        │ 1.17-6ubuntu4.9                   │ 1.17-6ubuntu4.11                    │ krb5: Kerberos RC4-HMAC-MD5 Checksum Vulnerability Enabling │
│                       │                │          │        │                                   │                                     │ Message Spoofing via MD5 Collisions                         │
│                       │                │          │        │                                   │                                     │ https://avd.aquasec.com/nvd/cve-2025-3576                   │
├───────────────────────┤                │          │        │                                   │                                     │                                                             │
│ libk5crypto3          │                │          │        │                                   │                                     │                                                             │
│                       │                │          │        │                                   │                                     │                                                             │
│                       │                │          │        │                                   │                                     │                                                             │
├───────────────────────┤                │          │        │                                   │                                     │                                                             │
│ libkrb5-3             │                │          │        │                                   │                                     │                                                             │
│                       │                │          │        │                                   │                                     │                                                             │
│                       │                │          │        │                                   │                                     │                                                             │
├───────────────────────┤                │          │        │                                   │                                     │                                                             │
│ libkrb5support0       │                │          │        │                                   │                                     │                                                             │
│                       │                │          │        │                                   │                                     │                                                             │
│                       │                │          │        │                                   │                                     │                                                             │
├───────────────────────┼────────────────┤          │        ├───────────────────────────────────┼─────────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ libsoup-gnome2.4-1    │ CVE-2025-4476  │          │        │ 2.70.0-1ubuntu0.4                 │ 2.70.0-1ubuntu0.5                   │ libsoup: Null pointer dereference in libsoup may lead to    │
│                       │                │          │        │                                   │                                     │ Denial Of Service...                                        │
│                       │                │          │        │                                   │                                     │ https://avd.aquasec.com/nvd/cve-2025-4476                   │
├───────────────────────┤                │          │        │                                   │                                     │                                                             │
│ libsoup2.4-1          │                │          │        │                                   │                                     │                                                             │
│                       │                │          │        │                                   │                                     │                                                             │
│                       │                │          │        │                                   │                                     │                                                             │
├───────────────────────┼────────────────┤          │        ├───────────────────────────────────┼─────────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ locales               │ CVE-2025-4802  │          │        │ 2.31-0ubuntu9.17                  │ 2.31-0ubuntu9.18                    │ glibc: static setuid binary dlopen may incorrectly search   │
│                       │                │          │        │                                   │                                     │ LD_LIBRARY_PATH                                             │
│                       │                │          │        │                                   │                                     │ https://avd.aquasec.com/nvd/cve-2025-4802                   │
├───────────────────────┼────────────────┤          │        ├───────────────────────────────────┼─────────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ net-tools             │ CVE-2025-46836 │          │        │ 1.60+git20180626.aebd88e-1ubuntu1 │ 1.60+git20180626.aebd88e-1ubuntu1.3 │ net-tools: net-tools Stack Buffer Overflow                  │
│                       │                │          │        │                                   │                                     │ https://avd.aquasec.com/nvd/cve-2025-46836                  │
├───────────────────────┼────────────────┤          │        ├───────────────────────────────────┼─────────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ python3-pkg-resources │ CVE-2025-47273 │          │        │ 45.2.0-1ubuntu0.2                 │ 45.2.0-1ubuntu0.3                   │ setuptools: Path Traversal Vulnerability in setuptools      │
│                       │                │          │        │                                   │                                     │ PackageIndex                                                │
│                       │                │          │        │                                   │                                     │ https://avd.aquasec.com/nvd/cve-2025-47273                  │
└───────────────────────┴────────────────┴──────────┴────────┴───────────────────────────────────┴─────────────────────────────────────┴─────────────────────────────────────────────────────────────┘

Desired Behavior

Report 20.04 ESM vulnerabilities.

Actual Behavior

Show 0 vulnerability for Ubuntu 20.04 ESM.

Reproduction Steps

1. scan any image on Ubuntu 20.04 ESM
2.
3.
...

Target

None

Scanner

None

Output Format

None

Mode

None

Debug Output

trivy image --scanners vuln  --pkg-types os  --distro ubuntu/20.04 registry.dev.databricks.com/universe/snapshotter-standalone@sha256:d4efc4ca5f8624d3e791c9f70933802e4bfd03119684584e6dca09c0b004024a --debug
2025-06-03T22:45:14Z	DEBUG	No plugins loaded
2025-06-03T22:45:14Z	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2025-06-03T22:45:14Z	DEBUG	Cache dir	dir="/home/zefan.xu/.cache/trivy"
2025-06-03T22:45:14Z	DEBUG	Cache dir	dir="/home/zefan.xu/.cache/trivy"
2025-06-03T22:45:14Z	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-06-03T22:45:14Z	DEBUG	Ignore statuses	statuses=[]
2025-06-03T22:45:14Z	DEBUG	DB update was skipped because the local DB is the latest
2025-06-03T22:45:14Z	DEBUG	DB info	schema=2 updated_at=2025-06-03T18:17:08.920957428Z next_update=2025-06-04T18:17:08.920957178Z downloaded_at=2025-06-03T22:12:20.248629552Z
2025-06-03T22:45:14Z	DEBUG	[pkg] Package types	types=[os]
2025-06-03T22:45:14Z	DEBUG	[pkg] Package relationships	relationships=[unknown root workspace direct indirect]
2025-06-03T22:45:14Z	INFO	[vuln] Vulnerability scanning is enabled
2025-06-03T22:45:14Z	DEBUG	Initializing scan cache...	type="fs"
2025-06-03T22:45:14Z	DEBUG	[image] Detected image ID	image_id="sha256:d627daeacbd4ca0f892ff64962dd1643939f74a52ee72cc218cf724138abad45"
2025-06-03T22:45:14Z	DEBUG	[image] Detected diff ID	diff_ids=[sha256:470b66ea5123c93b0d5606e4213bf9e47d3d426b640d32472e4ac213186c4bb6 sha256:1a8198549c4e12942ecb9583cb37a27acb000c691b3d8ffe3ff58c3a670d7e17 sha256:95907b76c0b08385defe355ef058f980ba8f2065ad6076384eff082cf2d7e94a sha256:034c2d4bf5e9683868cc075f14eacb415885e5b95f58c28e4a14feca8c2182a1 sha256:fda2fa5514ed2d3c505b367e01b35178663905cc0040a66840a48c96a9332196 sha256:6ef1e7aea517ec67d5921e132d3609809773390fa1b8de7a99ac2c732626f351 sha256:df2f6040ae22a094d913fab7c120e72e91d9a6901c6e2066db52a8a527f218a7 sha256:7d7ed424c30a01b045f371bee08e6669c4a981668553cb5b3747389e74913caf sha256:f41ea92577dcb080ed6f3b20f56d7e0a8049e5d0338888492d4826bf152a890f sha256:0928c71e7ab681aa219920c29996c9ccd024a1de83284c3680d3702a64a834e6 sha256:9fcd2e4904d38b849e885e8c0226394b8bc3f166dda6e21c23c39d29c485e09c sha256:0459c2cc01e07ce8ed3523768cba972f9ff6ac3b5d40ce7c6f6fc4e8f9bf6c55 sha256:3fac696bb273f51caab8603c7c747e73d6eaa38932a4231a7a68a014a42c1687 sha256:a2c5cc0cffad57063f19b36951c9c0a7c209ca98bf4fe63999136a3dfc2909f5 sha256:d20d1fddae1c15b1d1f66a1089396d11a4ea239c5bebd8c54ab2d7a1a7df796a sha256:1011ada5ace546929cfc0b026180990ae78294b21bc929c1a9dce1252b245dbd sha256:c8c0bda58ae49b631d52b02180d7d00a143035390e3d2e48872e3a8bb54dc954 sha256:92c3ebea02c9fe520b63c237668a07f8296dffae8673db30fcb92d48a3c2171a sha256:391079b320779a231d70cf3a7ca55cc17139909a4378fc6fd8a3fad36e2382b9 sha256:3cf1f821b5e894790a957607e57235e54c49a7266f2c564ae5c7a516adf12333 sha256:b3de9aef47f8ce631716a1257e348911a9d6f1d808a3c58437eec02d0ca61ab2 sha256:c4548cca79eada37f5b02b5815fecd701d6abd2524da8a475cc0de2f9f3e1657 sha256:fd80ef5ba7b7699faf39e7e01c5d70ad53ffd5e3af73055845423c321b144f3b sha256:d3bd6c769c55fc36c19ae359fc4d4b02393a4b30c100a97601f7fd673d809018 sha256:74321826d83daac5b362599cd3fe33d805d6e6bced2b495dc4eaeaf62c051ca7 sha256:97859c01703d3e54bf36852927bd056c7ca68bbde66f903fe1cd736934afa3bb]
2025-06-03T22:45:14Z	DEBUG	[image] Detected base layers	diff_ids=[sha256:470b66ea5123c93b0d5606e4213bf9e47d3d426b640d32472e4ac213186c4bb6 sha256:1a8198549c4e12942ecb9583cb37a27acb000c691b3d8ffe3ff58c3a670d7e17 sha256:95907b76c0b08385defe355ef058f980ba8f2065ad6076384eff082cf2d7e94a sha256:034c2d4bf5e9683868cc075f14eacb415885e5b95f58c28e4a14feca8c2182a1 sha256:fda2fa5514ed2d3c505b367e01b35178663905cc0040a66840a48c96a9332196 sha256:6ef1e7aea517ec67d5921e132d3609809773390fa1b8de7a99ac2c732626f351]
2025-06-03T22:45:14Z	INFO	Overriding detected OS with provided distro	detected="ubuntu/20.04" provided="ubuntu/20.04"
2025-06-03T22:45:14Z	INFO	Detected OS	family="ubuntu" version="20.04"
2025-06-03T22:45:14Z	INFO	[ubuntu] Detecting vulnerabilities...	os_version="20.04" pkg_num=522
2025-06-03T22:45:14Z	WARN	This OS version is no longer supported by the distribution	family="ubuntu" version="20.04"
2025-06-03T22:45:14Z	WARN	The vulnerability detection may be insufficient because security updates are not provided
2025-06-03T22:45:14Z	DEBUG	Specified ignore file does not exist	file=".trivyignore"
2025-06-03T22:45:14Z	DEBUG	[vex] VEX filtering is disabled

Report Summary

┌──────────────────────────────────────────────────────────────────────────────────┬────────┬─────────────────┐
│                                      Target                                      │  Type  │ Vulnerabilities │
├──────────────────────────────────────────────────────────────────────────────────┼────────┼─────────────────┤
│ registry.dev.databricks.com/universe/snapshotter-standalone@sha256:d4efc4ca5f86- │ ubuntu │       14        │
│ 24d3e791c9f70933802e4bfd03119684584e6dca09c0b004024a (ubuntu 20.04)              │        │                 │
└──────────────────────────────────────────────────────────────────────────────────┴────────┴─────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


registry.dev.databricks.com/universe/snapshotter-standalone@sha256:d4efc4ca5f8624d3e791c9f70933802e4bfd03119684584e6dca09c0b004024a (ubuntu 20.04)

Total: 14 (UNKNOWN: 0, LOW: 0, MEDIUM: 14, HIGH: 0, CRITICAL: 0)

┌───────────────────────┬────────────────┬──────────┬────────┬───────────────────────────────────┬─────────────────────────────────────┬─────────────────────────────────────────────────────────────┐
│        Library        │ Vulnerability  │ Severity │ Status │         Installed Version         │            Fixed Version            │                            Title                            │
├───────────────────────┼────────────────┼──────────┼────────┼───────────────────────────────────┼─────────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ krb5-locales          │ CVE-2025-3576  │ MEDIUM   │ fixed  │ 1.17-6ubuntu4.9                   │ 1.17-6ubuntu4.11                    │ krb5: Kerberos RC4-HMAC-MD5 Checksum Vulnerability Enabling │
│                       │                │          │        │                                   │                                     │ Message Spoofing via MD5 Collisions                         │
│                       │                │          │        │                                   │                                     │ https://avd.aquasec.com/nvd/cve-2025-3576                   │
├───────────────────────┼────────────────┤          │        ├───────────────────────────────────┼─────────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ libc-bin              │ CVE-2025-4802  │          │        │ 2.31-0ubuntu9.17                  │ 2.31-0ubuntu9.18                    │ glibc: static setuid binary dlopen may incorrectly search   │
│                       │                │          │        │                                   │                                     │ LD_LIBRARY_PATH                                             │
│                       │                │          │        │                                   │                                     │ https://avd.aquasec.com/nvd/cve-2025-4802                   │
├───────────────────────┤                │          │        │                                   │                                     │                                                             │
│ libc-dev-bin          │                │          │        │                                   │                                     │                                                             │
│                       │                │          │        │                                   │                                     │                                                             │
│                       │                │          │        │                                   │                                     │                                                             │
├───────────────────────┤                │          │        │                                   │                                     │                                                             │
│ libc6                 │                │          │        │                                   │                                     │                                                             │
│                       │                │          │        │                                   │                                     │                                                             │
│                       │                │          │        │                                   │                                     │                                                             │
├───────────────────────┤                │          │        │                                   │                                     │                                                             │
│ libc6-dev             │                │          │        │                                   │                                     │                                                             │
│                       │                │          │        │                                   │                                     │                                                             │
│                       │                │          │        │                                   │                                     │                                                             │
├───────────────────────┼────────────────┤          │        ├───────────────────────────────────┼─────────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ libgssapi-krb5-2      │ CVE-2025-3576  │          │        │ 1.17-6ubuntu4.9                   │ 1.17-6ubuntu4.11                    │ krb5: Kerberos RC4-HMAC-MD5 Checksum Vulnerability Enabling │
│                       │                │          │        │                                   │                                     │ Message Spoofing via MD5 Collisions                         │
│                       │                │          │        │                                   │                                     │ https://avd.aquasec.com/nvd/cve-2025-3576                   │
├───────────────────────┤                │          │        │                                   │                                     │                                                             │
│ libk5crypto3          │                │          │        │                                   │                                     │                                                             │
│                       │                │          │        │                                   │                                     │                                                             │
│                       │                │          │        │                                   │                                     │                                                             │
├───────────────────────┤                │          │        │                                   │                                     │                                                             │
│ libkrb5-3             │                │          │        │                                   │                                     │                                                             │
│                       │                │          │        │                                   │                                     │                                                             │
│                       │                │          │        │                                   │                                     │                                                             │
├───────────────────────┤                │          │        │                                   │                                     │                                                             │
│ libkrb5support0       │                │          │        │                                   │                                     │                                                             │
│                       │                │          │        │                                   │                                     │                                                             │
│                       │                │          │        │                                   │                                     │                                                             │
├───────────────────────┼────────────────┤          │        ├───────────────────────────────────┼─────────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ libsoup-gnome2.4-1    │ CVE-2025-4476  │          │        │ 2.70.0-1ubuntu0.4                 │ 2.70.0-1ubuntu0.5                   │ libsoup: Null pointer dereference in libsoup may lead to    │
│                       │                │          │        │                                   │                                     │ Denial Of Service...                                        │
│                       │                │          │        │                                   │                                     │ https://avd.aquasec.com/nvd/cve-2025-4476                   │
├───────────────────────┤                │          │        │                                   │                                     │                                                             │
│ libsoup2.4-1          │                │          │        │                                   │                                     │                                                             │
│                       │                │          │        │                                   │                                     │                                                             │
│                       │                │          │        │                                   │                                     │                                                             │
├───────────────────────┼────────────────┤          │        ├───────────────────────────────────┼─────────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ locales               │ CVE-2025-4802  │          │        │ 2.31-0ubuntu9.17                  │ 2.31-0ubuntu9.18                    │ glibc: static setuid binary dlopen may incorrectly search   │
│                       │                │          │        │                                   │                                     │ LD_LIBRARY_PATH                                             │
│                       │                │          │        │                                   │                                     │ https://avd.aquasec.com/nvd/cve-2025-4802                   │
├───────────────────────┼────────────────┤          │        ├───────────────────────────────────┼─────────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ net-tools             │ CVE-2025-46836 │          │        │ 1.60+git20180626.aebd88e-1ubuntu1 │ 1.60+git20180626.aebd88e-1ubuntu1.3 │ net-tools: net-tools Stack Buffer Overflow                  │
│                       │                │          │        │                                   │                                     │ https://avd.aquasec.com/nvd/cve-2025-46836                  │
├───────────────────────┼────────────────┤          │        ├───────────────────────────────────┼─────────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ python3-pkg-resources │ CVE-2025-47273 │          │        │ 45.2.0-1ubuntu0.2                 │ 45.2.0-1ubuntu0.3                   │ setuptools: Path Traversal Vulnerability in setuptools      │
│                       │                │          │        │                                   │                                     │ PackageIndex                                                │
│                       │                │          │        │                                   │                                     │ https://avd.aquasec.com/nvd/cve-2025-47273                  │
└───────────────────────┴────────────────┴──────────┴────────┴───────────────────────────────────┴─────────────────────────────────────┴─────────────────────────────────────────────────────────────┘

Operating System

Ubuntu 20.04.6 LTS

Version

trivy -v
Version: 0.62.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-06-03 18:17:08.920957428 +0000 UTC
  NextUpdate: 2025-06-04 18:17:08.920957178 +0000 UTC
  DownloadedAt: 2025-06-03 22:12:20.248629552 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2025-06-03 03:36:02.788367795 +0000 UTC
  NextUpdate: 2025-06-06 03:36:02.788367634 +0000 UTC
  DownloadedAt: 2025-06-03 22:23:20.867920901 +0000 UTC
Check Bundle:
  Digest: sha256:e13d31ec41e7a61a0eeb42afccd73a8e2802244c5c772764a5e2ffb30cab727c
  DownloadedAt: 2025-05-26 05:25:24.711446273 +0000 UTC

Checklist

Run trivy clean --all
Read the troubleshooting

DmitriyLewen · 2025-06-04T06:15:06Z

DmitriyLewen
Jun 4, 2025
Maintainer

Helllo @zefanxu-db
Thanks for your report!

Created #8978

Regards, Dmitriy

0 replies

DmitriyLewen · 2025-06-04T08:21:51Z

DmitriyLewen
Jun 4, 2025
Maintainer

@zefanxu-db - #8978 (comment)

4 replies

zefanxu-db Jun 4, 2025
Author

thanks for the quick fix! should I expect Trivy DB to start having 20.04 ESM vulns within roughly 24 hours?

DmitriyLewen Jun 5, 2025
Maintainer

trivy-db already contains advisories for 20.04-ESM.

zefanxu-db Jun 5, 2025
Author

that's odd.. I am still seeing 0 vulns with a freshly downloaded trivy-db

$ trivy image --scanners vuln  --pkg-types os  --ignore-unfixed registry.dev.databricks.com/universe/snapshotter-standalone@sha256:d4efc4ca5f8624d3e791c9f70933802e4bfd03119684584e6dca09c0b004024a --debug
2025-06-05T21:17:50Z	DEBUG	No plugins loaded
2025-06-05T21:17:50Z	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2025-06-05T21:17:50Z	DEBUG	Cache dir	dir="/home/zefan.xu/.cache/trivy"
2025-06-05T21:17:50Z	DEBUG	Cache dir	dir="/home/zefan.xu/.cache/trivy"
2025-06-05T21:17:50Z	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-06-05T21:17:50Z	DEBUG	Ignore statuses	statuses=[0 1 2 4 5 6 7]
2025-06-05T21:17:50Z	DEBUG	[vulndb] There is no db file
2025-06-05T21:17:50Z	DEBUG	[vulndb] There is no valid metadata file	err="file open error: open /home/zefan.xu/.cache/trivy/db/metadata.json: no such file or directory"
2025-06-05T21:17:50Z	WARN	[vulndb] Trivy DB may be corrupted and will be re-downloaded. If you manually downloaded DB - use the `--skip-db-update` flag to skip updating DB.
2025-06-05T21:17:50Z	INFO	[vulndb] Need to update DB
2025-06-05T21:17:50Z	INFO	[vulndb] Downloading vulnerability DB...
2025-06-05T21:17:50Z	INFO	[vulndb] Downloading artifact...	repo="mirror.gcr.io/aquasec/trivy-db:2"
65.14 MiB / 65.14 MiB [----------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 28.80 MiB p/s 2.5s
2025-06-05T21:17:54Z	INFO	[vulndb] Artifact successfully downloaded	repo="mirror.gcr.io/aquasec/trivy-db:2"
2025-06-05T21:17:54Z	DEBUG	Updating database metadata...
2025-06-05T21:17:54Z	DEBUG	DB info	schema=2 updated_at=2025-06-05T12:17:26.526651837Z next_update=2025-06-06T12:17:26.526651557Z downloaded_at=2025-06-05T21:17:54.998965627Z
2025-06-05T21:17:54Z	DEBUG	[pkg] Package types	types=[os]
2025-06-05T21:17:54Z	DEBUG	[pkg] Package relationships	relationships=[unknown root workspace direct indirect]
2025-06-05T21:17:54Z	INFO	[vuln] Vulnerability scanning is enabled
2025-06-05T21:17:54Z	DEBUG	Initializing scan cache...	type="fs"
2025-06-05T21:17:54Z	DEBUG	[notification] Running version check
2025-06-05T21:17:55Z	DEBUG	[image] Detected image ID	image_id="sha256:d627daeacbd4ca0f892ff64962dd1643939f74a52ee72cc218cf724138abad45"
2025-06-05T21:17:55Z	DEBUG	[image] Detected diff ID	diff_ids=[sha256:470b66ea5123c93b0d5606e4213bf9e47d3d426b640d32472e4ac213186c4bb6 sha256:1a8198549c4e12942ecb9583cb37a27acb000c691b3d8ffe3ff58c3a670d7e17 sha256:95907b76c0b08385defe355ef058f980ba8f2065ad6076384eff082cf2d7e94a sha256:034c2d4bf5e9683868cc075f14eacb415885e5b95f58c28e4a14feca8c2182a1 sha256:fda2fa5514ed2d3c505b367e01b35178663905cc0040a66840a48c96a9332196 sha256:6ef1e7aea517ec67d5921e132d3609809773390fa1b8de7a99ac2c732626f351 sha256:df2f6040ae22a094d913fab7c120e72e91d9a6901c6e2066db52a8a527f218a7 sha256:7d7ed424c30a01b045f371bee08e6669c4a981668553cb5b3747389e74913caf sha256:f41ea92577dcb080ed6f3b20f56d7e0a8049e5d0338888492d4826bf152a890f sha256:0928c71e7ab681aa219920c29996c9ccd024a1de83284c3680d3702a64a834e6 sha256:9fcd2e4904d38b849e885e8c0226394b8bc3f166dda6e21c23c39d29c485e09c sha256:0459c2cc01e07ce8ed3523768cba972f9ff6ac3b5d40ce7c6f6fc4e8f9bf6c55 sha256:3fac696bb273f51caab8603c7c747e73d6eaa38932a4231a7a68a014a42c1687 sha256:a2c5cc0cffad57063f19b36951c9c0a7c209ca98bf4fe63999136a3dfc2909f5 sha256:d20d1fddae1c15b1d1f66a1089396d11a4ea239c5bebd8c54ab2d7a1a7df796a sha256:1011ada5ace546929cfc0b026180990ae78294b21bc929c1a9dce1252b245dbd sha256:c8c0bda58ae49b631d52b02180d7d00a143035390e3d2e48872e3a8bb54dc954 sha256:92c3ebea02c9fe520b63c237668a07f8296dffae8673db30fcb92d48a3c2171a sha256:391079b320779a231d70cf3a7ca55cc17139909a4378fc6fd8a3fad36e2382b9 sha256:3cf1f821b5e894790a957607e57235e54c49a7266f2c564ae5c7a516adf12333 sha256:b3de9aef47f8ce631716a1257e348911a9d6f1d808a3c58437eec02d0ca61ab2 sha256:c4548cca79eada37f5b02b5815fecd701d6abd2524da8a475cc0de2f9f3e1657 sha256:fd80ef5ba7b7699faf39e7e01c5d70ad53ffd5e3af73055845423c321b144f3b sha256:d3bd6c769c55fc36c19ae359fc4d4b02393a4b30c100a97601f7fd673d809018 sha256:74321826d83daac5b362599cd3fe33d805d6e6bced2b495dc4eaeaf62c051ca7 sha256:97859c01703d3e54bf36852927bd056c7ca68bbde66f903fe1cd736934afa3bb]
2025-06-05T21:17:55Z	DEBUG	[image] Detected base layers	diff_ids=[sha256:470b66ea5123c93b0d5606e4213bf9e47d3d426b640d32472e4ac213186c4bb6 sha256:1a8198549c4e12942ecb9583cb37a27acb000c691b3d8ffe3ff58c3a670d7e17 sha256:95907b76c0b08385defe355ef058f980ba8f2065ad6076384eff082cf2d7e94a sha256:034c2d4bf5e9683868cc075f14eacb415885e5b95f58c28e4a14feca8c2182a1 sha256:fda2fa5514ed2d3c505b367e01b35178663905cc0040a66840a48c96a9332196 sha256:6ef1e7aea517ec67d5921e132d3609809773390fa1b8de7a99ac2c732626f351]
2025-06-05T21:17:55Z	DEBUG	[image] Missing image ID in cache	image_id="sha256:d627daeacbd4ca0f892ff64962dd1643939f74a52ee72cc218cf724138abad45"
2025-06-05T21:17:55Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:fda2fa5514ed2d3c505b367e01b35178663905cc0040a66840a48c96a9332196"
2025-06-05T21:17:55Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:470b66ea5123c93b0d5606e4213bf9e47d3d426b640d32472e4ac213186c4bb6"
2025-06-05T21:17:55Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:95907b76c0b08385defe355ef058f980ba8f2065ad6076384eff082cf2d7e94a"
2025-06-05T21:17:55Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:034c2d4bf5e9683868cc075f14eacb415885e5b95f58c28e4a14feca8c2182a1"
2025-06-05T21:17:55Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:1a8198549c4e12942ecb9583cb37a27acb000c691b3d8ffe3ff58c3a670d7e17"
2025-06-05T21:17:55Z	DEBUG	[notification] Version check completed	latest_version="0.63.0"
2025-06-05T21:18:31Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:6ef1e7aea517ec67d5921e132d3609809773390fa1b8de7a99ac2c732626f351"
2025-06-05T21:18:31Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:df2f6040ae22a094d913fab7c120e72e91d9a6901c6e2066db52a8a527f218a7"
2025-06-05T21:18:31Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:7d7ed424c30a01b045f371bee08e6669c4a981668553cb5b3747389e74913caf"
2025-06-05T21:18:31Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:f41ea92577dcb080ed6f3b20f56d7e0a8049e5d0338888492d4826bf152a890f"
2025-06-05T21:18:31Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:0928c71e7ab681aa219920c29996c9ccd024a1de83284c3680d3702a64a834e6"
2025-06-05T21:18:31Z	DEBUG	[dpkg] Unable to parse the available file	file_path="var/lib/dpkg/available" err="file open error: open var/lib/dpkg/available: file does not exist"
2025-06-05T21:18:31Z	DEBUG	[dpkg] Unable to parse the available file	file_path="var/lib/dpkg/available" err="file open error: open var/lib/dpkg/available: file does not exist"
2025-06-05T21:18:31Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:9fcd2e4904d38b849e885e8c0226394b8bc3f166dda6e21c23c39d29c485e09c"
2025-06-05T21:18:31Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:0459c2cc01e07ce8ed3523768cba972f9ff6ac3b5d40ce7c6f6fc4e8f9bf6c55"
2025-06-05T21:18:31Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:3fac696bb273f51caab8603c7c747e73d6eaa38932a4231a7a68a014a42c1687"
2025-06-05T21:18:31Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:a2c5cc0cffad57063f19b36951c9c0a7c209ca98bf4fe63999136a3dfc2909f5"
2025-06-05T21:18:31Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:d20d1fddae1c15b1d1f66a1089396d11a4ea239c5bebd8c54ab2d7a1a7df796a"
2025-06-05T21:18:31Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:1011ada5ace546929cfc0b026180990ae78294b21bc929c1a9dce1252b245dbd"
2025-06-05T21:18:31Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:c8c0bda58ae49b631d52b02180d7d00a143035390e3d2e48872e3a8bb54dc954"
2025-06-05T21:18:31Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:92c3ebea02c9fe520b63c237668a07f8296dffae8673db30fcb92d48a3c2171a"
2025-06-05T21:18:31Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:391079b320779a231d70cf3a7ca55cc17139909a4378fc6fd8a3fad36e2382b9"
2025-06-05T21:18:31Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:3cf1f821b5e894790a957607e57235e54c49a7266f2c564ae5c7a516adf12333"
2025-06-05T21:18:31Z	DEBUG	[dpkg] Unable to parse the available file	file_path="var/lib/dpkg/available" err="file open error: open var/lib/dpkg/available: file does not exist"
2025-06-05T21:18:31Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:b3de9aef47f8ce631716a1257e348911a9d6f1d808a3c58437eec02d0ca61ab2"
2025-06-05T21:18:31Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:c4548cca79eada37f5b02b5815fecd701d6abd2524da8a475cc0de2f9f3e1657"
2025-06-05T21:18:31Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:fd80ef5ba7b7699faf39e7e01c5d70ad53ffd5e3af73055845423c321b144f3b"
2025-06-05T21:18:31Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:d3bd6c769c55fc36c19ae359fc4d4b02393a4b30c100a97601f7fd673d809018"
2025-06-05T21:18:31Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:74321826d83daac5b362599cd3fe33d805d6e6bced2b495dc4eaeaf62c051ca7"
2025-06-05T21:18:31Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:97859c01703d3e54bf36852927bd056c7ca68bbde66f903fe1cd736934afa3bb"
2025-06-05T21:18:31Z	DEBUG	[dpkg] Unable to parse the available file	file_path="var/lib/dpkg/available" err="file open error: open var/lib/dpkg/available: file does not exist"
2025-06-05T21:18:31Z	DEBUG	[dpkg] Unable to parse the available file	file_path="var/lib/dpkg/available" err="file open error: open var/lib/dpkg/available: file does not exist"
2025-06-05T21:18:31Z	DEBUG	No secrets found in container image config
2025-06-05T21:18:32Z	INFO	Detected OS	family="ubuntu" version="20.04"
2025-06-05T21:18:32Z	WARN	This OS version is not on the EOL list	family="ubuntu" version="20.04-ESM"
2025-06-05T21:18:32Z	INFO	[ubuntu] Detecting vulnerabilities...	os_version="20.04-ESM" pkg_num=522
2025-06-05T21:18:32Z	DEBUG	Specified ignore file does not exist	file=".trivyignore"
2025-06-05T21:18:32Z	DEBUG	[vex] VEX filtering is disabled

Report Summary

┌──────────────────────────────────────────────────────────────────────────────────┬────────┬─────────────────┐
│                                      Target                                      │  Type  │ Vulnerabilities │
├──────────────────────────────────────────────────────────────────────────────────┼────────┼─────────────────┤
│ registry.dev.databricks.com/universe/snapshotter-standalone@sha256:d4efc4ca5f86- │ ubuntu │        0        │
│ 24d3e791c9f70933802e4bfd03119684584e6dca09c0b004024a (ubuntu 20.04-ESM)          │        │                 │
└──────────────────────────────────────────────────────────────────────────────────┴────────┴─────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

2025-06-05T21:18:32Z	DEBUG	[notification] Printing notices

zefanxu-db Jun 5, 2025
Author

oh actually it's because of the --ignore-unfixed option now

zefanxu-db · 2025-06-05T21:53:48Z

zefanxu-db
Jun 5, 2025
Author

I think there is something wrong with the 20.04 ESM advisories.

I double checked with SBOM that the image is running a vulnerable version of libsoup, which is affected by https://ubuntu.com/security/CVE-2025-4476

but this is not showing up regardless of --ignore-unfixed with 20.04-ESM version, it does show a bunch of unfixed vulns with libsoup2.4-1

├─────────────────────────────────┼──────────────────┤          │          │                                      ├───────────────┼──────────────────────────────────────────────────────────────┤
│ libsoup2.4-1                    │ CVE-2025-32049   │          │          │                                      │               │ libsoup: Denial of Service attack to websocket server        │
│                                 │                  │          │          │                                      │               │ https://avd.aquasec.com/nvd/cve-2025-32049                   │
│                                 ├──────────────────┤          │          │                                      ├───────────────┼──────────────────────────────────────────────────────────────┤
│                                 │ CVE-2025-32907   │          │          │                                      │               │ libsoup: Denial of service in server when client requests a  │
│                                 │                  │          │          │                                      │               │ large amount...                                              │
│                                 │                  │          │          │                                      │               │ https://avd.aquasec.com/nvd/cve-2025-32907                   │
│                                 ├──────────────────┤          │          │                                      ├───────────────┼──────────────────────────────────────────────────────────────┤
│                                 │ CVE-2025-4035    │          │          │                                      │               │ libsoup: Cookie domain validation bypass via uppercase       │
│                                 │                  │          │          │                                      │               │ characters in libsoup                                        │
│                                 │                  │          │          │                                      │               │ https://avd.aquasec.com/nvd/cve-2025-4035                    │
│                                 ├──────────────────┤          │          │                                      ├───────────────┼──────────────────────────────────────────────────────────────┤
│                                 │ CVE-2025-4945    │          │          │                                      │               │ libsoup: Integer Overflow in Cookie Expiration Date Handling │
│                                 │                  │          │          │                                      │               │ in libsoup                                                   │
│                                 │                  │          │          │                                      │               │ https://avd.aquasec.com/nvd/cve-2025-4945                    │
│                                 ├──────────────────┤          │          │                                      ├───────────────┼──────────────────────────────────────────────────────────────┤
│                                 │ CVE-2025-4948    │          │          │                                      │               │ libsoup: Integer Underflow in                                │
│                                 │                  │          │          │                                      │               │ soup_multipart_new_from_message() Leading to Denial of       │
│                                 │                  │          │          │                                      │               │ Service in libsoup...                                        │
│                                 │                  │          │          │                                      │               │ https://avd.aquasec.com/nvd/cve-2025-4948                    │
│                                 ├──────────────────┤          │          │                                      ├───────────────┼──────────────────────────────────────────────────────────────┤
│                                 │ CVE-2025-4969    │          │          │                                      │               │ libsoup: Off-by-One Out-of-Bounds Read in find_boundary() in │
│                                 │                  │          │          │                                      │               │ soup-multipart.c                                             │
│                                 │                  │          │          │                                      │               │ https://avd.aquasec.com/nvd/cve-2025-4969                    │
├─────────────────────────────────┼──────────────────┤          │          ├──────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤

However it does show up with --distro ubuntu/20.04 flag (see original post).

Is that possible that 20.04 ESM advisory is incomplete in some way? e.g. 20.04 non-ESM needs to be joined with 20.04 ESM advisory

1 reply

DmitriyLewen Jun 6, 2025
Maintainer

hmm... The Ubuntu CVE file always includes fixed versions for both releases (in this case 20.04 and 20.04-esm), even if it is the same version

But Ubuntu didn't update this CVE - https://ubuntu.com/security/CVE-2025-4476#:~:text=Last%20updated%2030%20May%202025

I suggest you wait a little, only 6 days have passed since the start of work on 20.04-ESM, perhaps they have not yet managed to update the advisory files

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Reporting 0 vulns for Ubuntu 20.04 ESM #8977

Uh oh!

{{title}}

Uh oh!

Replies: 3 comments 5 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Reporting 0 vulns for Ubuntu 20.04 ESM #8977

Uh oh!

zefanxu-db Jun 3, 2025

Description

Desired Behavior

Actual Behavior

Reproduction Steps

Target

Scanner

Output Format

Mode

Debug Output

Operating System

Version

Checklist

Replies: 3 comments · 5 replies

Uh oh!

DmitriyLewen Jun 4, 2025 Maintainer

Uh oh!

DmitriyLewen Jun 4, 2025 Maintainer

Uh oh!

zefanxu-db Jun 4, 2025 Author

Uh oh!

DmitriyLewen Jun 5, 2025 Maintainer

Uh oh!

zefanxu-db Jun 5, 2025 Author

Uh oh!

zefanxu-db Jun 5, 2025 Author

Uh oh!

zefanxu-db Jun 5, 2025 Author

Uh oh!

DmitriyLewen Jun 6, 2025 Maintainer

zefanxu-db
Jun 3, 2025

Replies: 3 comments 5 replies

DmitriyLewen
Jun 4, 2025
Maintainer

DmitriyLewen
Jun 4, 2025
Maintainer

zefanxu-db Jun 4, 2025
Author

DmitriyLewen Jun 5, 2025
Maintainer

zefanxu-db Jun 5, 2025
Author

zefanxu-db Jun 5, 2025
Author

zefanxu-db
Jun 5, 2025
Author

DmitriyLewen Jun 6, 2025
Maintainer