distro alma/10 (newest release) does not deliver rpm findings #9188

rriemann · 2025-07-13T09:10:13Z

rriemann
Jul 13, 2025

Description

I use the bootc almalinux 10 kde image to test scanning with trivy:

trivy image --scanners vuln quay.io/almalinuxorg/atomic-desktop-kde

Note that this image may be x84_64 and my Fedora CoreOS scanning machine is ARM.

I think the issue is that almalinux 10 is not yet supported/recognised by trivy. At least this version is missing in the docs at:
https://trivy.dev/latest/docs/coverage/os/

Desired Behavior

I see vulnerabilties from rpm packages

Actual Behavior

I only see vulnerabilities from python and go packages:

trivy output

2025-07-13T09:03:21Z    INFO    [vuln] Vulnerability scanning is enabled
2025-07-13T09:05:08Z    INFO    Number of language-specific files       num=6
2025-07-13T09:05:08Z    INFO    [gobinary] Detecting vulnerabilities...
2025-07-13T09:05:08Z    WARN    Using severities from other vendors for some vulnerabilities. Read https://trivy.dev/v0.64/docs/scanner/vulnerability#severity-selection for details.

Report Summary

┌──────────────────────────────────────────────────────────────────────────────────┬──────────┬─────────────────┐
│                                      Target                                      │   Type   │ Vulnerabilities │
├──────────────────────────────────────────────────────────────────────────────────┼──────────┼─────────────────┤
│ sysroot/ostree/repo/objects/1b/54e11f89247be49629775c0856eaef0ea71ed2182c718785- │ gobinary │        2        │
│ 863caca69f39d3.file                                                              │          │                 │
├──────────────────────────────────────────────────────────────────────────────────┼──────────┼─────────────────┤
│ sysroot/ostree/repo/objects/2d/2578e68e3d116ae7403d54253da4a8dc3b09cb48514b9315- │ gobinary │        5        │
│ 4ae8244d208233.file                                                              │          │                 │
├──────────────────────────────────────────────────────────────────────────────────┼──────────┼─────────────────┤
│ sysroot/ostree/repo/objects/34/40b05b5391508e3859f28591214b44e6ea76ce25b87f93a7- │ gobinary │        2        │
│ b314c994316a6b.file                                                              │          │                 │
├──────────────────────────────────────────────────────────────────────────────────┼──────────┼─────────────────┤
│ sysroot/ostree/repo/objects/35/d39b507008cf42b990f850985b111162f0f9371ed6e2b12c- │ gobinary │        6        │
│ 61eb469248511a.file                                                              │          │                 │
├──────────────────────────────────────────────────────────────────────────────────┼──────────┼─────────────────┤
│ sysroot/ostree/repo/objects/46/fb0e3c5ce90a47999bf4736dddae81fca389fb6b8e04f9f2- │ gobinary │        4        │
│ 27ce75848f0ce5.file                                                              │          │                 │
├──────────────────────────────────────────────────────────────────────────────────┼──────────┼─────────────────┤
│ sysroot/ostree/repo/objects/92/b5a8c465bb743b8b9e8ef0a48d9cc545a739146e90701351- │ gobinary │        2        │
│ 31d29e89fe5abe.file                                                              │          │                 │
└──────────────────────────────────────────────────────────────────────────────────┴──────────┴─────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


sysroot/ostree/repo/objects/1b/54e11f89247be49629775c0856eaef0ea71ed2182c718785863caca69f39d3.file (gobinary)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)

┌─────────┬───────────────┬──────────┬────────┬───────────────────┬─────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │  Fixed Version  │                            Title                             │
├─────────┼───────────────┼──────────┼────────┼───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2025-0913 │ MEDIUM   │ fixed  │ v1.23.9           │ 1.23.10, 1.24.4 │ Inconsistent handling of O_CREATE|O_EXCL on Unix and Windows │
│         │               │          │        │                   │                 │ in os in syscall...                                          │
│         │               │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-0913                    │
│         ├───────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-4673 │          │        │                   │                 │ net/http: Sensitive headers not cleared on cross-origin      │
│         │               │          │        │                   │                 │ redirect in net/http                                         │
│         │               │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-4673                    │
└─────────┴───────────────┴──────────┴────────┴───────────────────┴─────────────────┴──────────────────────────────────────────────────────────────┘

sysroot/ostree/repo/objects/2d/2578e68e3d116ae7403d54253da4a8dc3b09cb48514b93154ae8244d208233.file (gobinary)

Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 4, HIGH: 1, CRITICAL: 0)

┌─────────────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬──────────────────────────────────────────────────────────────┐
│       Library       │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                            Title                             │
├─────────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/crypto │ CVE-2025-22869 │ HIGH     │ fixed  │ v0.32.0           │ 0.35.0          │ golang.org/x/crypto/ssh: Denial of Service in the Key        │
│                     │                │          │        │                   │                 │ Exchange of golang.org/x/crypto/ssh                          │
│                     │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-22869                   │
├─────────────────────┼────────────────┼──────────┤        ├───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net    │ CVE-2025-22870 │ MEDIUM   │        │ v0.34.0           │ 0.36.0          │ golang.org/x/net/proxy: golang.org/x/net/http/httpproxy:     │
│                     │                │          │        │                   │                 │ HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net    │
│                     │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-22870                   │
│                     ├────────────────┤          │        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                     │ CVE-2025-22872 │          │        │                   │ 0.38.0          │ golang.org/x/net/html: Incorrect Neutralization of Input     │
│                     │                │          │        │                   │                 │ During Web Page Generation in x/net in...                    │
│                     │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-22872                   │
├─────────────────────┼────────────────┤          │        ├───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib              │ CVE-2025-0913  │          │        │ v1.23.9           │ 1.23.10, 1.24.4 │ Inconsistent handling of O_CREATE|O_EXCL on Unix and Windows │
│                     │                │          │        │                   │                 │ in os in syscall...                                          │
│                     │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-0913                    │
│                     ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2025-4673  │          │        │                   │                 │ net/http: Sensitive headers not cleared on cross-origin      │
│                     │                │          │        │                   │                 │ redirect in net/http                                         │
│                     │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-4673                    │
└─────────────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴──────────────────────────────────────────────────────────────┘

sysroot/ostree/repo/objects/34/40b05b5391508e3859f28591214b44e6ea76ce25b87f93a7b314c994316a6b.file (gobinary)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)

┌─────────┬───────────────┬──────────┬────────┬───────────────────┬─────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │  Fixed Version  │                            Title                             │
├─────────┼───────────────┼──────────┼────────┼───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2025-0913 │ MEDIUM   │ fixed  │ v1.23.9           │ 1.23.10, 1.24.4 │ Inconsistent handling of O_CREATE|O_EXCL on Unix and Windows │
│         │               │          │        │                   │                 │ in os in syscall...                                          │
│         │               │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-0913                    │
│         ├───────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-4673 │          │        │                   │                 │ net/http: Sensitive headers not cleared on cross-origin      │
│         │               │          │        │                   │                 │ redirect in net/http                                         │
│         │               │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-4673                    │
└─────────┴───────────────┴──────────┴────────┴───────────────────┴─────────────────┴──────────────────────────────────────────────────────────────┘

sysroot/ostree/repo/objects/35/d39b507008cf42b990f850985b111162f0f9371ed6e2b12c61eb469248511a.file (gobinary)

Total: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 6, HIGH: 0, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │        Fixed Version         │                            Title                             │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-45336 │ MEDIUM   │ fixed  │ v1.23.1           │ 1.22.11, 1.23.5, 1.24.0-rc.2 │ golang: net/http: net/http: sensitive headers incorrectly    │
│         │                │          │        │                   │                              │ sent after cross-domain redirect                             │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2024-45336                   │
│         ├────────────────┤          │        │                   │                              ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2024-45341 │          │        │                   │                              │ golang: crypto/x509: crypto/x509: usage of IPv6 zone IDs can │
│         │                │          │        │                   │                              │ bypass URI name...                                           │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2024-45341                   │
│         ├────────────────┤          │        │                   ├──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-0913  │          │        │                   │ 1.23.10, 1.24.4              │ Inconsistent handling of O_CREATE|O_EXCL on Unix and Windows │
│         │                │          │        │                   │                              │ in os in syscall...                                          │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-0913                    │
│         ├────────────────┤          │        │                   ├──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-22866 │          │        │                   │ 1.22.12, 1.23.6, 1.24.0-rc.3 │ crypto/internal/nistec: golang: Timing sidechannel for P-256 │
│         │                │          │        │                   │                              │ on ppc64le in crypto/internal/nistec                         │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-22866                   │
│         ├────────────────┤          │        │                   ├──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-22871 │          │        │                   │ 1.23.8, 1.24.2               │ net/http: Request smuggling due to acceptance of invalid     │
│         │                │          │        │                   │                              │ chunked data in net/http...                                  │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-22871                   │
│         ├────────────────┤          │        │                   ├──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-4673  │          │        │                   │ 1.23.10, 1.24.4              │ net/http: Sensitive headers not cleared on cross-origin      │
│         │                │          │        │                   │                              │ redirect in net/http                                         │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-4673                    │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────┴──────────────────────────────────────────────────────────────┘

sysroot/ostree/repo/objects/46/fb0e3c5ce90a47999bf4736dddae81fca389fb6b8e04f9f227ce75848f0ce5.file (gobinary)

Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 4, HIGH: 0, CRITICAL: 0)

┌──────────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬──────────────────────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                            Title                             │
├──────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2025-22870 │ MEDIUM   │ fixed  │ v0.34.0           │ 0.36.0          │ golang.org/x/net/proxy: golang.org/x/net/http/httpproxy:     │
│                  │                │          │        │                   │                 │ HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net    │
│                  │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-22870                   │
│                  ├────────────────┤          │        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                  │ CVE-2025-22872 │          │        │                   │ 0.38.0          │ golang.org/x/net/html: Incorrect Neutralization of Input     │
│                  │                │          │        │                   │                 │ During Web Page Generation in x/net in...                    │
│                  │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-22872                   │
├──────────────────┼────────────────┤          │        ├───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib           │ CVE-2025-0913  │          │        │ v1.23.9           │ 1.23.10, 1.24.4 │ Inconsistent handling of O_CREATE|O_EXCL on Unix and Windows │
│                  │                │          │        │                   │                 │ in os in syscall...                                          │
│                  │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-0913                    │
│                  ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                  │ CVE-2025-4673  │          │        │                   │                 │ net/http: Sensitive headers not cleared on cross-origin      │
│                  │                │          │        │                   │                 │ redirect in net/http                                         │
│                  │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-4673                    │
└──────────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴──────────────────────────────────────────────────────────────┘

sysroot/ostree/repo/objects/92/b5a8c465bb743b8b9e8ef0a48d9cc545a739146e9070135131d29e89fe5abe.file (gobinary)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)

┌─────────┬───────────────┬──────────┬────────┬───────────────────┬─────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │  Fixed Version  │                            Title                             │
├─────────┼───────────────┼──────────┼────────┼───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2025-0913 │ MEDIUM   │ fixed  │ v1.23.9           │ 1.23.10, 1.24.4 │ Inconsistent handling of O_CREATE|O_EXCL on Unix and Windows │
│         │               │          │        │                   │                 │ in os in syscall...                                          │
│         │               │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-0913                    │
│         ├───────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-4673 │          │        │                   │                 │ net/http: Sensitive headers not cleared on cross-origin      │
│         │               │          │        │                   │                 │ redirect in net/http                                         │
│         │               │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-4673                    │
└─────────┴───────────────┴──────────┴────────┴───────────────────┴─────────────────┴──────────────────────────────────────────────────────────────┘

Reproduction Steps

1. install trivy_0.64.1_Linux-ARM.tar.gz
2. execute trivy image --scanners vuln quay.io/almalinuxorg/atomic-desktop-kde

Target

Container Image

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Debug Output

Debug output

trivy image --scanners vuln quay.io/almalinuxorg/atomic-desktop-kde --debug
2025-07-13T09:08:58Z    DEBUG   No plugins loaded
2025-07-13T09:08:58Z    DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2025-07-13T09:08:58Z    DEBUG   Cache dir       dir="/var/home/rriemann/.cache/trivy"
2025-07-13T09:08:58Z    DEBUG   Cache dir       dir="/var/home/rriemann/.cache/trivy"
2025-07-13T09:08:58Z    DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-07-13T09:08:58Z    DEBUG   Ignore statuses statuses=[]
2025-07-13T09:08:58Z    DEBUG   DB update was skipped because the local DB is the latest
2025-07-13T09:08:58Z    DEBUG   DB info schema=2 updated_at=2025-07-12T18:28:37.127999054Z next_update=2025-07-13T18:28:37.127998863Z downloaded_at=2025-07-12T21:49:04.946457297Z
2025-07-13T09:08:58Z    DEBUG   [pkg] Package types     types=[os library]
2025-07-13T09:08:58Z    DEBUG   [pkg] Package relationships     relationships=[unknown root workspace direct indirect]
2025-07-13T09:08:58Z    INFO    [vuln] Vulnerability scanning is enabled
2025-07-13T09:08:58Z    DEBUG   Initializing scan cache...      type="fs"
2025-07-13T09:08:58Z    DEBUG   [notification] Running version check
2025-07-13T09:08:58Z    DEBUG   [notification] Version check completed  latest_version="0.64.1"
2025-07-13T09:08:59Z    DEBUG   [image] Detected image ID       image_id="sha256:9f2d7af65bdea53138a5f3b4ed998678da9a57aa0ad22ecd9a0150ba87d13215"
2025-07-13T09:08:59Z    DEBUG   [image] Detected diff ID        diff_ids=[sha256:537e7f83733badf20e8bc96eef60c746df61dc9b598949e02773c853ed67bf64 sha256:c5a0785144b4ca915cc8f334d9b12ca89f3c06a4098ef758322cd5af42ed7ca9 sha256:d49dba9262ba157f4e92f8fe29a71d58c9b2fa97426fbd3ea876677ef2a89538 sha256:92dd43727fc7a028e10e7e69b43286632fbd1e48858a5f550e1552c670655b4a sha256:3f651e2808135cc37b09c9357bad9f1893c3223d3d7c07710ab5044d97192c65 sha256:9c36de520998a9b2a09c440ad23f90194184913772e9666635182d35327983c8 sha256:aec913357e7b93800897218098afe1460343cbce16eb536c149d44fda7e6cfaa sha256:f130ca70a321f78d4d08d300808d1d6f7e11e2bded93636db76f4ba668e3dcf1 sha256:692178dc2ca1849eae258674888d8c1175b6c9cc5dc79ab85c307e47406e8e8e sha256:9bc5895941c054ab6e7c6a82361b1aee821e61680f9c25fc2a534f8f41ab6654 sha256:9d681d82166229a57b759e0d309e20f4b552d94ffa3711ac2096c34ab61e8bcd sha256:d8e207fdfa41db90fe3c6647bb94ceab8e54187c9bd1f605caa2ca0d09a3b0ad sha256:090ef5630fadbd011d9c395cceb2f43ffb51a5d66367d2e38adfada9b6fabbbd sha256:27172d119e0d9ccf29731ec1a788a67790fbe4a1371f2419d541e1a2b64668fd sha256:c93a2b87f00b6773ca8addaa07a232922663d4824e49a1fadaf42ef2e52f8cf9 sha256:3537b595e725f42d8dd313faacf341029cf75652e7e544290c5b638dfc57596b sha256:689f75e83751973b575750a400ddcae272dd549896d5f09233adc3dc7dbbc755 sha256:33d1cd6d34ee87b62028fa55c34515e4184bfa49f1180e98e01d09077964fbf1 sha256:0b4f9bf60bd946a22d3f0d0ba21f226e5a4dbaae3ea05f1cffb88b5ff0d8ea06 sha256:07b8044a043d1f6655370ac66289873ac14c63ee0c61cab11103022d814fac7d sha256:9a3807e711227b7d4e31cd322933579875462783976511f0fd1ddaab20fb1be8 sha256:86475a000c3959373f781f7b1f4b88e172c7c73e3ecc0dd4b7923a4d95cad712 sha256:8674854992bddea922ea6434110a5ec7c8d836f5b8107d1d6926edcbdacef3f8 sha256:065bb82a34f78b2d8fc63cfaf89ed696b176691a49fb1f561de4343d39c0e3b8 sha256:94cf6e0f6d7e5417cba7e5e54f864f3c7da697404e3e155edbc7a0a6c6b86bae sha256:cbf049aa8b2f8fe91adac67300962bce0057b3e5bafd768e4321a04ee2ab0df7 sha256:928017b87132ea64194b912915f9fa3d0ef049fab63b0eadb303033a51f6570f sha256:e7698e5cae34ffee4e928a278d41e07800c883c5649c54523a117ff382088a94 sha256:b263bf137fc60202ae9b87536a8a26111d1393272c45fc5379c56797681d9c4a sha256:38c6a9d5bb6a642ba8f8f796599bb1840252b2acfb121ec7a0977a3c72660e74 sha256:01ab74dbc922e63bbbaf9a75dc5367f2b2be313e03cb63e894b945906309f2f9 sha256:08e1510c565af43425de82a723aba9247c889e959d648f06d9298a2f13b2062e sha256:498fe7b2b3b3670278513f3017250c744fcab7fcd8b6171b19050ed8f1187039 sha256:85da0c287f2604d3a929db0f2bbc1657d5ed13678306aeb4e2981551fa64ef73 sha256:be064108e86a73111f1e6b76c3132e19839aa2c83d5bcfa26b06e99251b803b4 sha256:2d9b31da0e65a0fb434723e91b443217e30f24eb4e04e9fb787b2db143ed84df sha256:3144beee6c3ff473d867e52c61fe214a1ab486123f5fc7d9c3992b2cd824daa4 sha256:3cfa2251ba45bef2fd241fe7ec4befbc55197f9d43ceb4e6c77c2873de27aece sha256:a509205b38c969a9601da759dc28f162d12d23edf8e1736b7c91a048958facc9 sha256:5555e35edfc520a0942f2eed9749a37ac8879469c0f5f355d59691461ba82cdf sha256:5c159b73cc9db3a07d79c28341c333cb730eb6cbaa8b11772ae55a757c6eaf64 sha256:971f084a7a2540994ee3ea209f41466ddb56af62367d52ddca896fdb1fe732d0 sha256:c54df611edbf6aa5d699d2d19ba5b0d5b8963609c70d4f5ed18c1f541eaa63f5 sha256:b97788e61bfed8c4d289c35e10dac66ddabd20f95d3961d6b7faef1fed409d1d sha256:d4ce817786673696e0dd8b767e29f798ad3f2cfa369480afe4b10dcc0fef4866 sha256:20dbe6687fa8bd7595782bde749a91da2b568bba802ae2089900c2d290eba591 sha256:c9b8dbf58f88b2409823984ab282c1f5988a3b6b6c70b9da2a343b4d03de7096 sha256:59221d937ccf5fbe89c8d91c55ec6830d715fa4b5c528fe694d2b57bb7fac047 sha256:727abd45dae5dbb0f1020b322eb92442f9efc36b3a940923230457d41d2cc02f sha256:8cf6c9354dd01fe431b2e28734e328c4b719e4617a39a4e3bafe6657211395b9 sha256:b5e7f2e7fa60b9cd5999cafc896b98e17e78f8e1a99947f510c8c2cb6e418d71 sha256:4f1b5ad017ea3f46a9ce531d5e4536ac0dca50a8b11765a562e92e45fbe0b98e sha256:4b85f255651c2ca9071c2c8051fa8b3115effd34884bbf445adaa59aea537f60 sha256:0afbf800a83045cc8c1bd10fe5f907e157543f2f8617052d6e8a05c6a151cb9f sha256:678c99afd13a6ff2600ff100b98172c63e29719fdb2d39e1006a861a455f50b7 sha256:73e0ed230851273f954a3fbf9326183fe047121ec17c56fb2359dfc36f8584f4 sha256:8d8af6336d44e2eb2e000c3e423d6476064cfe10c1b2d0acd1257c439841a791 sha256:32a620564a05666ff41507c680a2ba9087db346679ae61e3efbc9224ff81e7cf sha256:d81186a1360eab929fdd829e04f0c58f349c1e2e6aba8a5b2a385512bd3cf710 sha256:6dd41d03256087708caabab69be30ce5cc594b417395b3df7ebcfef53ab983ec sha256:3b3b80a3cb25f02c184df4ecc020400ed800e28070e03c871014fdc7b72285c3 sha256:bd053d987b0a42da185bb0e13944e855db42c103bfe9cd7f98e08e9a9ed5e3b8 sha256:e164905cd1283b167339b7425a95a82b154137e5bfc18f22f65a219cd264985e sha256:ac6fcc2e40ffb3bde69fc081e6a2d90d7f30eb59a26d97208c441d0e91400bd9 sha256:e83c7a102b9ca013c216a205df3d766619cd203b754de297f0c27715f09926ac sha256:017873e2dad389c8feb872adb9857fa143effc49ef80b215a70467d70ae20802 sha256:bd53215271bbaf06343e4c7efa99edbb5e5b00c4db885e1f4ef1c0cb24fae376 sha256:8840cc869f2b146f8c26c58c40a46d7dfe06c245ec692c3bc4f27f1c5a78a895 sha256:c287c22a36880d78ae8d755f1fd168078333facfdf8c537ce6dad3617a047a5a sha256:4ba68bf4cd81010c43d61d015756332cd15a52eb0c0f7c84cf7cb51da3690823 sha256:cc94af5da8e78997bd8c71eaee81b6540bff9a03edf23eb20dc11f8353d121b1 sha256:3efc116dc5f63ebc2423ca84d2ea2372fe397a835431102ea69b441c0a60c34e sha256:b3febbebbdf8db9dedc8fe73d3a66d9d21a9b9297bee877daaecacb62a6fa1d5 sha256:62d081280cdb5ac32957ecdb3dd512c7018eee6732e5db98694b56b7d8b0879c sha256:d37fc8fa3ce827d9c7f7fc25e45ac471faf97130332e218c3e545ff5a78ab21a sha256:49eeef60057f3fb6bf981480d244913676cecbbb674df518fd4ef2ae9febdb92 sha256:eece647d9d7ff34df1e9406e072d3e1f2a98efc4e335b1a36e46d3a8937ffbb5 sha256:67cfd9a76c68889d081779c8854c69d3563e86033b2fd9041905f74037f00420 sha256:53a78781f28c360dfc32a6e8164804c136d390ecfe54c9857e5613d777e05fb4 sha256:37dcd8afd70c983f73299ed2ed81aa75779b477e45218c335ca3f3d97cdbbc36 sha256:d6779d60f7bd555b9c4060823d197afbfbaa233d1b00ff0312a2b79b0d2e0a95 sha256:68d5246916beb67698beee6edbf0406ffb5bd6dbf0c182dd9d4a4524fecca4b9 sha256:ed577bd365332355b6e23a5b5cea9f4070786427063a338e40826a4be631070f sha256:33f55a5b56ab0943a09a958c51a9d7add8a64dd873e8b30bdb393491a307b7c1 sha256:04aa3e723da14f774e517ea1a9c6704f19a47edeb43b479c150c4e4916070547 sha256:ae94dc047e46031abbb67923ca8cf9c36a3a7b2b596d8c6043cedd560ba0ac0d sha256:12787d84fa137cd5649a9005efe98ec9d05ea46245fdc50aecb7dd007f2035b1]
2025-07-13T09:08:59Z    DEBUG   [image] Detected base layers    diff_ids=[]
2025-07-13T09:08:59Z    DEBUG   OS is not detected.
2025-07-13T09:08:59Z    DEBUG   Detected OS: unknown
2025-07-13T09:08:59Z    INFO    Number of language-specific files       num=6
2025-07-13T09:08:59Z    INFO    [gobinary] Detecting vulnerabilities...
2025-07-13T09:08:59Z    DEBUG   [gobinary] Scanning packages for vulnerabilities        file_path="sysroot/ostree/repo/objects/1b/54e11f89247be49629775c0856eaef0ea71ed2182c718785863caca69f39d3.file"
2025-07-13T09:08:59Z    DEBUG   [gobinary] Scanning packages for vulnerabilities        file_path="sysroot/ostree/repo/objects/2d/2578e68e3d116ae7403d54253da4a8dc3b09cb48514b93154ae8244d208233.file"
2025-07-13T09:08:59Z    DEBUG   [gobinary] Skipping vulnerability scan as no version is detected for the package        name="github.com/containers/skopeo"
2025-07-13T09:08:59Z    DEBUG   [gobinary] Scanning packages for vulnerabilities        file_path="sysroot/ostree/repo/objects/34/40b05b5391508e3859f28591214b44e6ea76ce25b87f93a7b314c994316a6b.file"
2025-07-13T09:08:59Z    DEBUG   [gobinary] Skipping vulnerability scan as no version is detected for the package        name="github.com/containers/podman/v5"
2025-07-13T09:08:59Z    DEBUG   [gobinary] Scanning packages for vulnerabilities        file_path="sysroot/ostree/repo/objects/35/d39b507008cf42b990f850985b111162f0f9371ed6e2b12c61eb469248511a.file"
2025-07-13T09:08:59Z    DEBUG   [gobinary] Scanning packages for vulnerabilities        file_path="sysroot/ostree/repo/objects/46/fb0e3c5ce90a47999bf4736dddae81fca389fb6b8e04f9f227ce75848f0ce5.file"
2025-07-13T09:08:59Z    DEBUG   [gobinary] Skipping vulnerability scan as no version is detected for the package        name="github.com/containers/podman/v5"
2025-07-13T09:08:59Z    DEBUG   [gobinary] Scanning packages for vulnerabilities        file_path="sysroot/ostree/repo/objects/92/b5a8c465bb743b8b9e8ef0a48d9cc545a739146e9070135131d29e89fe5abe.file"
2025-07-13T09:08:59Z    DEBUG   [gobinary] Skipping vulnerability scan as no version is detected for the package        name="github.com/containers/podman/v5"
2025-07-13T09:08:59Z    WARN    Using severities from other vendors for some vulnerabilities. Read https://trivy.dev/v0.64/docs/scanner/vulnerability#severity-selection for details.
2025-07-13T09:08:59Z    DEBUG   Specified ignore file does not exist    file=".trivyignore"
2025-07-13T09:08:59Z    DEBUG   [vex] VEX filtering is disabled

Report Summary

┌──────────────────────────────────────────────────────────────────────────────────┬──────────┬─────────────────┐
│                                      Target                                      │   Type   │ Vulnerabilities │
├──────────────────────────────────────────────────────────────────────────────────┼──────────┼─────────────────┤
│ sysroot/ostree/repo/objects/1b/54e11f89247be49629775c0856eaef0ea71ed2182c718785- │ gobinary │        2        │
│ 863caca69f39d3.file                                                              │          │                 │
├──────────────────────────────────────────────────────────────────────────────────┼──────────┼─────────────────┤
│ sysroot/ostree/repo/objects/2d/2578e68e3d116ae7403d54253da4a8dc3b09cb48514b9315- │ gobinary │        5        │
│ 4ae8244d208233.file                                                              │          │                 │
├──────────────────────────────────────────────────────────────────────────────────┼──────────┼─────────────────┤
│ sysroot/ostree/repo/objects/34/40b05b5391508e3859f28591214b44e6ea76ce25b87f93a7- │ gobinary │        2        │
│ b314c994316a6b.file                                                              │          │                 │
├──────────────────────────────────────────────────────────────────────────────────┼──────────┼─────────────────┤
│ sysroot/ostree/repo/objects/35/d39b507008cf42b990f850985b111162f0f9371ed6e2b12c- │ gobinary │        6        │
│ 61eb469248511a.file                                                              │          │                 │
├──────────────────────────────────────────────────────────────────────────────────┼──────────┼─────────────────┤
│ sysroot/ostree/repo/objects/46/fb0e3c5ce90a47999bf4736dddae81fca389fb6b8e04f9f2- │ gobinary │        4        │
│ 27ce75848f0ce5.file                                                              │          │                 │
├──────────────────────────────────────────────────────────────────────────────────┼──────────┼─────────────────┤
│ sysroot/ostree/repo/objects/92/b5a8c465bb743b8b9e8ef0a48d9cc545a739146e90701351- │ gobinary │        2        │
│ 31d29e89fe5abe.file                                                              │          │                 │
└──────────────────────────────────────────────────────────────────────────────────┴──────────┴─────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


sysroot/ostree/repo/objects/1b/54e11f89247be49629775c0856eaef0ea71ed2182c718785863caca69f39d3.file (gobinary)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)

┌─────────┬───────────────┬──────────┬────────┬───────────────────┬─────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │  Fixed Version  │                            Title                             │
├─────────┼───────────────┼──────────┼────────┼───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2025-0913 │ MEDIUM   │ fixed  │ v1.23.9           │ 1.23.10, 1.24.4 │ Inconsistent handling of O_CREATE|O_EXCL on Unix and Windows │
│         │               │          │        │                   │                 │ in os in syscall...                                          │
│         │               │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-0913                    │
│         ├───────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-4673 │          │        │                   │                 │ net/http: Sensitive headers not cleared on cross-origin      │
│         │               │          │        │                   │                 │ redirect in net/http                                         │
│         │               │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-4673                    │
└─────────┴───────────────┴──────────┴────────┴───────────────────┴─────────────────┴──────────────────────────────────────────────────────────────┘

sysroot/ostree/repo/objects/2d/2578e68e3d116ae7403d54253da4a8dc3b09cb48514b93154ae8244d208233.file (gobinary)

Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 4, HIGH: 1, CRITICAL: 0)

┌─────────────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬──────────────────────────────────────────────────────────────┐
│       Library       │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                            Title                             │
├─────────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/crypto │ CVE-2025-22869 │ HIGH     │ fixed  │ v0.32.0           │ 0.35.0          │ golang.org/x/crypto/ssh: Denial of Service in the Key        │
│                     │                │          │        │                   │                 │ Exchange of golang.org/x/crypto/ssh                          │
│                     │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-22869                   │
├─────────────────────┼────────────────┼──────────┤        ├───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net    │ CVE-2025-22870 │ MEDIUM   │        │ v0.34.0           │ 0.36.0          │ golang.org/x/net/proxy: golang.org/x/net/http/httpproxy:     │
│                     │                │          │        │                   │                 │ HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net    │
│                     │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-22870                   │
│                     ├────────────────┤          │        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                     │ CVE-2025-22872 │          │        │                   │ 0.38.0          │ golang.org/x/net/html: Incorrect Neutralization of Input     │
│                     │                │          │        │                   │                 │ During Web Page Generation in x/net in...                    │
│                     │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-22872                   │
├─────────────────────┼────────────────┤          │        ├───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib              │ CVE-2025-0913  │          │        │ v1.23.9           │ 1.23.10, 1.24.4 │ Inconsistent handling of O_CREATE|O_EXCL on Unix and Windows │
│                     │                │          │        │                   │                 │ in os in syscall...                                          │
│                     │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-0913                    │
│                     ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                     │ CVE-2025-4673  │          │        │                   │                 │ net/http: Sensitive headers not cleared on cross-origin      │
│                     │                │          │        │                   │                 │ redirect in net/http                                         │
│                     │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-4673                    │
└─────────────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴──────────────────────────────────────────────────────────────┘

sysroot/ostree/repo/objects/34/40b05b5391508e3859f28591214b44e6ea76ce25b87f93a7b314c994316a6b.file (gobinary)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)

┌─────────┬───────────────┬──────────┬────────┬───────────────────┬─────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │  Fixed Version  │                            Title                             │
├─────────┼───────────────┼──────────┼────────┼───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2025-0913 │ MEDIUM   │ fixed  │ v1.23.9           │ 1.23.10, 1.24.4 │ Inconsistent handling of O_CREATE|O_EXCL on Unix and Windows │
│         │               │          │        │                   │                 │ in os in syscall...                                          │
│         │               │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-0913                    │
│         ├───────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-4673 │          │        │                   │                 │ net/http: Sensitive headers not cleared on cross-origin      │
│         │               │          │        │                   │                 │ redirect in net/http                                         │
│         │               │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-4673                    │
└─────────┴───────────────┴──────────┴────────┴───────────────────┴─────────────────┴──────────────────────────────────────────────────────────────┘

sysroot/ostree/repo/objects/35/d39b507008cf42b990f850985b111162f0f9371ed6e2b12c61eb469248511a.file (gobinary)

Total: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 6, HIGH: 0, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │        Fixed Version         │                            Title                             │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-45336 │ MEDIUM   │ fixed  │ v1.23.1           │ 1.22.11, 1.23.5, 1.24.0-rc.2 │ golang: net/http: net/http: sensitive headers incorrectly    │
│         │                │          │        │                   │                              │ sent after cross-domain redirect                             │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2024-45336                   │
│         ├────────────────┤          │        │                   │                              ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2024-45341 │          │        │                   │                              │ golang: crypto/x509: crypto/x509: usage of IPv6 zone IDs can │
│         │                │          │        │                   │                              │ bypass URI name...                                           │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2024-45341                   │
│         ├────────────────┤          │        │                   ├──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-0913  │          │        │                   │ 1.23.10, 1.24.4              │ Inconsistent handling of O_CREATE|O_EXCL on Unix and Windows │
│         │                │          │        │                   │                              │ in os in syscall...                                          │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-0913                    │
│         ├────────────────┤          │        │                   ├──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-22866 │          │        │                   │ 1.22.12, 1.23.6, 1.24.0-rc.3 │ crypto/internal/nistec: golang: Timing sidechannel for P-256 │
│         │                │          │        │                   │                              │ on ppc64le in crypto/internal/nistec                         │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-22866                   │
│         ├────────────────┤          │        │                   ├──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-22871 │          │        │                   │ 1.23.8, 1.24.2               │ net/http: Request smuggling due to acceptance of invalid     │
│         │                │          │        │                   │                              │ chunked data in net/http...                                  │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-22871                   │
│         ├────────────────┤          │        │                   ├──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-4673  │          │        │                   │ 1.23.10, 1.24.4              │ net/http: Sensitive headers not cleared on cross-origin      │
│         │                │          │        │                   │                              │ redirect in net/http                                         │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-4673                    │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────┴──────────────────────────────────────────────────────────────┘

sysroot/ostree/repo/objects/46/fb0e3c5ce90a47999bf4736dddae81fca389fb6b8e04f9f227ce75848f0ce5.file (gobinary)

Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 4, HIGH: 0, CRITICAL: 0)

┌──────────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬──────────────────────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                            Title                             │
├──────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2025-22870 │ MEDIUM   │ fixed  │ v0.34.0           │ 0.36.0          │ golang.org/x/net/proxy: golang.org/x/net/http/httpproxy:     │
│                  │                │          │        │                   │                 │ HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net    │
│                  │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-22870                   │
│                  ├────────────────┤          │        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                  │ CVE-2025-22872 │          │        │                   │ 0.38.0          │ golang.org/x/net/html: Incorrect Neutralization of Input     │
│                  │                │          │        │                   │                 │ During Web Page Generation in x/net in...                    │
│                  │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-22872                   │
├──────────────────┼────────────────┤          │        ├───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib           │ CVE-2025-0913  │          │        │ v1.23.9           │ 1.23.10, 1.24.4 │ Inconsistent handling of O_CREATE|O_EXCL on Unix and Windows │
│                  │                │          │        │                   │                 │ in os in syscall...                                          │
│                  │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-0913                    │
│                  ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│                  │ CVE-2025-4673  │          │        │                   │                 │ net/http: Sensitive headers not cleared on cross-origin      │
│                  │                │          │        │                   │                 │ redirect in net/http                                         │
│                  │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-4673                    │
└──────────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴──────────────────────────────────────────────────────────────┘

sysroot/ostree/repo/objects/92/b5a8c465bb743b8b9e8ef0a48d9cc545a739146e9070135131d29e89fe5abe.file (gobinary)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)

┌─────────┬───────────────┬──────────┬────────┬───────────────────┬─────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │  Fixed Version  │                            Title                             │
├─────────┼───────────────┼──────────┼────────┼───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2025-0913 │ MEDIUM   │ fixed  │ v1.23.9           │ 1.23.10, 1.24.4 │ Inconsistent handling of O_CREATE|O_EXCL on Unix and Windows │
│         │               │          │        │                   │                 │ in os in syscall...                                          │
│         │               │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-0913                    │
│         ├───────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-4673 │          │        │                   │                 │ net/http: Sensitive headers not cleared on cross-origin      │
│         │               │          │        │                   │                 │ redirect in net/http                                         │
│         │               │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-4673                    │
└─────────┴───────────────┴──────────┴────────┴───────────────────┴─────────────────┴──────────────────────────────────────────────────────────────┘

Operating System

Fedora CoreOS

Version

Version: 0.64.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-07-12 18:28:37.127999054 +0000 UTC
  NextUpdate: 2025-07-13 18:28:37.127998863 +0000 UTC
  DownloadedAt: 2025-07-12 21:49:04.946457297 +0000 UTC

Checklist

Run trivy clean --all
Read the troubleshooting

knqyf263 · 2025-07-14T06:15:09Z

knqyf263
Jul 14, 2025
Maintainer

Not supported yet. It's not a bug.

0 replies

DmitriyLewen · 2025-07-14T07:03:59Z

DmitriyLewen
Jul 14, 2025
Maintainer

track #9189

0 replies

rriemann · 2025-08-19T08:26:04Z

rriemann
Aug 19, 2025
Author

Hi @DmitriyLewen @wololowarrior,

I tried the new version 0.65 with almalinux 10 support, but I find surprisingly no vulnerabilities. Is alma so good? Please consider to reopen the issue.

trivy --version
Version: 0.65.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-08-19 06:29:14.336660543 +0000 UTC
  NextUpdate: 2025-08-20 06:29:14.336660283 +0000 UTC
  DownloadedAt: 2025-08-19 08:17:53.006843738 +0000 UTC

trivy image --timeout 10m --scanners vuln --distro alma/10 --pkg-types os quay.io/almalinuxorg/atomic-desktop-kde:10
2025-08-19T10:21:34+02:00       INFO    [vuln] Vulnerability scanning is enabled
2025-08-19T10:23:01+02:00       WARN    [report] Supported files for scanner(s) not found.      scanners=[vuln]

Report Summary

┌────────┬──────┬─────────────────┐
│ Target │ Type │ Vulnerabilities │
├────────┼──────┼─────────────────┤
│   -    │  -   │        -        │
└────────┴──────┴─────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

22 replies

Conan-Kudo Aug 27, 2025

It's declared in %_db_backend in /usr/lib/rpm/macros.

rriemann Aug 27, 2025
Author

I understand though that extracting those values would mean to parse the logic of the macros and macros.d/macros files, which would mean to replicate parts of the application rpm.

Conan-Kudo Aug 27, 2025

That is correct.

DmitriyLewen Aug 27, 2025
Maintainer

rpm always uses a hardcoded file name depending on the type:
Berkeley DB -> Packages (usr/lib/sysimage/rpm/Packages)
NDB -> Packages.db (usr/lib/sysimage/rpm/Packages.db)
SQLite3 -> rpmdb.sqlite (usr/lib/sysimage/rpm/rpmdb.sqlite`)

right?

Conan-Kudo Aug 27, 2025

That is the hope, yes.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

distro alma/10 (newest release) does not deliver rpm findings #9188

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 3 comments 22 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

distro alma/10 (newest release) does not deliver rpm findings #9188

Uh oh!

Uh oh!

rriemann Jul 13, 2025

Description

Desired Behavior

Actual Behavior

Reproduction Steps

Target

Scanner

Output Format

Mode

Debug Output

Operating System

Version

Checklist

Replies: 3 comments · 22 replies

Uh oh!

knqyf263 Jul 14, 2025 Maintainer

Uh oh!

DmitriyLewen Jul 14, 2025 Maintainer

Uh oh!

rriemann Aug 19, 2025 Author

Uh oh!

Conan-Kudo Aug 27, 2025

Uh oh!

rriemann Aug 27, 2025 Author

Uh oh!

Conan-Kudo Aug 27, 2025

Uh oh!

DmitriyLewen Aug 27, 2025 Maintainer

Uh oh!

Conan-Kudo Aug 27, 2025

rriemann
Jul 13, 2025

Replies: 3 comments 22 replies

knqyf263
Jul 14, 2025
Maintainer

DmitriyLewen
Jul 14, 2025
Maintainer

rriemann
Aug 19, 2025
Author

rriemann Aug 27, 2025
Author

DmitriyLewen Aug 27, 2025
Maintainer