wrong info for coredns/coredns #9316
Answered by DmitriyLewen
zhangguanzhang asked this question in Q&A
Description
I found that when scanning the coredns/coredns image, the scan results were incorrect.
Desired Behavior, Actual Behavior, Reproduction Steps
wget https://github.com/aquasecurity/trivy/releases/download/v0.65.0/trivy_0.65.0_Linux-64bit.tar.gz
tar zxf trivy_0.65.0_Linux-64bit.tar.gz trivy
./trivy clean --all
trivy image coredns/coredns:1.12.3
will print the result
Target: Container Image
Scanner: Vulnerability
Output Format: Table
Mode: None
Debug Output
$ ./trivy image coredns/coredns:1.12.3 --debug
2025-08-06T17:12:22+08:00 DEBUG No plugins loaded
2025-08-06T17:12:22+08:00 DEBUG Default config file "file_path=trivy.yaml" not found, using built in values
2025-08-06T17:12:22+08:00 DEBUG Cache dir dir="/root/.cache/trivy"
2025-08-06T17:12:22+08:00 DEBUG Cache dir dir="/root/.cache/trivy"
2025-08-06T17:12:22+08:00 DEBUG Parsed severities severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-08-06T17:12:22+08:00 DEBUG Ignore statuses statuses=[]
2025-08-06T17:12:22+08:00 DEBUG DB update was skipped because the local DB is the latest
2025-08-06T17:12:22+08:00 DEBUG DB info schema=2 updated_at=2025-08-06T06:25:50.370296309Z next_update=2025-08-07T06:25:50.370296039Z downloaded_at=2025-08-06T09:08:01.649679023Z
2025-08-06T17:12:22+08:00 DEBUG [pkg] Package types types=[os library]
2025-08-06T17:12:22+08:00 DEBUG [pkg] Package relationships relationships=[unknown root workspace direct indirect]
2025-08-06T17:12:22+08:00 INFO [vuln] Vulnerability scanning is enabled
2025-08-06T17:12:22+08:00 INFO [secret] Secret scanning is enabled
2025-08-06T17:12:22+08:00 INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-08-06T17:12:22+08:00 INFO [secret] Please see also https://trivy.dev/v0.65/docs/scanner/secret#recommendation for faster secret detection
2025-08-06T17:12:22+08:00 DEBUG Initializing scan cache... type="fs"
2025-08-06T17:12:22+08:00 DEBUG [notification] Running version check
2025-08-06T17:12:22+08:00 DEBUG Created process-specific temp directory path="/tmp/trivy-1668576"
2025-08-06T17:12:22+08:00 DEBUG [image] Image found image="coredns/coredns:1.12.3" source="docker"
2025-08-06T17:12:22+08:00 DEBUG [secret] No secret config detected config_path="trivy-secret.yaml"
2025-08-06T17:12:22+08:00 DEBUG [secret] No secret config detected config_path="trivy-secret.yaml"
2025-08-06T17:12:22+08:00 DEBUG [image] Detected image ID image_id="sha256:0392ee038903218dcdc9765e0a0970ea34d07da25da8ccefb17b254be1355d6c"
2025-08-06T17:12:22+08:00 DEBUG [image] Detected diff ID diff_ids=[sha256:f464af4b9b251ebe8a7c2f186aff656f0892f6cb159837a6ce8fd63842e83e35 sha256:8fa10c0194df9b7c054c90dbe482585f768a54428fc90a5b78a0066a123b1bba sha256:48c0fb67386ed713921fcc0468be23231d0872fa67ccc8ea3929df4656b6ddfc sha256:114dde0fefebbca13165d0da9c500a66190e497a82a53dcaabc3172d630be1e9 sha256:4d049f83d9cf21d1f5cc0e11deaf36df02790d0e60c1a3829538fb4b61685368 sha256:af5aa97ebe6ce1604747ec1e21af7136ded391bcabe4acef882e718a87c86bcc sha256:6f1cdceb6a3146f0ccb986521156bef8a422cdbb0863396f7f751f575ba308f4 sha256:bbb6cacb8c82e4da4e8143e03351e939eab5e21ce0ef333c42e637af86c5217b sha256:2a92d6ac9e4fcc274d5168b217ca4458a9fec6f094ead68d99c77073f08caac1 sha256:1a73b54f556b477f0a8b939d13c504a3b4f4db71f7a09c63afbc10acb3de5849 sha256:f4aee9e53c42a22ed82451218c3ea03d1eea8d6ca8fbe8eb4e950304ba8a8bb3 sha256:bfe9137a1b044e8097cdfcb6899137a8a984ed70931ed1e8ef0cf7e023a139fc sha256:30e4d765862bc694a968fe6da181e94dcaf0cf375a4edbb52a91d7a5391337c1 sha256:45d3c73e419e1e153dd15e009a1ddb032c4b987c0bdf1cbe92123c5781b98a3f]
2025-08-06T17:12:22+08:00 DEBUG [image] Detected base layers diff_ids=[]
2025-08-06T17:12:22+08:00 INFO Detected OS family="debian" version="12.11"
2025-08-06T17:12:22+08:00 INFO [debian] Detecting vulnerabilities... os_version="12" pkg_num=4
2025-08-06T17:12:22+08:00 INFO Number of language-specific files num=1
2025-08-06T17:12:22+08:00 INFO [gobinary] Detecting vulnerabilities...
2025-08-06T17:12:22+08:00 DEBUG [gobinary] Scanning packages for vulnerabilities file_path="coredns"
2025-08-06T17:12:22+08:00 DEBUG Specified ignore file does not exist file=".trivyignore"
2025-08-06T17:12:22+08:00 DEBUG [vex] VEX filtering is disabled
Report Summary
┌───────────────────────────────────────┬──────────┬─────────────────┬─────────┐
│ Target │ Type │ Vulnerabilities │ Secrets │
├───────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ coredns/coredns:1.12.3 (debian 12.11) │ debian │ 0 │ - │
├───────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ coredns │ gobinary │ 7 │ - │
└───────────────────────────────────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)
coredns (gobinary)
Total: 7 (UNKNOWN: 0, LOW: 0, MEDIUM: 5, HIGH: 2, CRITICAL: 0)
┌────────────────────────────┬─────────────────────┬──────────┬──────────┬────────────────────────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├────────────────────────────┼─────────────────────┼──────────┼──────────┼────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ github.com/coredns/coredns │ CVE-2023-28452 │ HIGH │ fixed │ v0.0.0-20250805163255-463fd1c1b390 │ 1.11.0 │ CoreDNS vulnerable to TuDoor Attacks │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-28452 │
│ ├─────────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────┤
│ │ CVE-2025-47950 │ │ │ │ 1.12.2 │ coredns: CoreDNS Vulnerable to DoQ Memory Exhaustion via │
│ │ │ │ │ │ │ Stream Amplification │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-47950 │
│ ├─────────────────────┼──────────┼──────────┤ ├───────────────┼──────────────────────────────────────────────────────────┤
│ │ CVE-2022-2835 │ MEDIUM │ affected │ │ │ coreDNS: DNS Redirection of Internal Services │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-2835 │
│ ├─────────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────┤
│ │ CVE-2022-2837 │ │ │ │ │ coreDNS: DNS Redirection of Top-Level Domains │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-2837 │
│ ├─────────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────┤
│ │ CVE-2023-30464 │ │ │ │ │ CoreDNS Cache Poisoning via a birthday attack │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-30464 │
│ ├─────────────────────┤ ├──────────┤ ├───────────────┼──────────────────────────────────────────────────────────┤
│ │ CVE-2024-0874 │ │ fixed │ │ 1.11.2 │ coredns: CD bit response is cached and served later │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-0874 │
│ ├─────────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────┤
│ │ GHSA-gv9j-4w24-q7vx │ │ │ │ 1.6.6 │ Improper random number generation in │
│ │ │ │ │ │ │ github.com/coredns/coredns │
│ │ │ │ │ │ │ https://github.com/advisories/GHSA-gv9j-4w24-q7vx │
└────────────────────────────┴─────────────────────┴──────────┴──────────┴────────────────────────────────────┴───────────────┴──────────────────────────────────────────────────────────┘
2025-08-06T17:12:22+08:00 DEBUG Cleaning up temp directory path="/tmp/trivy-1668576"
2025-08-06T17:12:22+08:00 DEBUG [notification] Failed getting response from Trivy api err="Get \"https://check.trivy.dev/updates\": context canceled"
Operating System
Version
Version: 0.65.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-08-06 06:25:50.370296309 +0000 UTC
  NextUpdate: 2025-08-07 06:25:50.370296039 +0000 UTC
  DownloadedAt: 2025-08-06 09:08:01.649679023 +0000 UTC
Answered by DmitriyLewen, Sep 4, 2025
Replies: 1 comment, 6 replies
Hi @zhangguanzhang! What exactly is incorrect in the scan results?
6 replies
Hello @zhangguanzhang
github.com/coredns/coredns uses a commit number instead of a tag for this binary:
➜ go version -m coredns
coredns: go1.24.5
	path	github.com/coredns/coredns
	mod	github.com/coredns/coredns	v0.0.0-20250805163255-463fd1c1b390
	...
	build	-ldflags="-s -w -X github.com/coredns/coredns/coremain.GitCommit=463fd1c"
	build	DefaultGODEBUG=gotestjsonbuildtext=1,multipathtcp=0,randseednop=0,rsa1024min=0,tlsmlkem=0,x509rsacrt=0,x509usepolicies=0
	build	CGO_ENABLED=0
	build	GOARCH=arm64
	build	GOOS=linux
	build	GOARM64=v8.0
	build	vcs=git
	build	vcs.revision=463fd1c1b390ef68f638e2f4e09837721b19efba
	build	vcs.time=2025-08-05T16:32:55Z
	build	vcs.modified=false
that is why Trivy s…
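As an added example, not code from this thread or from Trivy: a small Go program (standard library only, Go 1.21+) that reads the `mod` line of a `go version -m` listing built from constructed input modelled on the one above, detects the pseudo-version form, and shows where such a version lands in semver order. `v0.0.0-<timestamp>-<commit>` sorts below every tagged release such as 1.11.0, which is why a version-range match reports CVEs fixed in 1.11.0 or 1.12.2 against a binary built from a newer commit. The helper names and the simplified comparison are mine, not Trivy's.

```go
package main

import (
	"cmp"
	"fmt"
	"regexp"
	"slices"
	"strconv"
	"strings"
)

// Constructed input modelled on the `go version -m` listing in the answer above.
const sampleListing = "coredns: go1.24.5\n\tpath\tgithub.com/coredns/coredns\n" +
	"\tmod\tgithub.com/coredns/coredns\tv0.0.0-20250805163255-463fd1c1b390\n\tbuild\tvcs=git\n"
// A Go pseudo-version ends in a 14-digit UTC timestamp and a 12-hex-char commit prefix.
var pseudoVersionRE = regexp.MustCompile(`^v\d+\.\d+\.\d+-(?:[\w.]+\.)?\d{14}-[0-9a-f]{12}$`)
func isPseudoVersion(v string) bool { return pseudoVersionRE.MatchString(v) }
// mainModuleVersion returns path and version from the "mod" line; ok is false if absent.
func mainModuleVersion(listing string) (path, version string, ok bool) {
	for _, line := range strings.Split(listing, "\n") {
		if f := strings.Fields(line); len(f) >= 3 && f[0] == "mod" {
			return f[1], f[2], true
		}
	}
	return "", "", false
}

// compareVersions orders like semver (leading "v" optional): numeric parts first, then a
// pre-release tag, which every pseudo-version carries, sorts below the plain release.
func compareVersions(a, b string) int {
	split := func(v string) (n [3]int, pre string) {
		v, pre, _ = strings.Cut(strings.TrimPrefix(v, "v"), "-")
		for i, p := range strings.SplitN(v, ".", 3) {
			n[i], _ = strconv.Atoi(p)
		}
		return n, pre
	}
	an, ap := split(a)
	bn, bp := split(b)
	if c := slices.Compare(an[:], bn[:]); c != 0 {
		return c
	}
	if ap == "" || bp == "" {
		return cmp.Compare(len(bp), len(ap)) // a release outranks any pre-release
	}
	return strings.Compare(ap, bp)
}

func main() {
	_, ver, _ := mainModuleVersion(sampleListing)
	fmt.Printf("%s pseudo=%t below 1.11.0=%t\n", ver, isPseudoVersion(ver), compareVersions(ver, "1.11.0") < 0)
}
```

A binary whose main module is tagged (for example `v1.12.3`) would not be flagged this way; the check above is a quick way to tell which case an image falls into before triaging its findings.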