Trivy does not detect vulnerabilities on ubuntu kernel

[wagde-orca]

Description

I am running trivy 0.65.0 in rootfs mode on a full filesystem of ubuntu 22 running with kernel 5.15 (linux-image-5.15.0-1004-aws) and when scanning for vulnerabilities running this command
trivy rootfs /mnt/ubuntu22/ --scanners vuln --format json --output trivy_res.json --debug --list-all-pkgs
I see no vulnerabilities detected on the linux-image package.... but I see detections on linux-headers, linux-modules, ....
for example: CVE-2025-38041, I see it is detected on on
"PkgID": "[email protected]",
"PkgID": "[email protected]",
"PkgID": "[email protected]",
"PkgID": "[email protected]",
but not detected neither on
"ID": "[email protected]",
nor
"ID": "[email protected]",

Desired Behavior

I expect to see the CVEs that are affecting the kernel to be reported on the linux-image package (one of them)

Actual Behavior

I see the CVEs only in linux-headers, linux-modules packages...

Reproduction Steps

1. create filesystem of ubuntu 22 machine
2. trivy rootfs /mnt/ubuntu22/ --scanners vuln --format json --output trivy_res.json --debug --list-all-pkgs

Target

Filesystem

Scanner

Vulnerability

Output Format

JSON

Mode

Standalone

Debug Output

,

Operating System

ubuntu 24

Version

trivy -v
Version: 0.65.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-09-01 06:30:00.248265675 +0000 UTC
  NextUpdate: 2025-09-02 06:30:00.248265445 +0000 UTC
  DownloadedAt: 2025-09-01 09:53:55.911168423 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2025-09-01 00:57:56.443215508 +0000 UTC
  NextUpdate: 2025-09-04 00:57:56.443215348 +0000 UTC
  DownloadedAt: 2025-09-01 09:54:24.609133227 +0000 UTC

Checklist

• Run trivy clean --all
• Read the troubleshooting

[wagde-orca]

if needed, I can provide a rootfs that reproduces the issue

[wagde-orca]

to reproduce it easily on aws instance

1. launch ubuntu 22 aws instance
2. install trivy

  wget https://github.com/aquasecurity/trivy/releases/download/v0.65.0/trivy_0.65.0_Linux-64bit.deb
  dpkg -i trivy_0.65.0_Linux-64bit.deb

3. run trivy on the rootfs
   trivy rootfs / --format json --output trivy_res.json --scanners vuln --list-all-pkgs --pkg-types os --debug
4. check the results json and look for CVE-2022-50090, which according to https://ubuntu.com/security/CVE-2022-50090,
   the running kernel (6.8) is affected, but it is not reported on the linux image package. it is only reported on headers, modules, tools, ...

[DmitriyLewen]

Hello @wagde-orca
Can you send linux-image and linux-image-aws packages from Trivy json report (Packages array?)

[wagde-orca]

@DmitriyLewen thanx for looking into it.
these are the relevant packages I guess

 {
          "ID": "[email protected]~22.04.1",
          "Name": "linux-aws",
          "Identifier": {
            "PURL": "pkg:deb/ubuntu/[email protected]~22.04.1?arch=amd64\u0026distro=ubuntu-22.04",
            "UID": "14607d20233e8802"
          },
          "Version": "6.8.0",
          "Release": "1035.37~22.04.1",
          "Arch": "amd64",
          "SrcName": "linux-meta-aws-6.8",
          "SrcVersion": "6.8.0",
          "SrcRelease": "1035.37~22.04.1",
          "Licenses": [
            "GPL-2.0-or-later"
          ],
          "Maintainer": "Ubuntu Kernel Team \[email protected]\u003e",
          "DependsOn": [
            "[email protected]~22.04.1",
            "[email protected]~22.04.1"
          ],
          "InstalledFiles": [
            "/usr/share/doc/linux-aws/copyright"
          ]
        },
        {
          "ID": "[email protected]~22.04.1",
          "Name": "linux-image-6.8.0-1035-aws",
          "Identifier": {
            "PURL": "pkg:deb/ubuntu/[email protected]~22.04.1?arch=amd64\u0026distro=ubuntu-22.04",
            "UID": "30ae2d41c66a7d07"
          },
          "Version": "6.8.0",
          "Release": "1035.37~22.04.1",
          "Arch": "amd64",
          "SrcName": "linux-signed-aws-6.8",
          "SrcVersion": "6.8.0",
          "SrcRelease": "1035.37~22.04.1",
          "Licenses": [
            "GPL-2.0-only"
          ],
          "Maintainer": "Canonical Kernel Team \[email protected]\u003e",
          "DependsOn": [
            "kmod@29-1ubuntu1",
            "[email protected]+22.04.1",
            "[email protected]~22.04.1"
          ],
          "InstalledFiles": [
            "/boot/vmlinuz-6.8.0-1035-aws",
            "/usr/share/doc/linux-image-6.8.0-1035-aws/changelog.Debian.gz",
            "/usr/share/doc/linux-image-6.8.0-1035-aws/copyright"
          ]
        },
        {
          "ID": "[email protected]~22.04.1",
          "Name": "linux-image-aws",
          "Identifier": {
            "PURL": "pkg:deb/ubuntu/[email protected]~22.04.1?arch=amd64\u0026distro=ubuntu-22.04",
            "UID": "67981ed06b20c047"
          },
          "Version": "6.8.0",
          "Release": "1035.37~22.04.1",
          "Arch": "amd64",
          "SrcName": "linux-meta-aws-6.8",
          "SrcVersion": "6.8.0",
          "SrcRelease": "1035.37~22.04.1",
          "Licenses": [
            "GPL-2.0-or-later"
          ],
          "Maintainer": "Ubuntu Kernel Team \[email protected]\u003e",
          "DependsOn": [
            "[email protected]~22.04.1",
            "microcode-initrd@2build1"
          ],
          "InstalledFiles": [
            "/usr/share/doc/linux-image-aws/changelog.Debian.gz",
            "/usr/share/doc/linux-image-aws/copyright"
          ]
        },

and of course we have the linux-headers, modules, tools packages....

[wagde-orca]

this small diff

diff --git a/pkg/fanal/analyzer/pkg/dpkg/dpkg.go b/pkg/fanal/analyzer/pkg/dpkg/dpkg.go
index 098e97800..58460354e 100644
--- a/pkg/fanal/analyzer/pkg/dpkg/dpkg.go
+++ b/pkg/fanal/analyzer/pkg/dpkg/dpkg.go
@@ -248,7 +248,7 @@ func (a dpkgAnalyzer) parseDpkgPkg(header textproto.MIMEHeader) *types.Package {
 		for i, n := range srcCapture {
 			md[dpkgSrcCaptureRegexpNames[i]] = strings.TrimSpace(n)
 		}
-		pkg.SrcName = md["name"]
+		pkg.SrcName = strings.NewReplacer("linux-signed", "linux", "linux-meta", "linux").Replace(md["name"])
 		pkg.SrcVersion = md["version"]
 	}

works and we get CVEs on linux-image.... maybe it is not perfect but it is a start

[DmitriyLewen]

Hello @wagde-orca
I investigate this case again.

"PkgID": "[email protected]",
but not detected neither on
"ID": "[email protected]",

So I have one question — why do you think that [email protected] is a vulnerable package?
Let’s check the status file:

root@8b415dffd3f4:/# cat var/lib/dpkg/status | grep -E "Package: linux-image-5.15.0-1004-aws|Package: linux-modules-5.15.0-1004-aws" -A 10
Package: linux-image-5.15.0-1004-aws
Status: install ok installed
Priority: optional
Section: kernel
Installed-Size: 14563
Maintainer: Canonical Kernel Team <[email protected]>
Architecture: arm64
Source: linux-signed-aws
Version: 5.15.0-1004.6
Provides: fuse-module, linux-image, spl-dkms, spl-modules, zfs-dkms, zfs-modules
Depends: kmod, linux-base (>= 4.5ubuntu1~16.04.1), linux-modules-5.15.0-1004-aws
--
Package: linux-modules-5.15.0-1004-aws
Status: install ok installed
Priority: optional
Section: kernel
Installed-Size: 102972
Maintainer: Ubuntu Kernel Team <[email protected]>
Architecture: arm64
Source: linux-aws
Version: 5.15.0-1004.6
Depends: linux-image-5.15.0-1004-aws | linux-image-unsigned-5.15.0-1004-aws
Description: Linux kernel extra modules for version 5.15.0 on ARMv8 SMP

You see that Ubuntu contains two different installed packages (linux-image-5.15.0-1004-aws and linux-modules-5.15.0-1004-aws), which depend on each other.
https://ubuntu.com/security/CVE-2025-38041 states that linux-modules-5.15.0-1004-aws (Source: linux-aws) contains vulnerable code.
But that doesn’t mean that linux-image-5.15.0-1004-aws contains vulnerable code.

[wagde-orca]

I think it is vulnerable because in the ubuntu security tracker there is no entry for linux-signed-aws. it is not a real source package. and practically, now trivy does not report any CVE on the kernel package which does not make sense... kernel is most vulnerable package :-)

moreover, I asked chatgpt and i think, it make sense :-)

1. Why this happens

Security tracker source packages:
Ubuntu’s CVE/security tracker indexes vulnerabilities by source package, not by binary package.
For the kernel, the canonical source packages are things like:

linux

linux-aws

linux-gcp

linux-oracle

Signed kernel packages (linux-signed-*):
Packages like linux-signed-aws are not actual source packages. They are auxiliary packages built around the kernel to provide signed binaries for Secure Boot.
In /var/lib/dpkg/status or /var/log/dpkg.log, you’ll see linux-signed-aws as the source package, but in reality, it is just a wrapper/meta that pulls in linux-image-aws and linux-modules-aws.

The mismatch:
Vulnerability scanners often parse the installed source package from dpkg logs or status. When they see linux-signed-aws, they look for it in the Ubuntu CVE tracker—but it doesn’t exist there. As a result, CVEs in linux-image-aws (tracked under linux-aws) are missed.
On the other hand, linux-modules-aws comes from linux-aws source, which does exist in the tracker, so CVEs are reported properly.

2. How to fix this

You need to normalize the mapping between binary/source packages seen on the system and the source packages used in the security tracker.

Option A: Add a mapping layer in your scanner

If scanner sees linux-signed-aws → normalize it to linux-aws.

Same for other signed variants (linux-signed, linux-signed-gcp, etc.).

This way, CVEs will be matched correctly.

[DmitriyLewen]

thanks for your patience and the explanation!
I now see that it makes sense, and we should probably treat linux-signed-* as the corresponding linux-* package (e.g., linux-signed-aws → linux-aws).
But I’m still not sure about meta-packages.
@knqyf263, what do you think?

[wagde-orca]

Hi @knqyf263
will appreciate your input here

[wagde-orca]

trivy_res_new.tar.gz
this is the full trivy results from my ubuntu 22 aws instance
for example CVE-2025-21887 is missing from the linux-image itself and appears on the other packages