trivy.exe fails to scan ELF binary? #9443

MaineK00n · 2025-09-05T07:38:41Z

MaineK00n
Sep 5, 2025

Description

While scanning trivy itself with trivy, I found that trivy.exe (Windows binary) fails to scan trivy (ELF binary).
I have confirmed that scanning trivy (ELF) works correctly when using either:

trivy (ELF) to scan trivy (ELF)
trivy (ELF) to scan trivy.exe (PE)
trivy.exe (PE) to scan trivy.exe (PE)

The issue only occurs when trivy.exe tries to scan trivy (ELF).

Desired Behavior

trivy.exe should be able to scan trivy (ELF).

Actual Behavior

trivy.exe fails to scan trivy (ELF).

Reproduction Steps

Linux

download trivy and trivy.exe

curl -sL https://github.com/aquasecurity/trivy/releases/download/v0.66.0/trivy_0.66.0_Linux-64bit.tar.gz | tar zxf - trivy

curl -sL -o trivy.zip https://github.com/aquasecurity/trivy/releases/download/v0.66.0/trivy_0.66.0_windows-64bit.zip
unzip -j trivy.zip "trivy.exe" -d .
rm trivy.zip

trivy scan trivy

$ ./trivy rootfs trivy --debug
2025-09-05T16:21:54+09:00	DEBUG	No plugins loaded
2025-09-05T16:21:54+09:00	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2025-09-05T16:21:54+09:00	DEBUG	Cache dir	dir="/home/vagrant/.cache/trivy"
2025-09-05T16:21:54+09:00	DEBUG	Cache dir	dir="/home/vagrant/.cache/trivy"
2025-09-05T16:21:54+09:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-09-05T16:21:54+09:00	DEBUG	Ignore statuses	statuses=[]
2025-09-05T16:21:54+09:00	DEBUG	DB update was skipped because the local DB is the latest
2025-09-05T16:21:54+09:00	DEBUG	DB info	schema=2 updated_at=2025-09-05T00:30:52.636009464Z next_update=2025-09-06T00:30:52.636009303Z downloaded_at=2025-09-05T06:18:37.427983043Z
2025-09-05T16:21:54+09:00	DEBUG	[pkg] Package types	types=[os library]
2025-09-05T16:21:54+09:00	DEBUG	[pkg] Package relationships	relationships=[unknown root workspace direct indirect]
2025-09-05T16:21:54+09:00	INFO	[vuln] Vulnerability scanning is enabled
2025-09-05T16:21:54+09:00	INFO	[secret] Secret scanning is enabled
2025-09-05T16:21:54+09:00	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-09-05T16:21:54+09:00	INFO	[secret] Please see https://trivy.dev/v0.66/docs/scanner/secret#recommendation for faster secret detection
2025-09-05T16:21:54+09:00	DEBUG	Initializing scan cache...	type="memory"
2025-09-05T16:21:54+09:00	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2025-09-05T16:21:54+09:00	DEBUG	[notification] Running version check
2025-09-05T16:21:54+09:00	DEBUG	[fs] Analyzing...	root="trivy"
2025-09-05T16:21:54+09:00	DEBUG	[fs] Random cache key will be used	err="failed to open git repository: stat /home/vagrant/Downloads/trivy/.git: not a directory"
2025-09-05T16:21:54+09:00	DEBUG	Created process-specific temp directory	path="/tmp/trivy-4011606"
2025-09-05T16:21:54+09:00	DEBUG	[gobinary] Parsing dependency's build info settings	dependency="github.com/aquasecurity/trivy" -ldflags=[-s -w -extldflags -static -X github.com/aquasecurity/trivy/pkg/version/app.ver=0.66.0]
2025-09-05T16:21:54+09:00	DEBUG	OS is not detected.
2025-09-05T16:21:54+09:00	DEBUG	Detected OS: unknown
2025-09-05T16:21:54+09:00	INFO	Number of language-specific files	num=1
2025-09-05T16:21:54+09:00	INFO	[gobinary] Detecting vulnerabilities...
2025-09-05T16:21:54+09:00	DEBUG	[gobinary] Scanning packages for vulnerabilities	file_path="trivy"
2025-09-05T16:21:54+09:00	WARN	Using severities from other vendors for some vulnerabilities. Read https://trivy.dev/v0.66/docs/scanner/vulnerability#severity-selection for details.
2025-09-05T16:21:54+09:00	DEBUG	Specified ignore file does not exist	file=".trivyignore"
2025-09-05T16:21:54+09:00	DEBUG	[vex] VEX filtering is disabled

Report Summary

┌────────┬──────────┬─────────────────┬─────────┐
│ Target │   Type   │ Vulnerabilities │ Secrets │
├────────┼──────────┼─────────────────┼─────────┤
│ trivy  │ gobinary │        2        │    -    │
└────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


trivy (gobinary)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)

┌─────────────────────────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬─────────────────┬───────────────────────────────────────────────────────────┐
│               Library               │    Vulnerability    │ Severity │ Status │ Installed Version │  Fixed Version  │                           Title                           │
├─────────────────────────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼─────────────────┼───────────────────────────────────────────────────────────┤
│ github.com/go-viper/mapstructure/v2 │ GHSA-2464-8j7c-4cjm │ MEDIUM   │ fixed  │ v2.3.0            │ 2.4.0           │ go-viper's mapstructure May Leak Sensitive Information in │
│                                     │                     │          │        │                   │                 │ Logs When Processing Malformed Data...                    │
│                                     │                     │          │        │                   │                 │ https://github.com/advisories/GHSA-2464-8j7c-4cjm         │
├─────────────────────────────────────┼─────────────────────┼──────────┤        ├───────────────────┼─────────────────┼───────────────────────────────────────────────────────────┤
│ stdlib                              │ CVE-2025-47907      │ HIGH     │        │ v1.24.4           │ 1.23.12, 1.24.6 │ database/sql: Postgres Scan Race Condition                │
│                                     │                     │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-47907                │
└─────────────────────────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴─────────────────┴───────────────────────────────────────────────────────────┘
2025-09-05T16:21:54+09:00	DEBUG	Cleaning up temp directory	path="/tmp/trivy-4011606"

trivy scan trivy.exe

$ ./trivy rootfs trivy.exe --debug
2025-09-05T16:22:24+09:00	DEBUG	No plugins loaded
2025-09-05T16:22:24+09:00	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2025-09-05T16:22:24+09:00	DEBUG	Cache dir	dir="/home/vagrant/.cache/trivy"
2025-09-05T16:22:24+09:00	DEBUG	Cache dir	dir="/home/vagrant/.cache/trivy"
2025-09-05T16:22:24+09:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-09-05T16:22:24+09:00	DEBUG	Ignore statuses	statuses=[]
2025-09-05T16:22:24+09:00	DEBUG	DB update was skipped because the local DB is the latest
2025-09-05T16:22:24+09:00	DEBUG	DB info	schema=2 updated_at=2025-09-05T00:30:52.636009464Z next_update=2025-09-06T00:30:52.636009303Z downloaded_at=2025-09-05T06:18:37.427983043Z
2025-09-05T16:22:24+09:00	DEBUG	[pkg] Package types	types=[os library]
2025-09-05T16:22:24+09:00	DEBUG	[pkg] Package relationships	relationships=[unknown root workspace direct indirect]
2025-09-05T16:22:24+09:00	INFO	[vuln] Vulnerability scanning is enabled
2025-09-05T16:22:24+09:00	INFO	[secret] Secret scanning is enabled
2025-09-05T16:22:24+09:00	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-09-05T16:22:24+09:00	INFO	[secret] Please see https://trivy.dev/v0.66/docs/scanner/secret#recommendation for faster secret detection
2025-09-05T16:22:24+09:00	DEBUG	Initializing scan cache...	type="memory"
2025-09-05T16:22:24+09:00	DEBUG	[notification] Running version check
2025-09-05T16:22:24+09:00	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2025-09-05T16:22:24+09:00	DEBUG	[fs] Analyzing...	root="trivy.exe"
2025-09-05T16:22:24+09:00	DEBUG	[fs] Random cache key will be used	err="failed to open git repository: stat /home/vagrant/Downloads/trivy.exe/.git: not a directory"
2025-09-05T16:22:24+09:00	DEBUG	Created process-specific temp directory	path="/tmp/trivy-4011896"
2025-09-05T16:22:24+09:00	DEBUG	[gobinary] Parsing dependency's build info settings	dependency="github.com/aquasecurity/trivy" -ldflags=[-s -w -extldflags -static -X github.com/aquasecurity/trivy/pkg/version/app.ver=0.66.0]
2025-09-05T16:22:24+09:00	DEBUG	OS is not detected.
2025-09-05T16:22:24+09:00	DEBUG	Detected OS: unknown
2025-09-05T16:22:24+09:00	INFO	Number of language-specific files	num=1
2025-09-05T16:22:24+09:00	INFO	[gobinary] Detecting vulnerabilities...
2025-09-05T16:22:24+09:00	DEBUG	[gobinary] Scanning packages for vulnerabilities	file_path="trivy.exe"
2025-09-05T16:22:24+09:00	WARN	Using severities from other vendors for some vulnerabilities. Read https://trivy.dev/v0.66/docs/scanner/vulnerability#severity-selection for details.
2025-09-05T16:22:24+09:00	DEBUG	Specified ignore file does not exist	file=".trivyignore"
2025-09-05T16:22:24+09:00	DEBUG	[vex] VEX filtering is disabled

Report Summary

┌───────────┬──────────┬─────────────────┬─────────┐
│  Target   │   Type   │ Vulnerabilities │ Secrets │
├───────────┼──────────┼─────────────────┼─────────┤
│ trivy.exe │ gobinary │        2        │    -    │
└───────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


trivy.exe (gobinary)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)

┌─────────────────────────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬─────────────────┬───────────────────────────────────────────────────────────┐
│               Library               │    Vulnerability    │ Severity │ Status │ Installed Version │  Fixed Version  │                           Title                           │
├─────────────────────────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼─────────────────┼───────────────────────────────────────────────────────────┤
│ github.com/go-viper/mapstructure/v2 │ GHSA-2464-8j7c-4cjm │ MEDIUM   │ fixed  │ v2.3.0            │ 2.4.0           │ go-viper's mapstructure May Leak Sensitive Information in │
│                                     │                     │          │        │                   │                 │ Logs When Processing Malformed Data...                    │
│                                     │                     │          │        │                   │                 │ https://github.com/advisories/GHSA-2464-8j7c-4cjm         │
├─────────────────────────────────────┼─────────────────────┼──────────┤        ├───────────────────┼─────────────────┼───────────────────────────────────────────────────────────┤
│ stdlib                              │ CVE-2025-47907      │ HIGH     │        │ v1.24.4           │ 1.23.12, 1.24.6 │ database/sql: Postgres Scan Race Condition                │
│                                     │                     │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-47907                │
└─────────────────────────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴─────────────────┴───────────────────────────────────────────────────────────┘
2025-09-05T16:22:24+09:00	DEBUG	Cleaning up temp directory	path="/tmp/trivy-4011896"

Windows

download trivy and trivy.exe

cmd.exe /c 'curl.exe -sL https://github.com/aquasecurity/trivy/releases/download/v0.66.0/trivy_0.66.0_Linux-64bit.tar.gz | tar.exe zxf - trivy'

curl.exe -sL -o trivy.zip https://github.com/aquasecurity/trivy/releases/download/v0.66.0/trivy_0.66.0_windows-64bit.zip
tar.exe zxf trivy.zip trivy.exe
rm trivy.zip

trivy.exe scan trivy.exe

PS C:\Users\vagrant\Downloads> .\trivy.exe rootfs trivy.exe --debug
2025-09-05T00:29:34-07:00       DEBUG   No plugins loaded
2025-09-05T00:29:34-07:00       DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2025-09-05T00:29:34-07:00       DEBUG   Cache dir       dir="C:\\Users\\vagrant\\AppData\\Local\\trivy"
2025-09-05T00:29:34-07:00       DEBUG   Cache dir       dir="C:\\Users\\vagrant\\AppData\\Local\\trivy"
2025-09-05T00:29:34-07:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-09-05T00:29:34-07:00       DEBUG   Ignore statuses statuses=[]
2025-09-05T00:29:34-07:00       DEBUG   DB update was skipped because the local DB is the latest
2025-09-05T00:29:34-07:00       DEBUG   DB info schema=2 updated_at=2025-09-05T00:30:52.636009464Z next_update=2025-09-06T00:30:52.636009303Z downloaded_at=2025-09-05T06:15:20.8838354Z
2025-09-05T00:29:34-07:00       DEBUG   [pkg] Package types     types=[os library]
2025-09-05T00:29:34-07:00       DEBUG   [pkg] Package relationships     relationships=[unknown root workspace direct indirect]
2025-09-05T00:29:34-07:00       DEBUG   [notification] Running version check
2025-09-05T00:29:34-07:00       INFO    [vuln] Vulnerability scanning is enabled
2025-09-05T00:29:34-07:00       INFO    [secret] Secret scanning is enabled
2025-09-05T00:29:34-07:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-09-05T00:29:34-07:00       INFO    [secret] Please see https://trivy.dev/v0.66/docs/scanner/secret#recommendation for faster secret detection
2025-09-05T00:29:34-07:00       DEBUG   Initializing scan cache...      type="memory"
2025-09-05T00:29:34-07:00       DEBUG   [secret] No secret config detected      config_path="trivy-secret.yaml"
2025-09-05T00:29:34-07:00       DEBUG   [fs] Analyzing...       root="trivy.exe"
2025-09-05T00:29:34-07:00       DEBUG   Created process-specific temp directory path="C:\\Users\\vagrant\\AppData\\Local\\Temp\\trivy-3008"
2025-09-05T00:29:34-07:00       DEBUG   [gobinary] Parsing dependency's build info settings     dependency="github.com/aquasecurity/trivy" -ldflags=[-s -w -extldflags -static -X github.com/aquasecurity/trivy/pkg/version/app.ver=0.66.0]
2025-09-05T00:29:34-07:00       DEBUG   OS is not detected.
2025-09-05T00:29:34-07:00       DEBUG   Detected OS: unknown
2025-09-05T00:29:34-07:00       INFO    Number of language-specific files       num=1
2025-09-05T00:29:34-07:00       INFO    [gobinary] Detecting vulnerabilities...
2025-09-05T00:29:34-07:00       DEBUG   [gobinary] Scanning packages for vulnerabilities        file_path="trivy.exe"
2025-09-05T00:29:34-07:00       WARN    Using severities from other vendors for some vulnerabilities. Read https://trivy.dev/v0.66/docs/scanner/vulnerability#severity-selection for details.
2025-09-05T00:29:34-07:00       DEBUG   Specified ignore file does not exist    file=".trivyignore"
2025-09-05T00:29:34-07:00       DEBUG   [vex] VEX filtering is disabled

Report Summary

┌───────────┬──────────┬─────────────────┬─────────┐
│  Target   │   Type   │ Vulnerabilities │ Secrets │
├───────────┼──────────┼─────────────────┼─────────┤
│ trivy.exe │ gobinary │        2        │    -    │
└───────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


trivy.exe (gobinary)
====================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)

┌─────────────────────────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬─────────────────┬───────────────────────────────────────────────────────────┐
│               Library               │    Vulnerability    │ Severity │ Status │ Installed Version │  Fixed Version  │                           Title                           │
├─────────────────────────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼─────────────────┼───────────────────────────────────────────────────────────┤
│ github.com/go-viper/mapstructure/v2 │ GHSA-2464-8j7c-4cjm │ MEDIUM   │ fixed  │ v2.3.0            │ 2.4.0           │ go-viper's mapstructure May Leak Sensitive Information in │
│                                     │                     │          │        │                   │                 │ Logs When Processing Malformed Data...                    │
│                                     │                     │          │        │                   │                 │ https://github.com/advisories/GHSA-2464-8j7c-4cjm         │
├─────────────────────────────────────┼─────────────────────┼──────────┤        ├───────────────────┼─────────────────┼───────────────────────────────────────────────────────────┤
│ stdlib                              │ CVE-2025-47907      │ HIGH     │        │ v1.24.4           │ 1.23.12, 1.24.6 │ database/sql: Postgres Scan Race Condition                │
│                                     │                     │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-47907                │
└─────────────────────────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴─────────────────┴───────────────────────────────────────────────────────────┘
2025-09-05T00:29:34-07:00       DEBUG   Cleaning up temp directory      path="C:\\Users\\vagrant\\AppData\\Local\\Temp\\trivy-3008"

trivy.exe scan trivy

PS C:\Users\vagrant\Downloads> .\trivy.exe rootfs trivy --debug
2025-09-05T00:29:56-07:00       DEBUG   No plugins loaded
2025-09-05T00:29:56-07:00       DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2025-09-05T00:29:56-07:00       DEBUG   Cache dir       dir="C:\\Users\\vagrant\\AppData\\Local\\trivy"
2025-09-05T00:29:56-07:00       DEBUG   Cache dir       dir="C:\\Users\\vagrant\\AppData\\Local\\trivy"
2025-09-05T00:29:56-07:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-09-05T00:29:56-07:00       DEBUG   Ignore statuses statuses=[]
2025-09-05T00:29:56-07:00       DEBUG   DB update was skipped because the local DB is the latest
2025-09-05T00:29:56-07:00       DEBUG   DB info schema=2 updated_at=2025-09-05T00:30:52.636009464Z next_update=2025-09-06T00:30:52.636009303Z downloaded_at=2025-09-05T06:15:20.8838354Z
2025-09-05T00:29:56-07:00       DEBUG   [pkg] Package types     types=[os library]
2025-09-05T00:29:56-07:00       DEBUG   [pkg] Package relationships     relationships=[unknown root workspace direct indirect]
2025-09-05T00:29:56-07:00       INFO    [vuln] Vulnerability scanning is enabled
2025-09-05T00:29:56-07:00       INFO    [secret] Secret scanning is enabled
2025-09-05T00:29:56-07:00       DEBUG   [notification] Running version check
2025-09-05T00:29:56-07:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-09-05T00:29:56-07:00       INFO    [secret] Please see https://trivy.dev/v0.66/docs/scanner/secret#recommendation for faster secret detection
2025-09-05T00:29:56-07:00       DEBUG   Initializing scan cache...      type="memory"
2025-09-05T00:29:56-07:00       DEBUG   [secret] No secret config detected      config_path="trivy-secret.yaml"
2025-09-05T00:29:56-07:00       DEBUG   [fs] Analyzing...       root="trivy"
2025-09-05T00:29:56-07:00       DEBUG   Created process-specific temp directory path="C:\\Users\\vagrant\\AppData\\Local\\Temp\\trivy-5444"
2025-09-05T00:29:56-07:00       DEBUG   OS is not detected.
2025-09-05T00:29:56-07:00       DEBUG   Detected OS: unknown
2025-09-05T00:29:56-07:00       INFO    Number of language-specific files       num=0
2025-09-05T00:29:56-07:00       DEBUG   Specified ignore file does not exist    file=".trivyignore"
2025-09-05T00:29:56-07:00       DEBUG   [vex] VEX filtering is disabled
2025-09-05T00:29:56-07:00       WARN    [report] Supported files for scanner(s) not found.      scanners=[vuln]
2025-09-05T00:29:56-07:00       INFO    [report] No issues detected with scanner(s).    scanners=[secret]

Report Summary

┌────────┬──────┬─────────────────┬─────────┐
│ Target │ Type │ Vulnerabilities │ Secrets │
├────────┼──────┼─────────────────┼─────────┤
│   -    │  -   │        -        │    -    │
└────────┴──────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

2025-09-05T00:29:56-07:00       DEBUG   Cleaning up temp directory      path="C:\\Users\\vagrant\\AppData\\Local\\Temp\\trivy-5444

Target

Filesystem

Scanner

Vulnerability

Output Format

None

Mode

Standalone

Debug Output

PS C:\Users\vagrant\Downloads> .\trivy.exe rootfs trivy --debug
2025-09-05T00:29:56-07:00       DEBUG   No plugins loaded
2025-09-05T00:29:56-07:00       DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2025-09-05T00:29:56-07:00       DEBUG   Cache dir       dir="C:\\Users\\vagrant\\AppData\\Local\\trivy"
2025-09-05T00:29:56-07:00       DEBUG   Cache dir       dir="C:\\Users\\vagrant\\AppData\\Local\\trivy"
2025-09-05T00:29:56-07:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-09-05T00:29:56-07:00       DEBUG   Ignore statuses statuses=[]
2025-09-05T00:29:56-07:00       DEBUG   DB update was skipped because the local DB is the latest
2025-09-05T00:29:56-07:00       DEBUG   DB info schema=2 updated_at=2025-09-05T00:30:52.636009464Z next_update=2025-09-06T00:30:52.636009303Z downloaded_at=2025-09-05T06:15:20.8838354Z
2025-09-05T00:29:56-07:00       DEBUG   [pkg] Package types     types=[os library]
2025-09-05T00:29:56-07:00       DEBUG   [pkg] Package relationships     relationships=[unknown root workspace direct indirect]
2025-09-05T00:29:56-07:00       INFO    [vuln] Vulnerability scanning is enabled
2025-09-05T00:29:56-07:00       INFO    [secret] Secret scanning is enabled
2025-09-05T00:29:56-07:00       DEBUG   [notification] Running version check
2025-09-05T00:29:56-07:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-09-05T00:29:56-07:00       INFO    [secret] Please see https://trivy.dev/v0.66/docs/scanner/secret#recommendation for faster secret detection
2025-09-05T00:29:56-07:00       DEBUG   Initializing scan cache...      type="memory"
2025-09-05T00:29:56-07:00       DEBUG   [secret] No secret config detected      config_path="trivy-secret.yaml"
2025-09-05T00:29:56-07:00       DEBUG   [fs] Analyzing...       root="trivy"
2025-09-05T00:29:56-07:00       DEBUG   Created process-specific temp directory path="C:\\Users\\vagrant\\AppData\\Local\\Temp\\trivy-5444"
2025-09-05T00:29:56-07:00       DEBUG   OS is not detected.
2025-09-05T00:29:56-07:00       DEBUG   Detected OS: unknown
2025-09-05T00:29:56-07:00       INFO    Number of language-specific files       num=0
2025-09-05T00:29:56-07:00       DEBUG   Specified ignore file does not exist    file=".trivyignore"
2025-09-05T00:29:56-07:00       DEBUG   [vex] VEX filtering is disabled
2025-09-05T00:29:56-07:00       WARN    [report] Supported files for scanner(s) not found.      scanners=[vuln]
2025-09-05T00:29:56-07:00       INFO    [report] No issues detected with scanner(s).    scanners=[secret]

Report Summary

┌────────┬──────┬─────────────────┬─────────┐
│ Target │ Type │ Vulnerabilities │ Secrets │
├────────┼──────┼─────────────────┼─────────┤
│   -    │  -   │        -        │    -    │
└────────┴──────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

2025-09-05T00:29:56-07:00       DEBUG   Cleaning up temp directory      path="C:\\Users\\vagrant\\AppData\\Local\\Temp\\trivy-5444

Operating System

windows 11 24H2

Version

PS C:\Users\vagrant\Downloads> .\trivy.exe --version
Version: 0.66.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-09-05 00:30:52.636009464 +0000 UTC
  NextUpdate: 2025-09-06 00:30:52.636009303 +0000 UTC
  DownloadedAt: 2025-09-05 06:15:20.8838354 +0000 UTC

Checklist

Run trivy clean --all
Read the troubleshooting

MaineK00n · 2025-09-05T08:06:09Z

MaineK00n
Sep 5, 2025
Author

It seems that other ELF binaries cannot be scanned either.

$ curl -sL https://github.com/future-architect/vuls/releases/download/v0.33.4/vuls_0.33.4_linux_amd64.tar.gz | tar zxf - vuls
$ ./trivy rootfs vuls
2025-09-05T16:55:45+09:00	INFO	[vuln] Vulnerability scanning is enabled
2025-09-05T16:55:45+09:00	INFO	[secret] Secret scanning is enabled
2025-09-05T16:55:45+09:00	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-09-05T16:55:45+09:00	INFO	[secret] Please see https://trivy.dev/v0.66/docs/scanner/secret#recommendation for faster secret detection
2025-09-05T16:55:45+09:00	INFO	Number of language-specific files	num=1
2025-09-05T16:55:45+09:00	INFO	[gobinary] Detecting vulnerabilities...
2025-09-05T16:55:45+09:00	WARN	Using severities from other vendors for some vulnerabilities. Read https://trivy.dev/v0.66/docs/scanner/vulnerability#severity-selection for details.

Report Summary

┌────────┬──────────┬─────────────────┬─────────┐
│ Target │   Type   │ Vulnerabilities │ Secrets │
├────────┼──────────┼─────────────────┼─────────┤
│ vuls   │ gobinary │        2        │    -    │
└────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


vuls (gobinary)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)

┌─────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────────────────────────────┐
│         Library         │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                         Title                          │
├─────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────────────────────────────┤
│ github.com/ulikunitz/xz │ CVE-2025-58058 │ MEDIUM   │ fixed  │ v0.5.12           │ 0.5.15          │ github.com/ulikunitz/xz: github.com/ulikunitz/xz leaks │
│                         │                │          │        │                   │                 │ memory                                                 │
│                         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-58058             │
├─────────────────────────┼────────────────┼──────────┤        ├───────────────────┼─────────────────┼────────────────────────────────────────────────────────┤
│ stdlib                  │ CVE-2025-47907 │ HIGH     │        │ v1.24.4           │ 1.23.12, 1.24.6 │ database/sql: Postgres Scan Race Condition             │
│                         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2025-47907             │
└─────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────────────────────────────┘

PS C:\Users\vagrant\Downloads> cmd.exe /c 'curl.exe -sL https://github.com/future-architect/vuls/releases/download/v0.33.4/vuls_0.33.4_linux_amd64.tar.gz | tar.exe zxf - vuls'
PS C:\Users\vagrant\Downloads> .\trivy.exe rootfs vuls
2025-09-05T01:04:39-07:00       INFO    [vulndb] Need to update DB
2025-09-05T01:04:39-07:00       INFO    [vulndb] Downloading vulnerability DB...
2025-09-05T01:04:39-07:00       INFO    [vulndb] Downloading artifact...        repo="mirror.gcr.io/aquasec/trivy-db:2"
69.97 MiB / 69.97 MiB [-----------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 4.76 MiB p/s 15s
2025-09-05T01:04:58-07:00       INFO    [vulndb] Artifact successfully downloaded       repo="mirror.gcr.io/aquasec/trivy-db:2"
2025-09-05T01:04:58-07:00       INFO    [vuln] Vulnerability scanning is enabled
2025-09-05T01:04:58-07:00       INFO    [secret] Secret scanning is enabled
2025-09-05T01:04:58-07:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-09-05T01:04:58-07:00       INFO    [secret] Please see https://trivy.dev/v0.66/docs/scanner/secret#recommendation for faster secret detection
2025-09-05T01:04:58-07:00       INFO    Number of language-specific files       num=0
2025-09-05T01:04:58-07:00       WARN    [report] Supported files for scanner(s) not found.      scanners=[vuln]
2025-09-05T01:04:58-07:00       INFO    [report] No issues detected with scanner(s).    scanners=[secret]

Report Summary

┌────────┬──────┬─────────────────┬─────────┐
│ Target │ Type │ Vulnerabilities │ Secrets │
├────────┼──────┼─────────────────┼─────────┤
│   -    │  -   │        -        │    -    │
└────────┴──────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

0 replies

DmitriyLewen · 2025-09-05T09:25:48Z

DmitriyLewen
Sep 5, 2025
Maintainer

Hello @MaineK00n
Thanks for your report!

Trivy detects only *.exe binaries in Windows OS:

trivy/pkg/fanal/utils/utils.go

Lines 48 to 63 in a19e0aa

    
           func IsExecutable(fileInfo os.FileInfo) bool { 
        
           	// For Windows 
        
           	if filepath.Ext(fileInfo.Name()) == ".exe" { 
        
           		return true 
        
           	} 
        
           	mode := fileInfo.Mode() 
        
           	if !mode.IsRegular() { 
        
           		return false 
        
           	} 
        
           	// Check unpackaged file 
        
           	if mode.Perm()&0o111 != 0 { 
        
           		return true 
        
           	} 
        
           	return false

IIUC mode.Perm()&0o111 != 0 doesn't work in windows.

It looks like we can use "debug/elf" package in windows.
@knqyf263 wdyt?

3 replies

knqyf263 Sep 8, 2025
Maintainer

How can we detect executable files? Analyzing all files could be expensive.

DmitriyLewen Sep 8, 2025
Maintainer

Yes, I’m also concerned about this.
But excluding the scanning of such files isn’t good either (even if it’s not a very obvious case).

We already have many flags, but we could consider creating a flag to enable/disable costly scanning.

Although we could start with opening a discussion about it.
I think this should be a very rare case.
But if users really need it, we can think further.

knqyf263 Sep 8, 2025
Maintainer

I can’t think of any common use cases at the moment, so we can wait for feedback. As a workaround, even if it’s an ELF file, I believe it will be scanned if the extension is .exe (I know it’s strange).

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

trivy.exe fails to scan ELF binary? #9443

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 2 comments 3 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

trivy.exe fails to scan ELF binary? #9443

Uh oh!

Uh oh!

MaineK00n Sep 5, 2025

Description

Desired Behavior

Actual Behavior

Reproduction Steps

Linux

Windows

Target

Scanner

Output Format

Mode

Debug Output

Operating System

Version

Checklist

Replies: 2 comments · 3 replies

Uh oh!

MaineK00n Sep 5, 2025 Author

Uh oh!

DmitriyLewen Sep 5, 2025 Maintainer

Uh oh!

knqyf263 Sep 8, 2025 Maintainer

Uh oh!

DmitriyLewen Sep 8, 2025 Maintainer

Uh oh!

knqyf263 Sep 8, 2025 Maintainer

MaineK00n
Sep 5, 2025

Replies: 2 comments 3 replies

MaineK00n
Sep 5, 2025
Author

DmitriyLewen
Sep 5, 2025
Maintainer

knqyf263 Sep 8, 2025
Maintainer

DmitriyLewen Sep 8, 2025
Maintainer

knqyf263 Sep 8, 2025
Maintainer