Trivy is not reporting CVE-2025-30399 in .NET container

[tomkerkhove]

IDs

CVE-2025-30399

Description

Trivy is not reporting CVE-2025-30399 in .NET container that is running version that is subject to it.

As per Alpine coverage & .NET coverage, it should report known vulnerabilities with a fix.

Reproduction Steps

1. Run "trivy image mcr.microsoft.com/azure-api-management/gateway:2.9.1"
2. https://github.com/advisories/GHSA-266m-wp2v-x7mq is not flagged

Target

Container Image

Scanner

Vulnerability

Target OS

No response

Debug Output

~  trivy image mcr.microsoft.com/azure-api-management/gateway:2.9.1
2025-09-05T10:42:39+02:00       INFO    [vuln] Vulnerability scanning is enabled
2025-09-05T10:42:39+02:00       INFO    [secret] Secret scanning is enabled
2025-09-05T10:42:39+02:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-09-05T10:42:39+02:00       INFO    [secret] Please see also https://trivy.dev/v0.65/docs/scanner/secret#recommendation for faster secret detection
2025-09-05T10:42:44+02:00       INFO    Detected OS     family="alpine" version="3.20.6"
2025-09-05T10:42:44+02:00       INFO    [alpine] Detecting vulnerabilities...   os_version="3.20" repository="3.20" pkg_num=90
2025-09-05T10:42:44+02:00       INFO    Number of language-specific files       num=3
2025-09-05T10:42:44+02:00       INFO    [dotnet-core] Detecting vulnerabilities...

Report Summary

┌──────────────────────────────────────────────────────────────────────────────────┬─────────────┬─────────────────┬─────────┐
│                                      Target                                      │    Type     │ Vulnerabilities │ Secrets │
├──────────────────────────────────────────────────────────────────────────────────┼─────────────┼─────────────────┼─────────┤
│ mcr.microsoft.com/azure-api-management/gateway:2.9.1 (alpine 3.20.6)             │   alpine    │        0        │    -    │
├──────────────────────────────────────────────────────────────────────────────────┼─────────────┼─────────────────┼─────────┤
│ app/Gateway.Host.AspNetCore.deps.json                                            │ dotnet-core │        0        │    -    │
├──────────────────────────────────────────────────────────────────────────────────┼─────────────┼─────────────────┼─────────┤
│ usr/share/dotnet/shared/Microsoft.AspNetCore.App/8.0.15/Microsoft.AspNetCore.Ap- │ dotnet-core │        0        │    -    │
│ p.deps.json                                                                      │             │                 │         │
├──────────────────────────────────────────────────────────────────────────────────┼─────────────┼─────────────────┼─────────┤
│ usr/share/dotnet/shared/Microsoft.NETCore.App/8.0.15/Microsoft.NETCore.App.deps- │ dotnet-core │        0        │    -    │
│ .json                                                                            │             │                 │         │
└──────────────────────────────────────────────────────────────────────────────────┴─────────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


📣 Notices:
  - Version 0.66.0 of Trivy is now available, current version is 0.65.0

To suppress version checks, run Trivy scans with the --skip-version-check flag

Version

~  trivy --version
Version: 0.65.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-09-05 06:30:47.074373351 +0000 UTC
  NextUpdate: 2025-09-06 06:30:47.07437308 +0000 UTC
  DownloadedAt: 2025-09-05 08:42:19.1349901 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[DmitriyLewen]

Hello @tomkerkhove
Thanks for your report!

Can you send file name with vulnerable package?

Regards, Dmitriy

[DmitriyLewen]

you can use -f json --list-all-pkgs flag and see all found packages in Packages array.

[tomkerkhove]

Thanks, that helped! Here are the download exported results.

Note that it includes Microsoft.NETCore.App.Runtime.linux-musl-x64 which is reported in GHSA-266m-wp2v-x7mq (simplified):

{
  "SchemaVersion": 2,
  "CreatedAt": "2025-09-05T14:22:00.8527814+02:00",
  "ArtifactName": "mcr.microsoft.com/azure-api-management/gateway:2.9.1",
  "ArtifactType": "container_image",
  "Results": [
    {
      "Target": "usr/share/dotnet/shared/Microsoft.NETCore.App/8.0.15/Microsoft.NETCore.App.deps.json",
      "Class": "lang-pkgs",
      "Type": "dotnet-core",
      "Packages": [
        {
          "ID": "Microsoft.NETCore.App.Runtime.linux-musl-x64/8.0.15",
          "Name": "Microsoft.NETCore.App.Runtime.linux-musl-x64",
          "Identifier": {
            "PURL": "pkg:nuget/[email protected]",
            "UID": "7650e7d13df5cb8f"
          },
          "Version": "8.0.15",
          "Layer": {
            "Digest": "sha256:49faa56a01aabd6e521bd4acc85131469d33768e201eaccd6f05b943e481129c",
            "DiffID": "sha256:681379a9d94484399b15720a5ed71fda840e2c4765cf40b6ebf67da078bc86ba"
          },
          "Locations": [
            {
              "StartLine": 730,
              "EndLine": 735
            }
          ]
        }
      ]
    }
  ]
}

[tomkerkhove]

Was this the information you are looking for @DmitriyLewen? Not asking for an answer already, but just to see if you need more of me :)

[DmitriyLewen]

I’ve found the problem.
Your file contains the package Microsoft.NETCore.App.Runtime.linux-musl-x64 (NET),
but the GitHub advisory database contains Microsoft.NetCore.App.Runtime.linux-musl-x64 (Net).

That’s why Trivy doesn’t detect the vulnerability.

[tomkerkhove]

Thank you very much, Dmitriy!

[DmitriyLewen]

track #9451