CVE-2025-27113 Not Detected in UBI9 image ppc64le (libxml2)

[gauravpbankar13]

IDs

CVE-2025-27113

Description

Trivy is not detecting CVE-2025-27113 , a High severity vulnerability in libxml2, on a custom UBI9 ppc64le image.

I scanned the image with debug mode enabled:

trivy --debug image --timeout 60m ****************-libxml2:latest --format table

Reproduction Steps

1.Start with a UBI 9 base image for the ppc64le architecture.

2.Install libxml2 using Conda within the image or environment.

3. Run Trivy scan with debug and extended timeout enabled:

trivy --debug image --timeout 60m <your-image-with-conda-libxml2>


4.Observe that CVE-2025-27113 is not detected despite libxml2 being installed.

Target

Container Image

Scanner

Vulnerability

Target OS

UBI9 Image

Debug Output

trivy image --timeout 60m localhost/ubi9.3-ppc64le-libxml2:latest --debug
2025-09-30T04:26:51-07:00       DEBUG   No plugins loaded
2025-09-30T04:26:51-07:00       DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2025-09-30T04:26:51-07:00       DEBUG   Cache dir       dir="/root/.cache/trivy"
2025-09-30T04:26:51-07:00       DEBUG   Cache dir       dir="/root/.cache/trivy"
2025-09-30T04:26:51-07:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-09-30T04:26:51-07:00       DEBUG   Ignore statuses statuses=[]
2025-09-30T04:26:51-07:00       DEBUG   DB update was skipped because the local DB is the latest
2025-09-30T04:26:51-07:00       DEBUG   DB info schema=2 updated_at=2025-09-30T00:34:09.477494039Z next_update=2025-10-01T00:34:09.477493809Z downloaded_at=2025-09-30T05:16:38.593553452Z
2025-09-30T04:26:51-07:00       DEBUG   [pkg] Package types     types=[os library]
2025-09-30T04:26:51-07:00       DEBUG   [pkg] Package relationships     relationships=[unknown root workspace direct indirect]
2025-09-30T04:26:51-07:00       INFO    [vuln] Vulnerability scanning is enabled
2025-09-30T04:26:51-07:00       INFO    [secret] Secret scanning is enabled
2025-09-30T04:26:51-07:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-09-30T04:26:51-07:00       DEBUG   [notification] Running version check
2025-09-30T04:26:51-07:00       INFO    [secret] Please see https://trivy.dev/v0.66/docs/scanner/secret#recommendation for faster secret detection
2025-09-30T04:26:51-07:00       DEBUG   Initializing scan cache...      type="fs"
2025-09-30T04:26:51-07:00       DEBUG   Created process-specific temp directory path="/tmp/trivy-62568"
2025-09-30T04:26:51-07:00       DEBUG   [image] Image found     image="localhost/ubi9.3-ppc64le-libxml2:latest" source="docker"
2025-09-30T04:26:51-07:00       DEBUG   [secret] No secret config detected      config_path="trivy-secret.yaml"
2025-09-30T04:26:51-07:00       DEBUG   [secret] No secret config detected      config_path="trivy-secret.yaml"
2025-09-30T04:26:51-07:00       DEBUG   [image] Detected image ID       image_id="sha256:eba5342f83aa806d699feab0516c4b7f9ea7dae6e0ff8471dbcb1403aaa71c5b"
2025-09-30T04:26:51-07:00       DEBUG   Saving the container image to a local file to obtain the image config...
2025-09-30T04:26:51-07:00       DEBUG   [notification] Version check completed  latest_version="0.67.0"
2025-09-30T04:27:10-07:00       DEBUG   [image] Detected diff ID        diff_ids=[sha256:00aa72e8b64cc80c7a9a276fbd4164f861d82c9fee5a32c7917cb8a016768765 sha256:1d99e1d932c37409733f8e00101da169ef12e01f2cdd53622dff2cdaa327a599 sha256:f6c14b8bda71a2d0f95e5a99bb3ee8565f379c93c3cbf447f4140ac37e09f996]
2025-09-30T04:27:10-07:00       DEBUG   [image] Detected base layers    diff_ids=[]
2025-09-30T04:27:10-07:00       INFO    Detected OS     family="redhat" version="9.3"
2025-09-30T04:27:10-07:00       INFO    [redhat] Detecting RHEL/CentOS vulnerabilities...       os_version="9" pkg_num=184
2025-09-30T04:27:10-07:00       INFO    Number of language-specific files       num=2
2025-09-30T04:27:10-07:00       INFO    [conda-pkg] Detecting vulnerabilities...
2025-09-30T04:27:10-07:00       DEBUG   [conda-pkg] Scanning packages for vulnerabilities       file_path=""
2025-09-30T04:27:10-07:00       WARN    Conda package is supported for SBOM, not for vulnerability scanning
2025-09-30T04:27:10-07:00       INFO    [python-pkg] Detecting vulnerabilities...
2025-09-30T04:27:10-07:00       DEBUG   [python-pkg] Scanning packages for vulnerabilities      file_path=""
2025-09-30T04:27:10-07:00       WARN    Using severities from other vendors for some vulnerabilities. Read https://trivy.dev/v0.66/docs/scanner/vulnerability#severity-selection for details.
2025-09-30T04:27:10-07:00       DEBUG   Specified ignore file does not exist    file=".trivyignore"
2025-09-30T04:27:10-07:00       DEBUG   [vex] VEX filtering is disabled
2025-09-30T04:27:10-07:00       INFO    Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Report Summary

┌──────────────────────────────────────────────────────────────────────────────────┬────────────┬─────────────────┬─────────┐
│                                      Target                                      │    Type    │ Vulnerabilities │ Secrets │
├──────────────────────────────────────────────────────────────────────────────────┼────────────┼─────────────────┼─────────┤
│ localhost/ubi9.3-ppc64le-libxml2:latest (redhat 9.3)                             │   redhat   │       328       │    -    │
├──────────────────────────────────────────────────────────────────────────────────┼────────────┼─────────────────┼─────────┤
│ opt/conda/envs/myenv/conda-meta/_libgcc_mutex-0.1-main.json                      │ conda-pkg  │        0        │    -    │
├──────────────────────────────────────────────────────────────────────────────────┼────────────┼─────────────────┼─────────┤
│ opt/conda/envs/myenv/conda-meta/_openmp_mutex-5.1-1_gnu.json                     │ conda-pkg  │        0        │    -    │
├──────────────────────────────────────────────────────────────────────────────────┼────────────┼─────────────────┼─────────┤
│ opt/conda/envs/myenv/conda-meta/icu-73.1-h4a02239_0.json                         │ conda-pkg  │        0        │    -    │
├──────────────────────────────────────────────────────────────────────────────────┼────────────┼─────────────────┼─────────┤
│ opt/conda/envs/myenv/conda-meta/libgcc-ng-11.2.0-h1234567_1.json                 │ conda-pkg  │        0        │    -    │
├──────────────────────────────────────────────────────────────────────────────────┼────────────┼─────────────────┼─────────┤
│ opt/conda/envs/myenv/conda-meta/libgomp-11.2.0-h1234567_1.json                   │ conda-pkg  │        0        │    -    │
├──────────────────────────────────────────────────────────────────────────────────┼────────────┼─────────────────┼─────────┤
│ opt/conda/envs/myenv/conda-meta/libstdcxx-ng-11.2.0-h1234567_1.json              │ conda-pkg  │        0        │    -    │
├──────────────────────────────────────────────────────────────────────────────────┼────────────┼─────────────────┼─────────┤
│ opt/conda/envs/myenv/conda-meta/libxml2-2.10.4-h18e3229_1.json                   │ conda-pkg  │        0        │    -    │
├──────────────────────────────────────────────────────────────────────────────────┼────────────┼─────────────────┼─────────┤
│ opt/conda/envs/myenv/conda-meta/xz-5.4.2-hf118e41_0.json                         │ conda-pkg  │        0        │    -    │
├──────────────────────────────────────────────────────────────────────────────────┼────────────┼─────────────────┼─────────┤
│ opt/conda/envs/myenv/conda-meta/zlib-1.2.13-hf118e41_0.json                      │ conda-pkg  │        0        │    -    │
├──────────────────────────────────────────────────────────────────────────────────┼────────────┼─────────────────┼─────────┤
│ opt/conda/lib/python3.11/site-packages/Brotli-1.0.9.dist-info/METADATA           │ python-pkg │        0        │    -    │
├──────────────────────────────────────────────────────────────────────────────────┼────────────┼─────────────────┼─────────┤
│ opt/conda/lib/python3.11/site-packages/PySocks-1.7.1.dist-info/METADATA          │ python-pkg │        0        │    -    │
├──────────────────────────────────────────────────────────────────────────────────┼────────────┼─────────────────┼─────────┤
│ opt/conda/lib/python3.11/site-packages/archspec-0.2.1.dist-info/METADATA         │ python-pkg │        0        │    -    │
├──────────────────────────────────────────────────────────────────────────────────┼────────────┼─────────────────┼─────────┤
│ opt/conda/lib/python3.11/site-packages/boltons-23.0.0.dist-info/METADATA         │ python-pkg │        0        │    -    │
├──────────────────────────────────────────────────────────────────────────────────┼────────────┼─────────────────┼─────────┤
│ opt/conda/lib/python3.11/site-packages/certifi-2023.7.22.dist-info/METADATA      │ python-pkg │        1        │    -    │
├──────────────────────────────────────────────────────────────────────────────────┼────────────┼─────────────────┼─────────┤
│ opt/conda/lib/python3.11/site-packages/cffi-1.15.1.dist-info/METADATA            │ python-pkg │        0        │    -    │
├──────────────────────────────────────────────────────────────────────────────────┼────────────┼─────────────────┼─────────┤
│ opt/conda/lib/python3.11/site-packages/charset_normalizer-2.0.4.dist-info/METAD- │ python-pkg │        0        │    -    │
│ ATA                                                                              │            │                 │         │
├──────────────────────────────────────────────────────────────────────────────────┼────────────┼─────────────────┼─────────┤
│ opt/conda/lib/python3.11/site-packages/conda-23.10.0.dist-info/METADATA          │ python-pkg │        0        │    -    │
├──────────────────────────────────────────────────────────────────────────────────┼────────────┼─────────────────┼─────────┤
│ opt/conda/lib/python3.11/site-packages/conda_content_trust-0.2.0.dist-info/META- │ python-pkg │        0        │    -    │
│ DATA                                                                             │            │                 │         │
├──────────────────────────────────────────────────────────────────────────────────┼────────────┼─────────────────┼─────────┤
│ opt/conda/lib/python3.11/site-packages/conda_libmamba_solver-23.11.1.dist-info/- │ python-pkg │        0        │    -    │
│ METADATA                                                                         │            │                 │         │
├──────────────────────────────────────────────────────────────────────────────────┼────────────┼─────────────────┼─────────┤
│ opt/conda/lib/python3.11/site-packages/conda_package_handling-2.2.0.dist-info/M- │ python-pkg │        0        │    -    │
│ ETADATA                                                                          │            │                 │         │
├──────────────────────────────────────────────────────────────────────────────────┼────────────┼─────────────────┼─────────┤
│ opt/conda/lib/python3.11/site-packages/conda_package_streaming-0.9.0.dist-info/- │ python-pkg │        0        │    -    │
│ METADATA                                                                         │            │                 │         │
├──────────────────────────────────────────────────────────────────────────────────┼────────────┼─────────────────┼─────────┤
│ opt/conda/lib/python3.11/site-packages/cryptography-41.0.3.dist-info/METADATA    │ python-pkg │        6        │    -    │
├──────────────────────────────────────────────────────────────────────────────────┼────────────┼─────────────────┼─────────┤
│ opt/conda/lib/python3.11/site-packages/idna-3.4.dist-info/METADATA               │ python-pkg │        1        │    -    │
├──────────────────────────────────────────────────────────────────────────────────┼────────────┼─────────────────┼─────────┤
│ opt/conda/lib/python3.11/site-packages/jsonpatch-1.32.dist-info/METADATA         │ python-pkg │        0        │    -    │
├──────────────────────────────────────────────────────────────────────────────────┼────────────┼─────────────────┼─────────┤
│ opt/conda/lib/python3.11/site-packages/jsonpointer-2.1-py3.6.egg-info/PKG-INFO   │ python-pkg │        0        │    -    │
├──────────────────────────────────────────────────────────────────────────────────┼────────────┼─────────────────┼─────────┤
│ opt/conda/lib/python3.11/site-packages/libmambapy-1.5.3.dist-info/METADATA       │ python-pkg │        0        │    -    │
├──────────────────────────────────────────────────────────────────────────────────┼────────────┼─────────────────┼─────────┤
│ opt/conda/lib/python3.11/site-packages/packaging-23.1.dist-info/METADATA         │ python-pkg │        0        │    -    │
├──────────────────────────────────────────────────────────────────────────────────┼────────────┼─────────────────┼─────────┤
│ opt/conda/lib/python3.11/site-packages/pip-23.3-py3.11.egg-info/PKG-INFO         │ python-pkg │        1        │    -    │
├──────────────────────────────────────────────────────────────────────────────────┼────────────┼─────────────────┼─────────┤
│ opt/conda/lib/python3.11/site-packages/pluggy-1.0.0.dist-info/METADATA           │ python-pkg │        0        │    -    │
├──────────────────────────────────────────────────────────────────────────────────┼────────────┼─────────────────┼─────────┤
│ opt/conda/lib/python3.11/site-packages/pyOpenSSL-23.2.0.dist-info/METADATA       │ python-pkg │        0        │    -    │
├──────────────────────────────────────────────────────────────────────────────────┼────────────┼─────────────────┼─────────┤
│ opt/conda/lib/python3.11/site-packages/pycosat-0.6.6.dist-info/METADATA          │ python-pkg │        0        │    -    │
├──────────────────────────────────────────────────────────────────────────────────┼────────────┼─────────────────┼─────────┤
│ opt/conda/lib/python3.11/site-packages/pycparser-2.21.dist-info/METADATA         │ python-pkg │        0        │    -    │
├──────────────────────────────────────────────────────────────────────────────────┼────────────┼─────────────────┼─────────┤
│ opt/conda/lib/python3.11/site-packages/requests-2.31.0.dist-info/METADATA        │ python-pkg │        2        │    -    │
├──────────────────────────────────────────────────────────────────────────────────┼────────────┼─────────────────┼─────────┤
│ opt/conda/lib/python3.11/site-packages/ruamel.yaml-0.17.21.dist-info/METADATA    │ python-pkg │        0        │    -    │
├──────────────────────────────────────────────────────────────────────────────────┼────────────┼─────────────────┼─────────┤
│ opt/conda/lib/python3.11/site-packages/setuptools-68.0.0-py3.11.egg-info/PKG-IN- │ python-pkg │        2        │    -    │
│ FO                                                                               │            │                 │         │
├──────────────────────────────────────────────────────────────────────────────────┼────────────┼─────────────────┼─────────┤
│ opt/conda/lib/python3.11/site-packages/tqdm-4.65.0.dist-info/METADATA            │ python-pkg │        1        │    -    │
├──────────────────────────────────────────────────────────────────────────────────┼────────────┼─────────────────┼─────────┤
│ opt/conda/lib/python3.11/site-packages/truststore-0.8.0.dist-info/METADATA       │ python-pkg │        0        │    -    │
├──────────────────────────────────────────────────────────────────────────────────┼────────────┼─────────────────┼─────────┤
│ opt/conda/lib/python3.11/site-packages/urllib3-1.26.18.dist-info/METADATA        │ python-pkg │        2        │    -    │
├──────────────────────────────────────────────────────────────────────────────────┼────────────┼─────────────────┼─────────┤
│ opt/conda/lib/python3.11/site-packages/wheel-0.41.2.dist-info/METADATA           │ python-pkg │        0        │    -    │
├──────────────────────────────────────────────────────────────────────────────────┼────────────┼─────────────────┼─────────┤
│ opt/conda/lib/python3.11/site-packages/zstandard-0.19.0.dist-info/METADATA       │ python-pkg │        0        │    -    │
└──────────────────────────────────────────────────────────────────────────────────┴────────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

Version

trivy --version
Version: 0.66.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-09-30 00:34:09.477494039 +0000 UTC
  NextUpdate: 2025-10-01 00:34:09.477493809 +0000 UTC
  DownloadedAt: 2025-09-30 05:16:38.593553452 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2025-09-29 00:47:44.879936012 +0000 UTC
  NextUpdate: 2025-10-02 00:47:44.879935646 +0000 UTC
  DownloadedAt: 2025-09-29 15:44:02.542289147 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[gauravpbankar13]

Hi not able to paste all logs in the description so adding log file for the reference.
libxml2-trivy-scan.log

[DmitriyLewen]

Hello @gauravpbankar13

2.Install libxml2 using Conda within the image or environment.

https://trivy.dev/latest/docs/coverage/others/conda/

Trivy doesn't support scan vulnerabilities for conda packages.

Regards, Dmitriy