DmitriyLewen

Results 384 comments of DmitriyLewen

Hello @tofuatjava Thanks for your report! Your scan target for `1.0.0-SNAPSHOT` has a typo (missing `S` in "SNAP**S**HOT"):

> trivy image --debug quay.io/tofuatwork/quarkus-getting-started:1.0.0-SNAPHOT

Trivy works correctly with this image. ```...

Hello @fabiorush Thanks for your report! Your image is based on `Debian 9`. This OS version is not currently supported and doesn't include [CVE-2021-22883](https://github.com/aquasecurity/vuln-list/blob/7a71cd82433c8e61180bc3850f5c7450f560328b/debian/CVE/CVE-2021-22883.json#L25-L32) ([CVE-2021-22883 in Debian DB](https://security-tracker.debian.org/tracker/CVE-2021-22883)). That is why...

Hello @rbrayner I investigated the [node:latest](https://hub.docker.com/layers/node/library/node/latest/images/sha256-2eef0e2d04ac0aaa5d7cefbc24a137c42c925d9dffa5a2568cda7618a1378976?context=explore) image. This image doesn't use `dpkg`. It [downloads](https://hub.docker.com/layers/node/library/node/latest/images/sha256-2eef0e2d04ac0aaa5d7cefbc24a137c42c925d9dffa5a2568cda7618a1378976?context=explore) the node binary and uses it. Trivy currently only supports parsing `go` binaries. That is why Trivy doesn't...

Hello @AErmie Thanks for your report! I installed `pillow 8.4.0` in an `amazonlinux:2` container, but can't reproduce your issue. Can you send the result with the `-f json --list-all-pkgs` flags? Regards, Dmitriy

Hello @AErmie Thanks for your answer! Trivy found the `python-pillow` package name:

```
"Name": "python-pillow",
"Version": "2.0.0",
"Release": "23.gitd1c6db8.amzn2.0.1",
"Arch": "x86_64",
"SrcName": "python-pillow",
"SrcVersion": "2.0.0",
"SrcRelease": "23.gitd1c6db8.amzn2.0.1",
```

[CVE-2022-22815](https://github.com/advisories/GHSA-pw3c-h7wp-cvhx) and [CVE-2022-22817](https://github.com/advisories/GHSA-8vj2-vxx3-667w)...

@AErmie Can I get your image or your Dockerfile (or the part of the Dockerfile) where you can reproduce this issue? I need it to investigate this issue.

Okay, thank you! I will check and write to you.

@AErmie Sorry for confusing you before. For packages installed from `rpm/yum`, Trivy uses OS databases: [data-source](https://aquasecurity.github.io/trivy/v0.27.1/docs/vulnerability/detection/data-source/). [Amazon Linux Security Center](https://alas.aws.amazon.com/alas2.html) is used for Amazon Linux 2. For example: your container...

Hello @AErmie When you use the `trivy image` flag, Trivy scans all files in the image and gets OS packages (rpm, dpkg, etc.) and some language packages ([list of languages and supported...

I think Grype also gets vulnerabilities from the GitHub database when scanning an image based on Amazon Linux 2. For this image, Trivy only uses the Amazon database for Python packages installed...