
Trivy warns "failed to get the vulnerability" about a rejected CVE, CVE-2021-20095

Open hlein opened this issue 1 year ago • 4 comments

Description

When running trivy, a consistent error I'm getting across lots of Docker images is:

Error while getting vulnerability details: failed to get the vulnerability "CVE-2021-20095": no vulnerability details for CVE-2021-20095

I got that error a few days ago using trivy-0.30.2 and a then-current DB, and then again just now with trivy-0.30.4 after making sure I fetched a fresh DB.

If you check out that CVE, its status is REJECTED: https://nvd.nist.gov/vuln/detail/CVE-2021-20095

There's no information there about why, but I think it was a duplicate of https://nvd.nist.gov/vuln/detail/CVE-2021-42771; see more info below that corroborates that.

What did you expect to happen?

trivy to run to completion without errors.

What happened instead?

The above error (along with otherwise successful completion).

Output of run with -debug:

$ trivy image --debug --skip-update --offline-scan -f json --input [image.tar]
...
2022-07-28T20:36:05.833-0600    WARN    Error while getting vulnerability details: failed to get the vulnerability "CVE-2021-20095": no vulnerability details for CVE-2021-20095
2022-07-28T20:36:05.833-0600    WARN    Error while getting vulnerability details: failed to get the vulnerability "CVE-2021-20095": no vulnerability details for CVE-2021-20095
...

I cannot share the full output, but here's a snippet of the resulting json that mentions CVE-2021-20095:

        {
          "VulnerabilityID": "CVE-2021-20095",
          "VendorIDs": [
            "RHSA-2021:4151"
          ],
          "PkgName": "python2",
          "InstalledVersion": "2.7.18-4.module+el8.4.0+9577+0b56c8de",
          "FixedVersion": "2.7.18-7.module+el8.5.0+12203+77770ab7",
          "Layer": {
            "DiffID": "sha256:7cd3f8de903a013ee7f4d6ee792562196e45273f9075c5a244883301e88ad5ae"
          },
          "SeveritySource": "redhat",
          "Severity": "MEDIUM"
        },

And here's one for CVE-2021-42771 that mentions CVE-2021-20095 in the same Title:

        {
          "VulnerabilityID": "CVE-2021-42771",
          "VendorIDs": [
            "RHSA-2021:4151"
          ],
          "PkgName": "python2",
          "InstalledVersion": "2.7.18-4.module+el8.4.0+9577+0b56c8de",
          "FixedVersion": "2.7.18-7.module+el8.5.0+12203+77770ab7",
          "Layer": {
            "DiffID": "sha256:7cd3f8de903a013ee7f4d6ee792562196e45273f9075c5a244883301e88ad5ae"
          },
          "SeveritySource": "redhat",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-42771",
          "Title": "CVE-2021-20095 CVE-2021-42771 python-babel: Relative path traversal allows attacker to load arbitrary locale files and execute arbitrary code",
          "Description": "Babel.Locale in Babel before 2.9.1 allows attackers to load arbitrary locale .dat files (containing serialized Python objects) via directory traversal, leading to code execution.",
          "Severity": "MEDIUM",
          "CweIDs": [
            "CWE-22"
          ],
          "CVSS": {
            "ghsa": {
              "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "V3Score": 7.8
            },
            "nvd": {
              "V2Vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
              "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "V2Score": 7.2,
              "V3Score": 7.8
            },
            "redhat": {
              "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "V3Score": 7.8
            }
          },

(These repeat later for python2-libs.)

Output of trivy -v:

$ trivy -v
Version: 
Vulnerability DB:
  Version: 2
  UpdatedAt: 2022-07-29 00:11:12.52345116 +0000 UTC
  NextUpdate: 2022-07-29 06:11:12.52345066 +0000 UTC
  DownloadedAt: 0001-01-01 00:00:00 +0000 UTC

Additional details (base image name, container registry info...):

hlein avatar Jul 29 '22 02:07 hlein

Hello @hlein Thanks for your report!

I was able to reproduce your issue and we are working on it.

Regards, Dmitriy

DmitriyLewen avatar Aug 02 '22 06:08 DmitriyLewen

Hi,

I am also facing the same issue with trivy 0.30.4: Error while getting vulnerability details: failed to get the vulnerability "CVE-2022-3209": no vulnerability details for CVE-2022-3209

SushanSuresh avatar Aug 24 '22 10:08 SushanSuresh

I have exactly the same problem, "Error while getting vulnerability details: failed to get the vulnerability "CVE-2022-3209": no vulnerability details for CVE-2022-3209"; the scan fails as if it had vulnerabilities, but this is not true.

roDew avatar Aug 31 '22 08:08 roDew

@roDew, I'm getting what you got:

postgres:14.5-alpine (alpine 3.16.2)
====================================
Total: 1 (UNKNOWN: 1, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

┌─────────┬───────────────┬──────────┬───────────────────┬───────────────┬───────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├─────────┼───────────────┼──────────┼───────────────────┼───────────────┼───────┤
│ libxml2 │ CVE-2022-3209 │ UNKNOWN  │ 2.9.14-r0         │ 2.9.14-r1     │       │
└─────────┴───────────────┴──────────┴───────────────────┴───────────────┴───────┘

However, it's beginning to look like it's a typo: CVE-2022-3209 doesn't exist but CVE-2022-2309 does.

  • https://nvd.nist.gov/vuln/detail/CVE-2022-2309 - libxml2
  • https://nvd.nist.gov/vuln/detail/CVE-2022-3209 - not found

Other databases also have the typo:

  • https://security.snyk.io/vuln/SNYK-ALPINE314-LIBXML2-2987454 - CVE-2022-3209
  • https://www.redpacketsecurity.com/alpine-linux-libxml2-unspecified-cve-2022-3209/
  • https://security.alpinelinux.org/vuln/CVE-2022-3209

Don't know where it came from, but it'd be nice if it were fixed. :-)

PenelopeFudd avatar Sep 14 '22 05:09 PenelopeFudd
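Both cases in this thread (a rejected CVE whose details live under a sibling ID, and a mistyped CVE ID that no database can resolve) show up in the JSON report the same way: a finding with no Title, Description or PrimaryURL. The following script, an added triage example that is not part of Trivy or of this thread, walks a Trivy JSON report, flags such detail-less findings, and lists sibling findings on the same target that share a vendor advisory or whose Title mentions the flagged ID, since that is where a duplicate or rejected CVE usually points (as CVE-2021-42771 does for CVE-2021-20095 above). The Results/Target/Vulnerabilities wrapper follows Trivy's JSON report layout; the sample report embedded below is constructed from the fragments posted in the thread, with long text fields abbreviated.

```python
"""Triage helper for Trivy JSON reports (added example, not Trivy's own code).

Flags findings that carry no vulnerability details, the report-side symptom
behind "no vulnerability details for CVE-...", and points at sibling findings
that share a vendor advisory or mention the flagged ID in their Title.
"""
import json
from collections import defaultdict

# Constructed sample report, assembled from the snippets posted in the thread.
# Text fields are abbreviated; the layout is Trivy's Results[].Vulnerabilities[].
SAMPLE_REPORT = json.dumps({
    "Results": [
        {
            "Target": "image.tar (redhat 8.4)",
            "Vulnerabilities": [
                {   # rejected CVE: no Title/Description/PrimaryURL in the DB
                    "VulnerabilityID": "CVE-2021-20095",
                    "VendorIDs": ["RHSA-2021:4151"],
                    "PkgName": "python2",
                    "InstalledVersion": "2.7.18-4.module+el8.4.0+9577+0b56c8de",
                    "FixedVersion": "2.7.18-7.module+el8.5.0+12203+77770ab7",
                    "SeveritySource": "redhat",
                    "Severity": "MEDIUM",
                },
                {   # the surviving CVE; its Title names the rejected one
                    "VulnerabilityID": "CVE-2021-42771",
                    "VendorIDs": ["RHSA-2021:4151"],
                    "PkgName": "python2",
                    "InstalledVersion": "2.7.18-4.module+el8.4.0+9577+0b56c8de",
                    "FixedVersion": "2.7.18-7.module+el8.5.0+12203+77770ab7",
                    "SeveritySource": "redhat",
                    "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-42771",
                    "Title": "CVE-2021-20095 CVE-2021-42771 python-babel: Relative path traversal ...",
                    "Description": "Babel.Locale in Babel before 2.9.1 allows ...",
                    "Severity": "MEDIUM",
                },
            ],
        },
        {
            "Target": "postgres:14.5-alpine (alpine 3.16.2)",
            "Vulnerabilities": [
                {   # mistyped upstream ID: nothing resolves it, so no details at all
                    "VulnerabilityID": "CVE-2022-3209",
                    "PkgName": "libxml2",
                    "InstalledVersion": "2.9.14-r0",
                    "FixedVersion": "2.9.14-r1",
                    "Severity": "UNKNOWN",
                },
            ],
        },
    ]
})

# A finding with none of these populated is what Trivy could not look up.
DETAIL_FIELDS = ("Title", "Description", "PrimaryURL")


def has_details(vuln):
    return any(vuln.get(field) for field in DETAIL_FIELDS)


def find_detail_less(report_json):
    """Return one dict per finding lacking details, with the IDs of sibling
    findings on the same target that do carry details and are linked to it
    by a shared VendorIDs entry or by mentioning the ID in their Title."""
    report = json.loads(report_json)
    flagged = []
    for result in report.get("Results", []):
        vulns = result.get("Vulnerabilities") or []
        # Index findings by vendor advisory so shared RHSA/ALAS/etc. IDs are cheap to look up.
        by_vendor = defaultdict(list)
        for vuln in vulns:
            for vendor_id in vuln.get("VendorIDs", []):
                by_vendor[vendor_id].append(vuln)
        for vuln in vulns:
            if has_details(vuln):
                continue
            cve = vuln["VulnerabilityID"]
            siblings = set()
            for vendor_id in vuln.get("VendorIDs", []):
                for other in by_vendor[vendor_id]:
                    if other is not vuln and has_details(other):
                        siblings.add(other["VulnerabilityID"])
            for other in vulns:
                if other is not vuln and cve in other.get("Title", ""):
                    siblings.add(other["VulnerabilityID"])
            flagged.append({
                "Target": result.get("Target"),
                "VulnerabilityID": cve,
                "PkgName": vuln.get("PkgName"),
                "Severity": vuln.get("Severity"),
                "SiblingsWithDetails": sorted(siblings),
            })
    return flagged


if __name__ == "__main__":
    # Replace SAMPLE_REPORT with open("report.json").read() for a real scan.
    for entry in find_detail_less(SAMPLE_REPORT):
        print(json.dumps(entry))
```

A finding that comes back with siblings (here CVE-2021-20095 pointing at CVE-2021-42771) is most likely a rejected or merged CVE already covered by another line of the report; one with no siblings and UNKNOWN severity (the libxml2 case) is worth checking against the advisory source by hand, because the ID itself may be wrong upstream.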

Any news on this topic? :/

roDew avatar Oct 06 '22 12:10 roDew

Hello @roDew

We are still working on this issue. There are some problems with integrating changes into Trivy-db without creating a new schema for it.

Regards, Dmitriy

DmitriyLewen avatar Oct 07 '22 03:10 DmitriyLewen

One solution I've seen is to cram a json object into a text field, and use that to define new fields.

PenelopeFudd avatar Nov 15 '22 17:11 PenelopeFudd

This issue is stale because it has been labeled with inactivity.

github-actions[bot] avatar Mar 07 '23 00:03 github-actions[bot]

Hi, any updates on this issue? I am still receiving this error.

salmankhwaja avatar Jun 23 '23 11:06 salmankhwaja