This OS version is no longer supported by the distribution: debian bookworm/sid

Open perkael opened this issue 2 years ago • 1 comments

Description

Hi, for image scans of debian bookworm/sid (and other testing-phase images) it seems that Trivy can't retrieve any OS vulnerabilities. Is this the default behavior, or can it be configured?

We'd like to have the list of operating system vulnerabilities also for Test Phase Images.

This is the link to the Debian testing-phase security CVEs, which seem to be ignored completely: https://security-tracker.debian.org/tracker/status/release/testing

Thanks a lot!

Trivy image scan output

```
trivy image debian:bookworm-20220527

2022-09-06T10:07:43.189+0200 INFO Need to update DB
2022-09-06T10:07:43.189+0200 INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2022-09-06T10:07:43.189+0200 INFO Downloading DB...
33.85 MiB / 33.85 MiB [-------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 5.00 MiB p/s 7.0s
2022-09-06T10:07:51.574+0200 INFO Vulnerability scanning is enabled
2022-09-06T10:07:51.574+0200 INFO Secret scanning is enabled
2022-09-06T10:07:51.574+0200 INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-09-06T10:07:51.574+0200 INFO Please see also https://aquasecurity.github.io/trivy/v0.29.2/docs/secret/scanning/#recommendation for faster secret detection
2022-09-06T10:08:14.224+0200 INFO Detected OS: debian
2022-09-06T10:08:14.224+0200 WARN This OS version is not on the EOL list: debian bookworm/sid
2022-09-06T10:08:14.224+0200 INFO Detecting Debian vulnerabilities...
2022-09-06T10:08:14.224+0200 INFO Number of language-specific files: 0
2022-09-06T10:08:14.224+0200 WARN This OS version is no longer supported by the distribution: debian bookworm/sid
2022-09-06T10:08:14.224+0200 WARN The vulnerability detection may be insufficient because security updates are not provided

debian:bookworm-20220527 (debian bookworm/sid)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
```


## Output of `trivy -v`:

Version: 0.29.2
Vulnerability DB:
  Version: 2
  UpdatedAt: 2022-09-05 12:08:13.488349229 +0000 UTC
  NextUpdate: 2022-09-05 18:08:13.488348729 +0000 UTC
  DownloadedAt: 2022-09-05 12:26:26.557200578 +0000 UTC



perkael avatar Sep 05 '22 14:09 perkael

we're facing the same issue, any suggestion?

neothematrix avatar Sep 12 '22 08:09 neothematrix

I've a debian:bookworm image that fails the scan as well.

There is an open pull-request to address this: https://github.com/aquasecurity/trivy/pull/1764

heydonovan avatar Sep 25 '22 02:09 heydonovan

@heydonovan that's a different issue; that pull request tries to address the missing "fixed version" field for the detected vulnerabilities. Here the problem is that NO vulnerabilities are detected at all, which is kind of worse!

neothematrix avatar Sep 30 '22 07:09 neothematrix
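A pipeline gate that reads `Total: 0` as "clean" will pass the scan shown in this thread, so one mitigation is to classify such a run as inconclusive. The following is an added example, not code from the Trivy project or from any commenter; it matches only the WARN strings visible in the output above, and `classify_scan` and the sample text are constructed for illustration.

```python
import re

# WARN messages copied from the scan output in this issue; any of them means
# a zero-finding OS package result must not be read as "no vulnerabilities".
UNRELIABLE_WARNINGS = (
    "This OS version is not on the EOL list",
    "This OS version is no longer supported by the distribution",
    "The vulnerability detection may be insufficient",
)
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<level>INFO|WARN|ERROR|FATAL)\s+(?P<msg>.*)$")
TOTAL_LINE = re.compile(r"^Total:\s+(?P<total>\d+)\s+\(")


def classify_scan(output: str) -> dict:
    """Return verdict 'findings', 'clean' or 'inconclusive' for one scan."""
    warnings, total = [], None
    for raw in output.splitlines():
        line = raw.strip()
        log = LOG_LINE.match(line)
        if log and log["level"] == "WARN":
            if any(w in log["msg"] for w in UNRELIABLE_WARNINGS):
                warnings.append(log["msg"])
            continue
        summary = TOTAL_LINE.match(line)
        if summary:
            # Sum every result table (OS packages plus language files).
            total = (total or 0) + int(summary["total"])
    if total is None:
        verdict = "inconclusive"  # no result table was printed at all
    elif total > 0:
        verdict = "findings"
    elif warnings:
        verdict = "inconclusive"  # zero findings, but detection was degraded
    else:
        verdict = "clean"
    return {"verdict": verdict, "total": total, "warnings": warnings}


# Constructed sample: the relevant lines of the issue's output, one per line.
SAMPLE_BOOKWORM = """\
2022-09-06T10:08:14.224+0200 INFO Detected OS: debian
2022-09-06T10:08:14.224+0200 WARN This OS version is not on the EOL list: debian bookworm/sid
2022-09-06T10:08:14.224+0200 WARN This OS version is no longer supported by the distribution: debian bookworm/sid
2022-09-06T10:08:14.224+0200 WARN The vulnerability detection may be insufficient because security updates are not provided
debian:bookworm-20220527 (debian bookworm/sid)
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
"""
if __name__ == "__main__":
    print(classify_scan(SAMPLE_BOOKWORM))
```

Feed it the combined stdout and stderr of the scan; an "inconclusive" verdict should fail the gate or route the image to a different check rather than pass it.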

This issue is stale because it has been labeled with inactivity.

github-actions[bot] avatar Dec 01 '22 00:12 github-actions[bot]