Detect vulnerabilities of the main software in the image

[knqyf263]

Currently, Trivy detects vulnerabilities of packages installed by package manager such as yum and apt-get. But the main software in the image is usually installed by make install.

For example, redis binary in redis:5.0 is installed by make install. https://github.com/docker-library/redis/blob/d3a0f3d95ac768db44dbcb87ecf88cfc436581d5/5.0/Dockerfile#L64

Apach HTTP Server in httpd:2.4 is installed by make install. https://github.com/docker-library/httpd/blob/6c8e82e20ecefc94c616439f15d14c4bb215b200/2.4/Dockerfile#L131

The problem is that their versioning is different from the versioning of Linux distributions such as Debian and Red Hat. It means we need to use another vulnerability source to detect vulnerabilities. We probably can use NVD and CPE for the purpose, but it is not easy since we have to convert redis to cpe:2.3:a:redislabs:redis:*:*:*:*:*:*:*:*. For now, it looks difficult to convert it automatically and accurately. There are a lot of products out there with similar names.

[netrounds-fredrik]

How about allowing the user to manually provide a list of installed software, maybe as a complement to the list generated by the automatic detection? See proposal in https://github.com/aquasecurity/trivy/issues/293.

[Johannestegner]

This would be a very nice addition, either by just letting us place a formatted file somewhere inside the image in question or by just scanning it directly with Trivy.

Is there any work being done on a feature like this?

[Henrique-Potter]

I have a related issue that could be solved if Trivy could scan dynamic/static links on .so and .a files and imports from header files.

Is it possible?

[Johannestegner]

if Trivy could scan dynamic/static links on .so and .a files and imports from header files.

Not sure if it is possible, but if it is, that would be gold worth! :)

[macedogm]

@knqyf263 is this feature planned to be in Trivy's roadmap? This seems to be an important feature to have, at least IMO. I'm willing to help implement this in my free time if some guidance is provided.

[Urth]

Reading through some of the other tickets it appears binary scanning is part of a commercial license and there are no plans to merge this into the open source version.

I could not find a working solution with SBOM either so as a workaround we're toying with adding entries to the distro package database. The caveats are that the software should be available on the image source distribution, the versions should match distro versioning and the distro needs to publish security advisories for the package.

$ trivy image redis:7.2.4 -q --format json | jq -r '.Results[0].Vulnerabilities[] | select(.PkgName == "redis-server") | [.VulnerabilityID, .Title] | @tsv'

$ cat Dockerfile 
FROM redis:7.2.4

RUN echo "Package: redis-server\nStatus: install ok installed\nVersion: 5:7.2.4\nSource: redis\n\n" >> /var/lib/dpkg/status

$ docker build -t redis:7.2.4-dpkg-db . 
Sending build context to Docker daemon  2.631MB
Step 1/2 : FROM redis:7.2.4
 ---> 9b38108e295d
Step 2/2 : RUN echo "Package: redis-server\nStatus: install ok installed\nVersion: 5:7.2.4\nSource: redis\n\n" >> /var/lib/dpkg/status
 ---> Using cache
 ---> 812c82118fe7
Successfully built 812c82118fe7
Successfully tagged redis:7.2.4-dpkg-db

$ trivy image redis:7.2.4-dpkg-db -q --format json | jq -r '.Results[0].Vulnerabilities[] | select(.PkgName == "redis-server") | [.VulnerabilityID, .Title] | @tsv'
CVE-2024-46981  redis: Redis' Lua library commands may lead to remote code execution
CVE-2024-51741  redis: Redis allows denial-of-service due to malformed ACL selectors
CVE-2020-21468  redis: Segmentation fault in the redis-server component
CVE-2022-3647   redis: crash in sigsegvHandler debug function

[kovacs-levent]

It won’t be implemented. I already tried one time, and it was rejected due to this feature being supported in the “commercial version”, not in the open source version: https://github.com/aquasecurity/trivy/pull/6524

[nabokihms]

These are sad news. Basically, it makes Trivy unreliable. Now I know for sure that part of my images are ignored and not scanned.

1. I tried trivy standalone, and it does not include binary info in SBOM.
2. I tried syft + trivy sbom, and syft collects SBOM correctly, but it completely ignores binaries in SBOM.
3. Finally, I tried syft + grype, and this works perfectly.

 ✔ Vulnerability DB                [updated]  ━━━━━━━━━  [hashing]    B]   te]
 ✔ Scanned for vulnerabilities     [12 vulnerability matches]  nerability matches]
   ├── by severity: 0 critical, 1 high, 11 medium, 0 low, 0 negligible
NAME   INSTALLED  FIXED IN        TYPE    VULNERABILITY   SEVERITY  EPSS           RISK
nginx  1.25.5     1.26.1          binary  CVE-2024-34161  Medium    0.9% (75th)    0.5
nginx  1.25.5     1.26.3, 1.27.4  binary  CVE-2025-23419  Medium    0.5% (65th)    0.2
nginx  1.25.5     1.26.1          binary  CVE-2024-31079  Medium    0.5% (64th)    0.2
nginx  1.25.5     1.26.1          binary  CVE-2024-35200  Medium    0.4% (62nd)    0.2
nginx  1.25.5     1.26.1          binary  CVE-2024-32760  Medium    0.2% (43rd)    0.1
nginx  1.25.5     1.26.2, 1.27.1  binary  CVE-2024-7347   Medium    0.2% (41st)    < 0.1
curl   8.12.1     8.16.0          binary  CVE-2025-9086   High      < 0.1% (22nd)  < 0.1
nginx  1.25.5     1.29.1          binary  CVE-2025-53859  Medium    0.1% (28th)    < 0.1
curl   8.12.1     8.16.0          binary  CVE-2025-10148  Medium    < 0.1% (10th)  < 0.1
curl   8.12.1     8.16.0          binary  CVE-2025-10966  Medium    < 0.1% (6th)   < 0.1
curl   8.12.1     8.14.0          binary  CVE-2025-4947   Medium    < 0.1% (2nd)   < 0.1
curl   8.12.1     8.14.0          binary  CVE-2025-5025   Medium    < 0.1% (3rd)   < 0.1