bug(os): Trivy detects CentOS Stream as CentOS
Description
Trivy checks CentOS version from two files:
- etc/centos-release file
- etc/os-release
Trivy doesn't detect OS from centos-release file.
But CentOS Stream uses CentOS ID in os-release file:
```
bash-5.1# cat /etc/centos-release
CentOS Stream release 9
bash-5.1# cat etc/os-release
NAME="CentOS Stream"
VERSION="9"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="9"
...
```
That is why Trivy detects CentOS Stream as CentOS.
Solutions
- check version: if version <= 8 - CentOS, if version >= 9 - CentOS Stream (8 is the latest CentOS version - https://www.redhat.com/en/topics/linux/centos-linux-eol#why-is-it-going-away)
- check `NAME` field from `/etc/os-release`. We will be able to detect CentOS Stream and simply report that it's an unsupported OS for vulnerability detection (the same way we do for Fedora).
- Alternative way - Red Hat and the CentOS team stopped supporting the CentOS OSes - https://www.redhat.com/en/topics/linux/centos-linux-eol#why-is-it-going-away. So we don't need to worry that the `centos-release` file will be removed/updated, and can scan only this file and not detect CentOS from the os-release file.
  - ✅ Pros: simple to implement
  - ❌ Cons: CentOS Stream will not be detected at all
Discussed in https://github.com/aquasecurity/trivy/discussions/9894
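To make the proposed solutions concrete, here is an added Go example (not Trivy's own code; Trivy's real OS analyzers live in its `pkg/fanal` tree and are not reproduced here). It parses an `os-release` block and a `centos-release` one-liner and applies the rules from the description: the `NAME` check (solution 2), the "version >= 9 can only be Stream" rule (solution 1), and a `centos-release`-only path (solution 3). The sample inputs are constructed; only the Stream 9 block mirrors the `os-release` quoted above. The `NAME` check also covers CentOS Stream 8, which shares `VERSION_ID="8"` with CentOS Linux 8 and therefore cannot be told apart by the version rule alone.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Classification a scanner would act on. Stream is treated like Fedora:
// detected, but reported as unsupported for vulnerability detection.
const (
	FamilyCentOS       = "centos"
	FamilyCentOSStream = "centos-stream"
	FamilyUnknown      = "unknown"
)

// OSInfo is the classification result.
type OSInfo struct {
	Family  string
	Version string
}

// Constructed sample inputs (hypothetical; the Stream 9 block mirrors the
// os-release quoted in the issue, the others are made up for this example).
const (
	osReleaseStream9 = "NAME=\"CentOS Stream\"\nVERSION=\"9\"\nID=\"centos\"\nID_LIKE=\"rhel fedora\"\nVERSION_ID=\"9\"\n"
	osReleaseStream8 = "NAME=\"CentOS Stream\"\nVERSION=\"8\"\nID=\"centos\"\nVERSION_ID=\"8\"\n"
	osReleaseCentOS8 = "NAME=\"CentOS Linux\"\nVERSION=\"8\"\nID=\"centos\"\nID_LIKE=\"rhel fedora\"\nVERSION_ID=\"8\"\n"

	centosReleaseStream9 = "CentOS Stream release 9"
	centosReleaseCentOS7 = "CentOS Linux release 7.9.2009 (Core)"
)

// parseOSRelease turns os-release KEY=VALUE lines into a map, stripping
// surrounding quotes and skipping blanks and comments.
func parseOSRelease(content string) map[string]string {
	kv := make(map[string]string)
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		k, v, ok := strings.Cut(line, "=")
		if !ok {
			continue
		}
		kv[strings.TrimSpace(k)] = strings.Trim(strings.TrimSpace(v), `"'`)
	}
	return kv
}

// majorVersion extracts the leading integer of a VERSION_ID such as "9" or "8.5".
func majorVersion(v string) (int, bool) {
	first, _, _ := strings.Cut(v, ".")
	n, err := strconv.Atoi(strings.TrimSpace(first))
	return n, err == nil
}

// classifyFromOSRelease applies solutions 1 and 2 to an os-release body.
func classifyFromOSRelease(content string) OSInfo {
	kv := parseOSRelease(content)
	ver := kv["VERSION_ID"]
	if kv["ID"] != "centos" {
		return OSInfo{Family: FamilyUnknown, Version: ver}
	}
	// Solution 2: NAME says Stream explicitly (also catches Stream 8).
	if strings.Contains(kv["NAME"], "Stream") {
		return OSInfo{Family: FamilyCentOSStream, Version: ver}
	}
	// Solution 1: CentOS Linux ended at 8, so ID=centos with 9+ can only be Stream.
	if major, ok := majorVersion(ver); ok && major >= 9 {
		return OSInfo{Family: FamilyCentOSStream, Version: ver}
	}
	return OSInfo{Family: FamilyCentOS, Version: ver}
}

// classifyFromCentOSRelease applies solution 3: trust only the centos-release one-liner.
func classifyFromCentOSRelease(line string) OSInfo {
	line = strings.TrimSpace(line)
	fields := strings.Fields(line)
	ver := ""
	for i, f := range fields {
		if f == "release" && i+1 < len(fields) {
			ver = fields[i+1] // token after "release", e.g. "9" or "7.9.2009"
		}
	}
	switch {
	case strings.HasPrefix(line, "CentOS Stream"):
		return OSInfo{Family: FamilyCentOSStream, Version: ver}
	case strings.HasPrefix(line, "CentOS"):
		return OSInfo{Family: FamilyCentOS, Version: ver}
	}
	return OSInfo{Family: FamilyUnknown, Version: ver}
}

func main() {
	for name, body := range map[string]string{"stream9": osReleaseStream9, "stream8": osReleaseStream8, "centos8": osReleaseCentOS8} {
		fmt.Printf("os-release %-8s -> %+v\n", name, classifyFromOSRelease(body))
	}
	fmt.Printf("centos-release -> %+v\n", classifyFromCentOSRelease(centosReleaseStream9))
	fmt.Printf("centos-release -> %+v\n", classifyFromCentOSRelease(centosReleaseCentOS7))
}
```

Combining both parsers is the defensive choice: `centos-release` alone misses Stream when that file is absent or rewritten, while `os-release` alone mislabels Stream 8 unless the `NAME` field is consulted.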
```
[root@localhost ci-tools]# cat /etc/os-release
NAME="CentOS Stream"
VERSION="10 (Coughlan)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="10"
PLATFORM_ID="platform:el10"
PRETTY_NAME="CentOS Stream 10 (Coughlan)"
ANSI_COLOR="0;31"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:centos:centos:10"
HOME_URL="https://centos.org/"
VENDOR_NAME="CentOS"
VENDOR_URL="https://centos.org/"
BUG_REPORT_URL="https://issues.redhat.com/"
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux 10"
REDHAT_SUPPORT_PRODUCT_VERSION="CentOS Stream"
```
@DmitriyLewen
A third solution, which is more like your first one:
CentOS will always be CentOS Stream starting from EL 9. There is only CentOS 9 which had a Stream and a Non-Stream version. CentOS Non-Stream <=> RHEL. Red Hat will never bring back Non-Stream CentOS versions.
@xrow yeah - this is also a solution. Added in Description. Thanks!
Hi @DmitriyLewen, I would like to work on it. Could you please assign it to me?
I noticed this issue. Have you tried checking the error logs or console output? That might help narrow down the root cause. I'd be happy to help investigate if you can share more details about your environment (OS, version, etc.).
@tysoncung it is real easy to replicate see https://github.com/aquasecurity/trivy/discussions/9894