Intermittent missing vulnerabilities from Trivy 0.55.0 #7585

mix4242 · 2024-09-24T10:47:55Z

mix4242
Sep 24, 2024

Description

Hi all,

First time posting here, so let me just say thank you for Trivy. It's a great scanner and it's been great using it so far.

Unfortunately, over past month or so, we've started running into an intermittent issue, where Trivy reports 0 vulnerabilities, even though the image has many known vulnerabilities, and the same scan night before worked fine, as does a subsequent scan in the following morning.

The command we use is trivy image --scanners vuln -f json -d <IMAGE_NAME_WITH_SHA>

I attach debug & json outputs that we normally parse & process, from failure during nightly run and success the following morning.

Please can anyone help in resolving this, or suggest how I can debug the problem further?

More info

Apt-installed Trivy is called from a Node wrapper script, which takes the JSON output, parses & processes it, and alerts on new fixable vulnerabilities.
The script runs nightly, at 1am GMT
Script runs inside a container, based on a slim Node 20 base image, which is based on Debian 12. Container runs within a k8s cluster, GKE to be specific
In Trivy output when 0 vulnerabilities are found, DEBUG output does not contain any warnings, errors etc. It is very unclear as to why it suddenly fails to find vulnerabilities
Actions:
- I have updated Trivy to 0.55.2 and re-deployed
- I have added a call to trivy clean --all after 0 vulnerabilities are discovered, and a immediate re-scan, will need to wait for another failure to get result from this

Desired Behavior

When I rerun the scan command trivy image --scanners vuln -f json -d <IMAGE_NAME_WITH_SHA> in the morning following the issue occurring, I get correct output i.e. vulnerabilities found

Actual Behavior

The scan from the command trivy image --scanners vuln -f json -d <IMAGE_NAME_WITH_SHA> finds no vulnerabilities

See the 'Debug Output' below for debug output of trivy.

The Trivy JSON scan result is:

Trivy JSON scan result

{
  "SchemaVersion": 2,
  "CreatedAt": "2024-09-24T01:11:12.992959047Z",
  "ArtifactName": "docker.solidatus.com/supported/solidatus@sha256:b9f1b901d8d964de768349255f4d0a598cf5af58863a93d256eff533cf21f66d",
  "ArtifactType": "container_image",
  "Metadata": {
    "OS": {
      "Family": "debian",
      "Name": "11.11"
    },
    "ImageID": "sha256:31d909d13012297366f48bd9c6cc7ea3808c34cbc28f0e0b53894143ca11ae6c",
    "DiffIDs": [
      "sha256:6d190562115fea8651d83aeb5fe522b8ad03887859fbdb70f53d26fa26a1ed9e",
      "sha256:ee626944e28771336396bc15b18f6deeaa463a22eb5122b3eef7fef56e3cfe00",
      "sha256:3de8a9ea117aad2537c1ff9f9660e5c1f40710943c36565e5b6f9008279dfad4",
      "sha256:fcbfc0c626a40fa00aa8d7a1f58bcf54aa6d1d37f18a5d990567c03335e9cf70",
      "sha256:ba1efe64dd383a7376c384a423bf03c95a1f5bf6da92ccaa5b54f0343be1951d",
      "sha256:0ef111120cb0744e76129ab20f9be9d2dcf282a994b449b3ef9aee043f8e1ab6",
      "sha256:d9f5b9d5d4c8798fd2c1923ece7ff1ed0c2bed0097df3b4fe3129f7cf6ef46c4",
      "sha256:6de24070149596ee8a22ccdc68602abd004708ccb7cb23bb7b3c0984412c624f",
      "sha256:56e9720fc9e140c66d4733b1d3b17ac9970b45a9db8b92cbdbe72cb052ab70bb",
      "sha256:04d85239818430d4cce2ebe1ba2551aa2fe3ec9a7c34d2ef0d0c383f5b14d9a7",
      "sha256:b4576958566b019d24b86e111391fd87ed9aebdaf8de3c70cbc4c5b01016d237",
      "sha256:72504d1b0b539c5d34b6b5d201fb28fd61911b878d0451779230944b61514af1",
      "sha256:a658812877400928cb6537c66b2af6227c0a997355f227d829d14970f54f9b3b",
      "sha256:6fa7e99466ba31e761103dda44fc4b6a59bd2e25aab3e1abd464322e11aa920a",
      "sha256:9de253ae3993909f373786b2c5b26e4408ee11ade720950412ba14d19632aa08",
      "sha256:660e122082bce7466c047db19da4a7c148d686d96f8244c0c5ca4f69256c0b7a",
      "sha256:7da0dd26f893dc5254aec1db01db90625487d74221b4732a7cd22138d1188da4",
      "sha256:8f2a64922666d8d0418d8cd238a17b73f20b7cf44b73d7bbdc48de272fd11440"
    ],
    "RepoDigests": [
      "docker.solidatus.com/supported/solidatus@sha256:b9f1b901d8d964de768349255f4d0a598cf5af58863a93d256eff533cf21f66d"
    ],
    "ImageConfig": {
      "architecture": "amd64",
      "created": "2024-09-10T16:35:03.274274981Z",
      "history": [
        {
          "created": "2024-09-04T22:31:09.517375516Z",
          "created_by": "/bin/sh -c #(nop) ADD file:1b8ac8ec2b2cbdfc9682f076e7e579579d6df6235ed23b2e63f8eec671c52e92 in / "
        },
        {
          "created": "2024-09-04T22:31:09.829566517Z",
          "created_by": "/bin/sh -c #(nop)  CMD [\"bash\"]",
          "empty_layer": true
        },
        {
          "created": "2024-09-05T00:31:14.58654305Z",
          "created_by": "ENV ASPNETCORE_URLS=http://+:80 DOTNET_RUNNING_IN_CONTAINER=true",
          "comment": "buildkit.dockerfile.v0",
          "empty_layer": true
        },
        {
          "created": "2024-09-05T00:31:14.58654305Z",
          "created_by": "RUN /bin/sh -c apt-get update     \u0026\u0026 apt-get install -y --no-install-recommends         ca-certificates                 libc6         libgcc1         libgssapi-krb5-2         libicu67         libssl1.1         libstdc++6         zlib1g     \u0026\u0026 rm -rf /var/lib/apt/lists/* # buildkit",
          "comment": "buildkit.dockerfile.v0"
        },
        {
          "created": "2024-09-05T00:31:21.193042949Z",
          "created_by": "ENV DOTNET_VERSION=6.0.33",
          "comment": "buildkit.dockerfile.v0",
          "empty_layer": true
        },
        {
          "created": "2024-09-05T00:31:21.193042949Z",
          "created_by": "COPY /dotnet /usr/share/dotnet # buildkit",
          "comment": "buildkit.dockerfile.v0"
        },
        {
          "created": "2024-09-05T00:31:22.447545469Z",
          "created_by": "RUN /bin/sh -c ln -s /usr/share/dotnet/dotnet /usr/bin/dotnet # buildkit",
          "comment": "buildkit.dockerfile.v0"
        },
        {
          "created": "2024-09-05T00:31:28.383782624Z",
          "created_by": "ENV ASPNET_VERSION=6.0.33",
          "comment": "buildkit.dockerfile.v0",
          "empty_layer": true
        },
        {
          "created": "2024-09-05T00:31:28.383782624Z",
          "created_by": "COPY /shared/Microsoft.AspNetCore.App /usr/share/dotnet/shared/Microsoft.AspNetCore.App # buildkit",
          "comment": "buildkit.dockerfile.v0"
        },
        {
          "created": "2024-09-10T02:52:34.455347532Z",
          "created_by": "LABEL author=Solidatus",
          "comment": "buildkit.dockerfile.v0",
          "empty_layer": true
        },
        {
          "created": "2024-09-10T02:52:34.455347532Z",
          "created_by": "RUN /bin/sh -c groupadd -g 3737 solidatus # buildkit",
          "comment": "buildkit.dockerfile.v0"
        },
        {
          "created": "2024-09-10T02:52:34.755971519Z",
          "created_by": "RUN /bin/sh -c useradd -r -g 3737 -u 3737 -m solidatus # buildkit",
          "comment": "buildkit.dockerfile.v0"
        },
        {
          "created": "2024-09-10T16:34:52.089277516Z",
          "created_by": "RUN /bin/sh -c echo \"Created by Solidatus on `date` version 6.1.3-prod744\" \u003e /etc/vendor_security_label.txt # buildkit",
          "comment": "buildkit.dockerfile.v0"
        },
        {
          "created": "2024-09-10T16:34:52.676452841Z",
          "created_by": "RUN /bin/sh -c echo \"Solidatus strives to produce safe \u0026 secure software and to patch vulnerabilities in a timely manner. While we've worked hard to minimise the number of vulnerabilities present in this image, some may be unavoidable due to lack of fixes being available.\" \u003e\u003e /etc/vendor_security_label.txt # buildkit",
          "comment": "buildkit.dockerfile.v0"
        },
        {
          "created": "2024-09-10T16:34:53.24809791Z",
          "created_by": "RUN /bin/sh -c echo \"Each image is scanned and a vulnerability report is produced, where any fixable-but-unaddressed vulnerabilities are risk assessed.\" \u003e\u003e /etc/vendor_security_label.txt # buildkit",
          "comment": "buildkit.dockerfile.v0"
        },
        {
          "created": "2024-09-10T16:34:53.696335025Z",
          "created_by": "RUN /bin/sh -c echo \"Only builds with acceptable risk levels are released. Please reach out to obtain the vulnerability report for this image or to find out our vulnerability fix SLAs.\" \u003e\u003e /etc/vendor_security_label.txt # buildkit",
          "comment": "buildkit.dockerfile.v0"
        },
        {
          "created": "2024-09-10T16:34:54.140154154Z",
          "created_by": "RUN /bin/sh -c echo $BUILD_VCS_NUMBER \u003e /etc/commit_hash.txt # buildkit",
          "comment": "buildkit.dockerfile.v0"
        },
        {
          "created": "2024-09-10T16:34:54.149386857Z",
          "created_by": "WORKDIR /app",
          "comment": "buildkit.dockerfile.v0"
        },
        {
          "created": "2024-09-10T16:34:56.101785914Z",
          "created_by": "COPY /Solidatus . # buildkit",
          "comment": "buildkit.dockerfile.v0"
        },
        {
          "created": "2024-09-10T16:34:56.483315413Z",
          "created_by": "RUN /bin/sh -c mkdir /app/backups # buildkit",
          "comment": "buildkit.dockerfile.v0"
        },
        {
          "created": "2024-09-10T16:34:56.902161133Z",
          "created_by": "RUN /bin/sh -c mkdir /app/logs # buildkit",
          "comment": "buildkit.dockerfile.v0"
        },
        {
          "created": "2024-09-10T16:35:00.126166092Z",
          "created_by": "RUN /bin/sh -c chown -R 3737:3737 /app # buildkit",
          "comment": "buildkit.dockerfile.v0"
        },
        {
          "created": "2024-09-10T16:35:03.274274981Z",
          "created_by": "RUN /bin/sh -c chmod -R g=u /app # buildkit",
          "comment": "buildkit.dockerfile.v0"
        },
        {
          "created": "2024-09-10T16:35:03.274274981Z",
          "created_by": "USER solidatus",
          "comment": "buildkit.dockerfile.v0",
          "empty_layer": true
        },
        {
          "created": "2024-09-10T16:35:03.274274981Z",
          "created_by": "ENV ASPNETCORE_URLS=http://+:8080",
          "comment": "buildkit.dockerfile.v0",
          "empty_layer": true
        },
        {
          "created": "2024-09-10T16:35:03.274274981Z",
          "created_by": "EXPOSE map[8080/tcp:{}]",
          "comment": "buildkit.dockerfile.v0",
          "empty_layer": true
        },
        {
          "created": "2024-09-10T16:35:03.274274981Z",
          "created_by": "ENTRYPOINT [\"dotnet\" \"Solidatus.Web.dll\"]",
          "comment": "buildkit.dockerfile.v0",
          "empty_layer": true
        }
      ],
      "os": "linux",
      "rootfs": {
        "type": "layers",
        "diff_ids": [
          "sha256:6d190562115fea8651d83aeb5fe522b8ad03887859fbdb70f53d26fa26a1ed9e",
          "sha256:ee626944e28771336396bc15b18f6deeaa463a22eb5122b3eef7fef56e3cfe00",
          "sha256:3de8a9ea117aad2537c1ff9f9660e5c1f40710943c36565e5b6f9008279dfad4",
          "sha256:fcbfc0c626a40fa00aa8d7a1f58bcf54aa6d1d37f18a5d990567c03335e9cf70",
          "sha256:ba1efe64dd383a7376c384a423bf03c95a1f5bf6da92ccaa5b54f0343be1951d",
          "sha256:0ef111120cb0744e76129ab20f9be9d2dcf282a994b449b3ef9aee043f8e1ab6",
          "sha256:d9f5b9d5d4c8798fd2c1923ece7ff1ed0c2bed0097df3b4fe3129f7cf6ef46c4",
          "sha256:6de24070149596ee8a22ccdc68602abd004708ccb7cb23bb7b3c0984412c624f",
          "sha256:56e9720fc9e140c66d4733b1d3b17ac9970b45a9db8b92cbdbe72cb052ab70bb",
          "sha256:04d85239818430d4cce2ebe1ba2551aa2fe3ec9a7c34d2ef0d0c383f5b14d9a7",
          "sha256:b4576958566b019d24b86e111391fd87ed9aebdaf8de3c70cbc4c5b01016d237",
          "sha256:72504d1b0b539c5d34b6b5d201fb28fd61911b878d0451779230944b61514af1",
          "sha256:a658812877400928cb6537c66b2af6227c0a997355f227d829d14970f54f9b3b",
          "sha256:6fa7e99466ba31e761103dda44fc4b6a59bd2e25aab3e1abd464322e11aa920a",
          "sha256:9de253ae3993909f373786b2c5b26e4408ee11ade720950412ba14d19632aa08",
          "sha256:660e122082bce7466c047db19da4a7c148d686d96f8244c0c5ca4f69256c0b7a",
          "sha256:7da0dd26f893dc5254aec1db01db90625487d74221b4732a7cd22138d1188da4",
          "sha256:8f2a64922666d8d0418d8cd238a17b73f20b7cf44b73d7bbdc48de272fd11440"
        ]
      },
      "config": {
        "Entrypoint": [
          "dotnet",
          "Solidatus.Web.dll"
        ],
        "Env": [
          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
          "ASPNETCORE_URLS=http://+:8080",
          "DOTNET_RUNNING_IN_CONTAINER=true",
          "DOTNET_VERSION=6.0.33",
          "ASPNET_VERSION=6.0.33"
        ],
        "Labels": {
          "author": "Solidatus"
        },
        "User": "solidatus",
        "WorkingDir": "/app",
        "ExposedPorts": {
          "8080/tcp": {}
        }
      }
    }
  },
  "Results": [
    {
      "Target": "docker.solidatus.com/supported/solidatus@sha256:b9f1b901d8d964de768349255f4d0a598cf5af58863a93d256eff533cf21f66d (debian 11.11)",
      "Class": "os-pkgs",
      "Type": "debian"
    },
    {
      "Target": "app/Solidatus.Web.deps.json",
      "Class": "lang-pkgs",
      "Type": "dotnet-core"
    },
    {
      "Target": "app/Sync/static/monstache/6.7.10+6/darwin-amd64/monstache",
      "Class": "lang-pkgs",
      "Type": "gobinary"
    },
    {
      "Target": "app/Sync/static/monstache/6.7.10+6/linux-amd64/monstache",
      "Class": "lang-pkgs",
      "Type": "gobinary"
    },
    {
      "Target": "app/Sync/static/monstache/6.7.10+6/windows-amd64/monstache.exe",
      "Class": "lang-pkgs",
      "Type": "gobinary"
    },
    {
      "Target": "usr/share/dotnet/shared/Microsoft.AspNetCore.App/6.0.33/Microsoft.AspNetCore.App.deps.json",
      "Class": "lang-pkgs",
      "Type": "dotnet-core"
    },
    {
      "Target": "usr/share/dotnet/shared/Microsoft.NETCore.App/6.0.33/Microsoft.NETCore.App.deps.json",
      "Class": "lang-pkgs",
      "Type": "dotnet-core"
    }
  ]
}

Reproduction Steps

This occurs intermittently, having occurred so on the 2nd, 9th & 24th of this month, September 2024.
Occurs during our nightly re-scans of around 5 images at ~1am.
The next morning, rescans work without issue.
Unable to reproduce on demand :(

Target

Container Image

Scanner

Vulnerability

Output Format

JSON

Mode

Standalone

Debug Output

2024-09-24T01:11:12Z	DEBUG	No plugins loaded
2024-09-24T01:11:12Z	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2024-09-24T01:11:12Z	DEBUG	Cache dir	dir="/root/.cache/trivy"
2024-09-24T01:11:12Z	DEBUG	Cache dir	dir="/root/.cache/trivy"
2024-09-24T01:11:12Z	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-09-24T01:11:12Z	DEBUG	Ignore statuses	statuses=[]
2024-09-24T01:11:12Z	DEBUG	DB update was skipped because the local DB is the latest
2024-09-24T01:11:12Z	DEBUG	DB info	schema=2 updated_at=2024-09-24T00:18:25.586046967Z next_update=2024-09-24T06:18:25.586046817Z downloaded_at=2024-09-24T01:05:23.91941952Z
2024-09-24T01:11:12Z	DEBUG	[pkg] Package types	types=[os library]
2024-09-24T01:11:12Z	DEBUG	[pkg] Package relationships	relationships=[unknown root direct indirect]
2024-09-24T01:11:12Z	INFO	[vuln] Vulnerability scanning is enabled
2024-09-24T01:11:12Z	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-09-24T01:11:12Z	DEBUG	Initializing scan cache...	type="fs"
2024-09-24T01:11:12Z	DEBUG	[image] Detected image ID	image_id="sha256:31d909d13012297366f48bd9c6cc7ea3808c34cbc28f0e0b53894143ca11ae6c"
2024-09-24T01:11:12Z	DEBUG	[image] Detected diff ID	diff_ids=[sha256:6d190562115fea8651d83aeb5fe522b8ad03887859fbdb70f53d26fa26a1ed9e sha256:ee626944e28771336396bc15b18f6deeaa463a22eb5122b3eef7fef56e3cfe00 sha256:3de8a9ea117aad2537c1ff9f9660e5c1f40710943c36565e5b6f9008279dfad4 sha256:fcbfc0c626a40fa00aa8d7a1f58bcf54aa6d1d37f18a5d990567c03335e9cf70 sha256:ba1efe64dd383a7376c384a423bf03c95a1f5bf6da92ccaa5b54f0343be1951d sha256:0ef111120cb0744e76129ab20f9be9d2dcf282a994b449b3ef9aee043f8e1ab6 sha256:d9f5b9d5d4c8798fd2c1923ece7ff1ed0c2bed0097df3b4fe3129f7cf6ef46c4 sha256:6de24070149596ee8a22ccdc68602abd004708ccb7cb23bb7b3c0984412c624f sha256:56e9720fc9e140c66d4733b1d3b17ac9970b45a9db8b92cbdbe72cb052ab70bb sha256:04d85239818430d4cce2ebe1ba2551aa2fe3ec9a7c34d2ef0d0c383f5b14d9a7 sha256:b4576958566b019d24b86e111391fd87ed9aebdaf8de3c70cbc4c5b01016d237 sha256:72504d1b0b539c5d34b6b5d201fb28fd61911b878d0451779230944b61514af1 sha256:a658812877400928cb6537c66b2af6227c0a997355f227d829d14970f54f9b3b sha256:6fa7e99466ba31e761103dda44fc4b6a59bd2e25aab3e1abd464322e11aa920a sha256:9de253ae3993909f373786b2c5b26e4408ee11ade720950412ba14d19632aa08 sha256:660e122082bce7466c047db19da4a7c148d686d96f8244c0c5ca4f69256c0b7a sha256:7da0dd26f893dc5254aec1db01db90625487d74221b4732a7cd22138d1188da4 sha256:8f2a64922666d8d0418d8cd238a17b73f20b7cf44b73d7bbdc48de272fd11440]
2024-09-24T01:11:12Z	DEBUG	[image] Detected base layers	diff_ids=[sha256:6d190562115fea8651d83aeb5fe522b8ad03887859fbdb70f53d26fa26a1ed9e]
2024-09-24T01:11:12Z	INFO	Detected OS	family="debian" version="11.11"
2024-09-24T01:11:12Z	INFO	[debian] Detecting vulnerabilities...	os_version="11" pkg_num=99
2024-09-24T01:11:12Z	INFO	Number of language-specific files	num=6
2024-09-24T01:11:12Z	INFO	[dotnet-core] Detecting vulnerabilities...
2024-09-24T01:11:12Z	DEBUG	[dotnet-core] Scanning packages for vulnerabilities	file_path="usr/share/dotnet/shared/Microsoft.NETCore.App/6.0.33/Microsoft.NETCore.App.deps.json"
2024-09-24T01:11:12Z	DEBUG	[dotnet-core] Scanning packages for vulnerabilities	file_path="usr/share/dotnet/shared/Microsoft.AspNetCore.App/6.0.33/Microsoft.AspNetCore.App.deps.json"
2024-09-24T01:11:12Z	INFO	[gobinary] Detecting vulnerabilities...
2024-09-24T01:11:12Z	DEBUG	[gobinary] Scanning packages for vulnerabilities	file_path="app/Sync/static/monstache/6.7.10+6/darwin-amd64/monstache"
2024-09-24T01:11:12Z	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="github.com/rwynn/monstache/v6"
2024-09-24T01:11:12Z	DEBUG	[gobinary] Scanning packages for vulnerabilities	file_path="app/Sync/static/monstache/6.7.10+6/linux-amd64/monstache"
2024-09-24T01:11:12Z	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="github.com/rwynn/monstache/v6"
2024-09-24T01:11:12Z	DEBUG	[gobinary] Scanning packages for vulnerabilities	file_path="app/Sync/static/monstache/6.7.10+6/windows-amd64/monstache.exe"
2024-09-24T01:11:12Z	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="github.com/rwynn/monstache/v6"
2024-09-24T01:11:12Z	DEBUG	[dotnet-core] Scanning packages for vulnerabilities	file_path="app/Solidatus.Web.deps.json"
2024-09-24T01:11:12Z	DEBUG	[vex] VEX filtering is disabled

Operating System

Debian GNU/Linux 12 (bookworm) (in container on k8s)

Version

Version: 0.55.0

Checklist

Run trivy clean --all
Read the troubleshooting

mix4242 · 2024-09-24T10:51:46Z

mix4242
Sep 24, 2024
Author

Supplementing 'Desired Behavior' section as was getting character limit:

When I rerun the scan command trivy image --scanners vuln -f json -d <IMAGE_NAME_WITH_SHA> in the morning following the issue occurring, I get correct output i.e. vulnerabilities found:

Trivy debug output

2024-09-24T07:25:28Z	DEBUG	No plugins loaded
2024-09-24T07:25:28Z	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2024-09-24T07:25:28Z	DEBUG	Cache dir	dir="/root/.cache/trivy"
2024-09-24T07:25:28Z	DEBUG	Cache dir	dir="/root/.cache/trivy"
2024-09-24T07:25:28Z	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-09-24T07:25:28Z	DEBUG	Ignore statuses	statuses=[]
2024-09-24T07:25:28Z	DEBUG	DB update was skipped because the local DB is the latest
2024-09-24T07:25:28Z	DEBUG	DB info	schema=2 updated_at=2024-09-24T06:14:03.075540497Z next_update=2024-09-24T12:14:03.075540226Z downloaded_at=2024-09-24T07:22:07.827709835Z
2024-09-24T07:25:28Z	DEBUG	[pkg] Package types	types=[os library]
2024-09-24T07:25:28Z	DEBUG	[pkg] Package relationships	relationships=[unknown root direct indirect]
2024-09-24T07:25:28Z	INFO	[vuln] Vulnerability scanning is enabled
2024-09-24T07:25:28Z	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-09-24T07:25:28Z	DEBUG	Initializing scan cache...	type="fs"
2024-09-24T07:25:29Z	DEBUG	[image] Detected image ID	image_id="sha256:31d909d13012297366f48bd9c6cc7ea3808c34cbc28f0e0b53894143ca11ae6c"
2024-09-24T07:25:29Z	DEBUG	[image] Detected diff ID	diff_ids=[sha256:6d190562115fea8651d83aeb5fe522b8ad03887859fbdb70f53d26fa26a1ed9e sha256:ee626944e28771336396bc15b18f6deeaa463a22eb5122b3eef7fef56e3cfe00 sha256:3de8a9ea117aad2537c1ff9f9660e5c1f40710943c36565e5b6f9008279dfad4 sha256:fcbfc0c626a40fa00aa8d7a1f58bcf54aa6d1d37f18a5d990567c03335e9cf70 sha256:ba1efe64dd383a7376c384a423bf03c95a1f5bf6da92ccaa5b54f0343be1951d sha256:0ef111120cb0744e76129ab20f9be9d2dcf282a994b449b3ef9aee043f8e1ab6 sha256:d9f5b9d5d4c8798fd2c1923ece7ff1ed0c2bed0097df3b4fe3129f7cf6ef46c4 sha256:6de24070149596ee8a22ccdc68602abd004708ccb7cb23bb7b3c0984412c624f sha256:56e9720fc9e140c66d4733b1d3b17ac9970b45a9db8b92cbdbe72cb052ab70bb sha256:04d85239818430d4cce2ebe1ba2551aa2fe3ec9a7c34d2ef0d0c383f5b14d9a7 sha256:b4576958566b019d24b86e111391fd87ed9aebdaf8de3c70cbc4c5b01016d237 sha256:72504d1b0b539c5d34b6b5d201fb28fd61911b878d0451779230944b61514af1 sha256:a658812877400928cb6537c66b2af6227c0a997355f227d829d14970f54f9b3b sha256:6fa7e99466ba31e761103dda44fc4b6a59bd2e25aab3e1abd464322e11aa920a sha256:9de253ae3993909f373786b2c5b26e4408ee11ade720950412ba14d19632aa08 sha256:660e122082bce7466c047db19da4a7c148d686d96f8244c0c5ca4f69256c0b7a sha256:7da0dd26f893dc5254aec1db01db90625487d74221b4732a7cd22138d1188da4 sha256:8f2a64922666d8d0418d8cd238a17b73f20b7cf44b73d7bbdc48de272fd11440]
2024-09-24T07:25:29Z	DEBUG	[image] Detected base layers	diff_ids=[sha256:6d190562115fea8651d83aeb5fe522b8ad03887859fbdb70f53d26fa26a1ed9e]
2024-09-24T07:25:29Z	INFO	Detected OS	family="debian" version="11.11"
2024-09-24T07:25:29Z	INFO	[debian] Detecting vulnerabilities...	os_version="11" pkg_num=99
2024-09-24T07:25:29Z	INFO	Number of language-specific files	num=6
2024-09-24T07:25:29Z	INFO	[dotnet-core] Detecting vulnerabilities...
2024-09-24T07:25:29Z	DEBUG	[dotnet-core] Scanning packages for vulnerabilities	file_path="usr/share/dotnet/shared/Microsoft.NETCore.App/6.0.33/Microsoft.NETCore.App.deps.json"
2024-09-24T07:25:29Z	DEBUG	[dotnet-core] Scanning packages for vulnerabilities	file_path="usr/share/dotnet/shared/Microsoft.AspNetCore.App/6.0.33/Microsoft.AspNetCore.App.deps.json"
2024-09-24T07:25:29Z	DEBUG	[dotnet-core] Scanning packages for vulnerabilities	file_path="app/Solidatus.Web.deps.json"
2024-09-24T07:25:29Z	INFO	[gobinary] Detecting vulnerabilities...
2024-09-24T07:25:29Z	DEBUG	[gobinary] Scanning packages for vulnerabilities	file_path="app/Sync/static/monstache/6.7.10+6/darwin-amd64/monstache"
2024-09-24T07:25:29Z	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="github.com/rwynn/monstache/v6"
2024-09-24T07:25:29Z	DEBUG	[gobinary] Scanning packages for vulnerabilities	file_path="app/Sync/static/monstache/6.7.10+6/linux-amd64/monstache"
2024-09-24T07:25:29Z	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="github.com/rwynn/monstache/v6"
2024-09-24T07:25:29Z	DEBUG	[gobinary] Scanning packages for vulnerabilities	file_path="app/Sync/static/monstache/6.7.10+6/windows-amd64/monstache.exe"
2024-09-24T07:25:29Z	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="github.com/rwynn/monstache/v6"
2024-09-24T07:25:29Z	WARN	Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.55/docs/scanner/vulnerability#severity-selection for details.
2024-09-24T07:25:29Z	DEBUG	[vex] VEX filtering is disabled

Trivy JSON scan result

{
  "SchemaVersion": 2,
  "CreatedAt": "2024-09-24T07:25:29.208561686Z",
  "ArtifactName": "docker.solidatus.com/supported/solidatus@sha256:b9f1b901d8d964de768349255f4d0a598cf5af58863a93d256eff533cf21f66d",
  "ArtifactType": "container_image",
  "Metadata": {
    "OS": {
      "Family": "debian",
      "Name": "11.11"
    },
    "ImageID": "sha256:31d909d13012297366f48bd9c6cc7ea3808c34cbc28f0e0b53894143ca11ae6c",
    "DiffIDs": [
      "sha256:6d190562115fea8651d83aeb5fe522b8ad03887859fbdb70f53d26fa26a1ed9e",
      "sha256:ee626944e28771336396bc15b18f6deeaa463a22eb5122b3eef7fef56e3cfe00",
      "sha256:3de8a9ea117aad2537c1ff9f9660e5c1f40710943c36565e5b6f9008279dfad4",
      "sha256:fcbfc0c626a40fa00aa8d7a1f58bcf54aa6d1d37f18a5d990567c03335e9cf70",
      "sha256:ba1efe64dd383a7376c384a423bf03c95a1f5bf6da92ccaa5b54f0343be1951d",
      "sha256:0ef111120cb0744e76129ab20f9be9d2dcf282a994b449b3ef9aee043f8e1ab6",
      "sha256:d9f5b9d5d4c8798fd2c1923ece7ff1ed0c2bed0097df3b4fe3129f7cf6ef46c4",
      "sha256:6de24070149596ee8a22ccdc68602abd004708ccb7cb23bb7b3c0984412c624f",
      "sha256:56e9720fc9e140c66d4733b1d3b17ac9970b45a9db8b92cbdbe72cb052ab70bb",
      "sha256:04d85239818430d4cce2ebe1ba2551aa2fe3ec9a7c34d2ef0d0c383f5b14d9a7",
      "sha256:b4576958566b019d24b86e111391fd87ed9aebdaf8de3c70cbc4c5b01016d237",
      "sha256:72504d1b0b539c5d34b6b5d201fb28fd61911b878d0451779230944b61514af1",
      "sha256:a658812877400928cb6537c66b2af6227c0a997355f227d829d14970f54f9b3b",
      "sha256:6fa7e99466ba31e761103dda44fc4b6a59bd2e25aab3e1abd464322e11aa920a",
      "sha256:9de253ae3993909f373786b2c5b26e4408ee11ade720950412ba14d19632aa08",
      "sha256:660e122082bce7466c047db19da4a7c148d686d96f8244c0c5ca4f69256c0b7a",
      "sha256:7da0dd26f893dc5254aec1db01db90625487d74221b4732a7cd22138d1188da4",
      "sha256:8f2a64922666d8d0418d8cd238a17b73f20b7cf44b73d7bbdc48de272fd11440"
    ],
    "RepoDigests": [
      "docker.solidatus.com/supported/solidatus@sha256:b9f1b901d8d964de768349255f4d0a598cf5af58863a93d256eff533cf21f66d"
    ],
    "ImageConfig": {
      "architecture": "amd64",
      "created": "2024-09-10T16:35:03.274274981Z",
      "history": [
        {
          "created": "2024-09-04T22:31:09.517375516Z",
          "created_by": "/bin/sh -c #(nop) ADD file:1b8ac8ec2b2cbdfc9682f076e7e579579d6df6235ed23b2e63f8eec671c52e92 in / "
        },
        {
          "created": "2024-09-04T22:31:09.829566517Z",
          "created_by": "/bin/sh -c #(nop)  CMD [\"bash\"]",
          "empty_layer": true
        },
        {
          "created": "2024-09-05T00:31:14.58654305Z",
          "created_by": "ENV ASPNETCORE_URLS=http://+:80 DOTNET_RUNNING_IN_CONTAINER=true",
          "comment": "buildkit.dockerfile.v0",
          "empty_layer": true
        },
        {
          "created": "2024-09-05T00:31:14.58654305Z",
          "created_by": "RUN /bin/sh -c apt-get update     \u0026\u0026 apt-get install -y --no-install-recommends         ca-certificates                 libc6         libgcc1         libgssapi-krb5-2         libicu67         libssl1.1         libstdc++6         zlib1g     \u0026\u0026 rm -rf /var/lib/apt/lists/* # buildkit",
          "comment": "buildkit.dockerfile.v0"
        },
        {
          "created": "2024-09-05T00:31:21.193042949Z",
          "created_by": "ENV DOTNET_VERSION=6.0.33",
          "comment": "buildkit.dockerfile.v0",
          "empty_layer": true
        },
        {
          "created": "2024-09-05T00:31:21.193042949Z",
          "created_by": "COPY /dotnet /usr/share/dotnet # buildkit",
          "comment": "buildkit.dockerfile.v0"
        },
        {
          "created": "2024-09-05T00:31:22.447545469Z",
          "created_by": "RUN /bin/sh -c ln -s /usr/share/dotnet/dotnet /usr/bin/dotnet # buildkit",
          "comment": "buildkit.dockerfile.v0"
        },
        {
          "created": "2024-09-05T00:31:28.383782624Z",
          "created_by": "ENV ASPNET_VERSION=6.0.33",
          "comment": "buildkit.dockerfile.v0",
          "empty_layer": true
        },
        {
          "created": "2024-09-05T00:31:28.383782624Z",
          "created_by": "COPY /shared/Microsoft.AspNetCore.App /usr/share/dotnet/shared/Microsoft.AspNetCore.App # buildkit",
          "comment": "buildkit.dockerfile.v0"
        },
        {
          "created": "2024-09-10T02:52:34.455347532Z",
          "created_by": "LABEL author=Solidatus",
          "comment": "buildkit.dockerfile.v0",
          "empty_layer": true
        },
        {
          "created": "2024-09-10T02:52:34.455347532Z",
          "created_by": "RUN /bin/sh -c groupadd -g 3737 solidatus # buildkit",
          "comment": "buildkit.dockerfile.v0"
        },
        {
          "created": "2024-09-10T02:52:34.755971519Z",
          "created_by": "RUN /bin/sh -c useradd -r -g 3737 -u 3737 -m solidatus # buildkit",
          "comment": "buildkit.dockerfile.v0"
        },
        {
          "created": "2024-09-10T16:34:52.089277516Z",
          "created_by": "RUN /bin/sh -c echo \"Created by Solidatus on `date` version 6.1.3-prod744\" \u003e /etc/vendor_security_label.txt # buildkit",
          "comment": "buildkit.dockerfile.v0"
        },
        {
          "created": "2024-09-10T16:34:52.676452841Z",
          "created_by": "RUN /bin/sh -c echo \"Solidatus strives to produce safe \u0026 secure software and to patch vulnerabilities in a timely manner. While we've worked hard to minimise the number of vulnerabilities present in this image, some may be unavoidable due to lack of fixes being available.\" \u003e\u003e /etc/vendor_security_label.txt # buildkit",
          "comment": "buildkit.dockerfile.v0"
        },
        {
          "created": "2024-09-10T16:34:53.24809791Z",
          "created_by": "RUN /bin/sh -c echo \"Each image is scanned and a vulnerability report is produced, where any fixable-but-unaddressed vulnerabilities are risk assessed.\" \u003e\u003e /etc/vendor_security_label.txt # buildkit",
          "comment": "buildkit.dockerfile.v0"
        },
        {
          "created": "2024-09-10T16:34:53.696335025Z",
          "created_by": "RUN /bin/sh -c echo \"Only builds with acceptable risk levels are released. Please reach out to obtain the vulnerability report for this image or to find out our vulnerability fix SLAs.\" \u003e\u003e /etc/vendor_security_label.txt # buildkit",
          "comment": "buildkit.dockerfile.v0"
        },
        {
          "created": "2024-09-10T16:34:54.140154154Z",
          "created_by": "RUN /bin/sh -c echo $BUILD_VCS_NUMBER \u003e /etc/commit_hash.txt # buildkit",
          "comment": "buildkit.dockerfile.v0"
        },
        {
          "created": "2024-09-10T16:34:54.149386857Z",
          "created_by": "WORKDIR /app",
          "comment": "buildkit.dockerfile.v0"
        },
        {
          "created": "2024-09-10T16:34:56.101785914Z",
          "created_by": "COPY /Solidatus . # buildkit",
          "comment": "buildkit.dockerfile.v0"
        },
        {
          "created": "2024-09-10T16:34:56.483315413Z",
          "created_by": "RUN /bin/sh -c mkdir /app/backups # buildkit",
          "comment": "buildkit.dockerfile.v0"
        },
        {
          "created": "2024-09-10T16:34:56.902161133Z",
          "created_by": "RUN /bin/sh -c mkdir /app/logs # buildkit",
          "comment": "buildkit.dockerfile.v0"
        },
        {
          "created": "2024-09-10T16:35:00.126166092Z",
          "created_by": "RUN /bin/sh -c chown -R 3737:3737 /app # buildkit",
          "comment": "buildkit.dockerfile.v0"
        },
        {
          "created": "2024-09-10T16:35:03.274274981Z",
          "created_by": "RUN /bin/sh -c chmod -R g=u /app # buildkit",
          "comment": "buildkit.dockerfile.v0"
        },
        {
          "created": "2024-09-10T16:35:03.274274981Z",
          "created_by": "USER solidatus",
          "comment": "buildkit.dockerfile.v0",
          "empty_layer": true
        },
        {
          "created": "2024-09-10T16:35:03.274274981Z",
          "created_by": "ENV ASPNETCORE_URLS=http://+:8080",
          "comment": "buildkit.dockerfile.v0",
          "empty_layer": true
        },
        {
          "created": "2024-09-10T16:35:03.274274981Z",
          "created_by": "EXPOSE map[8080/tcp:{}]",
          "comment": "buildkit.dockerfile.v0",
          "empty_layer": true
        },
        {
          "created": "2024-09-10T16:35:03.274274981Z",
          "created_by": "ENTRYPOINT [\"dotnet\" \"Solidatus.Web.dll\"]",
          "comment": "buildkit.dockerfile.v0",
          "empty_layer": true
        }
      ],
      "os": "linux",
      "rootfs": {
        "type": "layers",
        "diff_ids": [
          "sha256:6d190562115fea8651d83aeb5fe522b8ad03887859fbdb70f53d26fa26a1ed9e",
          "sha256:ee626944e28771336396bc15b18f6deeaa463a22eb5122b3eef7fef56e3cfe00",
          "sha256:3de8a9ea117aad2537c1ff9f9660e5c1f40710943c36565e5b6f9008279dfad4",
          "sha256:fcbfc0c626a40fa00aa8d7a1f58bcf54aa6d1d37f18a5d990567c03335e9cf70",
          "sha256:ba1efe64dd383a7376c384a423bf03c95a1f5bf6da92ccaa5b54f0343be1951d",
          "sha256:0ef111120cb0744e76129ab20f9be9d2dcf282a994b449b3ef9aee043f8e1ab6",
          "sha256:d9f5b9d5d4c8798fd2c1923ece7ff1ed0c2bed0097df3b4fe3129f7cf6ef46c4",
          "sha256:6de24070149596ee8a22ccdc68602abd004708ccb7cb23bb7b3c0984412c624f",
          "sha256:56e9720fc9e140c66d4733b1d3b17ac9970b45a9db8b92cbdbe72cb052ab70bb",
          "sha256:04d85239818430d4cce2ebe1ba2551aa2fe3ec9a7c34d2ef0d0c383f5b14d9a7",
          "sha256:b4576958566b019d24b86e111391fd87ed9aebdaf8de3c70cbc4c5b01016d237",
          "sha256:72504d1b0b539c5d34b6b5d201fb28fd61911b878d0451779230944b61514af1",
          "sha256:a658812877400928cb6537c66b2af6227c0a997355f227d829d14970f54f9b3b",
          "sha256:6fa7e99466ba31e761103dda44fc4b6a59bd2e25aab3e1abd464322e11aa920a",
          "sha256:9de253ae3993909f373786b2c5b26e4408ee11ade720950412ba14d19632aa08",
          "sha256:660e122082bce7466c047db19da4a7c148d686d96f8244c0c5ca4f69256c0b7a",
          "sha256:7da0dd26f893dc5254aec1db01db90625487d74221b4732a7cd22138d1188da4",
          "sha256:8f2a64922666d8d0418d8cd238a17b73f20b7cf44b73d7bbdc48de272fd11440"
        ]
      },
      "config": {
        "Entrypoint": [
          "dotnet",
          "Solidatus.Web.dll"
        ],
        "Env": [
          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
          "ASPNETCORE_URLS=http://+:8080",
          "DOTNET_RUNNING_IN_CONTAINER=true",
          "DOTNET_VERSION=6.0.33",
          "ASPNET_VERSION=6.0.33"
        ],
        "Labels": {
          "author": "Solidatus"
        },
        "User": "solidatus",
        "WorkingDir": "/app",
        "ExposedPorts": {
          "8080/tcp": {}
        }
      }
    }
  },
  "Results": [
    {
      "Target": "docker.solidatus.com/supported/solidatus@sha256:b9f1b901d8d964de768349255f4d0a598cf5af58863a93d256eff533cf21f66d (debian 11.11)",
      "Class": "os-pkgs",
      "Type": "debian",
      "Vulnerabilities": [
        {
          "VulnerabilityID": "CVE-2011-3374",
          "PkgID": "apt@2.2.4",
          "PkgName": "apt",
          "PkgIdentifier": {
            "PURL": "pkg:deb/debian/apt@2.2.4?arch=amd64\u0026distro=debian-11.11",
            "UID": "e06458ca93cb111"
          },
          "InstalledVersion": "2.2.4",
          "Status": "affected",
          "Layer": {
            "Digest": "sha256:6533c3eba3f3cd4c840877f9245b26929fc8c22a39f42c872aa314c32c6d654b",
            "DiffID": "sha256:6d190562115fea8651d83aeb5fe522b8ad03887859fbdb70f53d26fa26a1ed9e"
          },
          "SeveritySource": "debian",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2011-3374",
          "DataSource": {
            "ID": "debian",
            "Name": "Debian Security Tracker",
            "URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
          },
          "Title": "It was found that apt-key in apt, all versions, do not correctly valid ...",
          "Description": "It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.",
          "Severity": "LOW",
          "CweIDs": [
            "CWE-347"
          ],
          "VendorSeverity": {
            "debian": 1,
            "nvd": 1
          },
          "CVSS": {
            "nvd": {
              "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
              "V2Score": 4.3,
              "V3Score": 3.7
            }
          },
          "References": [
            "https://access.redhat.com/security/cve/cve-2011-3374",
            "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642480",
            "https://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-3374.html",
            "https://seclists.org/fulldisclosure/2011/Sep/221",
            "https://security-tracker.debian.org/tracker/CVE-2011-3374",
            "https://snyk.io/vuln/SNYK-LINUX-APT-116518",
            "https://ubuntu.com/security/CVE-2011-3374"
          ],
          "PublishedDate": "2019-11-26T00:15:11.03Z",
          "LastModifiedDate": "2021-02-09T16:08:18.683Z"
        }, ...
      ]
    },
    {
      "Target": "app/Solidatus.Web.deps.json",
      "Class": "lang-pkgs",
      "Type": "dotnet-core",
      "Vulnerabilities": [
        {
          "VulnerabilityID": "CVE-2024-39694",
          "PkgID": "IdentityServer4/4.1.2",
          "PkgName": "IdentityServer4",
          "PkgIdentifier": {
            "PURL": "pkg:nuget/IdentityServer4@4.1.2",
            "UID": "ff328fa9fc8d4a58"
          },
          "InstalledVersion": "4.1.2",
          "Status": "affected",
          "Layer": {
            "Digest": "sha256:432fff1826a53373a2a789690fc8936ec361be3cc86af3526bddfc8ab029af6a",
            "DiffID": "sha256:6fa7e99466ba31e761103dda44fc4b6a59bd2e25aab3e1abd464322e11aa920a"
          },
          "SeveritySource": "ghsa",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-39694",
          "DataSource": {
            "ID": "ghsa",
            "Name": "GitHub Security Advisory NuGet",
            "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anuget"
          },
          "Title": "IdentityServer Open Redirect vulnerability",
          "Description": "Duende IdentityServer is an OpenID Connect and OAuth 2.x framework for ASP.NET Core. It is possible for an attacker to craft malicious Urls that certain functions in IdentityServer will incorrectly treat as local and trusted. If such a Url is returned as a redirect, some browsers will follow it to a third-party, untrusted site. Note: by itself, this vulnerability does **not** allow an attacker to obtain user credentials, authorization codes, access tokens, refresh tokens, or identity tokens. An attacker could however exploit this vulnerability as part of a phishing attack designed to steal user credentials. This vulnerability is fixed in 7.0.6, 6.3.10, 6.2.5, 6.1.8, and 6.0.5. Duende.IdentityServer 5.1 and earlier and all versions of IdentityServer4 are no longer supported and will not be receiving updates. If upgrading is not possible, use `IUrlHelper.IsLocalUrl` from ASP.NET Core to validate return Urls in user interface code in the IdentityServer host.",
          "Severity": "MEDIUM",
          "CweIDs": [
            "CWE-601"
          ],
          "VendorSeverity": {
            "ghsa": 2
          },
          "CVSS": {
            "ghsa": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N",
              "V3Score": 4.7
            }
          },
          "References": [
            "https://github.com/DuendeSoftware/IdentityServer",
            "https://github.com/DuendeSoftware/IdentityServer/commit/269ca2171fe1e901c87f2f0797bbc7c230db87c6",
            "https://github.com/DuendeSoftware/IdentityServer/commit/765116a2d4fb0671b6eba015e698533900c61c8e",
            "https://github.com/DuendeSoftware/IdentityServer/commit/d0d8eab35ad9183b14925496803ed8b36658d0a1",
            "https://github.com/DuendeSoftware/IdentityServer/commit/f04cf0be859b93f43563f8f812eb92206ad94011",
            "https://github.com/DuendeSoftware/IdentityServer/commit/fe817b499933d6ed6141b153492d7335c28b184a",
            "https://github.com/DuendeSoftware/IdentityServer/security/advisories/GHSA-ff4q-64jc-gx98",
            "https://github.com/IdentityServer/IdentityServer4/security/advisories/GHSA-55p7-v223-x366",
            "https://nvd.nist.gov/vuln/detail/CVE-2024-39694"
          ],
          "PublishedDate": "2024-07-31T16:15:04.207Z",
          "LastModifiedDate": "2024-08-01T12:42:36.933Z"
        }, ...
      ]
    },
    {
      "Target": "app/Sync/static/monstache/6.7.10+6/darwin-amd64/monstache",
      "Class": "lang-pkgs",
      "Type": "gobinary",
      "Vulnerabilities": [
        {
          "VulnerabilityID": "CVE-2024-34156",
          "PkgName": "stdlib",
          "PkgIdentifier": {
            "PURL": "pkg:golang/stdlib@1.21.11",
            "UID": "4e11ad97e70e3b2d"
          },
          "InstalledVersion": "1.21.11",
          "FixedVersion": "1.22.7, 1.23.1",
          "Status": "fixed",
          "Layer": {
            "Digest": "sha256:432fff1826a53373a2a789690fc8936ec361be3cc86af3526bddfc8ab029af6a",
            "DiffID": "sha256:6fa7e99466ba31e761103dda44fc4b6a59bd2e25aab3e1abd464322e11aa920a"
          },
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-34156",
          "DataSource": {
            "ID": "govulndb",
            "Name": "The Go Vulnerability Database",
            "URL": "https://pkg.go.dev/vuln/"
          },
          "Title": "encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion",
          "Description": "Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.",
          "Severity": "HIGH",
          "VendorSeverity": {
            "bitnami": 3,
            "oracle-oval": 3,
            "redhat": 3
          },
          "CVSS": {
            "bitnami": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "V3Score": 7.5
            },
            "redhat": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "V3Score": 7.5
            }
          },
          "References": [
            "https://access.redhat.com/security/cve/CVE-2024-34156",
            "https://go.dev/cl/611239",
            "https://go.dev/issue/69139",
            "https://groups.google.com/g/golang-dev/c/S9POB9NCTdk",
            "https://linux.oracle.com/cve/CVE-2024-34156.html",
            "https://linux.oracle.com/errata/ELSA-2024-6947.html",
            "https://nvd.nist.gov/vuln/detail/CVE-2024-34156",
            "https://pkg.go.dev/vuln/GO-2024-3106",
            "https://www.cve.org/CVERecord?id=CVE-2024-34156"
          ],
          "PublishedDate": "2024-09-06T21:15:12.02Z",
          "LastModifiedDate": "2024-09-09T15:35:07.573Z"
        }, ...
      ]
    },
    {
      "Target": "app/Sync/static/monstache/6.7.10+6/linux-amd64/monstache",
      "Class": "lang-pkgs",
      "Type": "gobinary",
      "Vulnerabilities": [
        {
          "VulnerabilityID": "CVE-2024-34156",
          "PkgName": "stdlib",
          "PkgIdentifier": {
            "PURL": "pkg:golang/stdlib@1.21.11",
            "UID": "f12dca74b108efa8"
          },
          "InstalledVersion": "1.21.11",
          "FixedVersion": "1.22.7, 1.23.1",
          "Status": "fixed",
          "Layer": {
            "Digest": "sha256:432fff1826a53373a2a789690fc8936ec361be3cc86af3526bddfc8ab029af6a",
            "DiffID": "sha256:6fa7e99466ba31e761103dda44fc4b6a59bd2e25aab3e1abd464322e11aa920a"
          },
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-34156",
          "DataSource": {
            "ID": "govulndb",
            "Name": "The Go Vulnerability Database",
            "URL": "https://pkg.go.dev/vuln/"
          },
          "Title": "encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion",
          "Description": "Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.",
          "Severity": "HIGH",
          "VendorSeverity": {
            "bitnami": 3,
            "oracle-oval": 3,
            "redhat": 3
          },
          "CVSS": {
            "bitnami": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "V3Score": 7.5
            },
            "redhat": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "V3Score": 7.5
            }
          },
          "References": [
            "https://access.redhat.com/security/cve/CVE-2024-34156",
            "https://go.dev/cl/611239",
            "https://go.dev/issue/69139",
            "https://groups.google.com/g/golang-dev/c/S9POB9NCTdk",
            "https://linux.oracle.com/cve/CVE-2024-34156.html",
            "https://linux.oracle.com/errata/ELSA-2024-6947.html",
            "https://nvd.nist.gov/vuln/detail/CVE-2024-34156",
            "https://pkg.go.dev/vuln/GO-2024-3106",
            "https://www.cve.org/CVERecord?id=CVE-2024-34156"
          ],
          "PublishedDate": "2024-09-06T21:15:12.02Z",
          "LastModifiedDate": "2024-09-09T15:35:07.573Z"
        }, ...
      ]
    },
    {
      "Target": "app/Sync/static/monstache/6.7.10+6/windows-amd64/monstache.exe",
      "Class": "lang-pkgs",
      "Type": "gobinary",
      "Vulnerabilities": [
        {
          "VulnerabilityID": "CVE-2024-34156",
          "PkgName": "stdlib",
          "PkgIdentifier": {
            "PURL": "pkg:golang/stdlib@1.21.11",
            "UID": "91d54b853ee513d6"
          },
          "InstalledVersion": "1.21.11",
          "FixedVersion": "1.22.7, 1.23.1",
          "Status": "fixed",
          "Layer": {
            "Digest": "sha256:432fff1826a53373a2a789690fc8936ec361be3cc86af3526bddfc8ab029af6a",
            "DiffID": "sha256:6fa7e99466ba31e761103dda44fc4b6a59bd2e25aab3e1abd464322e11aa920a"
          },
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-34156",
          "DataSource": {
            "ID": "govulndb",
            "Name": "The Go Vulnerability Database",
            "URL": "https://pkg.go.dev/vuln/"
          },
          "Title": "encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion",
          "Description": "Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.",
          "Severity": "HIGH",
          "VendorSeverity": {
            "bitnami": 3,
            "oracle-oval": 3,
            "redhat": 3
          },
          "CVSS": {
            "bitnami": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "V3Score": 7.5
            },
            "redhat": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "V3Score": 7.5
            }
          },
          "References": [
            "https://access.redhat.com/security/cve/CVE-2024-34156",
            "https://go.dev/cl/611239",
            "https://go.dev/issue/69139",
            "https://groups.google.com/g/golang-dev/c/S9POB9NCTdk",
            "https://linux.oracle.com/cve/CVE-2024-34156.html",
            "https://linux.oracle.com/errata/ELSA-2024-6947.html",
            "https://nvd.nist.gov/vuln/detail/CVE-2024-34156",
            "https://pkg.go.dev/vuln/GO-2024-3106",
            "https://www.cve.org/CVERecord?id=CVE-2024-34156"
          ],
          "PublishedDate": "2024-09-06T21:15:12.02Z",
          "LastModifiedDate": "2024-09-09T15:35:07.573Z"
        }, ...
      ]
    },
    {
      "Target": "usr/share/dotnet/shared/Microsoft.AspNetCore.App/6.0.33/Microsoft.AspNetCore.App.deps.json",
      "Class": "lang-pkgs",
      "Type": "dotnet-core"
    },
    {
      "Target": "usr/share/dotnet/shared/Microsoft.NETCore.App/6.0.33/Microsoft.NETCore.App.deps.json",
      "Class": "lang-pkgs",
      "Type": "dotnet-core"
    }
  ]
}

0 replies

DmitriyLewen · 2024-10-01T08:24:47Z

DmitriyLewen
Oct 1, 2024
Maintainer

hello @mix4242
This is very strange case.

Is it possible to catch both cases, but add the --list-all-packages flag to ensure that Trivy detects the packages correctly?

1 reply

mix4242 Oct 2, 2024
Author

Hi @DmitriyLewen :)

Thanks for the response. It is so strange!

I have added the recommended --list-all-pkgs flag & will reply with output when we run into the issue again.

mix4242 · 2024-11-12T07:25:23Z

mix4242
Nov 12, 2024
Author

I believe I have identified the cause of my problems to multiple Trivy processes running and scanning in parallel.

Bit of further background. The software I was working on is somewhat related to Harbor's Trivy adapter, in that it is also a Harbor adapter for vuln scanning and it also wraps Trivy. The differences are that it further wraps Google's Artifact Registry vuln scanning (as Go vulns were not being picked up by Trivy), is written in Node (TS) and it's architecture was not based on the aforementioned public adapter as we thought we could get away with something much simpler. Over time and lessons learnt, it has become a bit more similar, in that there are multiple processing queues and multiple workers doing the processing for each queue. This allowed for parallel execution of scanning, so we thought hells yeah, let's get this thing flying!

Unfortunately, from my log analysis, the errors seemed to always occur right after two scans were started at the same time and overlapped.

After setting the worker size to 1, for the queue doing the scanning, the problems have stopped and we have not experienced any for a number of weeks now.

I am not sure if this is a known issue/limitation, but truth be told I haven't had the time to research this further as I've been moved to a different project.

Anyways, once again, thanks for Trivy! It's great! And thanks for your help 🙏🏻

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Intermittent missing vulnerabilities from Trivy 0.55.0 #7585

{{title}}

Replies: 3 comments 1 reply

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Select a reply

Intermittent missing vulnerabilities from Trivy 0.55.0 #7585

mix4242 Sep 24, 2024

Description

Desired Behavior

Actual Behavior

Reproduction Steps

Target

Scanner

Output Format

Mode

Debug Output

Operating System

Version

Checklist

Replies: 3 comments · 1 reply

mix4242 Sep 24, 2024 Author

DmitriyLewen Oct 1, 2024 Maintainer

mix4242 Oct 2, 2024 Author

mix4242 Nov 12, 2024 Author

mix4242
Sep 24, 2024

Replies: 3 comments 1 reply

mix4242
Sep 24, 2024
Author

DmitriyLewen
Oct 1, 2024
Maintainer

mix4242 Oct 2, 2024
Author

mix4242
Nov 12, 2024
Author