CVE-2023-45853 already fixed in 1:1.3.dfsg+really1.3.1-1, but still tagged as critical in trivy result

[XinwenXiang]

IDs

CVE-2023-45853

Description

Hi experts
I'm using the python:3.9-slim as my base image, so i do trivy scan for this image.
I got this in my report:

after learning this CVE Vulnerability, I think this has been fixed in latest version: https://security-tracker.debian.org/tracker/CVE-2023-45853

So I upgrade it in my docker file, but i still get this for 1:1.3.dfsg+really1.3.1-1.

So I think this may should not report this Vulnerability after upgrade it.

Reproduction Steps

1.here is my base image:
FROM python:3.9-slim 
RUN echo "deb http://deb.debian.org/debian unstable main contrib non-free" | tee -a /etc/apt/sources.list
RUN apt-get update && apt-cache policy zlib1g
RUN apt-get -t unstable install -y zlib1g=1:1.3.dfsg+really1.3.1-1
2. clean cache: do trivy clear --all
3. do trivy scan: trivy image --format template --template "@template/html.tpl" -o upgrade-zlib1g.html --timeout 20m pythontest:latest

Target

Container Image

Scanner

Vulnerability

Target OS

No response

Debug Output

2024-09-30T23:19:42+08:00       DEBUG   No plugins loaded
2024-09-30T23:19:42+08:00       DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2024-09-30T23:19:42+08:00       DEBUG   Cache dir       dir="/home/DIR/xxiang2/.cache/trivy"
2024-09-30T23:19:42+08:00       DEBUG   Cache dir       dir="/home/DIR/xxiang2/.cache/trivy"
2024-09-30T23:19:42+08:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-09-30T23:19:42+08:00       DEBUG   Ignore statuses statuses=[]
2024-09-30T23:19:42+08:00       DEBUG   There is no valid metadata file err="unable to open a file: open /home/DIR/xxiang2/.cache/trivy/db/metadata.json: no such file or directory"
2024-09-30T23:19:42+08:00       INFO    [db] Need to update DB
2024-09-30T23:19:42+08:00       INFO    [db] Downloading DB...  repository="ghcr.io/aquasecurity/trivy-db:2"
2024-09-30T23:19:42+08:00       DEBUG   No metadata file
53.86 MiB / 53.86 MiB [---------------------------------------------------------------------------------] 100.00% 13.64 MiB p/s 4.2s
2024-09-30T23:19:48+08:00       DEBUG   Updating database metadata...
2024-09-30T23:19:48+08:00       DEBUG   DB info schema=2 updated_at=2024-09-30T12:18:14.877098783Z next_update=2024-09-30T18:18:14.877098493Z downloaded_at=2024-09-30T15:19:48.402134449Z
2024-09-30T23:19:48+08:00       DEBUG   [pkg] Package types     types=[os library]
2024-09-30T23:19:48+08:00       DEBUG   [pkg] Package relationships     relationships=[unknown root direct indirect]
2024-09-30T23:19:48+08:00       INFO    [vuln] Vulnerability scanning is enabled
2024-09-30T23:19:48+08:00       INFO    [secret] Secret scanning is enabled
2024-09-30T23:19:48+08:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-30T23:19:48+08:00       INFO    [secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-09-30T23:19:48+08:00       DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-09-30T23:19:48+08:00       DEBUG   Initializing scan cache...      type="fs"
2024-09-30T23:19:48+08:00       DEBUG   [secret] No secret config detected      config_path="trivy-secret.yaml"
2024-09-30T23:19:48+08:00       DEBUG   [secret] No secret config detected      config_path="trivy-secret.yaml"
2024-09-30T23:19:48+08:00       DEBUG   [image] Detected image ID       image_id="sha256:f8d285e81b35bf4c786475fac466af129f6ddd74fb4ad24ee0c791949c96d57c"
2024-09-30T23:19:48+08:00       DEBUG   [image] Detected diff ID        diff_ids=[sha256:8d853c8add5d1e7b0aafc4b68a3d9fb8e7a0da27970c2acf831fe63be4a0cd2c sha256:fb5ccd0db472b0b9feb557d01e6c39097acc9ad1a502e1e6a29fde48d74eb7b0 sha256:e228adf1886f79aec8c40dff455c30bab317b17ce3ae3dce4fea87d6f18687d2 sha256:9e599118e168a6c61d9766a48fe656725ffdf0ab38d135d49abee6767213efc4 sha256:4d142cb4d0bf136aed70ed4ab34752bba54fa40e259fcfefbef746b0d3993aaf sha256:85984f6ec5cb0330fde3211e70975cfeb26c8464bbd82179f1c07d86de46c25b sha256:e001d7338b7ff0c83d9beaa14a97794e209af1ac432e6bc6c81ad051d3deed4f sha256:490cb5f91460c94b6f7eec0da4d06aae58736ea39423384e7e47f531377a04ee sha256:74ecf4b88ee2280116614a3f5f05d280f6fa45e3394f11d12594a518ff4b3f93 sha256:c177768a564fd9d2bdea5e560090cefb915ca6404434158046c68044c704564f sha256:aa029d80025b27800aae3c24c82ae13df56dd105e8c30275e0c017e7e5238851 sha256:5a27673ae9225daa4a3106a88db38afb468d4c39057a179f271f51e96c9f7877 sha256:7491c24e5118626a7be994b41873f0fecce01ff639281e9bfb77c77cecfc113b sha256:c9e8a51c1afbe24fdceea3ce8440d3f9eb370ffa36dcbffc0685b4f3901aa185 sha256:e63708b2862ea852c69dae87a14249c2bd70d069b196f34f3dc6eb4bda180c41 sha256:1ea934752fcab690e037e687367abf47da8c4e638fa2fb2d883c8e8271c21969 sha256:396fa5fa9d5aab284b5552f9c93bad87848efa142acab0e5c20fdafc967e1f0f]
2024-09-30T23:19:48+08:00       DEBUG   [image] Detected base layers    diff_ids=[sha256:8d853c8add5d1e7b0aafc4b68a3d9fb8e7a0da27970c2acf831fe63be4a0cd2c sha256:fb5ccd0db472b0b9feb557d01e6c39097acc9ad1a502e1e6a29fde48d74eb7b0 sha256:e228adf1886f79aec8c40dff455c30bab317b17ce3ae3dce4fea87d6f18687d2 sha256:9e599118e168a6c61d9766a48fe656725ffdf0ab38d135d49abee6767213efc4]
2024-09-30T23:19:48+08:00       DEBUG   [image] Missing image ID in cache       image_id="sha256:f8d285e81b35bf4c786475fac466af129f6ddd74fb4ad24ee0c791949c96d57c"
2024-09-30T23:19:48+08:00       DEBUG   [image] Missing diff ID in cache        diff_id="sha256:fb5ccd0db472b0b9feb557d01e6c39097acc9ad1a502e1e6a29fde48d74eb7b0"
2024-09-30T23:19:48+08:00       DEBUG   [image] Missing diff ID in cache        diff_id="sha256:4d142cb4d0bf136aed70ed4ab34752bba54fa40e259fcfefbef746b0d3993aaf"
2024-09-30T23:19:48+08:00       DEBUG   [image] Missing diff ID in cache        diff_id="sha256:e228adf1886f79aec8c40dff455c30bab317b17ce3ae3dce4fea87d6f18687d2"
2024-09-30T23:19:48+08:00       DEBUG   [image] Missing diff ID in cache        diff_id="sha256:8d853c8add5d1e7b0aafc4b68a3d9fb8e7a0da27970c2acf831fe63be4a0cd2c"
2024-09-30T23:19:48+08:00       DEBUG   [image] Missing diff ID in cache        diff_id="sha256:9e599118e168a6c61d9766a48fe656725ffdf0ab38d135d49abee6767213efc4"
2024-09-30T23:19:52+08:00       DEBUG   [image] Missing diff ID in cache        diff_id="sha256:85984f6ec5cb0330fde3211e70975cfeb26c8464bbd82179f1c07d86de46c25b"
2024-09-30T23:19:52+08:00       DEBUG   [image] Missing diff ID in cache        diff_id="sha256:e001d7338b7ff0c83d9beaa14a97794e209af1ac432e6bc6c81ad051d3deed4f"
2024-09-30T23:19:52+08:00       DEBUG   [dpkg] Unable to parse the available file       file_path="var/lib/dpkg/available" err="file open error: open var/lib/dpkg/available: file does not exist"
2024-09-30T23:19:52+08:00       DEBUG   [image] Missing diff ID in cache        diff_id="sha256:490cb5f91460c94b6f7eec0da4d06aae58736ea39423384e7e47f531377a04ee"
2024-09-30T23:19:52+08:00       DEBUG   [image] Missing diff ID in cache        diff_id="sha256:74ecf4b88ee2280116614a3f5f05d280f6fa45e3394f11d12594a518ff4b3f93"
2024-09-30T23:19:52+08:00       DEBUG   [image] Missing diff ID in cache        diff_id="sha256:c177768a564fd9d2bdea5e560090cefb915ca6404434158046c68044c704564f"
2024-09-30T23:19:52+08:00       DEBUG   [image] Missing diff ID in cache        diff_id="sha256:aa029d80025b27800aae3c24c82ae13df56dd105e8c30275e0c017e7e5238851"
2024-09-30T23:19:52+08:00       DEBUG   [image] Missing diff ID in cache        diff_id="sha256:5a27673ae9225daa4a3106a88db38afb468d4c39057a179f271f51e96c9f7877"
2024-09-30T23:19:52+08:00       DEBUG   [dpkg] Unable to parse the available file       file_path="var/lib/dpkg/available" err="file open error: open var/lib/dpkg/available: file does not exist"
2024-09-30T23:19:52+08:00       INFO    [python] License acquired from METADATA classifiers may be subject to additional terms       name="pip" version="23.0.1"
2024-09-30T23:19:52+08:00       INFO    [python] License acquired from METADATA classifiers may be subject to additional terms       name="setuptools" version="58.1.0"
2024-09-30T23:19:52+08:00       DEBUG   [image] Missing diff ID in cache        diff_id="sha256:7491c24e5118626a7be994b41873f0fecce01ff639281e9bfb77c77cecfc113b"
2024-09-30T23:19:52+08:00       DEBUG   [image] Missing diff ID in cache        diff_id="sha256:c9e8a51c1afbe24fdceea3ce8440d3f9eb370ffa36dcbffc0685b4f3901aa185"
2024-09-30T23:19:52+08:00       DEBUG   [image] Missing diff ID in cache        diff_id="sha256:e63708b2862ea852c69dae87a14249c2bd70d069b196f34f3dc6eb4bda180c41"
2024-09-30T23:19:52+08:00       DEBUG   [image] Missing diff ID in cache        diff_id="sha256:1ea934752fcab690e037e687367abf47da8c4e638fa2fb2d883c8e8271c21969"
2024-09-30T23:19:53+08:00       DEBUG   [image] Missing diff ID in cache        diff_id="sha256:396fa5fa9d5aab284b5552f9c93bad87848efa142acab0e5c20fdafc967e1f0f"
2024-09-30T23:19:53+08:00       DEBUG   [dpkg] Unable to parse the available file       file_path="var/lib/dpkg/available" err="file open error: open var/lib/dpkg/available: file does not exist"
2024-09-30T23:19:53+08:00       DEBUG   [dpkg] Unable to parse the available file       file_path="var/lib/dpkg/available" err="file open error: open var/lib/dpkg/available: file does not exist"
2024-09-30T23:19:53+08:00       DEBUG   [dpkg] Unable to parse the available file       file_path="var/lib/dpkg/available" err="file open error: open var/lib/dpkg/available: file does not exist"
2024-09-30T23:19:54+08:00       DEBUG   No secrets found in container image config
2024-09-30T23:19:54+08:00       INFO    Detected OS     family="debian" version="12.7"
2024-09-30T23:19:54+08:00       INFO    [debian] Detecting vulnerabilities...   os_version="12" pkg_num=106
2024-09-30T23:19:54+08:00       INFO    Number of language-specific files       num=1
2024-09-30T23:19:54+08:00       INFO    [python-pkg] Detecting vulnerabilities...
2024-09-30T23:19:54+08:00       DEBUG   [python-pkg] Scanning packages for vulnerabilities      file_path=""
2024-09-30T23:19:54+08:00       WARN    Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.55/docs/scanner/vulnerability#severity-selection for details.
2024-09-30T23:19:54+08:00       DEBUG   [vex] VEX filtering is disabled

Version

0.55.2

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[DmitriyLewen]

Duplicate of #6059