Trivy is showing vulnerabilities for the software versions which does not exists in my image

[amey-datametica]

I am creating a docker image using newer versions of following software =

1. log4j-api [ 2.15.x is the actually used version while creating the image]

But,
The trivy scan report is still showing the old version.
I tried updating the trivy database but same issue.

Example output from the output.json file =

---

{
"VulnerabilityID": "CVE-2021-44228",
"PkgName": "org.apache.logging.log4j:log4j-api",
"InstalledVersion": "2.13.3",
"FixedVersion": "2.15.0",
"Layer": {
"DiffID": "sha256:d96e6d94b58a002ed35e011b25fe3b3dea44e2afc0ac59a539ec676a2978851d"
},

I checked full log of my Jenkins build.
I don't have any reference of the old version i.e. log4j-api-2.13.3

Pls suggest how to fix this issue thank you.

Regards,
Amey.

[AndreyLevchenko]

Hi Amey
Thank you for reporting this.
Most probably it's some transitive dependency. There is a lot of jar files which include their dependencies. All included dependencies are scanned by Trivy. I can suggest to go through all dependency jars and check if they include log4j-api