Trivy does not detect all packages; and of those detected Trivy sometimes does not report a vulnerability #6325
-
Hello @higginsm99
Thanks for your report!
> Syft scan of a newly built and patched Rocky 9.3 distro (with GUI) reports circa 6000 packages, Trivy only reports circa 1300 packages of the same system.
Do you mean packages or vulnerabilities?
If Trivy doesn't detect any supported OS (https://aquasecurity.github.io/trivy/v0.49/docs/coverage/os/#supported-os) or language (https://aquasecurity.github.io/trivy/v0.49/docs/coverage/language/#supported-languages) packages, can you send some examples?
> Grype reports over 300 vulnerabilities when processing the Syft SBOM, whereas Grype reports less than 10 vulnerabilities when processing the Trivy SBOM.
I don't know what database Grype uses. But Trivy uses vendor OS advisories (https://aquasecurity.github.io/trivy/v0.49/docs/scanner/vulnerability/#data-source-selection).
It is more likely the Rocky DB doesn't contain these vulnerabilities.
Regards, Dmitriy
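The data-source point above is checkable from the two tools' own JSON output: Trivy records which advisory feed produced each finding, and Grype records the namespace and match type behind each match. The script below is an added example (not code from this thread, Trivy or Grype) that diffs a Trivy report against a Grype report for the same target and groups the one-sided findings by that provenance. The field names are assumed from the tools' JSON output as I know it (`Results[].Vulnerabilities[].DataSource.ID` for Trivy, `matches[].vulnerability.namespace` and `matches[].matchDetails[].type` for Grype) and should be verified against your own reports; both reports embedded here are constructed for the example, and findings are joined on package name only so that version-format differences between the tools do not split a package in two.

```python
"""
Added example, not code from this thread or from the Trivy/Grype projects:
diff a Trivy JSON report against a Grype JSON report of the same target and
group the findings only one scanner produced by the data source / match type
that scanner recorded for them.

Assumed field names (verify against your own reports):
  trivy -f json : Results[].Vulnerabilities[].{VulnerabilityID, PkgName,
                  InstalledVersion, DataSource.ID}
  grype -o json : matches[].vulnerability.{id, namespace},
                  matches[].artifact.{name, version},
                  matches[].matchDetails[].type
Both reports below are constructed for the example, not real scan output.
"""
import json
from collections import defaultdict

# Constructed Trivy report: one finding for vim-minimal, attributed to the
# Rocky advisory feed.
TRIVY_JSON = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "rockylinux:9.3",
    "Results": [{
        "Target": "rockylinux:9.3 (rocky 9.3)",
        "Class": "os-pkgs",
        "Type": "rocky",
        "Vulnerabilities": [{
            "VulnerabilityID": "CVE-2022-0413",
            "PkgName": "vim-minimal",
            "InstalledVersion": "2:8.2.2637-20.el9_1",
            "DataSource": {"ID": "rocky", "Name": "Rocky Linux updates",
                           "URL": "https://download.rockylinux.org/pub/rocky/"},
        }],
    }],
})

# Constructed Grype report: the same CVE plus a second one, both produced by
# CPE matching against NVD, which knows nothing about distro backports.
GRYPE_JSON = json.dumps({
    "matches": [
        {
            "vulnerability": {"id": "CVE-2022-0413", "namespace": "nvd:cpe"},
            "matchDetails": [{"type": "cpe-match", "matcher": "rpm-matcher"}],
            "artifact": {"name": "vim-minimal", "version": "2:8.2.2637-20.el9_1",
                         "type": "rpm"},
        },
        {
            "vulnerability": {"id": "CVE-2021-3903", "namespace": "nvd:cpe"},
            "matchDetails": [{"type": "cpe-match", "matcher": "rpm-matcher"}],
            "artifact": {"name": "vim-minimal", "version": "2:8.2.2637-20.el9_1",
                         "type": "rpm"},
        },
    ]
})


def load_trivy(text):
    """Map package name -> {CVE id: DataSource.ID} from a Trivy JSON report."""
    found = defaultdict(dict)
    for result in json.loads(text).get("Results", []):
        # Trivy omits the key (or sets it to null) when a target has no findings.
        for vuln in result.get("Vulnerabilities") or []:
            source = (vuln.get("DataSource") or {}).get("ID", "unknown")
            found[vuln["PkgName"]][vuln["VulnerabilityID"]] = source
    return found


def load_grype(text):
    """Map package name -> {CVE id: 'namespace (match types)'} from a Grype report."""
    found = defaultdict(dict)
    for match in json.loads(text).get("matches", []):
        vuln, pkg = match["vulnerability"], match["artifact"]
        kinds = ",".join(sorted({d.get("type", "?") for d in match.get("matchDetails", [])}))
        found[pkg["name"]][vuln["id"]] = f"{vuln.get('namespace', '?')} ({kinds})"
    return found


def diff_reports(trivy, grype):
    """Per package: CVEs both report, Trivy-only with its source, Grype-only with its source."""
    out = {}
    for pkg in sorted(set(trivy) | set(grype)):
        t, g = trivy.get(pkg, {}), grype.get(pkg, {})
        out[pkg] = {
            "both": sorted(set(t) & set(g)),
            "trivy_only": {c: t[c] for c in sorted(set(t) - set(g))},
            "grype_only": {c: g[c] for c in sorted(set(g) - set(t))},
        }
    return out


def grype_only_by_source(diff):
    """Count Grype-only findings per namespace/match type. A pile of
    'nvd:cpe (cpe-match)' entries on RPMs is the first thing to take to the
    distro's errata, since NVD ranges ignore backported fixes."""
    counts = defaultdict(int)
    for entry in diff.values():
        for source in entry["grype_only"].values():
            counts[source] += 1
    return dict(counts)


if __name__ == "__main__":
    diff = diff_reports(load_trivy(TRIVY_JSON), load_grype(GRYPE_JSON))
    for pkg, entry in diff.items():
        print(pkg, json.dumps(entry, indent=2))
    print("grype-only by source:", grype_only_by_source(diff))
```

To run it on real data, replace the two constants with the contents of `trivy image -f json ...` and `grype -o json ...` for the same image. The useful output is the `grype_only` map: each entry tells you which feed and which matching strategy produced the extra finding, which is what decides whether a missing Trivy result is a gap in the Rocky feed or an NVD CPE match that the vendor build already patched.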
-
Hi
I meant packages – see attached SBOMs and screenshots from Dependency Track. Grype and Dependency Track detect over 300 vulnerabilities in the packages reported in the Syft SBOM, and fewer than 10 vulnerabilities in the packages reported in the Trivy SBOM.
WRT Grype – its DB is built from NVD and GitHub Security Advisories. You should also note that Grype's reporting mirrors what OWASP Dependency Track reports, but Dependency Track does not use Grype… Dependency Track uses NVD and GHSA as well as online resources such as OSS Index, Snyk and VulnDB (some of these are commercial and need a paid account).
Rgds
Mark
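The package-count gap in the SBOMs can be narrowed the same way: diff the component lists and group what only one tool emitted by package type. The script below is an added example (not code from this thread, Syft or Trivy) over two CycloneDX JSON SBOMs; it matches components on their purl with the qualifiers (`?arch=...&epoch=...`) stripped, because the two tools do not emit identical qualifiers, and falls back to type/name/version for components without a purl. The two SBOMs embedded here are constructed for the example, not the attached ones, and the Syft-only components in it are placeholders for the kinds of entries (language packages, classified binaries) an SBOM tool may list that an OS-package scan does not.

```python
"""
Added example, not code from this thread or from the Syft/Trivy projects:
compare the components of two CycloneDX JSON SBOMs of the same target and
group the components only one of them lists by package type, so a
"6000 vs 1300 packages" gap can be traced to what each tool counted.

Assumptions: components are joined on purl minus qualifiers; components
without a purl are joined on CycloneDX type/name/version. Both SBOMs below
are constructed for the example.
"""
import json
from collections import defaultdict

SYFT_SBOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "vim-minimal", "version": "2:8.2.2637-20.el9_1",
     "purl": "pkg:rpm/rocky/vim-minimal@8.2.2637-20.el9_1?arch=x86_64&epoch=2&distro=rocky-9.3"},
    {"type": "library", "name": "setuptools", "version": "53.0.0",
     "purl": "pkg:pypi/setuptools@53.0.0"},                # constructed: a Python package
    {"type": "library", "name": "python3", "version": "3.9.18",
     "purl": "pkg:generic/python3@3.9.18"},                # constructed: a classified binary
]})

TRIVY_SBOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "operating-system", "name": "rocky", "version": "9.3"},  # no purl
    {"type": "library", "name": "vim-minimal", "version": "2:8.2.2637-20.el9_1",
     "purl": "pkg:rpm/rocky/vim-minimal@8.2.2637-20.el9_1?arch=x86_64&distro=rocky-9.3&epoch=2"},
]})


def component_key(comp):
    """Stable join key: purl without qualifiers, else type/name@version."""
    purl = comp.get("purl")
    if purl:
        return purl.split("?", 1)[0]
    return f"{comp.get('type')}/{comp.get('name')}@{comp.get('version')}"


def purl_type(key):
    """'pkg:rpm/rocky/vim-minimal@...' -> 'rpm'; non-purl keys -> their CycloneDX type."""
    if key.startswith("pkg:"):
        return key[4:].split("/", 1)[0]
    return key.split("/", 1)[0]


def load_components(text):
    return {component_key(c) for c in json.loads(text).get("components", [])}


def diff_sboms(a_text, b_text):
    """Components common to both SBOMs and those only in A / only in B."""
    a, b = load_components(a_text), load_components(b_text)
    return {"common": sorted(a & b), "only_a": sorted(a - b), "only_b": sorted(b - a)}


def count_by_type(keys):
    """Histogram of one-sided components by package type: the quickest way to
    see whether a gap is missing RPMs or extra non-RPM entries."""
    counts = defaultdict(int)
    for key in keys:
        counts[purl_type(key)] += 1
    return dict(counts)


if __name__ == "__main__":
    d = diff_sboms(SYFT_SBOM, TRIVY_SBOM)
    print("common:", len(d["common"]))
    print("only in A by type:", count_by_type(d["only_a"]))
    print("only in B by type:", count_by_type(d["only_b"]))
```

If the one-sided histogram for the Syft SBOM is dominated by non-`rpm` types, the two tools are not disagreeing about installed RPMs at all; if it contains `rpm` entries, those are the package names to post as the concrete examples the maintainer asked for.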
-
It would be great if you could create some examples using the RockyLinux docker image.
-
See attached
Syft detects 145 packages and Trivy detects 146 packages in the Docker RockyLinux:9.3 image… Vim 8.2 is present in the RockyLinux image but Trivy does not report it as being vulnerable.
Rgds
Mark
-
Hi
Checked – the version of Vim they mention is the one used in the Docker container and in my VM of Rocky Linux 9.3.
CVE list (as reported by Grype)
CVE-2022-0413 , CVE-2024-22667, CVE-2023-5535 , CVE-2023-5441 , CVE-2023-5344 , CVE-2023-48706, CVE-2023-48237, CVE-2023-48236, CVE-2023-48235, CVE-2023-48234, CVE-2023-48233, CVE-2023-48232, CVE-2023-48231, CVE-2023-4781 , CVE-2023-4752 , CVE-2023-4751 , CVE-2023-4738 , CVE-2023-4735 , CVE-2023-4734 , CVE-2023-46246, CVE-2023-2610 , CVE-2023-2609 , CVE-2023-1264 , CVE-2023-1175 , CVE-2023-1170 , CVE-2023-1127 , CVE-2023-0512 , CVE-2023-0433 , CVE-2023-0288 , CVE-2023-0054 , CVE-2023-0051 , CVE-2023-0049 , CVE-2022-4293 , CVE-2022-4292 , CVE-2022-4141 , CVE-2022-3705 , CVE-2022-3352 , CVE-2022-3324 , CVE-2022-3297 , CVE-2022-3296 , CVE-2022-3278 , CVE-2022-3256 , CVE-2022-3235 , CVE-2022-3234 , CVE-2022-3153 , CVE-2022-3134 , CVE-2022-3099 , CVE-2022-3037 , CVE-2022-3016 , CVE-2022-2982 , CVE-2022-2980 , CVE-2022-2946 , CVE-2022-2923 , CVE-2022-2889 , CVE-2022-2874 , CVE-2022-2862 , CVE-2022-2849 , CVE-2022-2845 , CVE-2022-2819 , CVE-2022-2817 , CVE-2022-2522 , CVE-2022-2345 , CVE-2022-2344 , CVE-2022-2343 , CVE-2022-2304 , CVE-2022-2287 , CVE-2022-2286 , CVE-2022-2285 , CVE-2022-2284 , CVE-2022-2257 , CVE-2022-2210 , CVE-2022-2208 , CVE-2022-2207 , CVE-2022-2206 , CVE-2022-2183 , CVE-2022-2182 , CVE-2022-2175 , CVE-2022-2129 , CVE-2022-2126 , CVE-2022-2125 , CVE-2022-2124 , CVE-2022-2042 , CVE-2022-1725 , CVE-2022-1720 , CVE-2022-1674 , CVE-2022-1620 , CVE-2022-1619 , CVE-2022-1616 , CVE-2022-0351 , CVE-2022-0213 , CVE-2021-4187 , CVE-2021-4173 , CVE-2021-4166 , CVE-2021-4136 , CVE-2021-3974 , CVE-2021-3973 , CVE-2021-3968 , CVE-2021-3928 , CVE-2021-3927 , CVE-2021-3903 , CVE-2020-20703, CVE-2021-46059
Rgds
Mark
From: DmitriyLewen
Sent: Friday, March 15, 2024 11:18 AM
Subject: Re: [aquasecurity/trivy] Trivy does not detect all packages; and of those detected Trivy sometimes does not report a vulnerability (Discussion #6325)
> Can you check https://errata.rockylinux.org (filter by vim) and write the missing CVEs?
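A list like the one above can be checked offline before going to the errata site: on RHEL-family distributions, Rocky included, a backported security fix normally leaves a `CVE-YYYY-NNNN` reference in the changelog entry of the build that carried it, so `rpm -q --changelog <pkg>` answers "which of these CVEs did this exact build already fix". The script below is an added example (not code from this thread or the Trivy project) that pulls CVE IDs out of pasted scanner output and splits them into those the changelog says were fixed, with the fixing build, and those it never mentions. The changelog text embedded here is constructed to look like `rpm -q --changelog vim-enhanced` output and is not the real vim changelog; the CVE IDs are taken from the list above.

```python
"""
Added example, not code from this thread or the Trivy project: cross-check the
CVE IDs a scanner reported for an RPM against that RPM's own changelog.

Assumptions: the changelog below is constructed in the shape of
`rpm -q --changelog vim-enhanced` output (header lines start with "* " and end
with " - <version>", entries are newest-first) and is NOT the real changelog;
CVE IDs come from the list posted in the thread.
"""
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed changelog sample.
SAMPLE_CHANGELOG = """\
* Tue Jan 10 2023 Package Maintainer <maint@example.invalid> - 2:8.2.2637-20
- security fix (CVE-2022-0413)

* Mon Dec 05 2022 Package Maintainer <maint@example.invalid> - 2:8.2.2637-19
- CVE-2021-3903
"""

# Constructed subset of the comma-separated list a scanner printed for the package,
# with the irregular spacing such pastes usually have.
SAMPLE_REPORTED = "CVE-2022-0413 , CVE-2024-22667, CVE-2021-3903 , CVE-2023-5535"


def parse_cve_list(text):
    """CVE IDs from free text (scanner output, a pasted comment), de-duplicated and sorted."""
    return sorted(set(CVE_RE.findall(text)))


def cves_fixed_per_build(changelog):
    """Map CVE id -> version string of the changelog entry that mentions it.
    Entries are newest-first, so the first mention is kept as the fixing build."""
    fixed = {}
    build = None
    for line in changelog.splitlines():
        if line.startswith("* "):
            # "* Tue Jan 10 2023 Name <mail> - 2:8.2.2637-20" -> version after the last " - "
            build = line.rsplit(" - ", 1)[-1].strip()
            continue
        for cve in CVE_RE.findall(line):
            fixed.setdefault(cve, build)
    return fixed


def classify(reported, changelog):
    """Split reported CVE IDs into those the changelog records as fixed (with the
    build) and those it never mentions."""
    fixed = cves_fixed_per_build(changelog)
    return {
        "fixed_in_changelog": {c: fixed[c] for c in reported if c in fixed},
        "not_in_changelog": [c for c in reported if c not in fixed],
    }


if __name__ == "__main__":
    result = classify(parse_cve_list(SAMPLE_REPORTED), SAMPLE_CHANGELOG)
    for cve, build in result["fixed_in_changelog"].items():
        print(f"{cve}: fixed in {build}")
    for cve in result["not_in_changelog"]:
        print(f"{cve}: not mentioned in changelog")
```

For a real check, pipe `rpm -q --changelog vim-enhanced` (or the package actually installed) into `classify` together with the scanner's list. A CVE landing in `not_in_changelog` is not by itself proof that the package is vulnerable: the fix may predate the base version, the distribution may not build the affected component, or the advisory may not yet be in the distribution feed; that remainder is exactly the set to look up on the errata site.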
-
IDs
CVE-2020-20703, CVE-2021-3903, CVE-2021-3927, CVE-2021-3928, CVE-2021-3968, CVE-2021-3973, CVE-2021-3974, CVE-2021-4136, CVE-2021-4166, CVE-2021-4173, CVE-2021-4187, CVE-2021-46059, CVE-2022-0213, CVE-2022-0351, CVE-2022-0413, CVE-2022-1616, CVE-2022-1619, CVE-2022-1620, CVE-2022-1674, CVE-2022-1720, CVE-2022-1725, CVE-2022-2042, CVE-2022-2124, CVE-2022-2125, CVE-2022-2126, CVE-2022-2129, CVE-2022-2175, CVE-2022-2182, CVE-2022-2183, CVE-2022-2206, CVE-2022-2207, CVE-2022-2208, CVE-2022-2210, CVE-2022-2257, CVE-2022-2284, CVE-2022-2285, CVE-2022-2286, CVE-2022-2287, CVE-2022-2304, CVE-2022-2343, CVE-2022-2344, CVE-2022-2345, CVE-2022-2522, CVE-2022-2817, CVE-2022-2819, CVE-2022-2845, CVE-2022-2849, CVE-2022-2862, CVE-2022-2874, CVE-2022-2889, CVE-2022-2923, CVE-2022-2946, CVE-2022-2980, CVE-2022-2982, CVE-2022-3016, CVE-2022-3037, CVE-2022-3099, CVE-2022-3134, CVE-2022-3153, CVE-2022-3234, CVE-2022-3235, CVE-2022-3256, CVE-2022-3278, CVE-2022-3296, CVE-2022-3297, CVE-2022-3324, CVE-2022-3352, CVE-2022-3705, CVE-2022-4141, CVE-2022-4292, CVE-2022-4293, CVE-2023-0049, CVE-2023-0051, CVE-2023-0054, CVE-2023-0288, CVE-2023-0433, CVE-2023-0512, CVE-2023-1127, CVE-2023-1170, CVE-2023-1175, CVE-2023-1264, CVE-2023-2609, CVE-2023-2610, CVE-2023-46246, CVE-2023-4734, CVE-2023-4735, CVE-2023-4738, CVE-2023-4751, CVE-2023-4752, CVE-2023-4781, CVE-2023-48231, CVE-2023-48232, CVE-2023-48233, CVE-2023-48234, CVE-2023-48235, CVE-2023-48236, CVE-2023-48237, CVE-2023-48706, CVE-2023-5344, CVE-2023-5441, CVE-2023-5535, CVE-2024-22667
Description
Syft scan of a newly built and patched Rocky 9.3 distro (with GUI) reports circa 6000 packages, Trivy only reports circa 1300 packages of the same system.
Grype reports over 300 vulnerabilities when processing the Syft SBOM, whereas Grype reports less than 10 vulnerabilities when processing the Trivy SBOM.
Example - looking at the Vim package 8.2.2637-20.el9_1, Trivy does not detect any issues with Vim whereas Grype reports 102 vulnerabilities.
Question 1 - Why does Trivy only report a quarter of the packages found by Syft?
Question 2 - Why does Trivy not report the vulnerabilities Grype found with Vim?
syft-fs-scan-report.txt
trivy-fs-scan-report.txt
debug.txt
Reproduction Steps
Target
Filesystem
Scanner
Vulnerability
Target OS
Rocky 9.3
Debug Output
Version
Checklist
Ran with -f json, which shows data sources, and confirmed that the security advisory in data sources was correct