This repository has been archived by the owner on Jun 21, 2022. It is now read-only.
I really like how this (especially via Trivy) can be used to check for vulnerabilities about the OS and about installed packages (used by PHP, Node.JS, etc.).
Have you considered having it also check the version of the programming language(s) present?
For example, if the Docker container's PHP version is 7.0.0, that could report the CVE-2019-9020 vulnerability.
"container's PHP version" or more generally "version of the runtime of language X" can be obtained by the same means as any other software. It is not much different from an HTTP server, for example.
For example if PHP7 was installed by .deb package, it is covered by this.
If it was installed by .rpm package, by some other relevant advisory.
If both above are false, but it was inherited from a well-known public docker-image, maybe all vulnerable image checksums can be somehow scraped? (quite interesting exploration here)
If it was directly compiled from source to binary, it would require some AI probably.
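The first two cases above (runtime installed from a distribution package) are the ones a scanner can handle deterministically: read the package database, pull out the package that ships the runtime, strip the packaging-specific parts of the version string and compare the upstream version against the advisory's fixed versions. The following is an added example written for this thread, not code from this project or from Trivy. It parses a constructed excerpt in the format of `/var/lib/dpkg/status`; the fixed-version thresholds in `FIXED_IN` are illustrative placeholders for an advisory like CVE-2019-9020 and must be taken from the real advisory in practice.

```python
"""Added example: locate a PHP runtime through dpkg package metadata and
compare its upstream version against an advisory's fixed-version list.
Not the project's own code; the status records below are constructed."""
import re

# Constructed excerpt in the format of /var/lib/dpkg/status (three records).
DPKG_STATUS = """Package: libc6
Status: install ok installed
Version: 2.28-10

Package: php7.0-cli
Status: install ok installed
Source: php7.0
Version: 7.0.33-0+deb9u3

Package: php7.3-cli
Status: install ok installed
Source: php7.3
Version: 7.3.0-1
"""

# Illustrative "fixed in" versions, one per release branch (hypothetical
# placeholders, not copied from any advisory).
FIXED_IN = [(7, 1, 26), (7, 2, 14), (7, 3, 1)]


def parse_dpkg_status(text):
    """Return {package: dpkg_version} for records whose Status ends in 'installed'."""
    pkgs = {}
    for record in text.strip().split("\n\n"):
        fields = {}
        for line in record.splitlines():
            # Continuation lines of multi-line fields start with a space; skip them.
            if ":" in line and not line.startswith(" "):
                key, value = line.split(":", 1)
                fields[key.strip()] = value.strip()
        if fields.get("Status", "").endswith("installed"):
            pkgs[fields["Package"]] = fields["Version"]
    return pkgs


def upstream_version(dpkg_version):
    """Strip epoch and Debian revision: '1:7.0.33-0+deb9u3' -> '7.0.33'."""
    version = dpkg_version.split(":", 1)[1] if ":" in dpkg_version else dpkg_version
    return version.split("-", 1)[0]


def version_tuple(version):
    """'7.0.33' -> (7, 0, 33); missing components are padded with zeros."""
    nums = [int(x) for x in re.findall(r"\d+", version)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def is_affected(version, fixed_versions):
    """True if `version` predates the fix on its branch.

    Branches older than the oldest fixed branch are treated as affected
    (never fixed); branches newer than the newest fixed branch as unaffected.
    """
    v = version_tuple(version)
    branches = {f[:2]: f for f in fixed_versions}
    if v[:2] in branches:
        return v < branches[v[:2]]
    return v[:2] < min(branches)


def find_php_runtimes(pkgs):
    """Select packages named like php7.x-cli and return their upstream versions."""
    return {name: upstream_version(ver) for name, ver in pkgs.items()
            if re.match(r"php\d", name)}


def scan(status_text, fixed_versions):
    """Map each installed PHP runtime package to whether it is affected."""
    runtimes = find_php_runtimes(parse_dpkg_status(status_text))
    return {name: is_affected(ver, fixed_versions) for name, ver in runtimes.items()}


if __name__ == "__main__":
    for name, affected in scan(DPKG_STATUS, FIXED_IN).items():
        print(f"{name}: {'AFFECTED' if affected else 'ok'}")
```

The same three steps apply to an `.rpm`-based image with `rpm -qa --queryformat` output as input; only `parse_dpkg_status` and `upstream_version` change. A runtime compiled from source leaves no such record, which is the gap the comment above points at.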