rootfs does not find JAR's #7906

tomuben · 2024-11-12T14:05:12Z

tomuben
Nov 12, 2024

IDs

CVE-2024-47554, CVE-2022-29599, CVE-2021-26291, CVE-2021-37714

Description

I observed different behavior when running trivy rootfs .... / versus trivy rootfs ... /usr
The first command does not find Java vulnerabilities under /usr, but the second command does find them. However, when running the first command with option --detection-priority comprehensive, it also finds the vulnerabilities. I would like to understand the different behavior.

Reproduction Steps

1. Build docker image with `docker build -t trivy_bug .` with following Dockerfile:

FROM ubuntu:22.04
ENV DEBIAN_FRONTEND=noninteractive

RUN apt-get update && apt-get install -y openjdk-11-jdk-headless maven  wget apt-transport-https gnupg lsb-release
RUN wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | apt-key add -
RUN echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | tee -a /etc/apt/sources.list.d/trivy.list
RUN apt-get update && apt-get install trivy

Enter container: docker run -it trivy_bug
Run: trivy rootfs --java-db-repository public.ecr.aws/aquasecurity/trivy-java-db --db-repository public.ecr.aws/aquasecurity/trivy-db -s HIGH,CRITICAL --scanners vuln / -> Does not find vulnerabilities
Run: trivy rootfs --java-db-repository public.ecr.aws/aquasecurity/trivy-java-db --db-repository public.ecr.aws/aquasecurity/trivy-db -s HIGH,CRITICAL --scanners vuln /usr -> Finds vulnerabilities
Run: `trivy rootfs --java-db-repository public.ecr.aws/aquasecurity/trivy-java-db --db-repository public.ecr.aws/aquasecurity/trivy-db -s HIGH,CRITICAL --scanners vuln --detection-priority comprehensive / -> Finds vulnerabilities
...



### Target

Filesystem

### Scanner

Vulnerability

### Target OS

Ubuntu 22.04

### Debug Output

```bash
root@583613954de1:/# trivy rootfs --java-db-repository public.ecr.aws/aquasecurity/trivy-java-db --db-repository public.ecr.aws/aquasecurity/trivy-db -s HIGH,CRITICAL --scanners vuln --debug /
2024-11-12T13:59:56Z	DEBUG	No plugins loaded
2024-11-12T13:59:56Z	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2024-11-12T13:59:56Z	DEBUG	Cache dir	dir="/root/.cache/trivy"
2024-11-12T13:59:56Z	DEBUG	Cache dir	dir="/root/.cache/trivy"
2024-11-12T13:59:56Z	INFO	Adding schema version to the DB repository for backward compatibility	repository="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-12T13:59:56Z	INFO	Adding schema version to the DB repository for backward compatibility	repository="public.ecr.aws/aquasecurity/trivy-java-db:1"
2024-11-12T13:59:56Z	DEBUG	Parsed severities	severities=[HIGH CRITICAL]
2024-11-12T13:59:56Z	DEBUG	Ignore statuses	statuses=[]
2024-11-12T13:59:56Z	DEBUG	[vulndb] There is no valid metadata file	err="unable to open a file: open /root/.cache/trivy/db/metadata.json: no such file or directory"
2024-11-12T13:59:56Z	INFO	[vulndb] Need to update DB
2024-11-12T13:59:56Z	DEBUG	[vulndb] No metadata file
2024-11-12T13:59:56Z	INFO	[vulndb] Downloading vulnerability DB...
2024-11-12T13:59:56Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
55.39 MiB / 55.39 MiB [---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 37.27 MiB p/s 1.7s
2024-11-12T13:59:59Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-11-12T13:59:59Z	DEBUG	Updating database metadata...
2024-11-12T13:59:59Z	DEBUG	DB info	schema=2 updated_at=2024-11-12T12:17:49.02979874Z next_update=2024-11-13T12:17:49.029798369Z downloaded_at=2024-11-12T13:59:59.788147942Z
2024-11-12T13:59:59Z	DEBUG	[pkg] Package types	types=[os library]
2024-11-12T13:59:59Z	DEBUG	[pkg] Package relationships	relationships=[unknown root direct indirect]
2024-11-12T13:59:59Z	INFO	[vuln] Vulnerability scanning is enabled
2024-11-12T13:59:59Z	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-11-12T13:59:59Z	DEBUG	Initializing scan cache...	type="memory"
2024-11-12T13:59:59Z	DEBUG	Skipping path	path="dev"
2024-11-12T13:59:59Z	DEBUG	Skipping path	path="proc"
2024-11-12T13:59:59Z	DEBUG	Skipping path	path="sys"
2024-11-12T13:59:59Z	DEBUG	[gobinary] Unable to detect main module's dependency version - `(devel)` is used	dependency="github.com/aquasecurity/trivy"
2024-11-12T13:59:59Z	DEBUG	[gobinary] Parsing dependency's build info settings	dependency="github.com/aquasecurity/trivy" -ldflags=[-s -w -extldflags '-static' -X github.com/aquasecurity/trivy/pkg/version/app.ver=0.57.0]
2024-11-12T13:59:59Z	INFO	[javadb] Downloading Java DB...
2024-11-12T13:59:59Z	INFO	[javadb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-java-db:1"
660.27 MiB / 660.27 MiB [--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 51.34 MiB p/s 13s
2024-11-12T14:00:14Z	INFO	[javadb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-java-db:1"
2024-11-12T14:00:14Z	INFO	[javadb] Java DB is cached for 3 days. If you want to update the database more frequently, "trivy clean --java-db" command clears the DB cache.
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/lib/jvm/java-11-openjdk-amd64/lib/jrt-fs.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/ca-certificates-java/ca-certificates-java.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/atinject-jsr330-api-1.0.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="ca-certificates-java.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/commons-cli.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="jrt-fs.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/commons-io.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="commons-cli.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/commons-lang3.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="atinject-jsr330-api-1.0.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/geronimo-annotation-1.3-spec.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/cdi-api.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="geronimo-annotation-1.3-spec.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/geronimo-interceptor-3.0-spec.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="commons-io.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="cdi-api.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/guava.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="geronimo-interceptor-3.0-spec.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/aopalliance-1.0.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/guice-assistedinject.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/guice-grapher.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="aopalliance-1.0.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] POM was determined in a heuristic way	file="aopalliance-1.0.jar" artifact="aopalliance:aopalliance:1.0"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="guice-grapher.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/guice-jndi.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="commons-lang3.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/guice-jmx.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/guice-multibindings.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="guice-assistedinject.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="guice-jndi.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/guice-servlet.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/guice-no-aop-4.2.3.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="guice-jmx.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/guice-spring.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="guice-multibindings.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="guice-servlet.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/guice-throwingproviders.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/guice.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="guice-spring.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/hawtjni-runtime.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="hawtjni-runtime.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/jansi-native.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="guice-throwingproviders.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/jansi.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/jcl-over-slf4j.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="jcl-over-slf4j.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/jsr305-0.1~+svn49.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="jansi.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/jul-to-slf4j.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="jsr305-0.1~+svn49.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="jul-to-slf4j.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/maven-resolver-api.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/log4j-over-slf4j.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="guice.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/maven-resolver-connector-basic.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="guice-no-aop-4.2.3.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="maven-resolver-api.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/maven-resolver-impl.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="maven-resolver-connector-basic.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/maven-resolver-test-util.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/maven-resolver-spi.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="maven-resolver-impl.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/maven-resolver-transport-classpath.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="maven-resolver-spi.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/maven-resolver-transport-file.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="maven-resolver-test-util.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/maven-resolver-transport-wagon.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="maven-resolver-transport-classpath.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/maven-resolver-util.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="log4j-over-slf4j.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/maven-shared-utils.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="maven-resolver-transport-file.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/maven3-artifact.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="maven-resolver-transport-wagon.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="maven-resolver-util.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/maven3-compat.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/maven3-builder-support.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="maven3-builder-support.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/maven3-core.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="maven3-artifact.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/maven3-embedder.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="maven-shared-utils.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="maven3-compat.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/maven3-model-builder.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/maven3-model.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="maven3-model-builder.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/maven3-plugin-api.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="maven3-model.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="maven3-embedder.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/maven3-repository-metadata.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="maven3-plugin-api.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/maven3-settings-builder.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="maven3-core.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/maven3-settings.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/maven3-resolver-provider.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="maven3-settings.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/maven3-slf4j-provider.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="maven3-slf4j-provider.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/plexus-cipher.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="maven3-settings-builder.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/plexus-classworlds.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="maven3-resolver-provider.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="plexus-cipher.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="maven3-repository-metadata.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="guava.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/plexus-sec-dispatcher.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/plexus-utils2.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="plexus-classworlds.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="plexus-sec-dispatcher.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/plexus-interpolation.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/plexus-component-annotations.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="plexus-component-annotations.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/slf4j-api.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="plexus-interpolation.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/sisu-inject.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/slf4j-jcl.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="plexus-utils2.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/slf4j-jdk14.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/sisu-plexus.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="slf4j-jcl.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/slf4j-log4j12.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="slf4j-api.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/slf4j-migrator.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="slf4j-migrator.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="slf4j-log4j12.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/slf4j-nop.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/slf4j-simple.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="sisu-plexus.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="sisu-inject.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/wagon-file.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="slf4j-nop.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/wagon-http-shaded-3.3.4.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="wagon-file.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/java/wagon-provider-api.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="slf4j-simple.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] Parsing Java artifacts...	file_path="usr/share/maven-repo/org/jsr-305/jsr305/0.1-SNAPSHOT/jsr305-0.1-SNAPSHOT.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="slf4j-jdk14.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="jsr305-0.1-SNAPSHOT.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="wagon-provider-api.jar"
2024-11-12T14:00:14Z	DEBUG	[jar] No such POM in the central repositories	file="wagon-http-shaded-3.3.4.jar"
2024-11-12T14:00:14Z	INFO	Detected OS	family="ubuntu" version="22.04"
2024-11-12T14:00:14Z	INFO	[ubuntu] Detecting vulnerabilities...	os_version="22.04" pkg_num=211
2024-11-12T14:00:14Z	INFO	Number of language-specific files	num=0
2024-11-12T14:00:14Z	DEBUG	[vex] VEX filtering is disabled

583613954de1 (ubuntu 22.04)

Total: 0 (HIGH: 0, CRITICAL: 0)

Version

root@583613954de1:/# trivy --version
Version: 0.57.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-11-12 12:17:49.02979874 +0000 UTC
  NextUpdate: 2024-11-13 12:17:49.029798369 +0000 UTC
  DownloadedAt: 2024-11-12 13:59:59.788147942 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-11-12 02:39:01.645741382 +0000 UTC
  NextUpdate: 2024-11-15 02:39:01.645741061 +0000 UTC
  DownloadedAt: 2024-11-12 14:00:14.09753337 +0000 UTC

Checklist

Read the documentation regarding wrong detection
Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

Answered by DmitriyLewen

Nov 13, 2024

Hello @tomuben
Thanks for your report!

These jar files installed from apt.
That is why Trivy doesn't check these files.
See https://aquasecurity.github.io/trivy/v0.57/docs/scanner/vulnerability/#handling-software-installed-via-os-packages for more details.

To see these packages - use --detection-priority comprehensive flag:

root@555bbe25142d:/# trivy rootfs --java-db-repository public.ecr.aws/aquasecurity/trivy-java-db --db-repository public.ecr.aws/aquasecurity/trivy-db -s HIGH,CRITICAL --scanners vuln --debug / -f json --list-all-pkgs --pkg-types library --detection-priority comprehensive -q | grep pkg:maven
            "PURL": "pkg:maven/aopalliance/aopalliance@1.0",
            "PURL"…

View full answer

tomuben · 2024-11-12T14:23:21Z

tomuben
Nov 12, 2024
Author

I also uploaded the container image to dockerhub, you can use it with

docker run -it thomasuben/trivy_test:7906

0 replies

DmitriyLewen · 2024-11-13T06:27:00Z

DmitriyLewen
Nov 13, 2024
Maintainer

Hello @tomuben
Thanks for your report!

These jar files installed from apt.
That is why Trivy doesn't check these files.
See https://aquasecurity.github.io/trivy/v0.57/docs/scanner/vulnerability/#handling-software-installed-via-os-packages for more details.

To see these packages - use --detection-priority comprehensive flag:

root@555bbe25142d:/# trivy rootfs --java-db-repository public.ecr.aws/aquasecurity/trivy-java-db --db-repository public.ecr.aws/aquasecurity/trivy-db -s HIGH,CRITICAL --scanners vuln --debug / -f json --list-all-pkgs --pkg-types library --detection-priority comprehensive -q | grep pkg:maven
            "PURL": "pkg:maven/aopalliance/aopalliance@1.0",
            "PURL": "pkg:maven/cglib/cglib@3.2.12",
 ...

Regards, Dmitriy

0 replies

tomuben · 2024-11-13T10:57:57Z

tomuben
Nov 13, 2024
Author

@DmitriyLewen thanks for the explanation.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

rootfs does not find JAR's #7906

{{title}}

Replies: 3 comments

{{title}}

{{title}}

{{title}}

Select a reply

rootfs does not find JAR's #7906

tomuben Nov 12, 2024

IDs

Description

Reproduction Steps

Version

Checklist

Replies: 3 comments

tomuben Nov 12, 2024 Author

DmitriyLewen Nov 13, 2024 Maintainer

tomuben Nov 13, 2024 Author

tomuben
Nov 12, 2024

tomuben
Nov 12, 2024
Author

DmitriyLewen
Nov 13, 2024
Maintainer

tomuben
Nov 13, 2024
Author