Closed
Description
When compiling a project as a native image, even if there is a BOM layer containing the dependencies, they get ignored and are not reported.
What did you expect to happen?
I expect the same output in the native image and in the regular image.
What happened instead?
Ignores all the Java code.
Output of run with -debug:
➜ ~ trivy image --debug 'native-trivy-demo:0.0.1-SNAPSHOT'
2022-09-06T17:15:25.247+0200 DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2022-09-06T17:15:25.291+0200 DEBUG cache dir: /Users/rcallejarios/Library/Caches/trivy
2022-09-06T17:15:25.292+0200 DEBUG DB update was skipped because the local DB is the latest
2022-09-06T17:15:25.292+0200 DEBUG DB Schema: 2, UpdatedAt: 2022-09-06 12:12:56.495473442 +0000 UTC, NextUpdate: 2022-09-06 18:12:56.495473142 +0000 UTC, DownloadedAt: 2022-09-06 14:57:30.410549 +0000 UTC
2022-09-06T17:15:25.293+0200 INFO Vulnerability scanning is enabled
2022-09-06T17:15:25.293+0200 DEBUG Vulnerability type: [os library]
2022-09-06T17:15:25.293+0200 INFO Secret scanning is enabled
2022-09-06T17:15:25.293+0200 INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-09-06T17:15:25.293+0200 INFO Please see also https://aquasecurity.github.io/trivy/v0.31.3/docs/secret/scanning/#recommendation for faster secret detection
2022-09-06T17:15:25.307+0200 DEBUG No secret config detected: trivy-secret.yaml
2022-09-06T17:15:25.307+0200 DEBUG Image ID: sha256:8ef3541e5e3a8357f4a534af8b92623af000699e24243ec052ab5ac479cb9e14
2022-09-06T17:15:25.307+0200 DEBUG Diff IDs: [sha256:326fd01a8050a4a649ff7814cd9717d46c01538591a129ed435ab5e46bd0508f sha256:e8c18dc357f51e68934c5b2cd1d96f645c1a3f5211d6b34589bcc651e4e15329 sha256:7bb78388a8bb41810ef5dc3711d5763b70954d7414c8d604463c12d1ccedcacc sha256:f97bf240080d566cdc873c0a3aba958c29096fb5563ed2a4d58d80dd590db9b3 sha256:ac32dbb1d0029fcc6b210f80493df27e7c641e79d87d79c4b5d4d2de77c29f04 sha256:9497805c7bd5df192c4ccf7cf9c4496963c1c008141fe134765e23a3800fa4cf sha256:90c2fc367aa710e8b05419807ea844cbd72d97fbad68c64a83145ae0635fcb4e sha256:76dc679a925b81efc75002d9dfd2fe7bec4c6ab4004e0215f810adc954905894]
2022-09-06T17:15:25.307+0200 DEBUG Base Layers: []
2022-09-06T17:15:25.310+0200 DEBUG Missing image ID in cache: sha256:8ef3541e5e3a8357f4a534af8b92623af000699e24243ec052ab5ac479cb9e14
2022-09-06T17:15:25.311+0200 DEBUG Missing diff ID in cache: sha256:ac32dbb1d0029fcc6b210f80493df27e7c641e79d87d79c4b5d4d2de77c29f04
2022-09-06T17:15:25.311+0200 DEBUG Missing diff ID in cache: sha256:f97bf240080d566cdc873c0a3aba958c29096fb5563ed2a4d58d80dd590db9b3
2022-09-06T17:15:26.527+0200 INFO Detected OS: ubuntu
2022-09-06T17:15:26.527+0200 INFO Detecting Ubuntu vulnerabilities...
2022-09-06T17:15:26.527+0200 DEBUG ubuntu: os version: 18.04
2022-09-06T17:15:26.527+0200 DEBUG ubuntu: the number of packages: 8
2022-09-06T17:15:26.530+0200 INFO Number of language-specific files: 2
2022-09-06T17:15:26.530+0200 INFO Detecting gobinary vulnerabilities...
2022-09-06T17:15:26.530+0200 DEBUG Detecting library vulnerabilities, type: gobinary, path: cnb/lifecycle/launcher
2022-09-06T17:15:26.532+0200 DEBUG Detecting library vulnerabilities, type: gobinary, path: layers/paketo-buildpacks_ca-certificates/helper/helper
native-trivy-demo:0.0.1-SNAPSHOT (ubuntu 18.04)
Total: 3 (UNKNOWN: 0, LOW: 3, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
┌─────────┬────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├─────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ libc6 │ CVE-2009-5155 │ LOW │ 2.27-3ubuntu1.6 │ │ glibc: parse_reg_exp in posix/regcomp.c misparses │
│ │ │ │ │ │ alternatives leading to denial of service or... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2009-5155 │
│ ├────────────────┤ │ ├───────────────┼────────────────────────────────────────────────────────────┤
│ │ CVE-2015-8985 │ │ │ │ glibc: potential denial of service in pop_fail_stack() │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2015-8985 │
│ ├────────────────┤ │ ├───────────────┼────────────────────────────────────────────────────────────┤
│ │ CVE-2016-20013 │ │ │ │ sha256crypt and sha512crypt through 0.6 allow attackers to │
│ │ │ │ │ │ cause a denial of... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2016-20013 │
└─────────┴────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘
➜ ~ trivy image --debug 'regular-trivy-demo:0.0.1-SNAPSHOT'
2022-09-06T17:16:29.258+0200 DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2022-09-06T17:16:29.297+0200 DEBUG cache dir: /Users/rcallejarios/Library/Caches/trivy
2022-09-06T17:16:29.298+0200 DEBUG DB update was skipped because the local DB is the latest
2022-09-06T17:16:29.298+0200 DEBUG DB Schema: 2, UpdatedAt: 2022-09-06 12:12:56.495473442 +0000 UTC, NextUpdate: 2022-09-06 18:12:56.495473142 +0000 UTC, DownloadedAt: 2022-09-06 14:57:30.410549 +0000 UTC
2022-09-06T17:16:29.298+0200 INFO Vulnerability scanning is enabled
2022-09-06T17:16:29.298+0200 DEBUG Vulnerability type: [os library]
2022-09-06T17:16:29.298+0200 INFO Secret scanning is enabled
2022-09-06T17:16:29.298+0200 INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-09-06T17:16:29.298+0200 INFO Please see also https://aquasecurity.github.io/trivy/v0.31.3/docs/secret/scanning/#recommendation for faster secret detection
2022-09-06T17:16:29.311+0200 DEBUG No secret config detected: trivy-secret.yaml
2022-09-06T17:16:29.312+0200 DEBUG Image ID: sha256:8abcf83fe22427f1827b67ea11af206ae9d5ef72398ab22262a09fa729515957
2022-09-06T17:16:29.312+0200 DEBUG Diff IDs: [sha256:1a996540f50f2464d3e1e09c47dde9ef3673a2fdec7b70716a60c0df0c0ada51 sha256:bcee057186ad4ec678be8f83a72145f9f97e8023c6c9e3c3732e05ef594c5eb4 sha256:959a0969cd4b8a2335b304f4a424c266057d4f10b78c3ba7571201a3da3492fe sha256:35462b7febfbbc6ba00ea954c0fcec5defb80f6c30adb450b57b6ea4db2df0a8 sha256:5b8b907a28e64fe5a96b0d9583e4beeb0d491fa4e27dbf8cb84713eb9c725f49 sha256:7bb78388a8bb41810ef5dc3711d5763b70954d7414c8d604463c12d1ccedcacc sha256:4a967a6f20309fd6888e0c4192bd3270c19c5d36c64ef307825364035fe3250e sha256:ec0381c8f32136ad9564b114b2271d1181e0c181957acb6707e6ff4713a7a89d sha256:0cf3b19112288f5a96a8364f905f3ba0185aa178eca09da491492c7f6d4b6a1f sha256:7fbc97c38fad01ae2b8189c8d9a0a0149932192accc4ad253b0f8186d0793e9a sha256:28d31c76bca111ac2ced4d4c9c794d03956c291ea19d7749b4a1197290d3a2e5 sha256:33df858545b5408f86e2adc84c9d6696fd3f3ab16065d01a9c3e3366de12a462 sha256:fcc507beb4ccdbc112909bcf999e90802212e4fc86afa20617a863e89081a6da sha256:cad26987c35259156fa118544caa381f653a14bdefb3ce71d8c353e73f134fcb sha256:38df0160fe65226601bf9c881afe8a8bfd24bb11ad8ba0319950e9390b585800 sha256:a258d333203171b7ab72537f4bf60896e7df648a268e66314416303702db90f7 sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef sha256:8f3c298a4ba4d3f75c03ec2de32fe8b7f166bc6b0e6bcea6570baea98633be4a sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef sha256:9497805c7bd5df192c4ccf7cf9c4496963c1c008141fe134765e23a3800fa4cf sha256:4095cdf96410ef09a8dcfdc518235e7096e0cb0225bbcb2dd5a2430a0d0da0b0 sha256:1dc94a70dbaa2171fb086500a5d27797f779219b126b0a1eebb9180c2792e80e]
2022-09-06T17:16:29.312+0200 DEBUG Base Layers: []
2022-09-06T17:16:29.319+0200 INFO Detected OS: ubuntu
2022-09-06T17:16:29.319+0200 INFO Detecting Ubuntu vulnerabilities...
2022-09-06T17:16:29.319+0200 DEBUG ubuntu: os version: 18.04
2022-09-06T17:16:29.319+0200 DEBUG ubuntu: the number of packages: 97
2022-09-06T17:16:29.328+0200 INFO Number of language-specific files: 5
2022-09-06T17:16:29.328+0200 INFO Detecting gobinary vulnerabilities...
2022-09-06T17:16:29.328+0200 DEBUG Detecting library vulnerabilities, type: gobinary, path: layers/paketo-buildpacks_ca-certificates/helper/helper
2022-09-06T17:16:29.329+0200 DEBUG Detecting library vulnerabilities, type: gobinary, path: layers/paketo-buildpacks_bellsoft-liberica/helper/helper
2022-09-06T17:16:29.330+0200 DEBUG Detecting library vulnerabilities, type: gobinary, path: layers/paketo-buildpacks_spring-boot/helper/helper
2022-09-06T17:16:29.330+0200 DEBUG Detecting library vulnerabilities, type: gobinary, path: cnb/lifecycle/launcher
2022-09-06T17:16:29.330+0200 INFO Detecting jar vulnerabilities...
2022-09-06T17:16:29.330+0200 DEBUG Detecting library vulnerabilities, type: jar, path:
regular-trivy-demo:0.0.1-SNAPSHOT (ubuntu 18.04)
Total: 38 (UNKNOWN: 0, LOW: 34, MEDIUM: 4, HIGH: 0, CRITICAL: 0)
┌──────────────┬────────────────┬──────────┬──────────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├──────────────┼────────────────┼──────────┼──────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ coreutils │ CVE-2016-2781 │ LOW │ 8.28-1ubuntu1 │ │ coreutils: Non-privileged session can escape to the parent │
│ │ │ │ │ │ session in chroot │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2016-2781 │
├──────────────┼────────────────┼──────────┼──────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ gcc-8-base │ CVE-2020-13844 │ MEDIUM │ 8.4.0-1ubuntu1~18.04 │ │ kernel: ARM straight-line speculation vulnerability │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-13844 │
├──────────────┼────────────────┼──────────┼──────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libc-bin │ CVE-2009-5155 │ LOW │ 2.27-3ubuntu1.6 │ │ glibc: parse_reg_exp in posix/regcomp.c misparses │
│ │ │ │ │ │ alternatives leading to denial of service or... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2009-5155 │
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2015-8985 │ │ │ │ glibc: potential denial of service in pop_fail_stack() │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2015-8985 │
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2016-20013 │ │ │ │ sha256crypt and sha512crypt through 0.6 allow attackers to │
│ │ │ │ │ │ cause a denial of... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2016-20013 │
├──────────────┼────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ libc6 │ CVE-2009-5155 │ │ │ │ glibc: parse_reg_exp in posix/regcomp.c misparses │
│ │ │ │ │ │ alternatives leading to denial of service or... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2009-5155 │
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2015-8985 │ │ │ │ glibc: potential denial of service in pop_fail_stack() │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2015-8985 │
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2016-20013 │ │ │ │ sha256crypt and sha512crypt through 0.6 allow attackers to │
│ │ │ │ │ │ cause a denial of... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2016-20013 │
├──────────────┼────────────────┼──────────┼──────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libgcc1 │ CVE-2020-13844 │ MEDIUM │ 8.4.0-1ubuntu1~18.04 │ │ kernel: ARM straight-line speculation vulnerability │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-13844 │
├──────────────┼────────────────┼──────────┼──────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libgnutls30 │ CVE-2018-16868 │ LOW │ 3.5.18-1ubuntu1.6 │ │ gnutls: Bleichenbacher-like side channel leakage in PKCS#1 │
│ │ │ │ │ │ v1.5 verification and padding oracle... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-16868 │
├──────────────┼────────────────┤ ├──────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libncurses5 │ CVE-2019-17594 │ │ 6.1-1ubuntu1.18.04 │ │ ncurses: heap-based buffer overflow in the _nc_find_entry │
│ │ │ │ │ │ function in tinfo/comp_hash.c │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-17594 │
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-17595 │ │ │ │ ncurses: heap-based buffer overflow in the fmt_entry │
│ │ │ │ │ │ function in tinfo/comp_hash.c │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-17595 │
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-39537 │ │ │ │ ncurses: heap-based buffer overflow in _nc_captoinfo() in │
│ │ │ │ │ │ captoinfo.c │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-39537 │
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-29458 │ │ │ │ ncurses: segfaulting OOB read │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-29458 │
├──────────────┼────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ libncursesw5 │ CVE-2019-17594 │ │ │ │ ncurses: heap-based buffer overflow in the _nc_find_entry │
│ │ │ │ │ │ function in tinfo/comp_hash.c │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-17594 │
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-17595 │ │ │ │ ncurses: heap-based buffer overflow in the fmt_entry │
│ │ │ │ │ │ function in tinfo/comp_hash.c │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-17595 │
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-39537 │ │ │ │ ncurses: heap-based buffer overflow in _nc_captoinfo() in │
│ │ │ │ │ │ captoinfo.c │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-39537 │
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-29458 │ │ │ │ ncurses: segfaulting OOB read │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-29458 │
├──────────────┼────────────────┤ ├──────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libpcre3 │ CVE-2017-11164 │ │ 2:8.39-9ubuntu0.1 │ │ pcre: OP_KETRMAX feature in the match function in │
│ │ │ │ │ │ pcre_exec.c │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2017-11164 │
├──────────────┼────────────────┼──────────┼──────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libstdc++6 │ CVE-2020-13844 │ MEDIUM │ 8.4.0-1ubuntu1~18.04 │ │ kernel: ARM straight-line speculation vulnerability │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-13844 │
├──────────────┼────────────────┼──────────┼──────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libtinfo5 │ CVE-2019-17594 │ LOW │ 6.1-1ubuntu1.18.04 │ │ ncurses: heap-based buffer overflow in the _nc_find_entry │
│ │ │ │ │ │ function in tinfo/comp_hash.c │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-17594 │
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-17595 │ │ │ │ ncurses: heap-based buffer overflow in the fmt_entry │
│ │ │ │ │ │ function in tinfo/comp_hash.c │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-17595 │
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-39537 │ │ │ │ ncurses: heap-based buffer overflow in _nc_captoinfo() in │
│ │ │ │ │ │ captoinfo.c │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-39537 │
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-29458 │ │ │ │ ncurses: segfaulting OOB read │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-29458 │
├──────────────┼────────────────┤ ├──────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ locales │ CVE-2009-5155 │ │ 2.27-3ubuntu1.6 │ │ glibc: parse_reg_exp in posix/regcomp.c misparses │
│ │ │ │ │ │ alternatives leading to denial of service or... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2009-5155 │
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2015-8985 │ │ │ │ glibc: potential denial of service in pop_fail_stack() │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2015-8985 │
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2016-20013 │ │ │ │ sha256crypt and sha512crypt through 0.6 allow attackers to │
│ │ │ │ │ │ cause a denial of... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2016-20013 │
├──────────────┼────────────────┤ ├──────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ login │ CVE-2013-4235 │ │ 1:4.5-1ubuntu2.3 │ │ shadow-utils: TOCTOU race conditions by copying and removing │
│ │ │ │ │ │ directory trees │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2013-4235 │
├──────────────┼────────────────┤ ├──────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ ncurses-base │ CVE-2019-17594 │ │ 6.1-1ubuntu1.18.04 │ │ ncurses: heap-based buffer overflow in the _nc_find_entry │
│ │ │ │ │ │ function in tinfo/comp_hash.c │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-17594 │
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-17595 │ │ │ │ ncurses: heap-based buffer overflow in the fmt_entry │
│ │ │ │ │ │ function in tinfo/comp_hash.c │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-17595 │
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-39537 │ │ │ │ ncurses: heap-based buffer overflow in _nc_captoinfo() in │
│ │ │ │ │ │ captoinfo.c │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-39537 │
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-29458 │ │ │ │ ncurses: segfaulting OOB read │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-29458 │
├──────────────┼────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ ncurses-bin │ CVE-2019-17594 │ │ │ │ ncurses: heap-based buffer overflow in the _nc_find_entry │
│ │ │ │ │ │ function in tinfo/comp_hash.c │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-17594 │
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2019-17595 │ │ │ │ ncurses: heap-based buffer overflow in the fmt_entry │
│ │ │ │ │ │ function in tinfo/comp_hash.c │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-17595 │
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2021-39537 │ │ │ │ ncurses: heap-based buffer overflow in _nc_captoinfo() in │
│ │ │ │ │ │ captoinfo.c │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2021-39537 │
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2022-29458 │ │ │ │ ncurses: segfaulting OOB read │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-29458 │
├──────────────┼────────────────┤ ├──────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ passwd │ CVE-2013-4235 │ │ 1:4.5-1ubuntu2.3 │ │ shadow-utils: TOCTOU race conditions by copying and removing │
│ │ │ │ │ │ directory trees │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2013-4235 │
├──────────────┼────────────────┼──────────┼──────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ perl-base │ CVE-2020-16156 │ MEDIUM │ 5.26.1-6ubuntu0.5 │ │ perl-CPAN: Bypass of verification of signatures in CHECKSUMS │
│ │ │ │ │ │ files │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-16156 │
└──────────────┴────────────────┴──────────┴──────────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
2022-09-06T17:16:29.365+0200 INFO Table result includes only package filenames. Use '--format json' option to get the full path to the package file.
Java (jar)
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
┌─────────────────────────────────────────────┬────────────────┬──────────┬───────────────────┬────────────────────┬──────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├─────────────────────────────────────────────┼────────────────┼──────────┼───────────────────┼────────────────────┼──────────────────────────────────────────────────────────┤
│ com.fasterxml.jackson.core:jackson-databind │ CVE-2020-36518 │ HIGH │ 2.13.0 │ 2.12.6.1, 2.13.2.1 │ jackson-databind: denial of service via a large depth of │
│ (jackson-databind-2.13.0.jar) │ │ │ │ │ nested objects │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2020-36518 │
└─────────────────────────────────────────────┴────────────────┴──────────┴───────────────────┴────────────────────┴──────────────────────────────────────────────────────────┘
Output of trivy -v:
➜ ~ trivy -v
Version: 0.31.3
Vulnerability DB:
Version: 2
UpdatedAt: 2022-09-06 12:12:56.495473442 +0000 UTC
NextUpdate: 2022-09-06 18:12:56.495473142 +0000 UTC
DownloadedAt: 2022-09-06 14:57:30.410549 +0000 UTC
Additional details (base image name, container registry info...):
Created a repo with reproducible samples and the SBOM for each image downloaded:
https://github.com/Albertoimpl/trivi-native-image-report
To build the image for each project the command is:
./gradlew bootBuildImage
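The two scans above differ in one structural way: the `jar` analyzer fires for the regular image and never fires for the native image, so the jackson-databind finding silently disappears rather than being reported as "not fixed". The script below is an added example (not part of the report or of Trivy) that makes that gap visible by comparing two `trivy image --format json` outputs: it lists the language analyzers present in one scan but absent from the other, and the language-package findings that exist only in the regular image's scan. It relies only on the top-level `Results` list with `Target`, `Class`, `Type` and an optional `Vulnerabilities` array, which is the schema-version-2 JSON layout the 0.31.3 build in the report emits. The embedded JSON is a constructed, heavily trimmed stand-in for the two scans, not Trivy's actual output.

```python
"""Diff two Trivy JSON scans to spot analyzers and findings that vanish between
a JVM image and its native-image build. Added example; not Trivy's own code."""
import json
import sys
from typing import Dict, List, Set, Tuple

# Constructed sample scans: a few findings each, mirroring the shape of the
# report's output (the real scans carry 3 and 38 OS findings respectively).
NATIVE_SCAN = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "native-trivy-demo:0.0.1-SNAPSHOT",
    "Results": [
        {"Target": "native-trivy-demo:0.0.1-SNAPSHOT (ubuntu 18.04)",
         "Class": "os-pkgs", "Type": "ubuntu",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2009-5155", "PkgName": "libc6",
              "InstalledVersion": "2.27-3ubuntu1.6", "Severity": "LOW"},
         ]},
        # Targets with no findings carry no "Vulnerabilities" key at all.
        {"Target": "cnb/lifecycle/launcher", "Class": "lang-pkgs", "Type": "gobinary"},
    ],
})

REGULAR_SCAN = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "regular-trivy-demo:0.0.1-SNAPSHOT",
    "Results": [
        {"Target": "regular-trivy-demo:0.0.1-SNAPSHOT (ubuntu 18.04)",
         "Class": "os-pkgs", "Type": "ubuntu",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2009-5155", "PkgName": "libc6",
              "InstalledVersion": "2.27-3ubuntu1.6", "Severity": "LOW"},
             {"VulnerabilityID": "CVE-2020-13844", "PkgName": "libgcc1",
              "InstalledVersion": "8.4.0-1ubuntu1~18.04", "Severity": "MEDIUM"},
         ]},
        {"Target": "cnb/lifecycle/launcher", "Class": "lang-pkgs", "Type": "gobinary"},
        {"Target": "Java", "Class": "lang-pkgs", "Type": "jar",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2020-36518",
              "PkgName": "com.fasterxml.jackson.core:jackson-databind",
              "InstalledVersion": "2.13.0", "FixedVersion": "2.12.6.1, 2.13.2.1",
              "Severity": "HIGH"},
         ]},
    ],
})

# (result class, analyzer type, package, CVE id)
Finding = Tuple[str, str, str, str]


def analyzer_types(doc: str) -> Set[str]:
    """Language analyzers (jar, gobinary, ...) that produced a target."""
    results = json.loads(doc).get("Results", [])
    return {r["Type"] for r in results if r.get("Class") == "lang-pkgs"}


def findings(doc: str) -> Set[Finding]:
    """Every finding in the scan as a hashable tuple, across all targets."""
    out: Set[Finding] = set()
    for r in json.loads(doc).get("Results", []):
        for v in r.get("Vulnerabilities") or []:
            out.add((r.get("Class", "?"), r.get("Type", "?"),
                     v["PkgName"], v["VulnerabilityID"]))
    return out


def compare(native_doc: str, regular_doc: str) -> Dict[str, List]:
    """What the regular image's scan reports that the native image's lacks.

    OS package drift between the two builds is expected (97 vs 8 packages in
    the report), so only language-package findings are surfaced: a library
    CVE that is present in one build and absent in the other is either a
    real removal or, as in the report, an analyzer that never ran.
    """
    missing_types = analyzer_types(regular_doc) - analyzer_types(native_doc)
    missing = findings(regular_doc) - findings(native_doc)
    missing_lang = [f for f in missing if f[0] == "lang-pkgs"]
    return {
        "missing_analyzers": sorted(missing_types),
        "missing_language_findings": sorted(missing_lang),
    }


if __name__ == "__main__":
    # Usage: trivy image --format json -o native.json <native-image>
    #        trivy image --format json -o regular.json <regular-image>
    #        python compare_scans.py native.json regular.json
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as a, open(sys.argv[2]) as b:
            report = compare(a.read(), b.read())
    else:
        report = compare(NATIVE_SCAN, REGULAR_SCAN)
    print(json.dumps(report, indent=2))
```

An empty `missing_analyzers` list is the condition the reporter expects ("the same output in the native image and in the regular image"); a non-empty one, as with `jar` here, means a whole class of dependencies was never inspected, which is a different failure from a clean scan and should be treated as such in a pipeline gate.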