Trivy doesn't detect Red Hat vulnerabilities for packages with ':' in their resource names #5834
manojkrishnanomula started this conversation in False Detection
Replies: 2 comments
- For CVE-2023-3823 in RHEL 9 SA, we see 2 components with 2 different RHSAs:
  php -> RHSA-2024:0387
  php:9.1 -> RHSA-2023:5926
  Reference: https://access.redhat.com/security/cve/cve-2023-3823
- Those images are not accessible.
  But I guess reading https://docs.fedoraproject.org/en-US/modularity/ helps you.
-
IDs
CVE-2023-3823, CVE-2021-3618
Description
Red Hat sometimes reports package names along with the versions. Those are not detected by Trivy.
Many false positives and false negatives may be reported.
These are the examples:
Vulnerability in nginx package in srinuhub/aqua:33082 is being detected even though it is not vulnerable.
https://access.redhat.com/security/cve/cve-2021-3618
Vulnerability for php package is not detected in manojkrishna/php:v1 image.
https://access.redhat.com/security/cve/cve-2023-3823
I've observed that we create the buckets against the resource names reported by Red Hat, but sometimes they report the version with the resource name, like nginx:1.20/nginx, php:7.4/php etc. Then the resource name detected by Trivy is nginx, php, which doesn't match the bucket name, so these vulnerabilities are not being reported.
Reproduction Steps
1. Scan the above mentioned images.
2. We don't see the vulnerabilities against the nginx or php packages.
Target: Container Image
Scanner: Vulnerability
Target OS: No response
Debug Output
Version
Checklist
- `-f json` that shows data sources and confirmed that the security advisory in data sources was correct
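The mismatch the report describes, between advisory resource names such as `php:7.4/php` and the bare package name a scanner sees, is easy to show with a small matcher. The Go program below is an added illustration, not Trivy's own code: `ParseResourceName`, `Policy`, `Match`, the three policies and the sample advisories and packages are all constructed for this example (RHSA ids are placeholders, versions, fix levels and the modularity label are made up, and the version comparison is deliberately simplified). It buckets advisories three ways: on the literal resource string (the behaviour the report describes, which misses the modular php package), on the bare package name (which then wrongly flags a non-modular nginx against an `nginx:1.20` module advisory), and on the package name plus the RPM `modularitylabel` stream, which reports only the matching one.

```go
package main

import (
	"strconv"
	"strings"
)

// ResourceName is a Red Hat advisory resource name split into package and module stream:
// "php" -> {php ""}; "php:7.4/php" -> {php "php:7.4"}.
type ResourceName struct{ Package, ModuleStream string }

// ParseResourceName splits "module:stream/package"; ok is false for a malformed name. A bare
// "module:stream" (like the "php:9.1" in the thread) is assumed to name the module's main package.
func ParseResourceName(raw string) (ResourceName, bool) {
	stream, pkg, hasSlash := strings.Cut(raw, "/")
	if !hasSlash {
		if !strings.Contains(raw, ":") {
			return ResourceName{Package: raw}, raw != "" // plain, non-modular package
		}
		stream, pkg = raw, raw[:strings.Index(raw, ":")]
	}
	if mod, ver, _ := strings.Cut(stream, ":"); mod == "" || ver == "" || pkg == "" {
		return ResourceName{}, false
	}
	return ResourceName{Package: pkg, ModuleStream: stream}, true
}

// Advisory is one CVE/RHSA record as a scanner database would hold it.
type Advisory struct{ CVE, RHSA, Resource, FixedVersion string }

// InstalledPackage is an RPM found in the image. ModularityLabel holds the RPM
// "modularitylabel" header, "module:stream:version:context"; "" for non-modular builds.
type InstalledPackage struct{ Name, Version, ModularityLabel string }

func (p InstalledPackage) ModuleStream() string {
	if parts := strings.SplitN(p.ModularityLabel, ":", 3); len(parts) >= 2 {
		return parts[0] + ":" + parts[1]
	}
	return ""
}

// versionLess orders dotted numeric versions; real scanners use RPM's label comparison.
func versionLess(a, b string) bool {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) && i < len(bs); i++ {
		na, _ := strconv.Atoi(as[i])
		nb, _ := strconv.Atoi(bs[i])
		if na != nb {
			return na < nb
		}
	}
	return len(as) < len(bs)
}

// Policy says how advisories are bucketed and whether a bucket entry applies to an RPM.
type Policy struct {
	Key     func(Advisory) string
	Applies func(InstalledPackage, ResourceName) bool
}
func bareName(a Advisory) string { r, _ := ParseResourceName(a.Resource); return r.Package }
var (
	always = func(InstalledPackage, ResourceName) bool { return true }
	// ByRawName buckets on the literal resource string (the behaviour the report describes):
	// an installed "php" never reaches the "php:7.4/php" bucket, so the modular CVE is missed.
	ByRawName = Policy{func(a Advisory) string { return a.Resource }, always}
	// ByBareName buckets on the package name alone: a non-modular nginx now also matches
	// the nginx:1.20 module advisory, a false positive.
	ByBareName = Policy{bareName, always}
	// StreamAware additionally requires the advisory's module stream to equal the RPM's
	// modularity label stream ("" on both sides for non-modular packages).
	StreamAware = Policy{bareName, func(p InstalledPackage, r ResourceName) bool {
		return p.ModuleStream() == r.ModuleStream
	}}
)
type Hit struct{ Package, CVE string }

// Match buckets advisories by the policy key, looks each installed package up by name and
// reports it when the policy accepts the pairing and the installed version is below the fix.
func Match(pkgs []InstalledPackage, advs []Advisory, pol Policy) []Hit {
	buckets := map[string][]Advisory{}
	for _, a := range advs {
		buckets[pol.Key(a)] = append(buckets[pol.Key(a)], a)
	}
	var hits []Hit
	for _, p := range pkgs {
		for _, a := range buckets[p.Name] {
			res, ok := ParseResourceName(a.Resource)
			if ok && pol.Applies(p, res) && versionLess(p.Version, a.FixedVersion) {
				hits = append(hits, Hit{p.Name, a.CVE})
			}
		}
	}
	return hits
}

// Constructed sample data: resource-name shapes follow the thread; RHSA ids are
// placeholders and versions, fix levels and the modularity label are made up.
var SampleAdvisories = []Advisory{
	{"CVE-2023-3823", "RHSA-PLACEHOLDER-1", "php:7.4/php", "7.4.33"},
	{"CVE-2021-3618", "RHSA-PLACEHOLDER-2", "nginx:1.20/nginx", "1.20.2"},
}
var SamplePackages = []InstalledPackage{
	{"php", "7.4.19", "php:7.4:1234567890123456:00000000"}, // modular build
	{"nginx", "1.20.1", ""},                                // non-modular build
}
```

With the sample data, `Match(SamplePackages, SampleAdvisories, ByRawName)` returns nothing (the false negative from the report), `ByBareName` reports both php and nginx (the nginx hit is the false positive), and `StreamAware` reports only php. The point of the third policy is that the module stream is part of the package identity on Red Hat systems: an advisory for `php:7.4/php` says nothing about a non-modular php or about `php:8.0`, so the comparison has to run on both the name and the stream recorded in the RPM header.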