False negatives on php:8.1.0-fpm, php:8.2.5-fpm, ... #7958
IDs: CVE-2024-1874, CVE-2023-3824, CVE-2024-8927, CVE-2023-3823, CVE-2024-8925, CVE-2024-5458, CVE-2024-3096, CVE-2024-2756, CVE-2024-2408, CVE-2023-3247, CVE-2024-9026
Description:
When using Trivy on official php images, it fails to report any vulnerabilities present in (old) php versions. For example, for 8.2.5 no vulnerabilities for php are reported. As a reference, these are reported by Grype:
Reproduction Steps:
When calling `trivy --format cyclonedx image php:8.2.5-fpm` the resulting SBOM also does not contain any php dependencies.
Similar things happen on php:8.1.0-fpm.
Am I missing something obvious here? (I am new to Trivy; I think I have checked the necessary stuff before reporting.)
I have looked at the first CVE at https://security-tracker.debian.org/tracker/CVE-2024-1874, but I'm not sure that it matters since php isn't even present in the sbom generated by Trivy?
Or is it related to https://github.com/aquasecurity/trivy/discussions/6457?
That would be a shame, because you basically cannot scan lots of the official images such as for php, and probably other languages/runtimes as well.
Target: Container Image
Scanner: Vulnerability
Target OS: debian:11-slim
Debug Output:
$ trivy image php:8.1.0-fpm --debug
2024-11-19T20:31:02+01:00 DEBUG No plugins loaded
2024-11-19T20:31:02+01:00 DEBUG Default config file "file_path=trivy.yaml" not found, using built in values
2024-11-19T20:31:02+01:00 DEBUG Cache dir dir="/home/valentijn/.cache/trivy"
2024-11-19T20:31:02+01:00 DEBUG Cache dir dir="/home/valentijn/.cache/trivy"
2024-11-19T20:31:02+01:00 DEBUG Parsed severities severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-11-19T20:31:02+01:00 DEBUG Ignore statuses statuses=[]
2024-11-19T20:31:02+01:00 DEBUG DB update was skipped because the local DB is the latest
2024-11-19T20:31:02+01:00 DEBUG DB info schema=2 updated_at=2024-11-19T12:18:42.541978123Z next_update=2024-11-20T12:18:42.541977742Z downloaded_at=2024-11-19T15:26:33.421344724Z
2024-11-19T20:31:02+01:00 DEBUG [pkg] Package types types=[os library]
2024-11-19T20:31:02+01:00 DEBUG [pkg] Package relationships relationships=[unknown root direct indirect]
2024-11-19T20:31:02+01:00 INFO [vuln] Vulnerability scanning is enabled
2024-11-19T20:31:02+01:00 INFO [secret] Secret scanning is enabled
2024-11-19T20:31:02+01:00 INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-19T20:31:02+01:00 INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-19T20:31:02+01:00 DEBUG Enabling misconfiguration scanners scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-11-19T20:31:02+01:00 DEBUG Initializing scan cache... type="fs"
2024-11-19T20:31:02+01:00 DEBUG [secret] No secret config detected config_path="trivy-secret.yaml"
2024-11-19T20:31:02+01:00 DEBUG [secret] No secret config detected config_path="trivy-secret.yaml"
2024-11-19T20:31:02+01:00 DEBUG [image] Detected image ID image_id="sha256:ce4c0139f920d93c729b0122852e2e0dda381b480c15891257097bc80d0ed3ac"
2024-11-19T20:31:02+01:00 DEBUG [image] Detected diff ID diff_ids=[sha256:9321ff862abbe8e1532076e5fdc932371eff562334ac86984a836d77dfb717f5 sha256:ae6d225e2209e37464a6219da610401de0e4850ac18abc2fa629cc98e118b555 sha256:ddd4adc58b9efdb7012077807113cfdddff8e4a4c9b30c6cd7e59c016ab0ac8f sha256:b258e9d25731f7cca2fac9135b8cd7f851babb14c2084fa76d203346f3bb3fd1 sha256:f66724cb2f7412cfd59467dd006961a39cc53f9b8773ab2e476ec97a05f3d5ef sha256:0512bec3ebf34d4755286d901c373c9c5346082f865df8be859033d6103ae307 sha256:35312c8930d71f6e9e74eb902427df7b589de2332b2bfc2ea0e2cd940813632b sha256:2e65fd36bfa70301b6d92da7fa741564c5291a4d427c0ba54a28973880efcbcc sha256:0a1d77a6c12560ca0fa57d274b3cba04139fb71ab7e74d2907522b7a0e00d23c sha256:62a735227476c17283ec6fea694124935633ad506f99da34768473aae4149f33]
2024-11-19T20:31:02+01:00 DEBUG [image] Detected base layers diff_ids=[sha256:9321ff862abbe8e1532076e5fdc932371eff562334ac86984a836d77dfb717f5]
2024-11-19T20:31:02+01:00 INFO Detected OS family="debian" version="11.1"
2024-11-19T20:31:02+01:00 INFO [debian] Detecting vulnerabilities... os_version="11" pkg_num=168
2024-11-19T20:31:02+01:00 INFO Number of language-specific files num=0
2024-11-19T20:31:02+01:00 WARN Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.57/docs/scanner/vulnerability#severity-selection for details.
2024-11-19T20:31:02+01:00 DEBUG [vex] VEX filtering is disabled
Version:
Version: 0.57.0
Vulnerability DB:
Version: 2
UpdatedAt: 2024-11-19 12:18:42.541978123 +0000 UTC
NextUpdate: 2024-11-20 12:18:42.541977742 +0000 UTC
DownloadedAt: 2024-11-19 15:26:33.421344724 +0000 UTC
Java DB:
Version: 1
UpdatedAt: 2024-09-27 04:03:41.667506428 +0000 UTC
NextUpdate: 2024-09-30 04:03:41.667506248 +0000 UTC
DownloadedAt: 2024-09-27 06:54:13.456141065 +0000 UTC
Hello @valentijnscholten
Thanks for your report!
Trivy only detects Go and Rust binaries (cargo-auditable). If php is not installed from the OS package manager (apt/dpkg for this image), Trivy can't detect the php package and vulnerabilities for it. See https://trivy.dev/v0.57/docs/coverage/ and https://trivy.dev/v0.57/docs/coverage/language/#supported-languages for more details.
Regards, Dmitriy
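One way to catch this kind of gap before trusting a clean report: compare the runtimes actually present in the image against the components Trivy's CycloneDX SBOM lists, so that "php is absent from the SBOM" is surfaced as "not scanned" rather than "no findings". This is an added example, not code from this discussion or from Trivy; the SBOM JSON and the `php -v` output are constructed samples, and the function names are my own.

```python
"""Audit a Trivy CycloneDX SBOM for runtimes present in the image but absent
from the SBOM (the false-negative pattern discussed in this thread)."""
import json
import re

# Constructed sample: a minimal CycloneDX SBOM shaped like Trivy's output for
# php:8.2.5-fpm, where only dpkg-managed packages appear and php is missing.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "libc6", "version": "2.31-13+deb11u5",
         "purl": "pkg:deb/debian/libc6@2.31-13%2Bdeb11u5?arch=amd64&distro=debian-11.1"},
        {"type": "library", "name": "openssl", "version": "1.1.1w-0+deb11u1",
         "purl": "pkg:deb/debian/openssl@1.1.1w-0%2Bdeb11u1?arch=amd64&distro=debian-11.1"},
    ],
})

# Constructed sample of what `docker run --rm php:8.2.5-fpm php -v` prints.
SAMPLE_PHP_V = "PHP 8.2.5 (fpm-fcgi) (built: Apr 13 2023 03:17:09)\n"


def sbom_inventory(sbom_json: str) -> dict:
    """Map lower-cased component names to (version, purl type, e.g. 'deb')."""
    inv = {}
    for c in json.loads(sbom_json).get("components", []):
        purl = c.get("purl", "")
        ptype = purl[4:].split("/", 1)[0] if purl.startswith("pkg:") else None
        inv[c["name"].lower()] = (c.get("version"), ptype)
    return inv


def observed_php_version(php_v_output: str):
    """Extract the version from `php -v` output; None if it does not match."""
    m = re.match(r"PHP (\d+\.\d+\.\d+)", php_v_output)
    return m.group(1) if m else None


def find_sbom_gaps(sbom_json: str, observed: dict) -> dict:
    """observed maps runtime name -> version seen in the image. Returns every
    runtime the SBOM does not account for (missing, or a different version)."""
    inv = sbom_inventory(sbom_json)
    gaps = {}
    for name, version in observed.items():
        entry = inv.get(name.lower())
        if entry is None:
            gaps[name] = f"{version}: not in SBOM (no package-manager record)"
        elif entry[0] != version:
            gaps[name] = f"{version}: SBOM has {entry[0]}"
    return gaps


if __name__ == "__main__":
    php = observed_php_version(SAMPLE_PHP_V)
    print(find_sbom_gaps(SAMPLE_SBOM, {"php": php}))
```

In practice, feed it the JSON from `trivy --format cyclonedx image <image>` and the version strings printed by the runtimes inside the image; any entry in the result is a coverage gap that needs another scanner or a package-manager-installed runtime.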