If I scan a Bitnami image that contains a VEX file, I see a vulnerability discovered by the VEX document, and the same vulnerability discovered by the gobinary scanning.
The vulnerability from VEX scanning does not have a target reported (in either the table or JSON output).
Desired Behavior
I would expect 2 things:
The package to be reported as the target when discovered from a VEX file
When the VEX file documents a relationship between the package and its contained files, I would not expect additional, duplicate, vulnerability reports on those contained files.
Actual Behavior
The 2 expectations above are not met.
Reproduction Steps
Run trivy against a bitnami image with known vulnerability, for example docker.io/bitnami/grafana@sha256:5950f7be27595bccc83b70998bc44f85518a0c40c2c9bdeeaf6b29a15e6105f9
See debug output below. There are a bunch of OS package results that are not important to this issue; I removed them from the output to reduce noise.
Note the missing target information on the first gobinary, and that the second gobinary result is the same vulnerability for a file contained in the grafana package. This relationship is described in the SPDX file inside the image.
2024-11-21T07:56:01-05:00 DEBUG Default config file "file_path=trivy.yaml" not found, using built in values
2024-11-21T07:56:01-05:00 DEBUG Cache dir dir="/home/me/.cache/trivy"
2024-11-21T07:56:01-05:00 DEBUG Cache dir dir="/home/me/.cache/trivy"
2024-11-21T07:56:01-05:00 DEBUG Parsed severities severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-11-21T07:56:01-05:00 DEBUG Ignore statuses statuses=[]
2024-11-21T07:56:01-05:00 DEBUG [vulndb] There is no valid metadata file err="unable to open a file: open /home/me/.cache/trivy/db/metadata.json: no such file or directory"
2024-11-21T07:56:01-05:00 INFO [vulndb] Need to update DB
2024-11-21T07:56:01-05:00 DEBUG [vulndb] No metadata file
2024-11-21T07:56:01-05:00 INFO [vulndb] Downloading vulnerability DB...
2024-11-21T07:56:01-05:00 INFO [vulndb] Downloading artifact... repo="mirror.gcr.io/aquasec/trivy-db:2"
56.29 MiB / 56.29 MiB [--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 11.36 MiB p/s 5.2s
2024-11-21T07:56:08-05:00 INFO [vulndb] Artifact successfully downloaded repo="mirror.gcr.io/aquasec/trivy-db:2"
2024-11-21T07:56:08-05:00 DEBUG Updating database metadata...
2024-11-21T07:56:08-05:00 DEBUG DB info schema=2 updated_at=2024-11-21T06:15:30.929926099Z next_update=2024-11-22T06:15:30.929925699Z downloaded_at=2024-11-21T12:56:08.186166861Z
2024-11-21T07:56:08-05:00 DEBUG [pkg] Package types types=[os library]
2024-11-21T07:56:08-05:00 DEBUG [pkg] Package relationships relationships=[unknown root direct indirect]
2024-11-21T07:56:08-05:00 INFO [vuln] Vulnerability scanning is enabled
2024-11-21T07:56:08-05:00 INFO [secret] Secret scanning is enabled
2024-11-21T07:56:08-05:00 INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-21T07:56:08-05:00 INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-21T07:56:08-05:00 DEBUG Enabling misconfiguration scanners scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-11-21T07:56:08-05:00 DEBUG Initializing scan cache... type="fs"
2024-11-21T07:56:08-05:00 DEBUG [secret] No secret config detected config_path="trivy-secret.yaml"
2024-11-21T07:56:08-05:00 DEBUG [secret] No secret config detected config_path="trivy-secret.yaml"
2024-11-21T07:56:08-05:00 DEBUG [image] Detected image ID image_id="sha256:88f15faf60d7c1c1d31993e53fa4a5a2549023d49834176c11af5c626193415d"
2024-11-21T07:56:08-05:00 DEBUG [image] Detected diff ID diff_ids=[sha256:f904d4eeea257c5355ac3817b0350420751acf0bfcf81438a7d9b2055d7ee784]
2024-11-21T07:56:08-05:00 DEBUG [image] Detected base layers diff_ids=[]
2024-11-21T07:56:08-05:00 DEBUG [image] Missing image ID in cache image_id="sha256:88f15faf60d7c1c1d31993e53fa4a5a2549023d49834176c11af5c626193415d"
2024-11-21T07:56:08-05:00 DEBUG [image] Missing diff ID in cache diff_id="sha256:f904d4eeea257c5355ac3817b0350420751acf0bfcf81438a7d9b2055d7ee784"
2024-11-21T07:56:18-05:00 DEBUG [gobinary] Unable to detect main module's dependency version - `(devel)` is used dependency="github.com/bitnami/ini-file"
2024-11-21T07:56:18-05:00 DEBUG [gobinary] Parsing dependency's build info settings dependency="github.com/bitnami/ini-file" -ldflags=[-X main.commit= -X 'main.buildDate=2024-11-07 01:04:36 UTC'-s-w]
2024-11-21T07:56:18-05:00 DEBUG [gobinary] Unable to detect dependency version. `-ldflags` build info settings don't contain version flag. Empty version used. dependency="github.com/bitnami/ini-file"
2024-11-21T07:56:18-05:00 DEBUG [gobinary] Unable to detect main module's dependency version - `(devel)` is used dependency="github.com/grafana/grafana"
2024-11-21T07:56:18-05:00 DEBUG [gobinary] Parsing dependency's build info settings dependency="github.com/grafana/grafana" -ldflags=[-w -X main.version=11.3.0-pre -X main.commit=d9455ff7 -X main.buildstamp=1729270190 -X main.buildBranch=HEAD]
2024-11-21T07:56:18-05:00 DEBUG [gobinary] Unable to detect main module's dependency version - `(devel)` is used dependency="github.com/grafana/grafana/apps/playlist"
2024-11-21T07:56:18-05:00 DEBUG [gobinary] Unable to detect main module's dependency version - `(devel)` is used dependency="github.com/grafana/grafana/pkg/aggregator"
2024-11-21T07:56:18-05:00 DEBUG [gobinary] Unable to detect main module's dependency version - `(devel)` is used dependency="github.com/grafana/grafana/pkg/apimachinery"
2024-11-21T07:56:18-05:00 DEBUG [gobinary] Unable to detect main module's dependency version - `(devel)` is used dependency="github.com/grafana/grafana/pkg/apiserver"
2024-11-21T07:56:18-05:00 DEBUG [gobinary] Unable to detect main module's dependency version - `(devel)` is used dependency="github.com/grafana/grafana/pkg/promlib"
2024-11-21T07:56:18-05:00 DEBUG [gobinary] Unable to detect main module's dependency version - `(devel)` is used dependency="github.com/grafana/grafana/pkg/semconv"
2024-11-21T07:56:18-05:00 DEBUG [gobinary] Unable to detect main module's dependency version - `(devel)` is used dependency="github.com/grafana/grafana/pkg/storage/unified/apistore"
2024-11-21T07:56:18-05:00 DEBUG [gobinary] Unable to detect main module's dependency version - `(devel)` is used dependency="github.com/grafana/grafana/pkg/storage/unified/resource"
2024-11-21T07:56:18-05:00 DEBUG [gobinary] Unable to detect main module's dependency version - `(devel)` is used dependency="./pkg/util/xorm"
2024-11-21T07:56:18-05:00 DEBUG [gobinary] Unable to detect main module's dependency version - `(devel)` is used dependency="github.com/grafana/grafana"
2024-11-21T07:56:18-05:00 DEBUG [gobinary] Parsing dependency's build info settings dependency="github.com/grafana/grafana" -ldflags=[-w -X main.version=11.3.0-pre -X main.commit=d9455ff7 -X main.buildstamp=1729270190 -X main.buildBranch=HEAD]
2024-11-21T07:56:18-05:00 DEBUG [gobinary] Unable to detect main module's dependency version - `(devel)` is used dependency="github.com/grafana/grafana"
2024-11-21T07:56:18-05:00 DEBUG [gobinary] Parsing dependency's build info settings dependency="github.com/grafana/grafana" -ldflags=[-w -X main.version=11.3.0-pre -X main.commit=d9455ff7 -X main.buildstamp=1729270190 -X main.buildBranch=HEAD]
2024-11-21T07:56:23-05:00 WARN [secret] The size of the scanned file is too large. It is recommended to use `--skip-files`for this file to avoid high memory consumption. file_path="opt/bitnami/grafana/public/build/2150.21f907cc3e0b7a685dac.js.map" size (MB)=12
2024-11-21T07:56:25-05:00 WARN [secret] The size of the scanned file is too large. It is recommended to use `--skip-files`for this file to avoid high memory consumption. file_path="opt/bitnami/grafana/public/build/322.9e448e90c86f8dd2907e.js.map" size (MB)=11
2024-11-21T07:56:26-05:00 WARN [secret] The size of the scanned file is too large. It is recommended to use `--skip-files`for this file to avoid high memory consumption. file_path="opt/bitnami/grafana/public/build/3379.020d2edcd8eb1d9f6d9a.js.map" size (MB)=12
2024-11-21T07:56:28-05:00 WARN [secret] The size of the scanned file is too large. It is recommended to use `--skip-files`for this file to avoid high memory consumption. file_path="opt/bitnami/grafana/public/build/3520.51156d26d7b619a9eba0.js.map" size (MB)=13
2024-11-21T07:56:42-05:00 DEBUG No secrets found in container image config
2024-11-21T07:56:42-05:00 INFO Detected OS family="debian" version="12.8"
2024-11-21T07:56:42-05:00 INFO [debian] Detecting vulnerabilities... os_version="12" pkg_num=125
2024-11-21T07:56:42-05:00 INFO Number of language-specific files num=9
2024-11-21T07:56:42-05:00 INFO [gobinary] Detecting vulnerabilities...
2024-11-21T07:56:42-05:00 DEBUG [gobinary] Scanning packages for vulnerabilities file_path=""
2024-11-21T07:56:42-05:00 INFO [bitnami] Detecting vulnerabilities...
2024-11-21T07:56:42-05:00 DEBUG [bitnami] Scanning packages for vulnerabilities file_path="opt/bitnami/common"
2024-11-21T07:56:42-05:00 DEBUG [gobinary] Scanning packages for vulnerabilities file_path="opt/bitnami/common/bin/ini-file"
2024-11-21T07:56:42-05:00 DEBUG [gobinary] Skipping vulnerability scan as no version is detected for the package name="github.com/bitnami/ini-file"
2024-11-21T07:56:42-05:00 DEBUG [bitnami] Scanning packages for vulnerabilities file_path="opt/bitnami/grafana"
2024-11-21T07:56:42-05:00 DEBUG [gobinary] Scanning packages for vulnerabilities file_path="opt/bitnami/grafana/bin/grafana"
2024-11-21T07:56:42-05:00 DEBUG [gobinary] Skipping vulnerability scan as no version is detected for the package name="./pkg/util/xorm"
2024-11-21T07:56:42-05:00 DEBUG [gobinary] Skipping vulnerability scan as no version is detected for the package name="github.com/grafana/grafana/apps/playlist"
2024-11-21T07:56:42-05:00 DEBUG [gobinary] Skipping vulnerability scan as no version is detected for the package name="github.com/grafana/grafana/pkg/aggregator"
2024-11-21T07:56:42-05:00 DEBUG [gobinary] Skipping vulnerability scan as no version is detected for the package name="github.com/grafana/grafana/pkg/apimachinery"
2024-11-21T07:56:42-05:00 DEBUG [gobinary] Skipping vulnerability scan as no version is detected for the package name="github.com/grafana/grafana/pkg/apiserver"
2024-11-21T07:56:42-05:00 DEBUG [gobinary] Skipping vulnerability scan as no version is detected for the package name="github.com/grafana/grafana/pkg/promlib"
2024-11-21T07:56:42-05:00 DEBUG [gobinary] Skipping vulnerability scan as no version is detected for the package name="github.com/grafana/grafana/pkg/semconv"
2024-11-21T07:56:42-05:00 DEBUG [gobinary] Skipping vulnerability scan as no version is detected for the package name="github.com/grafana/grafana/pkg/storage/unified/apistore"
2024-11-21T07:56:42-05:00 DEBUG [gobinary] Skipping vulnerability scan as no version is detected for the package name="github.com/grafana/grafana/pkg/storage/unified/resource"
2024-11-21T07:56:42-05:00 DEBUG [gobinary] Scanning packages for vulnerabilities file_path="opt/bitnami/grafana/bin/grafana-cli"
2024-11-21T07:56:42-05:00 DEBUG [gobinary] Scanning packages for vulnerabilities file_path="opt/bitnami/grafana/bin/grafana-server"
2024-11-21T07:56:42-05:00 DEBUG [bitnami] Scanning packages for vulnerabilities file_path="opt/bitnami/mysql"
2024-11-21T07:56:42-05:00 INFO [node-pkg] Detecting vulnerabilities...
2024-11-21T07:56:42-05:00 DEBUG [node-pkg] Scanning packages for vulnerabilities file_path=""
2024-11-21T07:56:42-05:00 WARN Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.57/docs/scanner/vulnerability#severity-selection for details.
2024-11-21T07:56:42-05:00 DEBUG [vex] VEX filtering is disabled
docker.io/bitnami/grafana@sha256:5950f7be27595bccc83b70998bc44f85518a0c40c2c9bdeeaf6b29a15e6105f9 (debian 12.8)
Total: 126 (UNKNOWN: 0, LOW: 92, MEDIUM: 18, HIGH: 15, CRITICAL: 1)
... REMOVED OS PACKAGE RESULTS ...
2024-11-21T07:56:42-05:00 INFO Table result includes only package filenames. Use '--format json' option to get the full path to the package file.
(gobinary)
Total: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
┌────────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├────────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────┤
│ github.com/golang-jwt/jwt/v4 (grafana) │ CVE-2024-51744 │ LOW │ fixed │ v4.5.0 │ 4.5.1 │ golang-jwt: Bad documentation of error handling in │
│ │ │ │ │ │ │ ParseWithClaims can lead to potentially... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-51744 │
└────────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────┘
opt/bitnami/grafana/bin/grafana (gobinary)
Total: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
┌──────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├──────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────┤
│ github.com/golang-jwt/jwt/v4 │ CVE-2024-51744 │ LOW │ fixed │ v4.5.0 │ 4.5.1 │ golang-jwt: Bad documentation of error handling in │
│ │ │ │ │ │ │ ParseWithClaims can lead to potentially... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-51744 │
└──────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────┘
Operating System: RHEL 8
Version
Version: 0.57.1
Vulnerability DB:
Version: 2
UpdatedAt: 2024-11-21 06:15:30.929926099 +0000 UTC
NextUpdate: 2024-11-22 06:15:30.929925699 +0000 UTC
DownloadedAt: 2024-11-21 12:41:58.323547408 +0000 UTC
Java DB:
Version: 1
UpdatedAt: 2024-11-13 03:58:52.326472745 +0000 UTC
NextUpdate: 2024-11-16 03:58:52.326472254 +0000 UTC
DownloadedAt: 2024-11-13 13:24:54.22902779 +0000 UTC
Labels: kind/bug
Target: Container Image
Scanner: Vulnerability
Output Format: Table
Mode: Standalone
Checklist: trivy clean --all
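A triage script for the duplicate-finding behaviour this issue describes, added here as an example; it is not Trivy's code and not part of the reporter's post. It reads Trivy's --format json output (only the Results[].Target and Vulnerabilities[].VulnerabilityID, PkgName and InstalledVersion keys) and pairs the row that arrives with an empty Target with the file-level row carrying the same CVE, package and version, so the two can be collapsed or reviewed together. The embedded report is constructed to mirror the two gobinary results shown above.

```python
import json
from collections import defaultdict

# Constructed sample mirroring the two gobinary results shown in the issue:
# the VEX/Bitnami-package result with an empty Target, and the file-level
# result for the grafana binary that repeats the same CVE.
SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "", "Type": "gobinary", "Class": "lang-pkgs",
     "Vulnerabilities": [{"VulnerabilityID": "CVE-2024-51744",
                          "PkgName": "github.com/golang-jwt/jwt/v4",
                          "InstalledVersion": "v4.5.0"}]},
    {"Target": "opt/bitnami/grafana/bin/grafana", "Type": "gobinary",
     "Class": "lang-pkgs",
     "Vulnerabilities": [{"VulnerabilityID": "CVE-2024-51744",
                          "PkgName": "github.com/golang-jwt/jwt/v4",
                          "InstalledVersion": "v4.5.0"}]},
    {"Target": "opt/bitnami/grafana/bin/grafana-cli", "Type": "gobinary",
     "Class": "lang-pkgs", "Vulnerabilities": []},
]})

NO_TARGET = "<no target>"

def find_duplicates(report_json):
    """Map (cve, package, version) -> list of targets for findings that
    appear in more than one result. Results with an empty Target are
    listed as NO_TARGET so the VEX-derived row shows beside the file rows."""
    seen = defaultdict(list)
    for result in json.loads(report_json).get("Results", []):
        target = result.get("Target") or NO_TARGET
        for vuln in result.get("Vulnerabilities") or []:
            key = (vuln["VulnerabilityID"], vuln["PkgName"],
                   vuln.get("InstalledVersion", ""))
            seen[key].append(target)
    return {k: v for k, v in seen.items() if len(v) > 1}

def untargeted_findings(report_json):
    """Return (cve, package) pairs reported under a result with no Target,
    i.e. the rows this issue says should name the Bitnami package instead."""
    return [(v["VulnerabilityID"], v["PkgName"])
            for r in json.loads(report_json).get("Results", [])
            if not r.get("Target")
            for v in r.get("Vulnerabilities") or []]

if __name__ == "__main__":
    for key, targets in find_duplicates(SAMPLE_REPORT).items():
        print(key, "->", targets)
    print("untargeted:", untargeted_findings(SAMPLE_REPORT))
```

Pipe a real report in with json.dumps replaced by the file contents; findings whose only target is NO_TARGET are the ones with the missing target information, and keys with more than one target are the duplicates the issue asks Trivy to suppress.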