Trivy fails to scan SBOMs of RHEL/UBI 10: unable to find CPE indices #9679

candrews · 2025-10-16T17:24:08Z

candrews
Oct 16, 2025

Description

Scanning an SBOM of a RHEL or UBI 10 image fails.

This issue was previously reported for scanning (using trivy image) at aquasecurity/trivy-db#435 and supposedly fixed.

The issue is still reproducible when using SBOMs.

Desired Behavior

The scan should complete.

Actual Behavior

FATAL	Fatal error	run error: sbom scan error: scan error: scan failed: scan failed: failed to detect vulnerabilities: unable to scan OS packages: failed vulnerability detection of OS packages: failed detection: redhat vulnerability detection error: failed to get Red Hat advisories: unable to find CPE indices. See https://github.com/aquasecurity/trivy-db/issues/435 for details

Reproduction Steps

1. `trivy image --format cyclonedx --output test.cdx.json redhat/ubi10 && trivy sbom test.cdx.json`

Target

SBOM

Scanner

Vulnerability

Output Format

CycloneDX

Mode

Standalone

Debug Output

$ trivy image --format cyclonedx --output test.cdx.json redhat/ubi10 && trivy sbom test.cdx.json --debug
2025-10-16T13:22:46-04:00	INFO	"--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the "cyclonedx" report.
2025-10-16T13:22:48-04:00	INFO	Detected OS	family="redhat" version="10.0"
2025-10-16T13:22:48-04:00	INFO	Number of language-specific files	num=0
2025-10-16T13:22:48-04:00	DEBUG	No plugins loaded
2025-10-16T13:22:48-04:00	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2025-10-16T13:22:48-04:00	DEBUG	Cache dir	dir="/home/candrews/.cache/trivy"
2025-10-16T13:22:48-04:00	DEBUG	Cache dir	dir="/home/candrews/.cache/trivy"
2025-10-16T13:22:48-04:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-10-16T13:22:48-04:00	DEBUG	Ignore statuses	statuses=[]
2025-10-16T13:22:48-04:00	DEBUG	DB update was skipped because the local DB is the latest
2025-10-16T13:22:48-04:00	DEBUG	DB info	schema=2 updated_at=2025-10-16T12:29:12.328995978Z next_update=2025-10-17T12:29:12.328995717Z downloaded_at=2025-10-16T17:08:30.587505409Z
2025-10-16T13:22:48-04:00	DEBUG	[pkg] Package types	types=[os library]
2025-10-16T13:22:48-04:00	DEBUG	[pkg] Package relationships	relationships=[unknown root workspace direct indirect]
2025-10-16T13:22:48-04:00	INFO	[vuln] Vulnerability scanning is enabled
2025-10-16T13:22:48-04:00	DEBUG	Initializing scan cache...	type="memory"
2025-10-16T13:22:48-04:00	DEBUG	[notification] Running version check
2025-10-16T13:22:48-04:00	INFO	Detected SBOM format	format="cyclonedx-json"
2025-10-16T13:22:48-04:00	DEBUG	Unmarshalling CycloneDX JSON...
2025-10-16T13:22:48-04:00	DEBUG	[sbom] Skipping a component with an unsupported type	file_path="test.cdx.json" name="redhat/ubi10" version="" type="oci"
2025-10-16T13:22:48-04:00	INFO	Detected OS	family="redhat" version="10.0"
2025-10-16T13:22:48-04:00	INFO	[redhat] Detecting RHEL/CentOS vulnerabilities...	os_version="10" pkg_num=172
2025-10-16T13:22:48-04:00	FATAL	Fatal error
  - run error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.Run
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:398
  - sbom scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.run
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:439
  - scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:291
  - scan failed:
    github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scan
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:693
  - scan failed:
    github.com/aquasecurity/trivy/pkg/scan.Service.ScanArtifact
        /home/runner/work/trivy/trivy/pkg/scan/service.go:59
  - failed to detect vulnerabilities:
    github.com/aquasecurity/trivy/pkg/scan/local.Service.ScanTarget
        /home/runner/work/trivy/trivy/pkg/scan/local/service.go:127
  - unable to scan OS packages:
    github.com/aquasecurity/trivy/pkg/scan/local.Service.scanVulnerabilities
        /home/runner/work/trivy/trivy/pkg/scan/local/service.go:177
  - failed vulnerability detection of OS packages:
    github.com/aquasecurity/trivy/pkg/scan/ospkg.(*scanner).Scan
        /home/runner/work/trivy/trivy/pkg/scan/ospkg/scan.go:55
  - failed detection:
    github.com/aquasecurity/trivy/pkg/detector/ospkg.Detect
        /home/runner/work/trivy/trivy/pkg/detector/ospkg/detect.go:94
  - redhat vulnerability detection error:
    github.com/aquasecurity/trivy/pkg/detector/ospkg/redhat.(*Scanner).Detect
        /home/runner/work/trivy/trivy/pkg/detector/ospkg/redhat/redhat.go:95
  - failed to get Red Hat advisories:
    github.com/aquasecurity/trivy/pkg/detector/ospkg/redhat.(*Scanner).detect
        /home/runner/work/trivy/trivy/pkg/detector/ospkg/redhat/redhat.go:120
  - Oops: unable to find CPE indices. See https://github.com/aquasecurity/trivy-db/issues/435 for details
    Time: 2025-10-16 17:22:48.595252048 +0000 UTC
    Domain: redhat
    Tags: oval
    Trace: 01K7Q0QD4M3DXPC21HBV20MBEM
    Context:
      * package_name: alternatives
      * repositories: []
      * nvrs: []
    Stacktrace:
      Oops: unable to find CPE indices. See https://github.com/aquasecurity/trivy-db/issues/435 for details
        --- at /home/runner/go/pkg/mod/github.com/aquasecurity/[email protected]/pkg/vulnsrc/redhat-oval/redhat-oval.go:262 VulnSrc.Get()
        --- at /home/runner/work/trivy/trivy/pkg/detector/ospkg/redhat/redhat.go:118 Scanner.detect()
        --- at /home/runner/work/trivy/trivy/pkg/detector/ospkg/redhat/redhat.go:93 Scanner.Detect()
        --- at /home/runner/work/trivy/trivy/pkg/detector/ospkg/detect.go:92 Detect()
        --- at /home/runner/work/trivy/trivy/pkg/scan/ospkg/scan.go:52 scanner.Scan()
        --- at /home/runner/work/trivy/trivy/pkg/scan/local/service.go:172 Service.scanVulnerabilities()
        --- at /home/runner/work/trivy/trivy/pkg/scan/local/service.go:125 Service.ScanTarget()
        --- at /home/runner/work/trivy/trivy/pkg/scan/local/service.go:102 Service.Scan()
        --- at /home/runner/work/trivy/trivy/pkg/scan/service.go:57 Service.ScanArtifact()
        --- at /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:691 runner.scan()
[1]
candrews@craigworking ~/projects$ trivy image --format cyclonedx --output test.cdx.json redhat/ubi10 --debug && trivy sbom test.cdx.json --debug
2025-10-16T13:23:15-04:00	DEBUG	No plugins loaded
2025-10-16T13:23:15-04:00	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2025-10-16T13:23:15-04:00	DEBUG	Cache dir	dir="/home/candrews/.cache/trivy"
2025-10-16T13:23:15-04:00	DEBUG	Cache dir	dir="/home/candrews/.cache/trivy"
2025-10-16T13:23:15-04:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-10-16T13:23:15-04:00	DEBUG	Ignore statuses	statuses=[]
2025-10-16T13:23:15-04:00	INFO	"--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the "cyclonedx" report.
2025-10-16T13:23:15-04:00	DEBUG	[pkg] Package types	types=[os library]
2025-10-16T13:23:15-04:00	DEBUG	[pkg] Package relationships	relationships=[unknown root workspace direct indirect]
2025-10-16T13:23:15-04:00	DEBUG	Initializing scan cache...	type="fs"
2025-10-16T13:23:15-04:00	DEBUG	[notification] Running version check
2025-10-16T13:23:15-04:00	DEBUG	Created process-specific temp directory	path="/tmp/trivy-74444"
2025-10-16T13:23:15-04:00	DEBUG	[image] Image found	image="redhat/ubi10" source="docker"
2025-10-16T13:23:15-04:00	DEBUG	[image] Detected image ID	image_id="sha256:d8c6dbe516018b7032fe88fd9dec3921f799f84dbe5b0ee254624c12f6b7efe6"
2025-10-16T13:23:15-04:00	DEBUG	Saving the container image to a local file to obtain the image config...
2025-10-16T13:23:15-04:00	DEBUG	[notification] Version check completed	latest_version="0.67.2"
2025-10-16T13:23:17-04:00	DEBUG	[image] Detected diff ID	diff_ids=[sha256:e7bd026f68fb3d57abd554132d130befd566c06acae31c3e0838a49fdcb7bc3c]
2025-10-16T13:23:17-04:00	DEBUG	[image] Detected base layers	diff_ids=[]
2025-10-16T13:23:17-04:00	INFO	Detected OS	family="redhat" version="10.0"
2025-10-16T13:23:17-04:00	INFO	Number of language-specific files	num=0
2025-10-16T13:23:17-04:00	DEBUG	Specified ignore file does not exist	file=".trivyignore"
2025-10-16T13:23:17-04:00	DEBUG	[vex] VEX filtering is disabled
2025-10-16T13:23:17-04:00	DEBUG	Cleaning up temp directory	path="/tmp/trivy-74444"
2025-10-16T13:23:17-04:00	DEBUG	No plugins loaded
2025-10-16T13:23:17-04:00	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2025-10-16T13:23:17-04:00	DEBUG	Cache dir	dir="/home/candrews/.cache/trivy"
2025-10-16T13:23:17-04:00	DEBUG	Cache dir	dir="/home/candrews/.cache/trivy"
2025-10-16T13:23:17-04:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-10-16T13:23:17-04:00	DEBUG	Ignore statuses	statuses=[]
2025-10-16T13:23:17-04:00	DEBUG	DB update was skipped because the local DB is the latest
2025-10-16T13:23:17-04:00	DEBUG	DB info	schema=2 updated_at=2025-10-16T12:29:12.328995978Z next_update=2025-10-17T12:29:12.328995717Z downloaded_at=2025-10-16T17:08:30.587505409Z
2025-10-16T13:23:17-04:00	DEBUG	[pkg] Package types	types=[os library]
2025-10-16T13:23:17-04:00	DEBUG	[pkg] Package relationships	relationships=[unknown root workspace direct indirect]
2025-10-16T13:23:17-04:00	INFO	[vuln] Vulnerability scanning is enabled
2025-10-16T13:23:17-04:00	DEBUG	Initializing scan cache...	type="memory"
2025-10-16T13:23:17-04:00	DEBUG	[notification] Running version check
2025-10-16T13:23:17-04:00	INFO	Detected SBOM format	format="cyclonedx-json"
2025-10-16T13:23:17-04:00	DEBUG	Unmarshalling CycloneDX JSON...
2025-10-16T13:23:17-04:00	DEBUG	[sbom] Skipping a component with an unsupported type	file_path="test.cdx.json" name="redhat/ubi10" version="" type="oci"
2025-10-16T13:23:17-04:00	INFO	Detected OS	family="redhat" version="10.0"
2025-10-16T13:23:17-04:00	INFO	[redhat] Detecting RHEL/CentOS vulnerabilities...	os_version="10" pkg_num=172
2025-10-16T13:23:17-04:00	FATAL	Fatal error
  - run error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.Run
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:398
  - sbom scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.run
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:439
  - scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:291
  - scan failed:
    github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scan
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:693
  - scan failed:
    github.com/aquasecurity/trivy/pkg/scan.Service.ScanArtifact
        /home/runner/work/trivy/trivy/pkg/scan/service.go:59
  - failed to detect vulnerabilities:
    github.com/aquasecurity/trivy/pkg/scan/local.Service.ScanTarget
        /home/runner/work/trivy/trivy/pkg/scan/local/service.go:127
  - unable to scan OS packages:
    github.com/aquasecurity/trivy/pkg/scan/local.Service.scanVulnerabilities
        /home/runner/work/trivy/trivy/pkg/scan/local/service.go:177
  - failed vulnerability detection of OS packages:
    github.com/aquasecurity/trivy/pkg/scan/ospkg.(*scanner).Scan
        /home/runner/work/trivy/trivy/pkg/scan/ospkg/scan.go:55
  - failed detection:
    github.com/aquasecurity/trivy/pkg/detector/ospkg.Detect
        /home/runner/work/trivy/trivy/pkg/detector/ospkg/detect.go:94
  - redhat vulnerability detection error:
    github.com/aquasecurity/trivy/pkg/detector/ospkg/redhat.(*Scanner).Detect
        /home/runner/work/trivy/trivy/pkg/detector/ospkg/redhat/redhat.go:95
  - failed to get Red Hat advisories:
    github.com/aquasecurity/trivy/pkg/detector/ospkg/redhat.(*Scanner).detect
        /home/runner/work/trivy/trivy/pkg/detector/ospkg/redhat/redhat.go:120
  - Oops: unable to find CPE indices. See https://github.com/aquasecurity/trivy-db/issues/435 for details
    Time: 2025-10-16 17:23:17.271619523 +0000 UTC
    Domain: redhat
    Tags: oval
    Trace: 01K7Q0R94STYQ3E53F10KHMY74
    Context:
      * package_name: alternatives
      * repositories: []
      * nvrs: []
    Stacktrace:
      Oops: unable to find CPE indices. See https://github.com/aquasecurity/trivy-db/issues/435 for details
        --- at /home/runner/go/pkg/mod/github.com/aquasecurity/[email protected]/pkg/vulnsrc/redhat-oval/redhat-oval.go:262 VulnSrc.Get()
        --- at /home/runner/work/trivy/trivy/pkg/detector/ospkg/redhat/redhat.go:118 Scanner.detect()
        --- at /home/runner/work/trivy/trivy/pkg/detector/ospkg/redhat/redhat.go:93 Scanner.Detect()
        --- at /home/runner/work/trivy/trivy/pkg/detector/ospkg/detect.go:92 Detect()
        --- at /home/runner/work/trivy/trivy/pkg/scan/ospkg/scan.go:52 scanner.Scan()
        --- at /home/runner/work/trivy/trivy/pkg/scan/local/service.go:172 Service.scanVulnerabilities()
        --- at /home/runner/work/trivy/trivy/pkg/scan/local/service.go:125 Service.ScanTarget()
        --- at /home/runner/work/trivy/trivy/pkg/scan/local/service.go:102 Service.Scan()
        --- at /home/runner/work/trivy/trivy/pkg/scan/service.go:57 Service.ScanArtifact()
        --- at /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:691 runner.scan()
[1]

Operating System

Linux

Version

$ trivy --version
Version: 0.67.2
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-10-16 12:29:12.328995978 +0000 UTC
  NextUpdate: 2025-10-17 12:29:12.328995717 +0000 UTC
  DownloadedAt: 2025-10-16 17:08:30.587505409 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2025-02-14 02:24:51.921228254 +0000 UTC
  NextUpdate: 2025-02-17 02:24:51.921228094 +0000 UTC
  DownloadedAt: 2025-02-24 20:15:07.116719167 +0000 UTC
Check Bundle:
  Digest: sha256:a471e90b7c7335e914ec9075b74cf8f65e4c91e6cecfa7e39c587382808d2684
  DownloadedAt: 2025-09-15 14:17:42.443579072 +0000 UTC

Checklist

Run trivy clean --all
Read the troubleshooting

DmitriyLewen · 2025-10-17T06:44:51Z

DmitriyLewen
Oct 17, 2025
Maintainer

Hello @candrews
Thanks for your report!

I should note that Trivy currently doesn’t support vulnerability detection for Red Hat 10.

But i found another problem and created #9682.

Regards, Dmitriy

2 replies

candrews Oct 17, 2025
Author

I should note that Trivy currently doesn’t support vulnerability detection for Red Hat 10.

Which issue can I follow to learn when that will be supported?

DmitriyLewen Oct 20, 2025
Maintainer

#7452

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Trivy fails to scan SBOMs of RHEL/UBI 10: unable to find CPE indices #9679

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 1 comment 2 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Uh oh!

Trivy fails to scan SBOMs of RHEL/UBI 10: unable to find CPE indices #9679

Uh oh!

Uh oh!

candrews Oct 16, 2025

Description

Desired Behavior

Actual Behavior

Reproduction Steps

Target

Scanner

Output Format

Mode

Debug Output

Operating System

Version

Checklist

Replies: 1 comment · 2 replies

Uh oh!

DmitriyLewen Oct 17, 2025 Maintainer

Uh oh!

candrews Oct 17, 2025 Author

Uh oh!

DmitriyLewen Oct 20, 2025 Maintainer

candrews
Oct 16, 2025

Replies: 1 comment 2 replies

DmitriyLewen
Oct 17, 2025
Maintainer

candrews Oct 17, 2025
Author

DmitriyLewen Oct 20, 2025
Maintainer