false detection in alpine latest docker images

[arunvc]

IDs

CVE-2025-58050

Description

Affected version is 10.45, still vulnerability report shows

GHSA-c2gv-xgf5-5cc2

its mentioned Release 10.44 and earlier are not affected.

Reproduction Steps

docker run --rm   -v ~/.cache/trivy:/root/.cache/trivy   aquasec/trivy image haproxy:3.2-alpine

Target

Container Image

Scanner

Vulnerability

Target OS

Ununtu 22

Debug Output

2025-10-23T00:09:56Z	DEBUG	No plugins loaded
2025-10-23T00:09:56Z	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2025-10-23T00:09:56Z	DEBUG	Cache dir	dir="/root/.cache/trivy"
2025-10-23T00:09:56Z	DEBUG	Cache dir	dir="/root/.cache/trivy"
2025-10-23T00:09:56Z	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-10-23T00:09:56Z	DEBUG	Ignore statuses	statuses=[]
2025-10-23T00:09:56Z	DEBUG	DB update was skipped because the local DB is the latest
2025-10-23T00:09:56Z	DEBUG	DB info	schema=2 updated_at=2025-10-22T06:30:05.490929943Z next_update=2025-10-23T06:30:05.490929662Z downloaded_at=2025-10-22T12:27:47.781802995Z
2025-10-23T00:09:56Z	DEBUG	[pkg] Package types	types=[os library]
2025-10-23T00:09:56Z	DEBUG	[pkg] Package relationships	relationships=[unknown root workspace direct indirect]
2025-10-23T00:09:56Z	INFO	[vuln] Vulnerability scanning is enabled
2025-10-23T00:09:56Z	INFO	[secret] Secret scanning is enabled
2025-10-23T00:09:56Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-10-23T00:09:56Z	INFO	[secret] Please see https://trivy.dev/v0.67/docs/scanner/secret#recommendation for faster secret detection
2025-10-23T00:09:56Z	DEBUG	Initializing scan cache...	type="fs"
2025-10-23T00:09:56Z	DEBUG	[notification] Running version check
2025-10-23T00:09:56Z	DEBUG	[notification] Version check completed	latest_version="0.67.2"
2025-10-23T00:09:59Z	DEBUG	[image] Image found	image="haproxy:3.2-alpine" source="remote"
2025-10-23T00:09:59Z	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2025-10-23T00:09:59Z	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2025-10-23T00:09:59Z	DEBUG	Created process-specific temp directory	path="/tmp/trivy-1"
2025-10-23T00:09:59Z	DEBUG	[image] Detected image ID	image_id="sha256:cb3e8cf6a18ca82ce959cda4ae0344575137a64f86d95a2b449ed39424d7f8c4"
2025-10-23T00:09:59Z	DEBUG	[image] Detected diff ID	diff_ids=[sha256:256f393e029fa2063d8c93720da36a74a032bed3355a2bc3e313ad12f8bde9d1 sha256:620fbd33f20046a35c194d9b7a5b05f43152d3580a3137a6419643c022a2bd2c sha256:01efcaf06cb8582c9e8a1f94ff181f868d8a81af068a4370a5088db841f50cbb sha256:d24e4e0710f59d0c890470ac80a742533003d37869aa611ce1b782f2dbcfd52c sha256:4fd9809963d2eafff51227a84ed5a1aaeb9aa122e5ddb5a52ba350495838d519 sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef]
2025-10-23T00:09:59Z	DEBUG	[image] Detected base layers	diff_ids=[sha256:256f393e029fa2063d8c93720da36a74a032bed3355a2bc3e313ad12f8bde9d1]
2025-10-23T00:10:00Z	INFO	Detected OS	family="alpine" version="3.22.2"
2025-10-23T00:10:00Z	INFO	[alpine] Detecting vulnerabilities...	os_version="3.22" repository="3.22" pkg_num=20
2025-10-23T00:10:00Z	INFO	Number of language-specific files	num=0
2025-10-23T00:10:01Z	DEBUG	Specified ignore file does not exist	file=".trivyignore"
2025-10-23T00:10:01Z	DEBUG	[vex] VEX filtering is disabled

Version

latest

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[DmitriyLewen]

Hello @arunvc
Thanks for your report!

pcre is alpine package (i mean installed from apk)
So you need to look into Alpine advisories.

More info here - https://trivy.dev/latest/docs/scanner/vulnerability/#data-source-selection

Regards, Dmitriy

[arunvc]

Affected version is pcre2 10.45 version only, its not like anything under 10.45 has issue
so there was no issues in version < 10.45, thats mentioned here GHSA-c2gv-xgf5-5cc2

problem is with trivy scan,  
am using pcre2 version 10.43 
so the scan should not make this as critical issue

[DmitriyLewen]

Hello @arunvc
As I said before, you need to check the Alpine advisory database for apk packages.

Their DB contains only fixed versions, so we can't determine the vulnerable version range — https://secdb.alpinelinux.org/v3.22/main.json

You can filter these vulnerabilities — https://trivy.dev/latest/docs/configuration/filtering/
I think VEX would be a good solution for you.