Java native image not reporting vulnerabilities #4251

Albertoimpl · 2022-09-06T15:26:52Z

Albertoimpl
Sep 6, 2022

Description

When compiling a project as a native image, even if there is a BOM layer containing the dependencies, they get ignored and are not reported.

What did you expect to happen?

I expect the same output in the native image and in the regular image.

What happened instead?

Ignores all the Java code.

Output of run with `-debug`:

➜  ~ trivy image --debug 'native-trivy-demo:0.0.1-SNAPSHOT'
2022-09-06T17:15:25.247+0200	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2022-09-06T17:15:25.291+0200	DEBUG	cache dir:  /Users/rcallejarios/Library/Caches/trivy
2022-09-06T17:15:25.292+0200	DEBUG	DB update was skipped because the local DB is the latest
2022-09-06T17:15:25.292+0200	DEBUG	DB Schema: 2, UpdatedAt: 2022-09-06 12:12:56.495473442 +0000 UTC, NextUpdate: 2022-09-06 18:12:56.495473142 +0000 UTC, DownloadedAt: 2022-09-06 14:57:30.410549 +0000 UTC
2022-09-06T17:15:25.293+0200	INFO	Vulnerability scanning is enabled
2022-09-06T17:15:25.293+0200	DEBUG	Vulnerability type:  [os library]
2022-09-06T17:15:25.293+0200	INFO	Secret scanning is enabled
2022-09-06T17:15:25.293+0200	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-09-06T17:15:25.293+0200	INFO	Please see also https://aquasecurity.github.io/trivy/v0.31.3/docs/secret/scanning/#recommendation for faster secret detection
2022-09-06T17:15:25.307+0200	DEBUG	No secret config detected: trivy-secret.yaml
2022-09-06T17:15:25.307+0200	DEBUG	Image ID: sha256:8ef3541e5e3a8357f4a534af8b92623af000699e24243ec052ab5ac479cb9e14
2022-09-06T17:15:25.307+0200	DEBUG	Diff IDs: [sha256:326fd01a8050a4a649ff7814cd9717d46c01538591a129ed435ab5e46bd0508f sha256:e8c18dc357f51e68934c5b2cd1d96f645c1a3f5211d6b34589bcc651e4e15329 sha256:7bb78388a8bb41810ef5dc3711d5763b70954d7414c8d604463c12d1ccedcacc sha256:f97bf240080d566cdc873c0a3aba958c29096fb5563ed2a4d58d80dd590db9b3 sha256:ac32dbb1d0029fcc6b210f80493df27e7c641e79d87d79c4b5d4d2de77c29f04 sha256:9497805c7bd5df192c4ccf7cf9c4496963c1c008141fe134765e23a3800fa4cf sha256:90c2fc367aa710e8b05419807ea844cbd72d97fbad68c64a83145ae0635fcb4e sha256:76dc679a925b81efc75002d9dfd2fe7bec4c6ab4004e0215f810adc954905894]
2022-09-06T17:15:25.307+0200	DEBUG	Base Layers: []
2022-09-06T17:15:25.310+0200	DEBUG	Missing image ID in cache: sha256:8ef3541e5e3a8357f4a534af8b92623af000699e24243ec052ab5ac479cb9e14
2022-09-06T17:15:25.311+0200	DEBUG	Missing diff ID in cache: sha256:ac32dbb1d0029fcc6b210f80493df27e7c641e79d87d79c4b5d4d2de77c29f04
2022-09-06T17:15:25.311+0200	DEBUG	Missing diff ID in cache: sha256:f97bf240080d566cdc873c0a3aba958c29096fb5563ed2a4d58d80dd590db9b3
2022-09-06T17:15:26.527+0200	INFO	Detected OS: ubuntu
2022-09-06T17:15:26.527+0200	INFO	Detecting Ubuntu vulnerabilities...
2022-09-06T17:15:26.527+0200	DEBUG	ubuntu: os version: 18.04
2022-09-06T17:15:26.527+0200	DEBUG	ubuntu: the number of packages: 8
2022-09-06T17:15:26.530+0200	INFO	Number of language-specific files: 2
2022-09-06T17:15:26.530+0200	INFO	Detecting gobinary vulnerabilities...
2022-09-06T17:15:26.530+0200	DEBUG	Detecting library vulnerabilities, type: gobinary, path: cnb/lifecycle/launcher
2022-09-06T17:15:26.532+0200	DEBUG	Detecting library vulnerabilities, type: gobinary, path: layers/paketo-buildpacks_ca-certificates/helper/helper

native-trivy-demo:0.0.1-SNAPSHOT (ubuntu 18.04)

Total: 3 (UNKNOWN: 0, LOW: 3, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                           Title                            │
├─────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ libc6   │ CVE-2009-5155  │ LOW      │ 2.27-3ubuntu1.6   │               │ glibc: parse_reg_exp in posix/regcomp.c misparses          │
│         │                │          │                   │               │ alternatives leading to denial of service or...            │
│         │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2009-5155                  │
│         ├────────────────┤          │                   ├───────────────┼────────────────────────────────────────────────────────────┤
│         │ CVE-2015-8985  │          │                   │               │ glibc: potential denial of service in pop_fail_stack()     │
│         │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2015-8985                  │
│         ├────────────────┤          │                   ├───────────────┼────────────────────────────────────────────────────────────┤
│         │ CVE-2016-20013 │          │                   │               │ sha256crypt and sha512crypt through 0.6 allow attackers to │
│         │                │          │                   │               │ cause a denial of...                                       │
│         │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2016-20013                 │
└─────────┴────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘

➜  ~  trivy image --debug 'regular-trivy-demo:0.0.1-SNAPSHOT'
2022-09-06T17:16:29.258+0200	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2022-09-06T17:16:29.297+0200	DEBUG	cache dir:  /Users/rcallejarios/Library/Caches/trivy
2022-09-06T17:16:29.298+0200	DEBUG	DB update was skipped because the local DB is the latest
2022-09-06T17:16:29.298+0200	DEBUG	DB Schema: 2, UpdatedAt: 2022-09-06 12:12:56.495473442 +0000 UTC, NextUpdate: 2022-09-06 18:12:56.495473142 +0000 UTC, DownloadedAt: 2022-09-06 14:57:30.410549 +0000 UTC
2022-09-06T17:16:29.298+0200	INFO	Vulnerability scanning is enabled
2022-09-06T17:16:29.298+0200	DEBUG	Vulnerability type:  [os library]
2022-09-06T17:16:29.298+0200	INFO	Secret scanning is enabled
2022-09-06T17:16:29.298+0200	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-09-06T17:16:29.298+0200	INFO	Please see also https://aquasecurity.github.io/trivy/v0.31.3/docs/secret/scanning/#recommendation for faster secret detection
2022-09-06T17:16:29.311+0200	DEBUG	No secret config detected: trivy-secret.yaml
2022-09-06T17:16:29.312+0200	DEBUG	Image ID: sha256:8abcf83fe22427f1827b67ea11af206ae9d5ef72398ab22262a09fa729515957
2022-09-06T17:16:29.312+0200	DEBUG	Diff IDs: [sha256:1a996540f50f2464d3e1e09c47dde9ef3673a2fdec7b70716a60c0df0c0ada51 sha256:bcee057186ad4ec678be8f83a72145f9f97e8023c6c9e3c3732e05ef594c5eb4 sha256:959a0969cd4b8a2335b304f4a424c266057d4f10b78c3ba7571201a3da3492fe sha256:35462b7febfbbc6ba00ea954c0fcec5defb80f6c30adb450b57b6ea4db2df0a8 sha256:5b8b907a28e64fe5a96b0d9583e4beeb0d491fa4e27dbf8cb84713eb9c725f49 sha256:7bb78388a8bb41810ef5dc3711d5763b70954d7414c8d604463c12d1ccedcacc sha256:4a967a6f20309fd6888e0c4192bd3270c19c5d36c64ef307825364035fe3250e sha256:ec0381c8f32136ad9564b114b2271d1181e0c181957acb6707e6ff4713a7a89d sha256:0cf3b19112288f5a96a8364f905f3ba0185aa178eca09da491492c7f6d4b6a1f sha256:7fbc97c38fad01ae2b8189c8d9a0a0149932192accc4ad253b0f8186d0793e9a sha256:28d31c76bca111ac2ced4d4c9c794d03956c291ea19d7749b4a1197290d3a2e5 sha256:33df858545b5408f86e2adc84c9d6696fd3f3ab16065d01a9c3e3366de12a462 sha256:fcc507beb4ccdbc112909bcf999e90802212e4fc86afa20617a863e89081a6da sha256:cad26987c35259156fa118544caa381f653a14bdefb3ce71d8c353e73f134fcb sha256:38df0160fe65226601bf9c881afe8a8bfd24bb11ad8ba0319950e9390b585800 sha256:a258d333203171b7ab72537f4bf60896e7df648a268e66314416303702db90f7 sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef sha256:8f3c298a4ba4d3f75c03ec2de32fe8b7f166bc6b0e6bcea6570baea98633be4a sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef sha256:9497805c7bd5df192c4ccf7cf9c4496963c1c008141fe134765e23a3800fa4cf sha256:4095cdf96410ef09a8dcfdc518235e7096e0cb0225bbcb2dd5a2430a0d0da0b0 sha256:1dc94a70dbaa2171fb086500a5d27797f779219b126b0a1eebb9180c2792e80e]
2022-09-06T17:16:29.312+0200	DEBUG	Base Layers: []
2022-09-06T17:16:29.319+0200	INFO	Detected OS: ubuntu
2022-09-06T17:16:29.319+0200	INFO	Detecting Ubuntu vulnerabilities...
2022-09-06T17:16:29.319+0200	DEBUG	ubuntu: os version: 18.04
2022-09-06T17:16:29.319+0200	DEBUG	ubuntu: the number of packages: 97
2022-09-06T17:16:29.328+0200	INFO	Number of language-specific files: 5
2022-09-06T17:16:29.328+0200	INFO	Detecting gobinary vulnerabilities...
2022-09-06T17:16:29.328+0200	DEBUG	Detecting library vulnerabilities, type: gobinary, path: layers/paketo-buildpacks_ca-certificates/helper/helper
2022-09-06T17:16:29.329+0200	DEBUG	Detecting library vulnerabilities, type: gobinary, path: layers/paketo-buildpacks_bellsoft-liberica/helper/helper
2022-09-06T17:16:29.330+0200	DEBUG	Detecting library vulnerabilities, type: gobinary, path: layers/paketo-buildpacks_spring-boot/helper/helper
2022-09-06T17:16:29.330+0200	DEBUG	Detecting library vulnerabilities, type: gobinary, path: cnb/lifecycle/launcher
2022-09-06T17:16:29.330+0200	INFO	Detecting jar vulnerabilities...
2022-09-06T17:16:29.330+0200	DEBUG	Detecting library vulnerabilities, type: jar, path:

regular-trivy-demo:0.0.1-SNAPSHOT (ubuntu 18.04)

Total: 38 (UNKNOWN: 0, LOW: 34, MEDIUM: 4, HIGH: 0, CRITICAL: 0)

┌──────────────┬────────────────┬──────────┬──────────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│   Library    │ Vulnerability  │ Severity │  Installed Version   │ Fixed Version │                            Title                             │
├──────────────┼────────────────┼──────────┼──────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ coreutils    │ CVE-2016-2781  │ LOW      │ 8.28-1ubuntu1        │               │ coreutils: Non-privileged session can escape to the parent   │
│              │                │          │                      │               │ session in chroot                                            │
│              │                │          │                      │               │ https://avd.aquasec.com/nvd/cve-2016-2781                    │
├──────────────┼────────────────┼──────────┼──────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ gcc-8-base   │ CVE-2020-13844 │ MEDIUM   │ 8.4.0-1ubuntu1~18.04 │               │ kernel: ARM straight-line speculation vulnerability          │
│              │                │          │                      │               │ https://avd.aquasec.com/nvd/cve-2020-13844                   │
├──────────────┼────────────────┼──────────┼──────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libc-bin     │ CVE-2009-5155  │ LOW      │ 2.27-3ubuntu1.6      │               │ glibc: parse_reg_exp in posix/regcomp.c misparses            │
│              │                │          │                      │               │ alternatives leading to denial of service or...              │
│              │                │          │                      │               │ https://avd.aquasec.com/nvd/cve-2009-5155                    │
│              ├────────────────┤          │                      ├───────────────┼──────────────────────────────────────────────────────────────┤
│              │ CVE-2015-8985  │          │                      │               │ glibc: potential denial of service in pop_fail_stack()       │
│              │                │          │                      │               │ https://avd.aquasec.com/nvd/cve-2015-8985                    │
│              ├────────────────┤          │                      ├───────────────┼──────────────────────────────────────────────────────────────┤
│              │ CVE-2016-20013 │          │                      │               │ sha256crypt and sha512crypt through 0.6 allow attackers to   │
│              │                │          │                      │               │ cause a denial of...                                         │
│              │                │          │                      │               │ https://avd.aquasec.com/nvd/cve-2016-20013                   │
├──────────────┼────────────────┤          │                      ├───────────────┼──────────────────────────────────────────────────────────────┤
│ libc6        │ CVE-2009-5155  │          │                      │               │ glibc: parse_reg_exp in posix/regcomp.c misparses            │
│              │                │          │                      │               │ alternatives leading to denial of service or...              │
│              │                │          │                      │               │ https://avd.aquasec.com/nvd/cve-2009-5155                    │
│              ├────────────────┤          │                      ├───────────────┼──────────────────────────────────────────────────────────────┤
│              │ CVE-2015-8985  │          │                      │               │ glibc: potential denial of service in pop_fail_stack()       │
│              │                │          │                      │               │ https://avd.aquasec.com/nvd/cve-2015-8985                    │
│              ├────────────────┤          │                      ├───────────────┼──────────────────────────────────────────────────────────────┤
│              │ CVE-2016-20013 │          │                      │               │ sha256crypt and sha512crypt through 0.6 allow attackers to   │
│              │                │          │                      │               │ cause a denial of...                                         │
│              │                │          │                      │               │ https://avd.aquasec.com/nvd/cve-2016-20013                   │
├──────────────┼────────────────┼──────────┼──────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libgcc1      │ CVE-2020-13844 │ MEDIUM   │ 8.4.0-1ubuntu1~18.04 │               │ kernel: ARM straight-line speculation vulnerability          │
│              │                │          │                      │               │ https://avd.aquasec.com/nvd/cve-2020-13844                   │
├──────────────┼────────────────┼──────────┼──────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libgnutls30  │ CVE-2018-16868 │ LOW      │ 3.5.18-1ubuntu1.6    │               │ gnutls: Bleichenbacher-like side channel leakage in PKCS#1   │
│              │                │          │                      │               │ v1.5 verification and padding oracle...                      │
│              │                │          │                      │               │ https://avd.aquasec.com/nvd/cve-2018-16868                   │
├──────────────┼────────────────┤          ├──────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libncurses5  │ CVE-2019-17594 │          │ 6.1-1ubuntu1.18.04   │               │ ncurses: heap-based buffer overflow in the _nc_find_entry    │
│              │                │          │                      │               │ function in tinfo/comp_hash.c                                │
│              │                │          │                      │               │ https://avd.aquasec.com/nvd/cve-2019-17594                   │
│              ├────────────────┤          │                      ├───────────────┼──────────────────────────────────────────────────────────────┤
│              │ CVE-2019-17595 │          │                      │               │ ncurses: heap-based buffer overflow in the fmt_entry         │
│              │                │          │                      │               │ function in tinfo/comp_hash.c                                │
│              │                │          │                      │               │ https://avd.aquasec.com/nvd/cve-2019-17595                   │
│              ├────────────────┤          │                      ├───────────────┼──────────────────────────────────────────────────────────────┤
│              │ CVE-2021-39537 │          │                      │               │ ncurses: heap-based buffer overflow in _nc_captoinfo() in    │
│              │                │          │                      │               │ captoinfo.c                                                  │
│              │                │          │                      │               │ https://avd.aquasec.com/nvd/cve-2021-39537                   │
│              ├────────────────┤          │                      ├───────────────┼──────────────────────────────────────────────────────────────┤
│              │ CVE-2022-29458 │          │                      │               │ ncurses: segfaulting OOB read                                │
│              │                │          │                      │               │ https://avd.aquasec.com/nvd/cve-2022-29458                   │
├──────────────┼────────────────┤          │                      ├───────────────┼──────────────────────────────────────────────────────────────┤
│ libncursesw5 │ CVE-2019-17594 │          │                      │               │ ncurses: heap-based buffer overflow in the _nc_find_entry    │
│              │                │          │                      │               │ function in tinfo/comp_hash.c                                │
│              │                │          │                      │               │ https://avd.aquasec.com/nvd/cve-2019-17594                   │
│              ├────────────────┤          │                      ├───────────────┼──────────────────────────────────────────────────────────────┤
│              │ CVE-2019-17595 │          │                      │               │ ncurses: heap-based buffer overflow in the fmt_entry         │
│              │                │          │                      │               │ function in tinfo/comp_hash.c                                │
│              │                │          │                      │               │ https://avd.aquasec.com/nvd/cve-2019-17595                   │
│              ├────────────────┤          │                      ├───────────────┼──────────────────────────────────────────────────────────────┤
│              │ CVE-2021-39537 │          │                      │               │ ncurses: heap-based buffer overflow in _nc_captoinfo() in    │
│              │                │          │                      │               │ captoinfo.c                                                  │
│              │                │          │                      │               │ https://avd.aquasec.com/nvd/cve-2021-39537                   │
│              ├────────────────┤          │                      ├───────────────┼──────────────────────────────────────────────────────────────┤
│              │ CVE-2022-29458 │          │                      │               │ ncurses: segfaulting OOB read                                │
│              │                │          │                      │               │ https://avd.aquasec.com/nvd/cve-2022-29458                   │
├──────────────┼────────────────┤          ├──────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libpcre3     │ CVE-2017-11164 │          │ 2:8.39-9ubuntu0.1    │               │ pcre: OP_KETRMAX feature in the match function in            │
│              │                │          │                      │               │ pcre_exec.c                                                  │
│              │                │          │                      │               │ https://avd.aquasec.com/nvd/cve-2017-11164                   │
├──────────────┼────────────────┼──────────┼──────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libstdc++6   │ CVE-2020-13844 │ MEDIUM   │ 8.4.0-1ubuntu1~18.04 │               │ kernel: ARM straight-line speculation vulnerability          │
│              │                │          │                      │               │ https://avd.aquasec.com/nvd/cve-2020-13844                   │
├──────────────┼────────────────┼──────────┼──────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libtinfo5    │ CVE-2019-17594 │ LOW      │ 6.1-1ubuntu1.18.04   │               │ ncurses: heap-based buffer overflow in the _nc_find_entry    │
│              │                │          │                      │               │ function in tinfo/comp_hash.c                                │
│              │                │          │                      │               │ https://avd.aquasec.com/nvd/cve-2019-17594                   │
│              ├────────────────┤          │                      ├───────────────┼──────────────────────────────────────────────────────────────┤
│              │ CVE-2019-17595 │          │                      │               │ ncurses: heap-based buffer overflow in the fmt_entry         │
│              │                │          │                      │               │ function in tinfo/comp_hash.c                                │
│              │                │          │                      │               │ https://avd.aquasec.com/nvd/cve-2019-17595                   │
│              ├────────────────┤          │                      ├───────────────┼──────────────────────────────────────────────────────────────┤
│              │ CVE-2021-39537 │          │                      │               │ ncurses: heap-based buffer overflow in _nc_captoinfo() in    │
│              │                │          │                      │               │ captoinfo.c                                                  │
│              │                │          │                      │               │ https://avd.aquasec.com/nvd/cve-2021-39537                   │
│              ├────────────────┤          │                      ├───────────────┼──────────────────────────────────────────────────────────────┤
│              │ CVE-2022-29458 │          │                      │               │ ncurses: segfaulting OOB read                                │
│              │                │          │                      │               │ https://avd.aquasec.com/nvd/cve-2022-29458                   │
├──────────────┼────────────────┤          ├──────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ locales      │ CVE-2009-5155  │          │ 2.27-3ubuntu1.6      │               │ glibc: parse_reg_exp in posix/regcomp.c misparses            │
│              │                │          │                      │               │ alternatives leading to denial of service or...              │
│              │                │          │                      │               │ https://avd.aquasec.com/nvd/cve-2009-5155                    │
│              ├────────────────┤          │                      ├───────────────┼──────────────────────────────────────────────────────────────┤
│              │ CVE-2015-8985  │          │                      │               │ glibc: potential denial of service in pop_fail_stack()       │
│              │                │          │                      │               │ https://avd.aquasec.com/nvd/cve-2015-8985                    │
│              ├────────────────┤          │                      ├───────────────┼──────────────────────────────────────────────────────────────┤
│              │ CVE-2016-20013 │          │                      │               │ sha256crypt and sha512crypt through 0.6 allow attackers to   │
│              │                │          │                      │               │ cause a denial of...                                         │
│              │                │          │                      │               │ https://avd.aquasec.com/nvd/cve-2016-20013                   │
├──────────────┼────────────────┤          ├──────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ login        │ CVE-2013-4235  │          │ 1:4.5-1ubuntu2.3     │               │ shadow-utils: TOCTOU race conditions by copying and removing │
│              │                │          │                      │               │ directory trees                                              │
│              │                │          │                      │               │ https://avd.aquasec.com/nvd/cve-2013-4235                    │
├──────────────┼────────────────┤          ├──────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ ncurses-base │ CVE-2019-17594 │          │ 6.1-1ubuntu1.18.04   │               │ ncurses: heap-based buffer overflow in the _nc_find_entry    │
│              │                │          │                      │               │ function in tinfo/comp_hash.c                                │
│              │                │          │                      │               │ https://avd.aquasec.com/nvd/cve-2019-17594                   │
│              ├────────────────┤          │                      ├───────────────┼──────────────────────────────────────────────────────────────┤
│              │ CVE-2019-17595 │          │                      │               │ ncurses: heap-based buffer overflow in the fmt_entry         │
│              │                │          │                      │               │ function in tinfo/comp_hash.c                                │
│              │                │          │                      │               │ https://avd.aquasec.com/nvd/cve-2019-17595                   │
│              ├────────────────┤          │                      ├───────────────┼──────────────────────────────────────────────────────────────┤
│              │ CVE-2021-39537 │          │                      │               │ ncurses: heap-based buffer overflow in _nc_captoinfo() in    │
│              │                │          │                      │               │ captoinfo.c                                                  │
│              │                │          │                      │               │ https://avd.aquasec.com/nvd/cve-2021-39537                   │
│              ├────────────────┤          │                      ├───────────────┼──────────────────────────────────────────────────────────────┤
│              │ CVE-2022-29458 │          │                      │               │ ncurses: segfaulting OOB read                                │
│              │                │          │                      │               │ https://avd.aquasec.com/nvd/cve-2022-29458                   │
├──────────────┼────────────────┤          │                      ├───────────────┼──────────────────────────────────────────────────────────────┤
│ ncurses-bin  │ CVE-2019-17594 │          │                      │               │ ncurses: heap-based buffer overflow in the _nc_find_entry    │
│              │                │          │                      │               │ function in tinfo/comp_hash.c                                │
│              │                │          │                      │               │ https://avd.aquasec.com/nvd/cve-2019-17594                   │
│              ├────────────────┤          │                      ├───────────────┼──────────────────────────────────────────────────────────────┤
│              │ CVE-2019-17595 │          │                      │               │ ncurses: heap-based buffer overflow in the fmt_entry         │
│              │                │          │                      │               │ function in tinfo/comp_hash.c                                │
│              │                │          │                      │               │ https://avd.aquasec.com/nvd/cve-2019-17595                   │
│              ├────────────────┤          │                      ├───────────────┼──────────────────────────────────────────────────────────────┤
│              │ CVE-2021-39537 │          │                      │               │ ncurses: heap-based buffer overflow in _nc_captoinfo() in    │
│              │                │          │                      │               │ captoinfo.c                                                  │
│              │                │          │                      │               │ https://avd.aquasec.com/nvd/cve-2021-39537                   │
│              ├────────────────┤          │                      ├───────────────┼──────────────────────────────────────────────────────────────┤
│              │ CVE-2022-29458 │          │                      │               │ ncurses: segfaulting OOB read                                │
│              │                │          │                      │               │ https://avd.aquasec.com/nvd/cve-2022-29458                   │
├──────────────┼────────────────┤          ├──────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ passwd       │ CVE-2013-4235  │          │ 1:4.5-1ubuntu2.3     │               │ shadow-utils: TOCTOU race conditions by copying and removing │
│              │                │          │                      │               │ directory trees                                              │
│              │                │          │                      │               │ https://avd.aquasec.com/nvd/cve-2013-4235                    │
├──────────────┼────────────────┼──────────┼──────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ perl-base    │ CVE-2020-16156 │ MEDIUM   │ 5.26.1-6ubuntu0.5    │               │ perl-CPAN: Bypass of verification of signatures in CHECKSUMS │
│              │                │          │                      │               │ files                                                        │
│              │                │          │                      │               │ https://avd.aquasec.com/nvd/cve-2020-16156                   │
└──────────────┴────────────────┴──────────┴──────────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
2022-09-06T17:16:29.365+0200	INFO	Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Java (jar)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌─────────────────────────────────────────────┬────────────────┬──────────┬───────────────────┬────────────────────┬──────────────────────────────────────────────────────────┐
│                   Library                   │ Vulnerability  │ Severity │ Installed Version │   Fixed Version    │                          Title                           │
├─────────────────────────────────────────────┼────────────────┼──────────┼───────────────────┼────────────────────┼──────────────────────────────────────────────────────────┤
│ com.fasterxml.jackson.core:jackson-databind │ CVE-2020-36518 │ HIGH     │ 2.13.0            │ 2.12.6.1, 2.13.2.1 │ jackson-databind: denial of service via a large depth of │
│ (jackson-databind-2.13.0.jar)               │                │          │                   │                    │ nested objects                                           │
│                                             │                │          │                   │                    │ https://avd.aquasec.com/nvd/cve-2020-36518               │
└─────────────────────────────────────────────┴────────────────┴──────────┴───────────────────┴────────────────────┴──────────────────────────────────────────────────────────┘

Output of `trivy -v`:

➜  ~ trivy -v
Version: 0.31.3
Vulnerability DB:
  Version: 2
  UpdatedAt: 2022-09-06 12:12:56.495473442 +0000 UTC
  NextUpdate: 2022-09-06 18:12:56.495473142 +0000 UTC
  DownloadedAt: 2022-09-06 14:57:30.410549 +0000 UTC

Additional details (base image name, container registry info...):

Created a repo with a reproducible samples and the SBOM for each image downloaded:
https://github.com/Albertoimpl/trivi-native-image-report

To build the image for each project the command is:

./gradlew bootBuildImage

Albertoimpl · 2022-11-07T08:38:47Z

Albertoimpl
Nov 7, 2022
Author

Is there anything else I can provide to help out with this issue?

0 replies

Albertoimpl · 2023-01-12T08:47:24Z

Albertoimpl
Jan 12, 2023
Author

Not sure if there is anything else I can do to help. I provided a minimal reproducible example.

8 replies

DmitriyLewen May 11, 2023
Maintainer

unfortunately, Trivy currently only supports scanning SBOM file in fs mode.

@knqyf263 wdyt? Should we add option to scan all SBOM files from image?

knqyf263 May 11, 2023
Maintainer

However, you should have the information in the BOM layer.

What is the BOM layer? Does it mean the image has SBOM inside? If it is the case, this PR could be relevant.
#4210

Albertoimpl May 11, 2023
Author

Exactly that!
If you dive into the generated image, you can see them here:

Attaching the layers so you don't have to go grab them:
layers.zip

The command I use to download them, in case you are curious was:

pack sbom download native-trivy-demo:0.0.1-SNAPSHOT

And, yes #4210 looks exactly what will be needed.

Let me know if I can help with anything else or assist in any way.

knqyf263 May 11, 2023
Maintainer

BTW, how did you build the image? I'm trying to understand "native images".

Albertoimpl May 11, 2023
Author

With the command:

./gradlew bootBuildImage

It uses https://paketo.io/docs/reference/java-native-image-reference/ underneath.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Java native image not reporting vulnerabilities #4251

{{title}}

Replies: 2 comments 8 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

Java native image not reporting vulnerabilities #4251

Albertoimpl Sep 6, 2022

Description

What did you expect to happen?

What happened instead?

Output of run with -debug:

Output of trivy -v:

Additional details (base image name, container registry info...):

Replies: 2 comments · 8 replies

Albertoimpl Nov 7, 2022 Author

Albertoimpl Jan 12, 2023 Author

DmitriyLewen May 11, 2023 Maintainer

knqyf263 May 11, 2023 Maintainer

Albertoimpl May 11, 2023 Author

knqyf263 May 11, 2023 Maintainer

Albertoimpl May 11, 2023 Author

Albertoimpl
Sep 6, 2022

Output of run with `-debug`:

Output of `trivy -v`:

Replies: 2 comments 8 replies

Albertoimpl
Nov 7, 2022
Author

Albertoimpl
Jan 12, 2023
Author

DmitriyLewen May 11, 2023
Maintainer

knqyf263 May 11, 2023
Maintainer

Albertoimpl May 11, 2023
Author

knqyf263 May 11, 2023
Maintainer

Albertoimpl May 11, 2023
Author