Vulnerability Scan in Docker Image for python sbom not finding vulnerabilities

[spank79]

Description

Hi,
in our current environment we are using the docker image to initiate trivy scans for our projects. It does work with the process for Angular, C# and yields findings. But for our Python projects it's not finding anything although we know there are critical CVE's found with e.g. twistcli that we have used before.

Our DOCKERFILE looks like this (with other code around for the original build):

RUN pip freeze > requirements.installed.txt

# we use Artifactory to remote to ghcr-io  so we are actuall using this as proxy and downloading everytime we run docker
FROM ghcr-io./aquasecurity/trivy:0.54.1 AS trivy

RUN mkdir -p /sources
COPY --from=builder /app/requirements.installed.txt /sources

RUN /usr/local/bin/trivy fs /sources --file-patterns 'pip:requirements.*.txt' --format cyclonedx --include-dev-deps \
    --output source-sbom.json --scanners vuln --db-repository ghcr-io/aquasecurity/trivy-db:2

# exit-code 1 stops the build on findings
RUN /usr/local/bin/trivy sbom source-sbom.json --exit-code 1 \
    --db-repository ghcr-io/aquasecurity/trivy-db:2

We then in our build pipeline execute like this:

docker build . -t <imagename>-trivy --no-cache --progress=plain --target trivy

In our attached requirements.installed.txt there is cPython==0.0.6
requirements.installed.txt

which has a critical vulnerability which also listed in the database as you can see here https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip+cpython

But the output of the build does not show anything.

Also even if it does not find anything, why is it not printing the line with nothing found. For all our languages it just is not putting out anything. I would expect something like:
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Kind regards

Desired Behavior

#16 18.63 2024-08-23T12:17:13Z INFO Number of language-specific files num=1
#16 18.63 2024-08-23T12:17:13Z INFO [pip] Detecting vulnerabilities...
#16 DONE 18.8s
#16 19.67
#16 19.67 ==================
#16 19.67 Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 1)
#16 19.67

=> Table listing at least the one critical measure

Actual Behavior

#16 18.62 2024-08-23T12:17:13Z WARN [pip] Unable to find python site-packages directory. License detection is skipped. err="unable to find path to Python executable"
#16 18.63 2024-08-23T12:17:13Z INFO Number of language-specific files num=1
#16 18.63 2024-08-23T12:17:13Z INFO [pip] Detecting vulnerabilities...
#16 DONE 18.8s

Reproduction Steps

1. Create small python project referencing cPython==0.0.6
2. Create Dockerfile to create sbom.json and scan for vulnerabilities
3. Check results

Target

SBOM

Scanner

Vulnerability

Output Format

CycloneDX

Mode

Standalone

Debug Output

#17 19.29 2024-08-23T12:30:59Z  DEBUG   DB info schema=2 updated_at=2024-08-23T06:11:52.410005193Z next_update=2024-08-23T12:11:52.410004802Z downloaded_at=2024-08-23T12:30:59.1630997Z
#17 19.29 2024-08-23T12:30:59Z  DEBUG   [pkg] Package types     types=[os library]
#17 19.29 2024-08-23T12:30:59Z  DEBUG   [pkg] Package relationships     relationships=[unknown root direct indirect]
#17 19.29 2024-08-23T12:30:59Z  INFO    [vuln] Vulnerability scanning is enabled
#17 19.29 2024-08-23T12:30:59Z  DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
#17 19.29 2024-08-23T12:30:59Z  DEBUG   Initializing scan cache...      type="memory"
#17 19.29 2024-08-23T12:30:59Z  WARN    [pip] Unable to find python `site-packages` directory. License detection is skipped.    err="unable to find path to Python executable"
#17 19.29 2024-08-23T12:30:59Z  DEBUG   OS is not detected.
#17 19.29 2024-08-23T12:30:59Z  DEBUG   Detected OS: unknown
#17 19.29 2024-08-23T12:30:59Z  INFO    Number of language-specific files       num=1
#17 19.29 2024-08-23T12:30:59Z  INFO    [pip] Detecting vulnerabilities...
#17 19.29 2024-08-23T12:30:59Z  DEBUG   [pip] Scanning packages for vulnerabilities     file_path="requirements.installed.txt"
#17 19.30 2024-08-23T12:30:59Z  DEBUG   [vex] VEX filtering is disabled
#17 DONE 19.5s

Operating System

Docker Container provided by Trivy

Version

0.54.1

Checklist

• Run trivy clean --all
• Read the troubleshooting

[DmitriyLewen]

Hello @spank79
Thanks for your report!

which has a critical vulnerability which also listed in the database as you can see here https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip+cpython

I don't see any vulnerabilities for cPython in the GitHub database
Can you write a CVE for this vulnerability?
This link shows all advisories containing cpython, but it doesn't mean that these advisories are related to the cPython package.

Regards, Dmitriy

[spank79]

Ok, sorry I misread the database and was not focusing on the package. Is there a way to filter for packages? Our Prisma Scan showed this one but I can see now that it is coming from the Prisma database.

But I can also give you another example where the package actually has a high vulnerability but still is not listed, which is package "setuptools"

GHSA-27x4-j476-jp5f

This one should be listed, shouldn't it?

[DmitriyLewen]

But your requirements.installed.txt file doesn't contain setuptools dependency.

[spank79]

your correct again. Ok, I see the difference from our Prisma scan comes because it is scanning the whole docker image. Thanks for the clarification.
Then my only question left would be, why is the tool not outputting the line
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

This way it looks a little bit broken

[DmitriyLewen]

Trivy shows Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0) only for OS pkgs (rpm, apk, etc.).
This is necessary to prevent spam in the report (imagine if we printed this line for every file).

[spank79]

I would think this is helpful as it does print the line for every finding. Also you could just print the report for all files or make it an option with a config flag if a user would want this to be printed.

[DmitriyLewen]

related discussion - #6501

[spank79]

Explenation for not finding anything was given. Implementation on our side looks ok and no problem had existed. Only misunderstanding of how to use trivy