False negative: clamav 1.2.x is out of support, has vulnerabilities and is in Alpine 3.20 and is not detected

[kolbma]

IDs

CVE-2024-20506,CVE-2024-20505

Description

Which vulnerability sources are used for scanning Alpine images?
The CVEs say all 1.2.x versions are vulnerable.
Alpine has some human resource problem to manage security in its packages.
Although now only Alpine 3.21 is supported, the clamav 1.2.2 package has been undetected for months while Alpine 3.20 has been stable and supported.

Reproduction Steps

1. Create Alpine 3.20 docker image and apk add clamav
2. docker push to harbor instance using trivy scanner
3. Doesn't detect vulnerability

Target

Container Image

Scanner

Vulnerability

Target OS

Alpine 3.20

Debug Output

Don't know how to do this with harbor trivy adapter.

Version

Version: 0.56.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-12-05 12:16:57.876607858 +0000 UTC
  NextUpdate: 2024-12-06 12:16:57.876607388 +0000 UTC
  DownloadedAt: 2024-12-05 17:21:29.257302001 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[knqyf263]

In general, it's listed here.
https://trivy.dev/latest/docs/scanner/vulnerability/#data-sources

For your specific case, https://secdb.alpinelinux.org/v3.20/. You can see those vulnerabilities are not listed.

[knqyf263]

It produces too much noise. Also, if the vulnerability is critical, a vendor usually prioritizes the patch.

[kolbma]

A vendor needs to know about the vulnerability, can decide wrong or ignore vulnerabilities.

[kolbma]

Is it possible to tell trivy that it should use the edge version DB although the image is in real 3.20 or 3.21?

[knqyf263]

It's not supported now, but adding such an option sounds like a good idea.

[knqyf263]

Created #8065