Trivy docker image has vulnerabilities?

[middleagedman]

IDs

CVE-2024-45336, CVE-2024-45341

Description

So I pulled down the latest trivy docker image (docker pull aquasec/trivy). Then I installed trivy via pacman -S trivy
And I scanned the docker image and it reports a vuln, but I don't think it's correct. Is it actually complaining about my OS?

Reproduction Steps

# sudo pacman -S trivy
# docker pull aquasec/trivy
# trivy image aquasec/trivy

Target

Container Image

Scanner

Vulnerability

Target OS

No response

Debug Output

trivy image aquasec/trivy --debug
2025-02-01T20:45:17-05:00       DEBUG   No plugins loaded
2025-02-01T20:45:17-05:00       DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2025-02-01T20:45:17-05:00       DEBUG   Cache dir       dir="/home/tom/.cache/trivy"
2025-02-01T20:45:17-05:00       DEBUG   Cache dir       dir="/home/tom/.cache/trivy"
2025-02-01T20:45:17-05:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-02-01T20:45:17-05:00       DEBUG   Ignore statuses statuses=[]
2025-02-01T20:45:17-05:00       DEBUG   DB update was skipped because the local DB is the latest
2025-02-01T20:45:17-05:00       DEBUG   DB info schema=2 updated_at=2025-02-02T00:21:30.370386254Z next_update=2025-02-03T00:21:30.370386124Z downloaded_at=2025-02-02T01:34:22.058961974Z
2025-02-01T20:45:17-05:00       DEBUG   [pkg] Package types     types=[os library]
2025-02-01T20:45:17-05:00       DEBUG   [pkg] Package relationships     relationships=[unknown root workspace direct indirect]
2025-02-01T20:45:17-05:00       INFO    [vuln] Vulnerability scanning is enabled
2025-02-01T20:45:17-05:00       INFO    [secret] Secret scanning is enabled
2025-02-01T20:45:17-05:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-02-01T20:45:17-05:00       INFO    [secret] Please see also https://aquasecurity.github.io/trivy/v0.59/docs/scanner/secret#recommendation for faster secret detection
2025-02-01T20:45:17-05:00       DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2025-02-01T20:45:17-05:00       DEBUG   Initializing scan cache...      type="fs"
2025-02-01T20:45:17-05:00       DEBUG   [secret] No secret config detected      config_path="trivy-secret.yaml"
2025-02-01T20:45:17-05:00       DEBUG   [secret] No secret config detected      config_path="trivy-secret.yaml"
2025-02-01T20:45:17-05:00       DEBUG   [image] Detected image ID       image_id="sha256:f67504ca581bee4b3833687bcb47f590f3ed826db250da3fe240cc53e7a6e9c4"
2025-02-01T20:45:17-05:00       DEBUG   [image] Detected diff ID        diff_ids=[sha256:3e01818d79cd3467f1d60e54224f3f6ce5170eceb54e265d96bb82344b8c24e7 sha256:174ac372eafb31a01a7e72062f873aa7cf357dfe0133f0fbd794f2f43ae278dd sha256:f75706aada560f9fc3c035a44e9c8f8da8bf7317a39df18ae86c56fdd8344d66 sha256:178f0c84f66ac6f6b57214291b8827aa1199eb29949efec2aafe838998b8df67]
2025-02-01T20:45:17-05:00       DEBUG   [image] Detected base layers    diff_ids=[sha256:3e01818d79cd3467f1d60e54224f3f6ce5170eceb54e265d96bb82344b8c24e7]
2025-02-01T20:45:17-05:00       INFO    Detected OS     family="alpine" version="3.21.0"
2025-02-01T20:45:17-05:00       INFO    [alpine] Detecting vulnerabilities...   os_version="3.21" repository="3.21" pkg_num=28
2025-02-01T20:45:17-05:00       INFO    Number of language-specific files       num=1
2025-02-01T20:45:17-05:00       INFO    [gobinary] Detecting vulnerabilities...
2025-02-01T20:45:17-05:00       DEBUG   [gobinary] Scanning packages for vulnerabilities  file_path="usr/local/bin/trivy"
2025-02-01T20:45:17-05:00       WARN    Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.59/docs/scanner/vulnerability#severity-selection for details.
2025-02-01T20:45:17-05:00       DEBUG   Specified ignore file does not exist    file=".trivyignore"
2025-02-01T20:45:17-05:00       DEBUG   [vex] VEX filtering is disabled

aquasec/trivy (alpine 3.21.0)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


usr/local/bin/trivy (gobinary)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │        Fixed Version         │                            Title                             │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-45336 │ MEDIUM   │ fixed  │ v1.23.4           │ 1.22.11, 1.23.5, 1.24.0-rc.2 │ golang: net/http: net/http: sensitive headers incorrectly    │
│         │                │          │        │                   │                              │ sent after cross-domain redirect                             │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2024-45336                   │
│         ├────────────────┤          │        │                   │                              ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2024-45341 │          │        │                   │                              │ golang: crypto/x509: crypto/x509: usage of IPv6 zone IDs can │
│         │                │          │        │                   │                              │ bypass URI name...                                           │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2024-45341                   │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────┴──────────────────────────────────────────────────────────────┘

Version

Version: 0.59.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-02-02 00:21:30.370386254 +0000 UTC
  NextUpdate: 2025-02-03 00:21:30.370386124 +0000 UTC
  DownloadedAt: 2025-02-02 01:34:22.058961974 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[DmitriyLewen]

Hello @middleagedman

Trivy didn't find vulns in alpine 3.21.0 (OS for aquasec/trivy image).

But Trivy found 2 vulns in Trivy binary.

[middleagedman]

Correct. So I guess a patch is coming for that soon :)

[DmitriyLewen]

Created #8341

[DmitriyLewen]

Created #8341