Replies: 3 comments 10 replies
-
Custom vulnerabilities are not yet supported in Trivy. The vulnerability is public. I think it would be helpful for Trivy users if you contributed to public databases like GHSA.
-
The company I work for builds a lot of in-house software. If a vulnerability is found, it would be useful to use Trivy to detect any running vulnerable versions in our landscape. As the software is private, there would be no benefit to exposing that information in a public advisory.
-
Hello there! I also tried creating a VEX file with the affected status, but looking at the source code it seems that trivy only uses VEX to filter vulnerabilities with not_affected. Would it be possible to create a vulnerability when the VEX status is affected and the PURL matches a package running in the image? For example:
$ trivy image --list-all-pkgs --format json azul/zulu-openjdk:11.0.17 | jq '.Results[].Packages[].Identifier.PURL'
VEX file:
{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://openvex.dev/docs/public/vex-2e67563e128250cbcb3e98930df948dd053e43271d70dc50cfa22d57e03fe96f",
  "author": "Test",
  "timestamp": "2023-08-29T19:07:16.853479631-06:00",
  "version": 1,
  "statements": [
    {
      "vulnerability": { "name": "CVE-2020-14583" },
      "products": [{ "@id": "pkg:deb/ubuntu/[email protected]" }],
      "status": "affected"
    }
  ]
}
BTW, this discussion is a duplicate of #4238.
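The matching the comment above asks for (surface a finding when an OpenVEX statement is "affected" and its product PURL matches a package Trivy found in the image) can be prototyped outside Trivy against the `--list-all-pkgs --format json` report. The script below is an added example for this thread, not Trivy's own code or a feature it ships: both the report and the VEX document are constructed samples with placeholder package and CVE identifiers, and it assumes the `.Results[].Packages[].Identifier.PURL` layout shown in the jq command above. The same logic covers the original question's case of a private or vendor package whose vulnerabilities never reach a public database: the organisation records them in its own VEX document and matches on PURL.

```python
"""Match OpenVEX statements against the packages listed in a Trivy JSON report.

Added example for this discussion; not part of Trivy. Trivy itself only uses
VEX to filter out not_affected findings, so this script shows what reporting
on 'affected' statements would look like, driven purely by PURL matching.
"""
from __future__ import annotations

import json
from typing import Iterator

# Constructed sample of `trivy image --list-all-pkgs --format json` output,
# trimmed to the fields read here. Package names and versions are made up.
TRIVY_REPORT_JSON = """
{
  "Results": [
    {
      "Target": "example.test/image:1 (ubuntu 22.04)",
      "Packages": [
        {"Name": "example-jdk", "Version": "11.0.17-1",
         "Identifier": {"PURL": "pkg:deb/ubuntu/[email protected]?arch=amd64&distro=ubuntu-22.04"}},
        {"Name": "example-lib", "Version": "2.35-1",
         "Identifier": {"PURL": "pkg:deb/ubuntu/[email protected]?arch=amd64&distro=ubuntu-22.04"}}
      ]
    }
  ]
}
"""

# Constructed OpenVEX document. CVE ids are placeholders, not real advisories.
# One statement is 'affected' (should become a finding), one is 'not_affected'
# (the case Trivy already handles by filtering).
OPENVEX_JSON = """
{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://example.test/vex/constructed-sample",
  "author": "Test",
  "timestamp": "2023-08-29T19:07:16-06:00",
  "version": 1,
  "statements": [
    {"vulnerability": {"name": "CVE-0000-00000"},
     "products": [{"@id": "pkg:deb/ubuntu/[email protected]"}],
     "status": "affected"},
    {"vulnerability": "CVE-0000-00001",
     "products": ["pkg:deb/ubuntu/[email protected]"],
     "status": "not_affected",
     "justification": "vulnerable_code_not_present"}
  ]
}
"""


def normalize_purl(purl: str) -> str:
    """Drop qualifiers (?arch=...) and subpath (#...) so that the
    'pkg:type/namespace/name@version' core of two PURLs can be compared."""
    return purl.split("?", 1)[0].split("#", 1)[0]


def report_purls(report: dict) -> Iterator[tuple[str, str]]:
    """Yield (target, purl) for every package in a Trivy JSON report."""
    for result in report.get("Results", []):
        for pkg in result.get("Packages", []):
            purl = pkg.get("Identifier", {}).get("PURL")
            if purl:
                yield result.get("Target", ""), purl


def statement_product_ids(statement: dict) -> list[str]:
    """Product ids may be objects with '@id' (OpenVEX v0.2.0) or plain strings."""
    ids = []
    for product in statement.get("products", []):
        if isinstance(product, str):
            ids.append(product)
        elif isinstance(product, dict) and "@id" in product:
            ids.append(product["@id"])
    return ids


def vulnerability_name(statement: dict) -> str:
    """The vulnerability field is an object with 'name' in v0.2.0, a string in older docs."""
    vuln = statement.get("vulnerability", "")
    return vuln.get("name", "") if isinstance(vuln, dict) else str(vuln)


def match_vex(report: dict, vex: dict, statuses=("affected",)) -> list[dict]:
    """Return one finding per (statement, installed package) pair whose PURLs match
    and whose VEX status is in `statuses`."""
    installed = {normalize_purl(p): (target, p) for target, p in report_purls(report)}
    findings = []
    for stmt in vex.get("statements", []):
        if stmt.get("status") not in statuses:
            continue
        for product_id in statement_product_ids(stmt):
            hit = installed.get(normalize_purl(product_id))
            if hit:
                target, purl = hit
                findings.append({"target": target, "purl": purl,
                                 "vulnerability": vulnerability_name(stmt),
                                 "status": stmt["status"]})
    return findings


def findings_from_json(report_json: str = TRIVY_REPORT_JSON,
                       vex_json: str = OPENVEX_JSON,
                       statuses=("affected",)) -> list[dict]:
    """Parse both documents and run the match; defaults use the constructed samples."""
    return match_vex(json.loads(report_json), json.loads(vex_json), statuses)


if __name__ == "__main__":
    for f in findings_from_json():
        print(f"{f['status']}: {f['vulnerability']} in {f['purl']} ({f['target']})")
```

Matching here is on the PURL core only; a production implementation would follow the PURL spec's rules for qualifiers and the OpenVEX rules for subcomponents, and would treat the VEX document as signed input from a trusted author, since an "affected" statement from anyone else would create findings at will.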
-
Question
Hello folks.
Trivy doesn't detect known vulnerabilities on Azul/Zulu packages (Zulu CVEs). I need to detect them, but I'm not sure what the best way to do so is.
This is related to #4238 and the comment made by @breun in #4238 (reply in thread).
Trivy detects that Zulu packages are installed, but doesn't recognize the vulnerabilities.
So my hypothesis is the following:
If that's true, then the following questions come to mind:
PS: I'm new to security related topics, so forgive me if I'm asking something silly or if my premises are wrong.
Target: Container Image
Scanner: Vulnerability
Output Format: JSON
Mode: Standalone
Operating System: No response
Version: