Trivy fails to spot Java distribution in distroless image #7518
Description
Trivy used to detect just fine openjdk shipped in
Desired Behavior
Actual Behavior
Reproduction Steps
For example `gcr.io/distroless/java21-debian12@sha256:68e11975ae9e7911becda53c8746fd4564182c2c402a1c4c0d4e3479ad50b3ba`
The image packs java/openjdk 21.0.2.
```
1. trivy image gcr.io/distroless/java21-debian12@sha256:68e11975ae9e7911becda53c8746fd4564182c2c402a1c4c0d4e3479ad50b3ba
# No CVEs related to openjdk are detected
1. trivy image --format cyclonedx gcr.io/distroless/java21-debian12@sha256:68e11975ae9e7911becda53c8746fd4564182c2c402a1c4c0d4e3479ad50b3ba > java21-debian12:nonroot.trivy.cdx.json
2. jq -r '.components[] | ."bom-ref"' ./java21-debian12:nonroot.trivy.cdx.json | grep openjdk
# No JDK distribution detected. Expected 1
```
Target
Container Image
Scanner
Vulnerability
Output Format
CycloneDX
Mode
Standalone
Debug Output
$ trivy image gcr.io/distroless/java21-debian12@sha256:68e11975ae9e7911becda53c8746fd4564182c2c402a1c4c0d4e3479ad50b3ba --debug
2024-09-16T09:37:28-03:00 DEBUG No plugins loaded
2024-09-16T09:37:28-03:00 DEBUG Default config file "file_path=trivy.yaml" not found, using built in values
2024-09-16T09:37:28-03:00 DEBUG Cache dir dir="~/Library/Caches/trivy"
2024-09-16T09:37:28-03:00 DEBUG Cache dir dir="~/Library/Caches/trivy"
2024-09-16T09:37:28-03:00 DEBUG Parsed severities severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-09-16T09:37:28-03:00 DEBUG Ignore statuses statuses=[]
2024-09-16T09:37:28-03:00 DEBUG DB update was skipped because the local DB is the latest
2024-09-16T09:37:28-03:00 DEBUG DB info schema=2 updated_at=2024-09-16T12:14:15.87479179Z next_update=2024-09-16T18:14:15.874791459Z downloaded_at=2024-09-16T12:32:58.241453Z
2024-09-16T09:37:28-03:00 DEBUG [pkg] Package types types=[os library]
2024-09-16T09:37:28-03:00 DEBUG [pkg] Package relationships relationships=[unknown root direct indirect]
2024-09-16T09:37:28-03:00 INFO [vuln] Vulnerability scanning is enabled
2024-09-16T09:37:28-03:00 INFO [secret] Secret scanning is enabled
2024-09-16T09:37:28-03:00 INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-16T09:37:28-03:00 INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-09-16T09:37:28-03:00 DEBUG Enabling misconfiguration scanners scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-09-16T09:37:28-03:00 DEBUG Initializing scan cache... type="fs"
2024-09-16T09:37:28-03:00 DEBUG [secret] No secret config detected config_path="trivy-secret.yaml"
2024-09-16T09:37:28-03:00 DEBUG [secret] No secret config detected config_path="trivy-secret.yaml"
2024-09-16T09:37:28-03:00 DEBUG [image] Detected image ID image_id="sha256:ac1342b60dfbb310f0ff75a1c3ec2f059b8f281563ff69c4630c1c46bab23f24"
2024-09-16T09:37:28-03:00 DEBUG [image] Detected base layers diff_ids=[]
2024-09-16T09:37:40-03:00 DEBUG [jar] Parsing Java artifacts... file_path="usr/lib/jvm/temurin21_jre_amd64/lib/jrt-fs.jar"
2024-09-16T09:37:40-03:00 DEBUG [jar] No such POM in the central repositories file="jrt-fs.jar"
2024-09-16T09:37:40-03:00 INFO Detected OS family="debian" version="12.5"
2024-09-16T09:37:40-03:00 INFO [debian] Detecting vulnerabilities... os_version="12" pkg_num=18
2024-09-16T09:37:40-03:00 INFO Number of language-specific files num=0
2024-09-16T09:37:40-03:00 WARN Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.55/docs/scanner/vulnerability#severity-selection for details.
2024-09-16T09:37:40-03:00 DEBUG [vex] VEX filtering is disabled
Operating System
macos 14.6.1
Version
```
$ trivy --version
Version: 0.55.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-09-16 12:14:15.87479179 +0000 UTC
  NextUpdate: 2024-09-16 18:14:15.874791459 +0000 UTC
  DownloadedAt: 2024-09-16 12:32:58.241453 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-09-15 01:09:34.675345619 +0000 UTC
  NextUpdate: 2024-09-18 01:09:34.675345449 +0000 UTC
  DownloadedAt: 2024-09-15 15:26:13.44779 +0000 UTC
```
Checklist
Replies: 1 comment 6 replies
Hello @biehl1, Trivy only detects Go and Rust binaries - https://aquasecurity.github.io/trivy/v0.55/docs/coverage/language/#supported-languages
Regards, Dmitriy
As far as I know, yes. This function is only for Aqua scanner.
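
A check a pipeline could run over the CycloneDX SBOM from the reproduction steps, so that a JVM present on disk but absent from the SBOM is reported rather than read as "no findings". This is an added example, not code from Trivy or from this thread; the hint list, the function names, the package versions and the sample `release` file contents are assumptions.

```python
import re

# Name fragments that mark a Java runtime in an SBOM component (assumed list).
JDK_HINTS = re.compile(r"openjdk|temurin|\bjdk\b|\bjre\b", re.I)

def jdk_components(bom):
    """bom-refs of CycloneDX components that look like a Java runtime."""
    hits = []
    for comp in bom.get("components", []):
        text = " ".join(str(comp.get(k, "")) for k in ("bom-ref", "name", "purl"))
        if JDK_HINTS.search(text):
            hits.append(comp.get("bom-ref") or comp.get("name", ""))
    return hits

def parse_release(text):
    """Parse the KEY="value" lines of a JDK `release` file."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip().strip('"')
    return fields

def coverage_gap(bom, file_paths, release_text=""):
    """Describe a JVM that is on disk but missing from the SBOM, else None."""
    jvm_dirs = sorted({m.group(1) for p in file_paths
                       if (m := re.match(r"/?(usr/lib/jvm/[^/]+)/", p))})
    if not jvm_dirs or jdk_components(bom):
        return None
    rel = parse_release(release_text)
    return {"jvm_dirs": jvm_dirs,
            "java_version": rel.get("JAVA_VERSION"),
            "implementor": rel.get("IMPLEMENTOR")}

# Constructed sample data: an SBOM with OS packages only, the jar path from the
# debug log above, and a made-up `release` file for that JVM directory.
SAMPLE_BOM = {"components": [
    {"bom-ref": "pkg:deb/debian/libc6@2.36-9?distro=debian-12.5", "name": "libc6"},
    {"bom-ref": "pkg:deb/debian/libssl3@3.0.11-1?distro=debian-12.5", "name": "libssl3"},
]}
SAMPLE_PATHS = ["usr/lib/jvm/temurin21_jre_amd64/lib/jrt-fs.jar"]
SAMPLE_RELEASE = 'IMPLEMENTOR="Eclipse Adoptium"\nJAVA_VERSION="21.0.2"\n'

if __name__ == "__main__":
    print(coverage_gap(SAMPLE_BOM, SAMPLE_PATHS, SAMPLE_RELEASE))
```

A non-`None` result means the runtime has to be tracked by another inventory source, because the scan output alone says nothing about it.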