Large number of CVE's per Trivy?

[dygland]

Hello!
I was going to try glpi using docker images and downloaded the latest image from docker hub. Before running it i scanned it using Trivy (https://www.aquasec.com/products/trivy/). I disccovered a large number of CVE's (1075) which was very suprising. Most of them seems to be fixed per the description but do not have a fixed version per trivy which is curious. (see attached scan report).

scan.txt

I believe this is a false positive due to the fact that you seem to build your image by using github actions to run commands in a pre-buiilt image instead of using a dockerfile to create the image and this confues Trivy, rendering it unable to find the fixed versions.
But I am not sure how to confirm.

Could you shed some light over this?
Thank you!

[froozeify]

Hello,

I don't know how aquasec work, I just run a docker scout analysis and I get 100 cve (no criticial or high)

Most of them are caused by debian packages like python3 or tar.

Latest images (for example glpi:10 glpi:11) are rebuild on every release so this happen on average one time per month. It download from debian the packages and should be fixed at that moment.

I don't understand why aquasec returned to you 1075 cve (and some are from 2001...)

[dygland]

Yeah this is very weird, I ran a scan with grype that produced the same results as trivy (new image, so a few differences from my initial scan).

grype glpi/glpi:11.0-nightly
 ✔ Vulnerability DB                [updated]
 ✔ Pulled image
 ✔ Loaded image                                                                                                                                                                                                                                                                                                                                 glpi/glpi:11.0-nightly
 ✔ Parsed image sha256:eb0102a638cc0641552cac4ca06ac4ba0ee4789822bd72fa2f68ce4d7fb921c3
 ✔ Cataloged contents 3bf9b5764b7731d60b6bbcf75ef36bb609dc84c41825028b020f65ef78efd54c
   ├── ✔ Packages                        [396 packages]
   ├── ✔ Executables                     [1,124 executables]
   ├── ✔ File metadata                   [10,497 locations]
   └── ✔ File digests                    [10,497 files]
 ✔ Scanned for vulnerabilities     [572 vulnerability matches]
   ├── by severity: 0 critical, 56 high, 147 medium, 8 low, 514 negligible (310 unknown)
   └── by status:   251 fixed, 784 not-fixed, 463 ignored

Same image scanned by docker scout:

101 vulnerabilities found in 24 packages
  CRITICAL  0
  HIGH      1
  MEDIUM    5
  LOW       95

I still _believe _ this is a false positive, but now 2 out of 3 scanners agree on the vulnerabilites being present 🤷

[froozeify]

Indeed the high ceverity cve has been published 2 days ago and looks like it's not available yet on debian