CVEs in Busybox v. 1.36.1 are not being detected

[mike-miller-ct]

IDs

CVE-2023-42363, CVE-2023-42364, CVE-2023-42365, CVE-2023-42366

Description

The above mentioned CVEs are referring to busybox Version 1.36.1, as it can be seen from the Acqua NVD Page:

1. https://avd.aquasec.com/nvd/2023/cve-2023-42363/
2. https://avd.aquasec.com/nvd/2023/cve-2023-42364/
3. https://avd.aquasec.com/nvd/2023/cve-2023-42365/
4. https://avd.aquasec.com/nvd/2023/cve-2023-42366/

Nevertheless, they are not being reported.
Is this a bug or am I missing something?

Thanks in advance for your time and support,
BR
Mike

Reproduction Steps

1. Run trivy image --debug docker.io/library/alpine:3.19.1
2. Analyse the results

Target

Container Image

Scanner

Vulnerability

Target OS

Ubuntu 20.04.5 LTS (Focal Fossa)

Debug Output

trivy image --debug docker.io/library/alpine:3.19.1

2024-02-14T11:41:48.692Z        DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-02-14T11:41:48.693Z        DEBUG   Ignore statuses {"statuses": null}
2024-02-14T11:41:48.701Z        DEBUG   cache dir:  /home/myuser/.cache/trivy
2024-02-14T11:41:48.701Z        INFO    Need to update DB
2024-02-14T11:41:48.701Z        INFO    DB Repository: ghcr.io/aquasecurity/trivy-db
2024-02-14T11:41:48.701Z        INFO    Downloading DB...
42.87 MiB / 42.87 MiB [------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 26.81 MiB p/s 1.8s
2024-02-14T11:41:51.056Z        DEBUG   Updating database metadata...
2024-02-14T11:41:51.057Z        DEBUG   DB Schema: 2, UpdatedAt: 2024-02-13 12:11:42.390102083 +0000 UTC, NextUpdate: 2024-02-13 18:11:42.390101822 +0000 UTC, DownloadedAt: 2024-02-14 11:41:51.056973182 +0000 UTC
2024-02-14T11:41:51.057Z        INFO    Vulnerability scanning is enabled
2024-02-14T11:41:51.057Z        DEBUG   Vulnerability type:  [os library]
2024-02-14T11:41:51.057Z        INFO    Secret scanning is enabled
2024-02-14T11:41:51.057Z        INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-02-14T11:41:51.057Z        INFO    Please see also https://aquasecurity.github.io/trivy/v0.49/docs/scanner/secret/#recommendation for faster secret detection
2024-02-14T11:41:51.057Z        DEBUG   Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan]
2024-02-14T11:41:51.066Z        DEBUG   No secret config detected: trivy-secret.yaml
2024-02-14T11:41:51.066Z        DEBUG   The nuget packages directory couldn't be found. License search disabled
2024-02-14T11:41:51.066Z        DEBUG   No secret config detected: trivy-secret.yaml
2024-02-14T11:41:51.067Z        DEBUG   Image ID: sha256:05455a08881ea9cf0e752bc48e61bbd71a34c029bb13df01e40e3e70e0d007bd
2024-02-14T11:41:51.067Z        DEBUG   Diff IDs: [sha256:d4fc045c9e3a848011de66f34b81f052d4f2c15a17bb196d637e526349601820]
2024-02-14T11:41:51.067Z        DEBUG   Base Layers: []
2024-02-14T11:41:51.067Z        INFO    Detected OS: alpine
2024-02-14T11:41:51.067Z        INFO    Detecting Alpine vulnerabilities...
2024-02-14T11:41:51.068Z        DEBUG   alpine: os version: 3.19
2024-02-14T11:41:51.068Z        DEBUG   alpine: package repository: 3.19
2024-02-14T11:41:51.068Z        DEBUG   alpine: the number of packages: 15
2024-02-14T11:41:51.069Z        INFO    Number of language-specific files: 0
2024-02-14T11:41:51.069Z        DEBUG   Found an ignore file: .trivyignore

docker.io/library/alpine:3.19.1 (alpine 3.19.1)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Version

Version: 0.49.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-02-13 12:11:42.390102083 +0000 UTC
  NextUpdate: 2024-02-13 18:11:42.390101822 +0000 UTC
  DownloadedAt: 2024-02-14 10:38:42.850405312 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-02-12 00:45:04.687521318 +0000 UTC
  NextUpdate: 2024-02-15 00:45:04.687521198 +0000 UTC
  DownloadedAt: 2024-02-13 09:08:47.508073785 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[DmitriyLewen]

Hello @mike-miller-ct
Thanks for your interest to Trivy!

We use Alpine security database to get advisories for Alpine - https://aquasecurity.github.io/trivy/v0.49/docs/scanner/vulnerability/#data-sources
The Alpine team did not add these CVEs (perhaps these CVEs did not affect their versions of busibox).

Regards, Dmitriy