CVEs in Busybox v. 1.36.1 are not being detected #6132
IDs
CVE-2023-42363, CVE-2023-42364, CVE-2023-42365, CVE-2023-42366

Description
The above-mentioned CVEs refer to busybox version 1.36.1, as can be seen from the Aqua NVD page:

Nevertheless, they are not being reported. Thanks in advance for your time and support.

Reproduction Steps
1. Run trivy image --debug docker.io/library/alpine:3.19.1
2. Analyse the results

Target
Container Image

Scanner
Vulnerability

Target OS
Ubuntu 20.04.5 LTS (Focal Fossa)

Debug Output
trivy image --debug docker.io/library/alpine:3.19.1
2024-02-14T11:41:48.692Z DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-02-14T11:41:48.693Z DEBUG Ignore statuses {"statuses": null}
2024-02-14T11:41:48.701Z DEBUG cache dir: /home/myuser/.cache/trivy
2024-02-14T11:41:48.701Z INFO Need to update DB
2024-02-14T11:41:48.701Z INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2024-02-14T11:41:48.701Z INFO Downloading DB...
42.87 MiB / 42.87 MiB [------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 26.81 MiB p/s 1.8s
2024-02-14T11:41:51.056Z DEBUG Updating database metadata...
2024-02-14T11:41:51.057Z DEBUG DB Schema: 2, UpdatedAt: 2024-02-13 12:11:42.390102083 +0000 UTC, NextUpdate: 2024-02-13 18:11:42.390101822 +0000 UTC, DownloadedAt: 2024-02-14 11:41:51.056973182 +0000 UTC
2024-02-14T11:41:51.057Z INFO Vulnerability scanning is enabled
2024-02-14T11:41:51.057Z DEBUG Vulnerability type: [os library]
2024-02-14T11:41:51.057Z INFO Secret scanning is enabled
2024-02-14T11:41:51.057Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-02-14T11:41:51.057Z INFO Please see also https://aquasecurity.github.io/trivy/v0.49/docs/scanner/secret/#recommendation for faster secret detection
2024-02-14T11:41:51.057Z DEBUG Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan]
2024-02-14T11:41:51.066Z DEBUG No secret config detected: trivy-secret.yaml
2024-02-14T11:41:51.066Z DEBUG The nuget packages directory couldn't be found. License search disabled
2024-02-14T11:41:51.066Z DEBUG No secret config detected: trivy-secret.yaml
2024-02-14T11:41:51.067Z DEBUG Image ID: sha256:05455a08881ea9cf0e752bc48e61bbd71a34c029bb13df01e40e3e70e0d007bd
2024-02-14T11:41:51.067Z DEBUG Diff IDs: [sha256:d4fc045c9e3a848011de66f34b81f052d4f2c15a17bb196d637e526349601820]
2024-02-14T11:41:51.067Z DEBUG Base Layers: []
2024-02-14T11:41:51.067Z INFO Detected OS: alpine
2024-02-14T11:41:51.067Z INFO Detecting Alpine vulnerabilities...
2024-02-14T11:41:51.068Z DEBUG alpine: os version: 3.19
2024-02-14T11:41:51.068Z DEBUG alpine: package repository: 3.19
2024-02-14T11:41:51.068Z DEBUG alpine: the number of packages: 15
2024-02-14T11:41:51.069Z INFO Number of language-specific files: 0
2024-02-14T11:41:51.069Z DEBUG Found an ignore file: .trivyignore
docker.io/library/alpine:3.19.1 (alpine 3.19.1)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Version
Version: 0.49.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-02-13 12:11:42.390102083 +0000 UTC
  NextUpdate: 2024-02-13 18:11:42.390101822 +0000 UTC
  DownloadedAt: 2024-02-14 10:38:42.850405312 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-02-12 00:45:04.687521318 +0000 UTC
  NextUpdate: 2024-02-15 00:45:04.687521198 +0000 UTC
  DownloadedAt: 2024-02-13 09:08:47.508073785 +0000 UTC
Replies: 1 comment
Hello @mike-miller-ct

Thanks for your interest in Trivy!

We use the Alpine security database to get advisories for Alpine - https://aquasecurity.github.io/trivy/v0.49/docs/scanner/vulnerability/#data-sources

The Alpine team did not add these CVEs (perhaps these CVEs did not affect their versions of busybox).

Regards, Dmitriy
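The data-source point in the reply above is easy to verify by hand. The following is an added example (not Trivy's code and not part of this thread) that models how an Alpine package is matched against the Alpine secdb: a CVE is reported only when the package's `secfixes` map lists it under a fixed version newer than the installed one, CVEs listed under the pseudo-version "0" are treated as not affecting the package, and a CVE that Alpine never added to `secfixes` produces no finding at all, whatever NVD maps it to. The secdb document embedded below is constructed for the example; its package entries, versions and `CVE-2000-*` identifiers are placeholders, not the real contents of `https://secdb.alpinelinux.org/v3.19/main.json`. The installed busybox version used in the demo (`1.36.1-r2`) is likewise an assumption, and the apk version parser is a simplified one that does not model `_alpha`/`_p`-style suffixes.

```python
"""Added example: why a CVE absent from Alpine's secdb yields no Trivy finding.

The secdb JSON below is CONSTRUCTED. Its shape (a "packages" list of
{"pkg": {"name": ..., "secfixes": {fixed_version: [cve, ...]}}}) mirrors the
Alpine feed; the entries themselves are placeholders (assumption).
"""
import json
import re

SAMPLE_SECDB = json.loads(r'''
{
  "distroversion": "v3.19",
  "reponame": "main",
  "packages": [
    {"pkg": {"name": "busybox",
             "secfixes": {
               "1.36.1-r0": ["CVE-2000-0001"],
               "1.36.1-r5": ["CVE-2000-0002"],
               "0": ["CVE-2000-0003"]}}},
    {"pkg": {"name": "musl",
             "secfixes": {"1.2.4-r2": ["CVE-2000-0004"]}}}
  ]
}
''')

# The four IDs from the question; in the constructed secdb none is listed.
THREAD_CVES = ["CVE-2023-42363", "CVE-2023-42364",
               "CVE-2023-42365", "CVE-2023-42366"]


def parse_apk_version(ver):
    """Simplified apk version parser: '1.36.1-r2' -> ((1, 36, 1), 2).
    Suffixes such as _alpha or _p are not modelled (assumption)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", ver)
    if not m:
        raise ValueError(f"unsupported version string: {ver!r}")
    upstream = tuple(int(p) for p in m.group(1).split("."))
    release = int(m.group(2) or 0)
    return upstream, release


def version_lt(a, b):
    """True when apk version a sorts before b (simplified ordering)."""
    return parse_apk_version(a) < parse_apk_version(b)


def secfixes_for(secdb, pkg_name):
    """Return the secfixes map for one package, or {} if the package is absent."""
    for entry in secdb["packages"]:
        if entry["pkg"]["name"] == pkg_name:
            return entry["pkg"].get("secfixes", {})
    return {}


def scan_package(secdb, pkg_name, installed):
    """Return {cve: fixed_version} for every CVE whose fix is newer than
    `installed`. Entries under "0" mean 'not affected' and are skipped;
    CVEs that never appear in secfixes cannot be reported at all."""
    findings = {}
    for fixed, cves in secfixes_for(secdb, pkg_name).items():
        if fixed == "0":
            continue
        if version_lt(installed, fixed):
            for cve in cves:
                findings[cve] = fixed
    return findings


def explain_cve(secdb, pkg_name, installed, cve):
    """Classify one CVE for an installed package version:
    'reported'     - listed, fix version newer than installed
    'fixed'        - listed, installed version already at or past the fix
    'not-affected' - listed under the "0" pseudo-version
    'unlisted'     - Alpine never added it to this package's secfixes
    """
    for fixed, cves in secfixes_for(secdb, pkg_name).items():
        if cve in cves:
            if fixed == "0":
                return "not-affected"
            return "reported" if version_lt(installed, fixed) else "fixed"
    return "unlisted"


if __name__ == "__main__":
    installed = "1.36.1-r2"  # assumed installed busybox version
    print("findings:", scan_package(SAMPLE_SECDB, "busybox", installed))
    for cve in THREAD_CVES + ["CVE-2000-0001", "CVE-2000-0002", "CVE-2000-0003"]:
        print(f"{cve}: {explain_cve(SAMPLE_SECDB, 'busybox', installed, cve)}")
```

To repeat the check against the live feed rather than the constructed sample, fetch `https://secdb.alpinelinux.org/v3.19/main.json`, load it with `json.load`, and pass the result to `explain_cve` together with the busybox version shown by `apk info -v busybox` in the image; an `unlisted` result is exactly the case the reply describes, and the only way to change it is an entry in Alpine's secdb, not in NVD.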