Trivy doesn't update vulnerability after updating package manually

[juyoungkimthedev]

Description

I am using
FROM python:3.10.12-buster in my image
and the recent CVEs:

• https://security-tracker.debian.org/tracker/CVE-2024-42154
• https://security-tracker.debian.org/tracker/CVE-2024-38428

are not updated even after installing the debian binary packages.

I have linux-libc-dev/now 6.10.4-1 all [installed,local]
and when I run trivy image --format table --exit-code 1 --vuln-type os,library --severity CRITICAL <image>, still shows linux-libc-dev │ CVE-2024-42154 │ │ affected │ 6.10.4-1

Desired Behavior

I'd expect based on https://security-tracker.debian.org/tracker/CVE-2024-42154,
linux-libc-dev would appear as fixed?

Actual Behavior

linux-libc-dev still appears CRITICAl even after patching it to 6.10.4-1 from debian snapshot.

Reproduction Steps

1. Build simple image based on `FROM python:3.10.12-buster`
2. add this 

RUN wget http://ftp.debian.org/debian/pool/main/l/linux/linux-libc-dev_6.10.4-1_all.deb
RUN dpkg -i linux-libc-dev_6.10.4-1_all.deb
RUN apt-get install -f

3. Run trivy report on the built image.
   ...

### Target

Container Image

### Scanner

Vulnerability

### Output Format

Table

### Mode

None

### Debug Output

```bash
2024/08/19 13:21:43 WARN '--vuln-type' is deprecated. Use '--pkg-types' instead.
2024-08-19T13:21:43-04:00       DEBUG   Cache dir       dir="/Users/jkim/Library/Caches/trivy"
2024-08-19T13:21:43-04:00       DEBUG   Parsed severities       severities=[CRITICAL]
2024-08-19T13:21:43-04:00       DEBUG   Ignore statuses statuses=[]
2024-08-19T13:21:43-04:00       DEBUG   DB update was skipped because the local DB is the latest
2024-08-19T13:21:43-04:00       DEBUG   DB info schema=2 updated_at=2024-08-19T12:13:24.768094154Z next_update=2024-08-19T18:13:24.768093753Z downloaded_at=2024-08-19T17:21:29.941511Z
2024-08-19T13:21:43-04:00       DEBUG   [pkg] Package types     types=[os library]
2024-08-19T13:21:43-04:00       DEBUG   [pkg] Package relationships     relationships=[unknown root direct indirect]
2024-08-19T13:21:43-04:00       INFO    [vuln] Vulnerability scanning is enabled
2024-08-19T13:21:43-04:00       INFO    [secret] Secret scanning is enabled
2024-08-19T13:21:43-04:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-19T13:21:43-04:00       INFO    [secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-19T13:21:43-04:00       DEBUG   Enabling misconfiguration scanners     scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-08-19T13:21:43-04:00       DEBUG   Initializing scan cache...      type="fs"
2024-08-19T13:21:43-04:00       DEBUG   [secret] No secret config detected     config_path="trivy-secret.yaml"
2024-08-19T13:21:43-04:00       DEBUG   [secret] No secret config detected     config_path="trivy-secret.yaml"
2024-08-19T13:21:43-04:00       DEBUG   [image] Detected image ID       image_id="sha256:86be4a284d546a49590dbd7c16d5d4138629eeb08c0549b0665d5a0d96c4b1f3"
2024-08-19T13:21:43-04:00       DEBUG   [image] Detected diff ID        diff_ids=[sha256:6af7a54a0a0dc3d3b622e2ffb19b80c55b3e29b07857efb3d818517cad416e3b sha256:53d40515380c2dce4348df0565356261e1795bd9c68f0263fa14d0bdbf52521d sha256:eccb9ed74974c6ffbb0ffe29805839db91d2b4f4e2cdc61ee70650d6210e7fbd sha256:dcc1cfeee1ab24b1736806348df7db43070fe755d6912cba38ce80340585ec16 sha256:474c7af106972488141362c55112a7419898074e526ebc62cba9de91fbac75f8 sha256:28c8022c15c7d81abb3a6999242b40307561f8ada36f7e8f302ab7759f0177c4 sha256:c590d86aed8890c57ef1207bbf53264ae8e7b4c23d056aef9a693eb2a92b75ff sha256:f5a064a62844b38a41d5913bf043792669fe608b90391d8d831c93e35f196267 sha256:02dc2fac7a1536556be6d8a4b846403087928c23cbd59a7d1a81b169af837d2d sha256:7220084ec3b86f013d71d582b8940633df200ea13bbcd863a89322f48e04ed4e sha256:b186ea7cfdc5fbb929f415d8472516a394551d0bb56d72ee5c52469ca2d1dac1 sha256:e5bb5b4bbcede10414dbb15923f9d454655b7ff04930f47e60b970b6180ecf26 sha256:934b12b91652464ff7662576a31570f15c5c26150ec924a4950cc2f6d9cc4560 sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef]
2024-08-19T13:21:43-04:00       DEBUG   [image] Detected base layers    diff_ids=[sha256:6af7a54a0a0dc3d3b622e2ffb19b80c55b3e29b07857efb3d818517cad416e3b sha256:53d40515380c2dce4348df0565356261e1795bd9c68f0263fa14d0bdbf52521d sha256:eccb9ed74974c6ffbb0ffe29805839db91d2b4f4e2cdc61ee70650d6210e7fbd sha256:dcc1cfeee1ab24b1736806348df7db43070fe755d6912cba38ce80340585ec16 sha256:474c7af106972488141362c55112a7419898074e526ebc62cba9de91fbac75f8 sha256:28c8022c15c7d81abb3a6999242b40307561f8ada36f7e8f302ab7759f0177c4 sha256:c590d86aed8890c57ef1207bbf53264ae8e7b4c23d056aef9a693eb2a92b75ff sha256:f5a064a62844b38a41d5913bf043792669fe608b90391d8d831c93e35f196267]
2024-08-19T13:21:43-04:00       INFO    Detected OS     family="debian" version="10.13"
2024-08-19T13:21:43-04:00       INFO    [debian] Detecting vulnerabilities...  os_version="10" pkg_num=435
2024-08-19T13:21:43-04:00       INFO    Number of language-specific files      num=1
2024-08-19T13:21:43-04:00       INFO    [python-pkg] Detecting vulnerabilities...
2024-08-19T13:21:43-04:00       DEBUG   [python-pkg] Scanning packages for vulnerabilities      file_path=""
2024-08-19T13:21:43-04:00       WARN    Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.54/docs/scanner/vulnerability#severity-selection for details.
2024-08-19T13:21:43-04:00       WARN    This OS version is no longer supported by the distribution      family="debian" version="10.13"
2024-08-19T13:21:43-04:00       WARN    The vulnerability detection may be insufficient because security updates are not provided
2024-08-19T13:21:43-04:00       DEBUG   [vex] VEX filtering is disabled

Operating System

Debian Buster

Version

Version: 0.54.1

Checklist

• Run trivy clean --all
• Read the troubleshooting

[DmitriyLewen]

Hello @juyoungkimthedev
Thanks for your report!

We use separate advisory lists for each Debian release.
But we have no way to detect this installed version from another release.

Debian 10 does not have fixed version for CVE-2024-42154.
That's why Trivy still marks this package as vulnerable.

[juyoungkimthedev]

Thanks for the reply!
Okay so that means if we're using debian 10, we'd just need to wait out for the upstream bug fixes to be released for debian 10 and update the packages for Trivy to pick it up? Does Trviy look at debian tracker to look for fixed versions? i.e. check places like https://security-tracker.debian.org/tracker/CVE-2024-42154?

[DmitriyLewen]

Okay so that means if we're using debian 10, we'd just need to wait out for the upstream bug fixes to be released for debian 10 and update the packages for Trivy to pick it up

Right.But Debian has stopped supporting Debian 10 (https://www.debian.org/News/2024/20240615). So most likely the fix will not be released

Does Trviy look at debian tracker to look for fixed versions

List of used DBs - https://aquasecurity.github.io/trivy/v0.54/docs/scanner/vulnerability/#data-sources

[juyoungkimthedev]

Thanks, we're moving to bookworm. Hopefully patch will be released there. Closing.