Trivy doesn't update vulnerability after updating package manually #7359
Description
I am using
are not updated even after installing the debian binary packages. I have

Desired Behavior
I'd expect based on https://security-tracker.debian.org/tracker/CVE-2024-42154,

Actual Behavior

Reproduction Steps
1. Build simple image based on `FROM python:3.10.12-buster`
2. add this
RUN wget http://ftp.debian.org/debian/pool/main/l/linux/linux-libc-dev_6.10.4-1_all.deb
RUN dpkg -i linux-libc-dev_6.10.4-1_all.deb
RUN apt-get install -f

Operating System
Debian Buster

Version
Version: 0.54.1

Checklist
Replies: 1 comment 3 replies
Hello @juyoungkimthedev
Thanks for your report!
We use separate advisory lists for each Debian release.
But we have no way to detect this installed version from another release.
Debian 10 does not have a fixed version for CVE-2024-42154.
That's why Trivy still marks this package as vulnerable.