CVEs missing even though SBOM lists vulnerable dependency #4245
fawind started this conversation in False Detection
Replies: 0 comments
Checklist

-f json that shows data sources and make sure that the security advisory is correct.

Description
I stumbled upon a few Maven CVEs where Trivy correctly identifies the vulnerable dependency coordinate and lists it in its SBOM but doesn't flag the CVE, even though the GitHub Security Advisory lists it as vulnerable.
As far as I know, GHSA is a data source for Maven CVEs. Based on that, my expectation would be that if Trivy finds a Maven dependency that has an entry in the GHSA, it should appear in the scan report.
Those CVEs are also flagged in the same image by JFrog's Xray, so I think they are actual false negatives.
Examples:

- CVE-2022-3509 and CVE-2022-3510 (protobuf-java): pkg:maven/com.google.protobuf/[email protected]. Affected range: < 3.16.3 (ghsa-1, ghsa-2). [email protected] package.
- CVE-2022-1471 (snakeyaml): pkg:maven/org.yaml/[email protected]. Affected range: <= 1.33 (ghsa).
- CVE-2021-31684 (json-smart): pkg:maven/net.minidev/[email protected]. Affected range: >= 1.3.0, < 1.3.3 (ghsa).

Output of trivy -v:

Additional details:
I'm also using the trivy-java-db with the following metadata.json:

For scanning my container image, I'm running the following command:
Note that I had these findings on internal images. Happy to provide more data if necessary (e.g. the redacted SBOM for a reproducer).
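The cross-check this report relies on, as an added example that is neither Trivy's code nor part of the discussion: take the purls from a CycloneDX SBOM, decide with Maven-style version ordering which components sit inside the GHSA ranges quoted above, and diff that against the (purl, CVE) pairs a scanner report actually contains. Assumptions: the SBOM and report documents below are constructed for the example; the version ordering is a simplified Maven ordering (numeric segments compare numerically, a qualifier sorts before the plain release, trailing zeros are ignored), not Maven's full ComparableVersion; and the report field names VulnerabilityID and PkgIdentifier.PURL are assumed to match Trivy's JSON output.

```python
"""Cross-check an SBOM against advisory version ranges.

Added example, not code from Trivy or from the discussion. It walks the purls
in a CycloneDX JSON document (the format `trivy image -f cyclonedx` writes),
decides with a simplified Maven version ordering which components fall inside
a known-vulnerable range, and diffs that against the (purl, CVE) pairs a
scanner report contains. SBOM and report below are constructed; the ranges
are the GHSA ranges quoted in the discussion.
"""
import json
import re
from urllib.parse import unquote

# Constructed CycloneDX SBOM (not the reporter's image); versions chosen so
# that some components sit inside the quoted ranges and some do not.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"type": "library", "purl": "pkg:maven/com.google.protobuf/protobuf-java@3.16.1"},
        {"type": "library", "purl": "pkg:maven/org.yaml/snakeyaml@1.33"},
        {"type": "library", "purl": "pkg:maven/net.minidev/json-smart@2.4.8"},
        {"type": "library", "purl": "pkg:maven/org.slf4j/slf4j-api@1.7.36"},
    ],
})

# Constructed scanner report in Trivy's JSON layout; assumes each
# vulnerability entry carries VulnerabilityID and PkgIdentifier.PURL.
SAMPLE_REPORT = json.dumps({"Results": [{"Vulnerabilities": [
    {"VulnerabilityID": "CVE-2022-1471",
     "PkgIdentifier": {"PURL": "pkg:maven/org.yaml/snakeyaml@1.33"}},
]}]})

# Affected ranges as quoted from the GitHub advisories in the discussion.
ADVISORIES = {
    "pkg:maven/com.google.protobuf/protobuf-java": [
        ("CVE-2022-3509", "< 3.16.3"), ("CVE-2022-3510", "< 3.16.3")],
    "pkg:maven/org.yaml/snakeyaml": [("CVE-2022-1471", "<= 1.33")],
    "pkg:maven/net.minidev/json-smart": [("CVE-2021-31684", ">= 1.3.0, < 1.3.3")],
}


def _tokens(version):
    """Split '3.16.3-rc1' into [3, 16, 3, 'rc1']; digit runs become ints."""
    return [int(p) if p.isdigit() else p
            for p in re.split(r"[.\-]", version.lower()) if p]


def _tail_sign(tail):
    """Tokens present on one side only: a number makes that side greater
    ('1.0.1' > '1.0'), a qualifier makes it smaller ('1.0-rc1' < '1.0'),
    trailing zeros change nothing ('1.33' == '1.33.0')."""
    for t in tail:
        if t != 0:
            return 1 if isinstance(t, int) else -1
    return 0


def compare_versions(a, b):
    """Simplified Maven ordering; returns -1, 0 or 1 like a comparator."""
    ta, tb = _tokens(a), _tokens(b)
    for i in range(max(len(ta), len(tb))):
        if i >= len(ta):
            return -_tail_sign(tb[i:])
        if i >= len(tb):
            return _tail_sign(ta[i:])
        x, y = ta[i], tb[i]
        if x == y:
            continue
        if isinstance(x, int) != isinstance(y, int):
            return 1 if isinstance(x, int) else -1  # release beats qualifier
        return -1 if x < y else 1
    return 0


_OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0,
        ">": lambda c: c > 0, ">=": lambda c: c >= 0, "=": lambda c: c == 0}


def in_range(version, constraint):
    """True when version satisfies every comma-separated clause of the
    constraint, e.g. '>= 1.3.0, < 1.3.3'."""
    for clause in constraint.split(","):
        m = re.fullmatch(r"\s*(<=|>=|<|>|=)\s*(\S+)\s*", clause)
        if not m:
            raise ValueError(f"unsupported constraint clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](compare_versions(version, bound)):
            return False
    return True


def split_purl(purl):
    """Return (purl without version, version) for 'pkg:maven/g/a@v?q#s'."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    name, sep, version = base.rpartition("@")
    return (name, unquote(version)) if sep else (base, None)


def expected_findings(sbom_json, advisories=ADVISORIES):
    """Sorted (purl, cve) pairs that the advisory ranges say must be reported."""
    hits = []
    for comp in json.loads(sbom_json).get("components", []):
        name, version = split_purl(comp.get("purl", ""))
        if version is None:
            continue
        hits += [(comp["purl"], cve) for cve, rng in advisories.get(name, [])
                 if in_range(version, rng)]
    return sorted(hits)


def reported_pairs(report_json):
    """(purl, cve) pairs present in a Trivy-style JSON report (field names assumed)."""
    pairs = set()
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            pairs.add((v.get("PkgIdentifier", {}).get("PURL"), v["VulnerabilityID"]))
    return pairs


def missing_from_report(sbom_json, report_json):
    """Expected pairs the report lacks: candidate false negatives to file."""
    return sorted(set(expected_findings(sbom_json)) - reported_pairs(report_json))


if __name__ == "__main__":
    for purl, cve in missing_from_report(SAMPLE_SBOM, SAMPLE_REPORT):
        print(f"not reported: {cve} for {purl}")
```

To run it against a real image, write the two documents with trivy image -f cyclonedx -o sbom.json and trivy image -f json -o report.json and pass their contents to missing_from_report; the ADVISORIES table is the place to paste the ranges from each GHSA page. The version comparator is where the interesting disagreements surface: if a purl's version carries a qualifier or a non-numeric segment, check how the scanner orders it before calling the miss a false negative.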