Incomplete Vulnerability Detection for google-cloud-storage:2.23.0

[sagic-orca]

IDs

CVE-2023-2976, CVE-2020-8908

Description

Incomplete Vulnerability Detection for google-cloud-storage:2.23.0

Upon executing a trivy rootfs scan for both auto-value:1.10.1 and google-cloud-storage:2.23.0, which share the same vulnerable dependency (guava:31.1-jre), Trivy successfully identified the related CVEs for auto-value but failed to detect any vulnerabilities for the google cloud package.

Interestingly, running Trivy directly on the pom.xml produced the expected CVEs in the scan results.

This problem also occurred during the image scan.

Reproduction Steps

1. Download the JAR files from mvnrepository.com
2. Execute Trivy rootfs scan on the JAR files.

Target

Filesystem

Scanner

Vulnerability

Target OS

No response

Debug Output

2023-12-05T12:18:46.675+0200	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-12-05T12:18:46.676+0200	DEBUG	Ignore statuses	{"statuses": null}
2023-12-05T12:18:46.690+0200	DEBUG	cache dir:  /Users/Library/Caches/trivy
2023-12-05T12:18:46.691+0200	DEBUG	DB update was skipped because the local DB is the latest
2023-12-05T12:18:46.691+0200	DEBUG	DB Schema: 2, UpdatedAt: 2023-12-05 06:11:59.667121446 +0000 UTC, NextUpdate: 2023-12-05 12:11:59.667121065 +0000 UTC, DownloadedAt: 2023-12-05 08:57:18.299445 +0000 UTC
2023-12-05T12:18:46.692+0200	INFO	Vulnerability scanning is enabled
2023-12-05T12:18:46.692+0200	DEBUG	Vulnerability type:  [os library]
2023-12-05T12:18:46.692+0200	DEBUG	The nuget packages directory couldn't be found. License search disabled
2023-12-05T12:18:46.692+0200	DEBUG	Walk the file tree rooted at '/Users/Downloads/jars' in parallel
2023-12-05T12:18:46.697+0200	DEBUG	Parsing Java artifacts...	{"file": "auto-value-1.10.1.jar"}
2023-12-05T12:18:46.697+0200	DEBUG	Parsing Java artifacts...	{"file": "google-cloud-storage-2.23.0.jar"}
2023-12-05T12:18:46.714+0200	DEBUG	OS is not detected.
2023-12-05T12:18:46.714+0200	DEBUG	Detected OS: unknown
2023-12-05T12:18:46.714+0200	INFO	Number of language-specific files: 1
2023-12-05T12:18:46.714+0200	INFO	Detecting jar vulnerabilities...
2023-12-05T12:18:46.714+0200	DEBUG	Detecting library vulnerabilities, type: jar, path: 
2023-12-05T12:18:46.727+0200	INFO	Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Version

v0.48.0

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[DmitriyLewen]

Hello @sagic-orca
Thanks for your report.

I checked google-cloud-storage:2.23.0.
There is no pom.properties file with information about the installedguava:31.1-jre. Also there is no guava jar file:

➜ unzip -d gcs-2.23.0 google-cloud-storage-2.23.0.jar 
...

➜ find ./gcs-2.23.0 -name "pom.properties"
./gcs-2.23.0/META-INF/maven/com.google.cloud/google-cloud-storage/pom.properties

➜ cat ./gcs-2.23.0/META-INF/maven/com.google.cloud/google-cloud-storage/pom.properties
artifactId=google-cloud-storage
groupId=com.google.cloud
version=2.23.0

➜ find ./gcs-2.23.0 -name "*.jar"

More information about scan jar files here - https://aquasecurity.github.io/trivy/v0.48/docs/coverage/language/java/#jarwarparear

About auto-value:

➜ unzip -d av-1.10.1 auto-value-1.10.1.jar 
 ...

➜ find ./av-1.10.1 -name "*.jar"

➜ find ./av-1.10.1 -name "pom.properties"
./av-1.10.1/META-INF/maven/com.google.errorprone/error_prone_annotations/pom.properties
./av-1.10.1/META-INF/maven/org.jetbrains/annotations/pom.properties
./av-1.10.1/META-INF/maven/com.google.escapevelocity/escapevelocity/pom.properties
./av-1.10.1/META-INF/maven/com.google.auto.value/auto-value/pom.properties
./av-1.10.1/META-INF/maven/com.squareup/javapoet/pom.properties
./av-1.10.1/META-INF/maven/com.google.auto/auto-common/pom.properties
./av-1.10.1/META-INF/maven/com.google.j2objc/j2objc-annotations/pom.properties
./av-1.10.1/META-INF/maven/com.google.auto.service/auto-service-annotations/pom.properties
./av-1.10.1/META-INF/maven/com.google.guava/guava/pom.properties
./av-1.10.1/META-INF/maven/com.google.guava/failureaccess/pom.properties
./av-1.10.1/META-INF/maven/com.google.guava/listenablefuture/pom.properties

➜ cat ./av-1.10.1/META-INF/maven/com.google.guava/guava/pom.properties
#Generated by org.apache.felix.bundleplugin
#Mon Feb 28 16:18:22 EST 2022
groupId=com.google.guava
artifactId=guava
version=31.1-jre

Regards, Dmitriy