Trivy not detecting a known CVE (traefik)

[mcarbonne]

Description

When running docker run aquasec/trivy image traefik:v3.1.2 (with the latest available trivy image), critical CVE-2024-45410 isn't detected.
I don't know if the issue lies in SBOM generation or in the matching of vulnerabilities.

There is a discussion regarding SBOM generation and traefik (#7169) but I don't know if it is related.

Desired Behavior

CVE-2024-45410 detected (as traefik 3.1.2 is vulnerable)

Actual Behavior

critical vulnerability not detected

Reproduction Steps

1. Run `docker run aquasec/trivy image traefik:v3.1.2`

Target

Container Image

Scanner

Vulnerability

Output Format

None

Mode

None

Debug Output

$ docker run aquasec/trivy --debug image traefik:v3.1.2 
2024-10-15T19:48:42Z	DEBUG	No plugins loaded
2024-10-15T19:48:42Z	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2024-10-15T19:48:42Z	DEBUG	Cache dir	dir="/root/.cache/trivy"
2024-10-15T19:48:42Z	DEBUG	Cache dir	dir="/root/.cache/trivy"
2024-10-15T19:48:42Z	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-10-15T19:48:42Z	DEBUG	Ignore statuses	statuses=[]
2024-10-15T19:48:42Z	DEBUG	[vulndb] There is no valid metadata file	err="unable to open a file: open /root/.cache/trivy/db/metadata.json: no such file or directory"
2024-10-15T19:48:42Z	INFO	[vulndb] Need to update DB
2024-10-15T19:48:42Z	DEBUG	[vulndb] No metadata file
2024-10-15T19:48:42Z	INFO	[vulndb] Downloading vulnerability DB...
2024-10-15T19:48:42Z	INFO	[vulndb] Downloading artifact...	repo="ghcr.io/aquasecurity/trivy-db:2"
18.48 MiB / 54.25 MiB [-------------------->________________________________________] 34.06% ? p/s ?38.96 MiB / 54.25 MiB [------------------------------------------->_________________] 71.83% ? p/s ?54.25 MiB / 54.25 MiB [----------------------------------------------------------->] 100.00% ? p/s ?54.25 MiB / 54.25 MiB [---------------------------------------------->] 100.00% 59.59 MiB p/s ETA 0s54.25 MiB / 54.25 MiB [---------------------------------------------->] 100.00% 59.59 MiB p/s ETA 0s54.25 MiB / 54.25 MiB [---------------------------------------------->] 100.00% 59.59 MiB p/s ETA 0s54.25 MiB / 54.25 MiB [---------------------------------------------->] 100.00% 55.74 MiB p/s ETA 0s54.25 MiB / 54.25 MiB [---------------------------------------------->] 100.00% 55.74 MiB p/s ETA 0s54.25 MiB / 54.25 MiB [-------------------------------------------------] 100.00% 37.33 MiB p/s 1.7s2024-10-15T19:48:44ZINFO	[vulndb] Artifact successfully downloaded	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-15T19:48:44Z	DEBUG	Updating database metadata...
2024-10-15T19:48:44Z	DEBUG	DB info	schema=2 updated_at=2024-10-15T18:16:47.934977022Z next_update=2024-10-16T18:16:47.934976511Z downloaded_at=2024-10-15T19:48:44.490588565Z
2024-10-15T19:48:44Z	DEBUG	[pkg] Package types	types=[os library]
2024-10-15T19:48:44Z	DEBUG	[pkg] Package relationships	relationships=[unknown root direct indirect]
2024-10-15T19:48:44Z	INFO	[vuln] Vulnerability scanning is enabled
2024-10-15T19:48:44Z	INFO	[secret] Secret scanning is enabled
2024-10-15T19:48:44Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-15T19:48:44Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-15T19:48:44Z	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-10-15T19:48:44Z	DEBUG	Initializing scan cache...	type="fs"
2024-10-15T19:48:45Z	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2024-10-15T19:48:45Z	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2024-10-15T19:48:45Z	DEBUG	[image] Detected image ID	image_id="sha256:0c02a120479c5db9809725d9bf5b125ffbc79266e4e6dc1e5225bff876880453"
2024-10-15T19:48:45Z	DEBUG	[image] Detected diff ID	diff_ids=[sha256:63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85 sha256:3f0efdc2ae04b455dc70bd1f929a82f19dfdf2c7ef116c73bd9874f773f9849d sha256:d568b543f58c93bdc06cdba5e194c83e7a9d5100feb9e26c84a4b4f70cc8b6d8 sha256:e8677da32404b6ede8c5704a742fcc678fac54fec485dcfc4862de3f47911c63]
2024-10-15T19:48:45Z	DEBUG	[image] Detected base layers	diff_ids=[sha256:63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85]
2024-10-15T19:48:45Z	DEBUG	[image] Missing image ID in cache	image_id="sha256:0c02a120479c5db9809725d9bf5b125ffbc79266e4e6dc1e5225bff876880453"
2024-10-15T19:48:45Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:d568b543f58c93bdc06cdba5e194c83e7a9d5100feb9e26c84a4b4f70cc8b6d8"
2024-10-15T19:48:45Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:e8677da32404b6ede8c5704a742fcc678fac54fec485dcfc4862de3f47911c63"
2024-10-15T19:48:45Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85"
2024-10-15T19:48:45Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:3f0efdc2ae04b455dc70bd1f929a82f19dfdf2c7ef116c73bd9874f773f9849d"
2024-10-15T19:48:46Z	DEBUG	[gobinary] Unable to detect main module's dependency version - `(devel)` is used	dependency="github.com/traefik/traefik/v3"
2024-10-15T19:48:46Z	DEBUG	[gobinary] Parsing dependency's build info settings	dependency="github.com/traefik/traefik/v3" -ldflags=[]
2024-10-15T19:48:46Z	DEBUG	[gobinary] Unable to detect dependency version. `-ldflags` build info settings don't contain version flag. Empty version used.	dependency="github.com/traefik/traefik/v3"
2024-10-15T19:48:46Z	DEBUG	No secrets found in container image config
2024-10-15T19:48:46Z	INFO	Detected OS	family="alpine" version="3.20.3"
2024-10-15T19:48:46Z	INFO	[alpine] Detecting vulnerabilities...	os_version="3.20" repository="3.20" pkg_num=16
2024-10-15T19:48:46Z	INFO	Number of language-specific files	num=1
2024-10-15T19:48:46Z	INFO	[gobinary] Detecting vulnerabilities...
2024-10-15T19:48:46Z	DEBUG	[gobinary] Scanning packages for vulnerabilities	file_path="usr/local/bin/traefik"
2024-10-15T19:48:46Z	DEBUG	[gobinary] Skipping vulnerability scan as no version is detected for the package	name="github.com/traefik/traefik/v3"
2024-10-15T19:48:46Z	WARN	Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.56/docs/scanner/vulnerability#severity-selection for details.
2024-10-15T19:48:46Z	DEBUG	[vex] VEX filtering is disabled

traefik:v3.1.2 (alpine 3.20.3)
==============================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


usr/local/bin/traefik (gobinary)
================================
Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 3, HIGH: 1, CRITICAL: 0)

┌────────────────────────────┬────────────────┬──────────┬──────────┬───────────────────┬────────────────┬─────────────────────────────────────────────────────────────┐
│          Library           │ Vulnerability  │ Severity │  Status  │ Installed Version │ Fixed Version  │                            Title                            │
├────────────────────────────┼────────────────┼──────────┼──────────┼───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ gopkg.in/square/go-jose.v2 │ CVE-2024-28180 │ MEDIUM   │ affected │ v2.5.1            │                │ jose-go: improper handling of highly compressed data        │
│                            │                │          │          │                   │                │ https://avd.aquasec.com/nvd/cve-2024-28180                  │
├────────────────────────────┼────────────────┼──────────┼──────────┼───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ stdlib                     │ CVE-2024-34156 │ HIGH     │ fixed    │ 1.22.5            │ 1.22.7, 1.23.1 │ encoding/gob: golang: Calling Decoder.Decode on a message   │
│                            │                │          │          │                   │                │ which contains deeply nested structures...                  │
│                            │                │          │          │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34156                  │
│                            ├────────────────┼──────────┤          │                   │                ├─────────────────────────────────────────────────────────────┤
│                            │ CVE-2024-34155 │ MEDIUM   │          │                   │                │ go/parser: golang: Calling any of the Parse functions       │
│                            │                │          │          │                   │                │ containing deeply nested literals...                        │
│                            │                │          │          │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34155                  │
│                            ├────────────────┤          │          │                   │                ├─────────────────────────────────────────────────────────────┤
│                            │ CVE-2024-34158 │          │          │                   │                │ go/build/constraint: golang: Calling Parse on a "// +build" │
│                            │                │          │          │                   │                │ build tag line with...                                      │
│                            │                │          │          │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34158                  │
└────────────────────────────┴────────────────┴──────────┴──────────┴───────────────────┴────────────────┴─────────────────────────────────────────────────────────────┘

Operating System

Linux

Version

$ docker run aquasec/trivy --version
Version: 0.56.2

Checklist

• Run trivy clean --all
• Read the troubleshooting

[DmitriyLewen]

Hello @mcarbonne
Thanks for your report!

Trivy detects version for binaries with (devel) version by ldflags - https://aquasecurity.github.io/trivy/v0.56/docs/coverage/language/golang/#main-module_1

traefik uses (devel) version, but doesn't have ldflags:

➜ go version -m ./traefik 
traefik: go1.22.5
	path	github.com/traefik/traefik/v3/cmd/traefik
	mod	github.com/traefik/traefik/v3	(devel)	
	dep	cloud.google.com/go/compute/metadata	v0.3.0	h1:Tz+eQXMEqDIKRsmY3cHTL6FVaynIjX2QxYC4trgAKZc=
	...
	dep	sigs.k8s.io/yaml	v1.4.0	h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
	build	-buildmode=exe
	build	-compiler=gc
	build	-trimpath=true
	build	CGO_ENABLED=0
	build	GOARCH=arm64
	build	GOOS=linux
	build	vcs=git
	build	vcs.revision=4c4780f88692fa38c6a0a6da814f0449704075f0
	build	vcs.time=2024-08-06T13:34:03Z
	build	vcs.modified=false

That is why Trivy can't detect version of traefik and found vulnerability for this package.

Regards, Dmitriy