Different vulnerability lists after upgrade to 0.20.0 #1815

Closed
ajw3-msw opened this issue Mar 10, 2022 · 5 comments
Assignees
Labels
triage/support Indicates an issue that is a support question.

Comments

@ajw3-msw

Description

Running a vulnerability scan against the same image on Trivy v0.19.2 and v0.20.0 produces a list of different CVEs

What did you expect to happen?

The list of CVEs should be the same (or at least, the new Trivy version list should contain a superset of the previous CVEs) when run against the same image.

What happened instead?

The list of CVEs was different.

Output of run with -debug:

The output is quite verbose. I'll attach the two separate outputs as "trivy0.20.0.txt" and "trivy0.19.2.txt".

trivy0.19.2.txt
trivy0.20.0.txt

An example of a CVE that goes "missing" in 0.20.0 is CVE-2005-2541.
An example of a CVE that "appears" in 0.20.0 is CVE-2019-3881.

Output of trivy -v:

Commands run were:

  • docker run docker.io/aquasec/trivy:0.19.2 -d image --severity HIGH,CRITICAL fluent/fluentd:v1.14.2-debian-1.0
  • docker run docker.io/aquasec/trivy:0.20.0 -d image --severity HIGH,CRITICAL fluent/fluentd:v1.14.2-debian-1.0

Could you advise?

@ajw3-msw ajw3-msw added the kind/bug Categorizes issue or PR as related to a bug. label Mar 10, 2022
@knqyf263
Collaborator

@DmitriyLewen Can you look into it?

@DmitriyLewen
Contributor

DmitriyLewen commented Mar 14, 2022

Hello @ajw3-msw
Thanks for your report!
I will check your issue and write about this later.

Regards, Dmitriy

@DmitriyLewen
Contributor

DmitriyLewen commented Mar 15, 2022

Hello @ajw3-msw
I scanned fluent/fluentd:v1.14.2-debian-1.0 image with v0.19.2 and v0.20.0 without --severity flag:

>> docker run docker.io/aquasec/trivy:0.19.2 -d image fluent/fluentd:v1.14.2-debian-1.0
fluent/fluentd:v1.14.2-debian-1.0 (debian 10.11)
================================================
Total: 332 (UNKNOWN: 9, LOW: 24, MEDIUM: 172, HIGH: 106, CRITICAL: 21)

+----------------+------------------+----------+------------------------+---------------+--------------------------------------------------------------+
|    LIBRARY     | VULNERABILITY ID | SEVERITY |   INSTALLED VERSION    | FIXED VERSION |                            TITLE                             |
+----------------+------------------+----------+------------------------+---------------+--------------------------------------------------------------+
| apt            | CVE-2011-3374    | LOW      | 1.8.2.3                |               | It was found that apt-key in apt,                            |
|                |                  |          |                        |               | all versions, do not correctly...                            |
|                |                  |          |                        |               | -->avd.aquasec.com/nvd/cve-2011-3374                         |
+----------------+------------------+----------+------------------------+---------------+--------------------------------------------------------------+
| bash           | CVE-2019-18276   | HIGH     | 5.0-4                  |               | bash: when effective UID is not                              |
|                |                  |          |                        |               | equal to its real UID the...                                 |
|                |                  |          |                        |               | -->avd.aquasec.com/nvd/cve-2019-18276                        |

>> docker run docker.io/aquasec/trivy:0.20.0 -d image fluent/fluentd:v1.14.2-debian-1.0
fluent/fluentd:v1.14.2-debian-1.0 (debian 10.11)
================================================
Total: 332 (UNKNOWN: 8, LOW: 161, MEDIUM: 85, HIGH: 62, CRITICAL: 16)

+----------------+------------------+----------+------------------------+---------------+--------------------------------------------------------------+
|    LIBRARY     | VULNERABILITY ID | SEVERITY |   INSTALLED VERSION    | FIXED VERSION |                            TITLE                             |
+----------------+------------------+----------+------------------------+---------------+--------------------------------------------------------------+
| apt            | CVE-2011-3374    | LOW      | 1.8.2.3                |               | It was found that apt-key in apt,                            |
|                |                  |          |                        |               | all versions, do not correctly...                            |
|                |                  |          |                        |               | -->avd.aquasec.com/nvd/cve-2011-3374                         |
+----------------+------------------+          +------------------------+---------------+--------------------------------------------------------------+
| bash           | CVE-2019-18276   |          | 5.0-4                  |               | bash: when effective UID is not                              |
|                |                  |          |                        |               | equal to its real UID the...                                 |
|                |                  |          |                        |               | -->avd.aquasec.com/nvd/cve-2019-18276                        |

Trivy found all vulnerabilities, but the vulnerabilities are of different severity (e.g. CVE-2019-18276).
This happens after changing the logic for getting the severity from the database.
Now Trivy gets the severity from the Debian repository.

Regards, Dmitriy

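To see why two --severity-filtered lists diverge even though, as shown above, both versions report the same 332 findings, it helps to diff the unfiltered JSON output (trivy -f json) by package and CVE id instead of eyeballing the filtered tables. The script below is an added example, not code from the Trivy project or from anyone in this thread. The two embedded report snippets are constructed: they reuse the apt and bash rows visible above and add a hypothetical package "example-pkg" for CVE-2019-3881 with assumed MEDIUM/HIGH severities. It also assumes the pre-0.20 report is a top-level JSON list of results and the 0.20.0 report is an object carrying a "Results" key; adjust load_severities if your reports differ.

```python
import json
from typing import Dict, List, Tuple

Key = Tuple[str, str]  # (package name, vulnerability id)

# Constructed sample of a pre-0.20 report (top-level list of results; assumed layout).
# apt and bash rows mirror the v0.19.2 table above; example-pkg is hypothetical.
OLD_REPORT = """
[
  {
    "Target": "fluent/fluentd:v1.14.2-debian-1.0 (debian 10.11)",
    "Vulnerabilities": [
      {"VulnerabilityID": "CVE-2011-3374", "PkgName": "apt", "InstalledVersion": "1.8.2.3", "Severity": "LOW"},
      {"VulnerabilityID": "CVE-2019-18276", "PkgName": "bash", "InstalledVersion": "5.0-4", "Severity": "HIGH"},
      {"VulnerabilityID": "CVE-2019-3881", "PkgName": "example-pkg", "InstalledVersion": "0.0", "Severity": "MEDIUM"}
    ]
  }
]
"""

# Constructed sample of a v0.20.0 report (object with "Results"; assumed layout).
# Same findings, but bash is now LOW (as in the v0.20.0 table above) and the
# hypothetical example-pkg entry has moved up to HIGH.
NEW_REPORT = """
{
  "SchemaVersion": 2,
  "ArtifactName": "fluent/fluentd:v1.14.2-debian-1.0",
  "Results": [
    {
      "Target": "fluent/fluentd:v1.14.2-debian-1.0 (debian 10.11)",
      "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2011-3374", "PkgName": "apt", "InstalledVersion": "1.8.2.3", "Severity": "LOW"},
        {"VulnerabilityID": "CVE-2019-18276", "PkgName": "bash", "InstalledVersion": "5.0-4", "Severity": "LOW"},
        {"VulnerabilityID": "CVE-2019-3881", "PkgName": "example-pkg", "InstalledVersion": "0.0", "Severity": "HIGH"}
      ]
    }
  ]
}
"""


def load_severities(report_json: str) -> Dict[Key, str]:
    """Map (package, CVE id) -> severity from a Trivy JSON report.

    Accepts both a top-level list of results and an object with a "Results" key
    (assumed to be the pre-0.20 and 0.20.0 shapes respectively).
    """
    data = json.loads(report_json)
    results = data.get("Results", []) if isinstance(data, dict) else data
    severities: Dict[Key, str] = {}
    for result in results:
        for vuln in result.get("Vulnerabilities") or []:
            key = (vuln["PkgName"], vuln["VulnerabilityID"])
            severities[key] = vuln.get("Severity", "UNKNOWN")
    return severities


def compare_reports(old: Dict[Key, str], new: Dict[Key, str],
                    severity_filter: Tuple[str, ...] = ("HIGH", "CRITICAL")) -> Dict[str, object]:
    """Explain why two --severity-filtered lists differ.

    Separates findings that were genuinely added or removed from findings that
    are in both reports but crossed the filter threshold because their severity
    was reclassified (the situation described in this issue).
    """
    old_keys, new_keys = set(old), set(new)
    common = old_keys & new_keys

    def shown(severity: str) -> bool:
        return severity in severity_filter

    return {
        "only_in_old": sorted(old_keys - new_keys),
        "only_in_new": sorted(new_keys - old_keys),
        "reclassified": {k: (old[k], new[k]) for k in sorted(common) if old[k] != new[k]},
        # In both reports, but the filter would now hide it.
        "dropped_by_filter": sorted(k for k in common if shown(old[k]) and not shown(new[k])),
        # In both reports, but the filter would now show it.
        "added_by_filter": sorted(k for k in common if not shown(old[k]) and shown(new[k])),
    }


def main() -> None:
    diff = compare_reports(load_severities(OLD_REPORT), load_severities(NEW_REPORT))
    for section, entries in diff.items():
        print(f"{section}:")
        items: List = list(entries.items()) if isinstance(entries, dict) else entries
        for item in items:
            print("  ", item)


if __name__ == "__main__":
    main()
```

Run it against real output by replacing the two constants with the contents of `trivy -f json` files from each version; an empty only_in_old / only_in_new alongside a populated reclassified section is the signature of a severity-source change rather than a detection regression.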
@ajw3-msw
Author

Hi Dmitriy.

Thanks for investigating promptly for me - I understand your explanation.

I'll close the ticket.

Best regards.

@knqyf263
Collaborator

@DmitriyLewen Cool! Thanks for investigating!

@knqyf263 knqyf263 added triage/support Indicates an issue that is a support question. and removed kind/bug Categorizes issue or PR as related to a bug. labels Mar 16, 2022