Vulnerabilities identified in a scan using Trivy can differ depending on whether an image or an SBOM is used.

[genos1998]

Initially I scanned an open source image for vulnerabilities using the below cmd:
trivy image argoproj/argocd --format=cyclonedx -o argo-trivy-issue-imageScan.json --scanners vuln --timeout 60m

And then I performed another vulnerability scan using the sbom which was generated using the above cmd
trivy sbom argo-trivy-issue-imageScan.json --format=cyclonedx -o argo-trivy-issue-sbomScan.json --scanners vuln

After thorough analysis I found out that there was a difference of 3 vulnerabilities between them:
"CVE-2022-21235", "GHSA-xg2h-wx96-xgxr", "CVE-2021-4238"

Shouldn't the vulnerabilities be same if there was no change made to the sbom or the image

[afdesk]

@genos1998 thanks for the report.
I'm trying to reproduce your issue.

image scan contains 91 vulnerability, sbom scan contains only 88 vulns, right?

[afdesk]

Trivy loses vulnerabilities for github.com/Masterminds/vcs and github.com/Masterminds/goutils.
it seems it's a case-sensitive issue. but i couldn't find it yet.

[genos1998]

Due to changes in the Trivy database, I am unable to provide an exact count of the number of vulnerabilities between the two instances. However, there was still a difference of 3 vulnerabilities between them.

Have you been able to replicate the issue? Please let me know if there is anything I can do to assist. I am also willing to search for the issue in the code and collaborate on a solution if necessary.

[afdesk]

@genos1998 yes, I could reproduce it. #4302 was recreated.
it seems I understood a reason, trying to fix it - #4306
thanks for help.

[afdesk]

this discussion is closed, because #4302 was created.

[genos1998]

Thankyou so much for your help @afdesk