Description
Hi all!

Desired Behavior
Trivy detects CVE-2023-38646 in the image.

Actual Behavior
Trivy overlooks the vulnerability.

Reproduction Steps
1. trivy image metabase/metabase:v0.45.2 --quiet | grep CVE-2023-38646
...

Target: Container Image
Scanner: Vulnerability
Output Format: JSON
Mode: Standalone

Debug Output
❯ trivy image metabase/metabase:v0.45.2 --debug | grep CVE-2023-38646
2024-03-19T18:22:39.574-0300 DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-03-19T18:22:39.575-0300 DEBUG Ignore statuses {"statuses": null}
2024-03-19T18:22:39.614-0300 DEBUG cache dir: /Users/lucas.teixeira/Library/Caches/trivy
2024-03-19T18:22:39.614-0300 DEBUG DB update was skipped because the local DB is the latest
2024-03-19T18:22:39.614-0300 DEBUG DB Schema: 2, UpdatedAt: 2024-03-19 18:11:55.127619352 +0000 UTC, NextUpdate: 2024-03-20 00:11:55.12761871 +0000 UTC, DownloadedAt: 2024-03-19 18:49:07.422505 +0000 UTC
2024-03-19T18:22:39.614-0300 INFO Vulnerability scanning is enabled
2024-03-19T18:22:39.614-0300 DEBUG Vulnerability type: [os library]
2024-03-19T18:22:39.614-0300 INFO Secret scanning is enabled
2024-03-19T18:22:39.614-0300 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-03-19T18:22:39.614-0300 INFO Please see also https://aquasecurity.github.io/trivy/v0.48/docs/scanner/secret/#recommendation for faster secret detection
2024-03-19T18:22:39.614-0300 DEBUG Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan]
2024-03-19T18:22:40.792-0300 DEBUG No secret config detected: trivy-secret.yaml
2024-03-19T18:22:40.792-0300 DEBUG The nuget packages directory couldn't be found. License search disabled
2024-03-19T18:22:40.793-0300 DEBUG No secret config detected: trivy-secret.yaml
2024-03-19T18:22:40.987-0300 DEBUG Image ID: sha256:d52859d68b82e5f458058bd30b99c86765bff70efdbb42e9ef5e8876416d8c50
2024-03-19T18:22:40.987-0300 DEBUG Diff IDs: [sha256:8e012198eea15b2554b07014081c85fec4967a1b9cc4b65bd9a4bce3ae1c0c88 sha256:f9e315186df9d3a8de76074e45a1d5d65e712837e6f91271c2a47425ccc6706e sha256:2e8bab69232fa0f47170a9cf348173bcf4b3a5726f546f2f884c81443f307888 sha256:b0a2c454f7b862377bd199b90c24b7d121dec34e43a16fe030bc7f56d745da6c sha256:07f84bed0fa2958d23a47aa474d507d186a76473a474d23486d51eba38c03438 sha256:816ea78d10893f7b8a7d994b503d499c6af422c0bdb71ad92def3aaae7e941a2]
2024-03-19T18:22:40.987-0300 DEBUG Base Layers: [sha256:8e012198eea15b2554b07014081c85fec4967a1b9cc4b65bd9a4bce3ae1c0c88]
2024-03-19T18:22:40.995-0300 INFO Detected OS: alpine
2024-03-19T18:22:40.995-0300 INFO Detecting Alpine vulnerabilities...
2024-03-19T18:22:40.995-0300 DEBUG alpine: os version: 3.17
2024-03-19T18:22:40.995-0300 DEBUG alpine: package repository: 3.17
2024-03-19T18:22:40.995-0300 DEBUG alpine: the number of packages: 42
2024-03-19T18:22:41.000-0300 INFO Number of language-specific files: 1
2024-03-19T18:22:41.000-0300 INFO Detecting jar vulnerabilities...
2024-03-19T18:22:41.000-0300 DEBUG Detecting library vulnerabilities, type: jar, path:
2024-03-19T18:22:41.038-0300 INFO Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Operating System: MacOS Sonoma 14.4
Version: 0.48.3
Hello @exiett

What package/file in this image contains

supported OS packages and their databases - https://aquasecurity.github.io/trivy/v0.50/docs/scanner/vulnerability/#data-sources

Regards, Dmitriy
It's certain they will close this one too. It even includes less information than the one we sent. Any alternatives, @DmitriyLewen?
@DmitriyLewen, I've read the blog post by the team that found this vulnerability in Metabase (see here).
I've concluded that this CVE is more linked to faulty application logic, which is written in Clojure, rather than a vulnerable package by itself.
Does this classify this vulnerability as undetectable by Trivy?
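The debug log above shows Trivy scanning only the Alpine packages and one jar, and the last reply points out that the CVE lives in the application's own Clojure logic rather than in a package. The following Python script is an added example (not Trivy project code and not anything posted in this thread): it reads a Trivy JSON report instead of grepping the table output, reports whether a given CVE ID appears and which files were scanned as language packages, and then applies a hand-written version gate for the application-level CVE. The embedded report is constructed, the placeholder ID CVE-0000-0000 exists only to show what a positive match looks like, and the FIXED_IN list is an assumption to be taken from the vendor advisory, which the thread does not quote.

```python
"""Post-process a Trivy JSON report and add a manual version gate.

Added example for this thread; it is not Trivy project code and not code any
participant posted. SAMPLE_REPORT is a constructed report shaped like
`trivy image --format json` output (SchemaVersion 2): its package names,
versions and the placeholder CVE-0000-0000 are illustrative, not scan data.
"""
import json
import re
import sys

SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "metabase/metabase:v0.45.2",
    "Results": [
        {
            "Target": "metabase/metabase:v0.45.2 (alpine 3.17)",
            "Class": "os-pkgs",
            "Type": "alpine",
            "Vulnerabilities": [
                # Placeholder finding so a positive lookup can be demonstrated.
                {"VulnerabilityID": "CVE-0000-0000", "PkgName": "openssl",
                 "InstalledVersion": "3.0.7-r0", "FixedVersion": "3.0.8-r0",
                 "Severity": "HIGH"},
            ],
        },
        {
            # The application jar is inspected as a *package*; a flaw in the
            # application's own logic produces no entry here.
            "Target": "app/metabase.jar",
            "Class": "lang-pkgs",
            "Type": "jar",
            "Vulnerabilities": [],
        },
    ],
})

# Assumed fix versions for the application-level CVE. The thread does not quote
# them; fill this in from the vendor advisory before relying on the gate.
FIXED_IN = ["0.45.4.1", "0.46.6.1"]


def load_report(text: str) -> dict:
    report = json.loads(text)
    if report.get("SchemaVersion") != 2:
        raise ValueError(f"unexpected Trivy schema: {report.get('SchemaVersion')}")
    return report


def find_cve(report: dict, cve_id: str) -> list:
    """Every finding with the given VulnerabilityID, with the target it came from."""
    hits = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:  # key may be absent or null
            if vuln.get("VulnerabilityID") == cve_id:
                hits.append({
                    "Target": result.get("Target"),
                    "Class": result.get("Class"),
                    "PkgName": vuln.get("PkgName"),
                    "InstalledVersion": vuln.get("InstalledVersion"),
                    "FixedVersion": vuln.get("FixedVersion"),
                })
    return hits


def language_targets(report: dict) -> list:
    """Files Trivy scanned as language packages (what 'Detecting jar vulnerabilities' covered)."""
    return [r.get("Target") for r in report.get("Results", []) if r.get("Class") == "lang-pkgs"]


_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> tuple:
    """'v0.45.2' -> (0, 45, 2, 0); a missing fourth component counts as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) if p is not None else 0 for p in m.groups())


def application_affected(installed: str, fixed_versions) -> bool:
    """Affected if installed is older than the fix on its own major.minor branch.

    A branch with no listed fix is treated as affected (fail closed).
    """
    inst = parse_version(installed)
    for fixed in fixed_versions:
        fx = parse_version(fixed)
        if fx[:2] == inst[:2]:
            return inst < fx
    return True


if __name__ == "__main__":
    # usage: trivy image --format json IMAGE | python3 trivy_cve_check.py CVE-ID [APP-VERSION]
    cve = sys.argv[1] if len(sys.argv) > 1 else "CVE-2023-38646"
    rep = load_report(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT)
    print("scanned as language packages:", language_targets(rep))
    print(f"{cve} in Trivy results:", find_cve(rep, cve) or "not present")
    if len(sys.argv) > 2:
        print(f"version gate for {sys.argv[2]}: affected={application_affected(sys.argv[2], FIXED_IN)}")
```

Run it as `trivy image --format json metabase/metabase:v0.45.2 | python3 trivy_cve_check.py CVE-2023-38646 0.45.2`. The first two lines of output answer the question the thread keeps circling: which files were scanned as packages at all, and whether the CVE ID is anywhere in the report. The version gate is the part Trivy cannot supply from its databases; it only encodes a range you supply yourself, which is why the fix list must come from the advisory rather than from the scanner.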