Closed. StephGit closed this issue 2 years ago.
Hi @StephGit, thank you for bringing this up. I did some testing and I was unable to reproduce it with a Dockerfile like
FROM centos:centos7
COPY *.jar /opt/rh/rh-maven36/root/usr/share/java/jsoup/
ENTRYPOINT ["/bin/sh"]
and jsoup-1.12.1.jar.
Could you please check if you can reproduce it with my Dockerfile?
Thanks, Andrey
Hi @AndreyLevchenko
Nope, couldn't reproduce it. In both versions the CVE shows up.
Do you have an idea what could cause this issue?
Hi @StephGit, this is a good question. I suspect it's some cache issue.
Hi @AndreyLevchenko
It seems that Trivy scans all the artifacts even if the CVEs are already fixed by a parent repo (for example rpm).
With --vuln-type os it works fine with 0.19.2.
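The comparison described in this thread (same image, two Trivy versions, and the effect of --vuln-type os) can be made mechanical by diffing the two JSON reports. The script below is an added example and is not part of the issue or of Trivy itself. It assumes the two JSON layouts Trivy emitted around these versions: a top-level list of results (as older releases such as 0.19.2 produced) and the object with a "Results" key that newer releases such as 0.21.2 produce; it also assumes that a result's "Class" is "os-pkgs" for OS packages and "lang-pkgs" for language packages, and infers the class from "Type" when the field is absent. The two embedded reports are constructed sample data modelled on the CentOS 7 image with jsoup-1.12.1.jar from the thread; CVE-0000-0001 is a placeholder for an OS-level finding, not a real identifier.

```python
import json
import sys

# Result "Type" values Trivy uses for OS package managers (assumption: a subset
# sufficient for this example; extend as needed).
OS_TYPES = {"alpine", "amazon", "centos", "debian", "oracle", "photon",
            "redhat", "rhel", "suse", "ubuntu"}

# --vuln-type values mapped to the Result "Class" field (assumed layout).
VULN_TYPE_CLASS = {"os": "os-pkgs", "library": "lang-pkgs"}


def normalize_results(report):
    """Return result dicts with Target, Class and Vulnerabilities, whatever
    layout the report uses (top-level list, or object with a "Results" key)."""
    results = report.get("Results") if isinstance(report, dict) else report
    normalized = []
    for r in results or []:
        cls = r.get("Class")
        if cls is None:  # older reports carry no Class; infer it from Type
            cls = "os-pkgs" if r.get("Type") in OS_TYPES else "lang-pkgs"
        normalized.append({
            "Target": r.get("Target", ""),
            "Class": cls,
            # Trivy writes null, not [], when a target has no findings
            "Vulnerabilities": r.get("Vulnerabilities") or [],
        })
    return normalized


def findings(report, vuln_types=("os", "library")):
    """Return {(target, cve_id): pkg_name} restricted to the given vuln types,
    mirroring what --vuln-type selects."""
    wanted = {VULN_TYPE_CLASS[t] for t in vuln_types}
    out = {}
    for r in normalize_results(report):
        if r["Class"] not in wanted:
            continue
        for v in r["Vulnerabilities"]:
            out[(r["Target"], v["VulnerabilityID"])] = v.get("PkgName", "")
    return out


def diff_reports(old, new, vuln_types=("os", "library")):
    """Findings present in only one of the two reports."""
    a, b = findings(old, vuln_types), findings(new, vuln_types)
    return {"only_in_old": sorted(set(a) - set(b)),
            "only_in_new": sorted(set(b) - set(a))}


JAR = "/opt/rh/rh-maven36/root/usr/share/java/jsoup/jsoup-1.12.1.jar"

# Constructed sample: older (list) layout, jar finding present.
REPORT_OLD = [
    {"Target": "jsoup-test (centos 7)", "Type": "centos",
     "Vulnerabilities": [{"VulnerabilityID": "CVE-0000-0001",  # placeholder
                          "PkgName": "example-os-pkg"}]},
    {"Target": JAR, "Type": "jar",
     "Vulnerabilities": [{"VulnerabilityID": "CVE-2021-37714",
                          "PkgName": "org.jsoup:jsoup",
                          "InstalledVersion": "1.12.1"}]},
]

# Constructed sample: newer ("Results") layout, jar finding missing.
REPORT_NEW = {
    "SchemaVersion": 2,
    "ArtifactName": "jsoup-test",
    "Results": [
        {"Target": "jsoup-test (centos 7)", "Class": "os-pkgs", "Type": "centos",
         "Vulnerabilities": [{"VulnerabilityID": "CVE-0000-0001",  # placeholder
                              "PkgName": "example-os-pkg"}]},
        {"Target": JAR, "Class": "lang-pkgs", "Type": "jar",
         "Vulnerabilities": None},
    ],
}


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: python diff_trivy.py old.json new.json
        with open(sys.argv[1]) as f_old, open(sys.argv[2]) as f_new:
            old, new = json.load(f_old), json.load(f_new)
    else:
        old, new = REPORT_OLD, REPORT_NEW
    print("all vuln types:", diff_reports(old, new))
    print("os only:       ", diff_reports(old, new, vuln_types=("os",)))
```

Run against the embedded samples, the full diff reports CVE-2021-37714 on the jar as present only in the old report, while the os-only diff is empty, which is the behaviour the comment above describes for --vuln-type os. Run with two saved `trivy -f json` reports as arguments it performs the same comparison on real output.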
Description
I have different scan results with trivy:v0.19.2 and trivy:0.21.2 on the same image. This leads to uncertainty. Maybe I understand something wrong...
What did you expect to happen?
CVE-2021-37714 to show up on both trivy-versions
What happened instead?
CVE-2021-37714 only shows up on trivy:v0.19.2
Output of run with --debug:
scan with v0.19.2 -> CVE-2021-37714 shows up:
scan with v0.21.2