aquasecurity / trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
https://aquasecurity.github.io/trivy
Apache License 2.0

CVEs missing even though SBOM lists vulnerable dependency #3647

Closed fawind closed 1 year ago

fawind commented 1 year ago

Description

I stumbled upon a few Maven CVEs where Trivy correctly identifies the vulnerable dependency coordinate and lists it in its SBOM but doesn't flag the CVE even though the GitHub Security Advisory lists it as vulnerable.

As far as I know, GHSA is a data source for Maven CVEs. Based on that, my expectation would be that if Trivy finds a Maven dependency that has an entry in the GHSA, it should appear in the scan report.

Those CVEs are also flagged in the same image by JFrog's Xray, so I think they are actual false negatives.

Examples:

CVE-2022-3509 and CVE-2022-3510 (protobuf-java):

CVE-2022-1471 (snakeyaml):

CVE-2021-31684 (json-smart):

Output of trivy -v:

Version: 0.37.3
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-02-17 12:07:35.325977147 +0000 UTC
  NextUpdate: 2023-02-17 18:07:35.325976447 +0000 UTC
  DownloadedAt: 2023-02-17 15:09:30.270763 +0000 UTC

Additional details:

I'm also using the trivy-java-db with the following metadata.json:

{"Version":1,"NextUpdate":"2023-02-19T00:47:31.588072508Z","UpdatedAt":"2023-02-16T00:47:31.588073208Z","DownloadedAt":"2023-02-16T16:20:43.393534Z"}

For scanning my container image, I'm running the following command:

trivy image --format cyclonedx --output sbom.json --scanners vuln --offline-scan my-image:1.2.3

Note that I had these findings on internal images. Happy to provide more data if necessary (i.e. the redacted SBOM for a reproducer).
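The kind of cross-check described in this report, written out as an added example (this is not Trivy's code and not something the reporter posted): parse the CycloneDX SBOM that `trivy image --format cyclonedx` writes, compare each Maven component's version against advisory version ranges, and diff the result against the vulnerabilities the scanner actually reported. The SBOM fragment is constructed, the advisory version bounds are illustrative placeholders rather than real GHSA data (the CVE IDs are the ones named in the issue), and the script assumes the `ref` inside each CycloneDX `vulnerabilities[].affects` entry is the component's purl and that versions are plain dotted numerics.

```python
"""Cross-check a CycloneDX SBOM against advisory ranges to surface possible
false negatives. Example code, not part of Trivy."""
from __future__ import annotations

import json

# Constructed CycloneDX 1.4 fragment of the shape Trivy emits; only the fields
# used below are included.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "com.google.protobuf", "name": "protobuf-java",
         "version": "3.19.2", "purl": "pkg:maven/com.google.protobuf/protobuf-java@3.19.2"},
        {"type": "library", "group": "org.yaml", "name": "snakeyaml",
         "version": "1.33", "purl": "pkg:maven/org.yaml/snakeyaml@1.33"},
        {"type": "library", "group": "net.minidev", "name": "json-smart",
         "version": "2.4.9", "purl": "pkg:maven/net.minidev/json-smart@2.4.9"},
    ],
    # Constructed: in this run the scanner reported only one advisory.
    "vulnerabilities": [
        {"id": "CVE-2022-1471",
         "affects": [{"ref": "pkg:maven/org.yaml/snakeyaml@1.33"}]},
    ],
})

# Constructed advisory table keyed by Maven coordinate. The CVE IDs are those
# named in the issue; the version bounds are ILLUSTRATIVE PLACEHOLDERS, not the
# real GHSA ranges, which must be read from the advisory database itself.
ADVISORIES = {
    "com.google.protobuf:protobuf-java": [
        ("CVE-2022-3509", ">=3.19.0,<3.19.6"),
        ("CVE-2022-3510", ">=3.19.0,<3.19.6"),
    ],
    "org.yaml:snakeyaml": [("CVE-2022-1471", "<2.0")],
    "net.minidev:json-smart": [("CVE-2021-31684", "<2.4.9")],
}


def parse_version(v: str) -> tuple[int, ...]:
    """'3.19.2' -> (3, 19, 2). Assumption: numeric dotted versions; a trailing
    qualifier such as '-SNAPSHOT' is dropped and non-numeric segments count as 0."""
    core = v.split("-")[0]
    return tuple(int(p) if p.isdigit() else 0 for p in core.split("."))


def cmp_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1; shorter tuples are zero-padded so '3.19' == '3.19.0'."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return (ta > tb) - (ta < tb)


_OPS = {">=": lambda c: c >= 0, "<=": lambda c: c <= 0, "==": lambda c: c == 0,
        ">": lambda c: c > 0, "<": lambda c: c < 0}


def in_range(version: str, spec: str) -> bool:
    """spec is a comma-separated conjunction, e.g. '>=3.19.0,<3.19.6'."""
    for constraint in spec.split(","):
        constraint = constraint.strip()
        for op in (">=", "<=", "==", ">", "<"):  # two-character operators first
            if constraint.startswith(op):
                if not _OPS[op](cmp_versions(version, constraint[len(op):].strip())):
                    return False
                break
        else:
            raise ValueError(f"unsupported constraint: {constraint!r}")
    return True


def expected_findings(sbom_json: str, advisories: dict) -> set[tuple[str, str]]:
    """(cve, purl) pairs the advisory table says should have been reported."""
    bom = json.loads(sbom_json)
    found = set()
    for comp in bom.get("components", []):
        purl = comp.get("purl", "")
        if not purl.startswith("pkg:maven/"):
            continue  # only Maven coordinates are checked here
        coord = f"{comp['group']}:{comp['name']}"
        for cve, spec in advisories.get(coord, []):
            if in_range(comp["version"], spec):
                found.add((cve, purl))
    return found


def reported_findings(sbom_json: str) -> set[tuple[str, str]]:
    """(cve, purl) pairs present in the SBOM's own vulnerabilities section."""
    bom = json.loads(sbom_json)
    return {(v["id"], a["ref"])
            for v in bom.get("vulnerabilities", [])
            for a in v.get("affects", [])}


def missing_findings(sbom_json: str, advisories: dict) -> list[tuple[str, str]]:
    """Advisories that match a listed component but were not reported."""
    return sorted(expected_findings(sbom_json, advisories) - reported_findings(sbom_json))


if __name__ == "__main__":
    for cve, purl in missing_findings(SAMPLE_SBOM, ADVISORIES):
        print(f"possible false negative: {cve} matches {purl} but was not reported")
```

Run against the constructed SBOM, the script lists the two protobuf-java advisories as unreported while the snakeyaml finding is confirmed and json-smart 2.4.9 falls outside the placeholder range. Pointing it at a real `sbom.json` and a real advisory export makes the same comparison, but the version comparator here is deliberately minimal and does not implement full Maven version ordering (qualifiers such as `rc1` or `final`), so treat its output as a list of candidates to check, not a verdict.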

github-actions[bot] commented 1 year ago

This issue is stale because it has been labeled with inactivity.