aquasecurity / trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
https://aquasecurity.github.io/trivy
Apache License 2.0

Trivy 0.49.1 does not detect CVE-2023-52428 against nimbus-jose-jwt-9.31.jar #6185

Closed navzen2000 closed 9 months ago

navzen2000 commented 9 months ago

Discussed in https://github.com/aquasecurity/trivy/discussions/6184

Originally posted by **navzen2000** February 22, 2024

### Description

Trivy 0.49.1 does not detect CVE-2023-52428 against nimbus-jose-jwt-9.31.jar

### Desired Behavior

CVE-2023-52428 needs to be reported against nimbus-jose-jwt-9.31.jar

### Actual Behavior

```bash
$ trivy rootfs -d nimbus-jose-jwt-9.31.jar
2024-02-22T02:57:41.773-0800 DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-02-22T02:57:41.774-0800 DEBUG Ignore statuses {"statuses": null}
2024-02-22T02:57:41.775-0800 DEBUG cache dir: /home/user/.cache/trivy
2024-02-22T02:57:41.775-0800 DEBUG DB update was skipped because the local DB is the latest
2024-02-22T02:57:41.775-0800 DEBUG DB Schema: 2, UpdatedAt: 2024-02-22 06:10:30.933488406 +0000 UTC, NextUpdate: 2024-02-22 12:10:30.933488045 +0000 UTC, DownloadedAt: 2024-02-22 10:39:29.271259375 +0000 UTC
2024-02-22T02:57:41.775-0800 INFO Vulnerability scanning is enabled
2024-02-22T02:57:41.775-0800 DEBUG Vulnerability type: [os library]
2024-02-22T02:57:41.775-0800 INFO Secret scanning is enabled
2024-02-22T02:57:41.775-0800 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-02-22T02:57:41.775-0800 INFO Please see also https://aquasecurity.github.io/trivy/v0.49/docs/scanner/secret/#recommendation for faster secret detection
2024-02-22T02:57:41.775-0800 DEBUG Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan]
2024-02-22T02:57:41.776-0800 DEBUG No secret config detected: trivy-secret.yaml
2024-02-22T02:57:41.776-0800 DEBUG The nuget packages directory couldn't be found. License search disabled
2024-02-22T02:57:41.776-0800 DEBUG Walk the file tree rooted at 'nimbus-jose-jwt-9.31.jar' in parallel
2024-02-22T02:57:41.776-0800 DEBUG Parsing Java artifacts... {"file": "nimbus-jose-jwt-9.31.jar"}
2024-02-22T02:57:41.779-0800 DEBUG OS is not detected.
2024-02-22T02:57:41.779-0800 DEBUG Detected OS: unknown
2024-02-22T02:57:41.779-0800 INFO Number of language-specific files: 1
2024-02-22T02:57:41.779-0800 INFO Detecting jar vulnerabilities...
2024-02-22T02:57:41.779-0800 DEBUG Detecting library vulnerabilities, type: jar, path:
```

### Reproduction Steps

```bash
1. trivy rootfs -d nimbus-jose-jwt-9.31.jar
2.
3. ...
```

### Target

Filesystem

### Scanner

Vulnerability

### Output Format

None

### Mode

Standalone

### Debug Output

```bash
$ trivy rootfs -d nimbus-jose-jwt-9.31.jar
2024-02-22T02:57:41.773-0800 DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-02-22T02:57:41.774-0800 DEBUG Ignore statuses {"statuses": null}
2024-02-22T02:57:41.775-0800 DEBUG cache dir: /home/user/.cache/trivy
2024-02-22T02:57:41.775-0800 DEBUG DB update was skipped because the local DB is the latest
2024-02-22T02:57:41.775-0800 DEBUG DB Schema: 2, UpdatedAt: 2024-02-22 06:10:30.933488406 +0000 UTC, NextUpdate: 2024-02-22 12:10:30.933488045 +0000 UTC, DownloadedAt: 2024-02-22 10:39:29.271259375 +0000 UTC
2024-02-22T02:57:41.775-0800 INFO Vulnerability scanning is enabled
2024-02-22T02:57:41.775-0800 DEBUG Vulnerability type: [os library]
2024-02-22T02:57:41.775-0800 INFO Secret scanning is enabled
2024-02-22T02:57:41.775-0800 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-02-22T02:57:41.775-0800 INFO Please see also https://aquasecurity.github.io/trivy/v0.49/docs/scanner/secret/#recommendation for faster secret detection
2024-02-22T02:57:41.775-0800 DEBUG Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan]
2024-02-22T02:57:41.776-0800 DEBUG No secret config detected: trivy-secret.yaml
2024-02-22T02:57:41.776-0800 DEBUG The nuget packages directory couldn't be found. License search disabled
2024-02-22T02:57:41.776-0800 DEBUG Walk the file tree rooted at 'nimbus-jose-jwt-9.31.jar' in parallel
2024-02-22T02:57:41.776-0800 DEBUG Parsing Java artifacts... {"file": "nimbus-jose-jwt-9.31.jar"}
2024-02-22T02:57:41.779-0800 DEBUG OS is not detected.
2024-02-22T02:57:41.779-0800 DEBUG Detected OS: unknown
2024-02-22T02:57:41.779-0800 INFO Number of language-specific files: 1
2024-02-22T02:57:41.779-0800 INFO Detecting jar vulnerabilities...
2024-02-22T02:57:41.779-0800 DEBUG Detecting library vulnerabilities, type: jar, path:
```

### Operating System

linux

### Version

```bash
Version: 0.49.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-02-22 06:10:30.933488406 +0000 UTC
  NextUpdate: 2024-02-22 12:10:30.933488045 +0000 UTC
  DownloadedAt: 2024-02-22 10:39:29.271259375 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-02-22 04:45:27.539778706 +0000 UTC
  NextUpdate: 2024-02-25 04:45:27.539778585 +0000 UTC
  DownloadedAt: 2024-02-22 10:40:39.313156235 +0000 UTC
```

### Checklist

- [ ] Run `trivy image --reset`
- [X] Read [the troubleshooting](https://aquasecurity.github.io/trivy/latest/docs/references/troubleshooting/)
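A detection gap like the one reported above is easiest to catch when the scan result is checked by a script rather than read by eye. The example below is added here and is neither Trivy's own code nor part of the issue: it runs `trivy rootfs --format json --scanners vuln` on a target (the `rootfs` subcommand and `--scanners vuln` appear in the report above; `--format json` is Trivy's JSON output flag), then walks the report looking for an expected CVE on an expected package. The field names (`Results`, `Target`, `Vulnerabilities`, `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`) are those of Trivy's JSON report; the two embedded reports are constructed samples, one mirroring the empty result in the issue and one showing what a hit looks like, and `FixedVersion` is left unset because the issue does not state it.

```python
"""Assert that a Trivy JSON report contains an expected CVE for an expected package.

Added example, not Trivy project code. Assumes the Trivy JSON report layout:
a top-level "Results" list (may be null when nothing was found) whose entries
carry a "Vulnerabilities" list (may be absent) of findings.
"""
import json
import subprocess


def scan_to_json(target: str) -> dict:
    """Run Trivy on a file or directory and return the parsed JSON report.

    Requires a trivy binary on PATH; not exercised by the offline samples below.
    """
    proc = subprocess.run(
        ["trivy", "rootfs", "--format", "json", "--scanners", "vuln", target],
        capture_output=True, text=True, check=True,
    )
    return json.loads(proc.stdout)


def find_vulnerability(report: dict, cve_id: str, pkg_substring: str = "") -> list:
    """Return every finding whose ID equals cve_id (and whose PkgName contains pkg_substring).

    Tolerates "Results": null and results with no "Vulnerabilities" key, which is
    exactly what a scan that found nothing (as in the issue) produces.
    """
    hits = []
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("VulnerabilityID") != cve_id:
                continue
            if pkg_substring and pkg_substring not in vuln.get("PkgName", ""):
                continue
            hits.append({
                "target": result.get("Target"),
                "pkg": vuln.get("PkgName"),
                "version": vuln.get("InstalledVersion"),
                "fixed": vuln.get("FixedVersion"),
            })
    return hits


def coverage_check(report: dict, expectations: list) -> dict:
    """Map each expected (cve_id, pkg_substring) pair to True if the report contains it."""
    return {cve: bool(find_vulnerability(report, cve, pkg)) for cve, pkg in expectations}


# Constructed sample: the shape of the empty scan from the issue (no findings at all).
SAMPLE_REPORT_MISSED = {
    "SchemaVersion": 2,
    "ArtifactName": "nimbus-jose-jwt-9.31.jar",
    "ArtifactType": "filesystem",
    "Results": None,
}

# Constructed sample: what the desired behaviour would look like in JSON form.
SAMPLE_REPORT_DETECTED = {
    "SchemaVersion": 2,
    "ArtifactName": "nimbus-jose-jwt-9.31.jar",
    "ArtifactType": "filesystem",
    "Results": [
        {
            "Target": "nimbus-jose-jwt-9.31.jar",
            "Class": "lang-pkgs",
            "Type": "jar",
            "Vulnerabilities": [
                {
                    "VulnerabilityID": "CVE-2023-52428",
                    "PkgName": "com.nimbusds:nimbus-jose-jwt",
                    "InstalledVersion": "9.31",
                    "Severity": "HIGH",
                }
            ],
        }
    ],
}

EXPECTED = [("CVE-2023-52428", "nimbus-jose-jwt")]

if __name__ == "__main__":
    for name, report in (("missed", SAMPLE_REPORT_MISSED), ("detected", SAMPLE_REPORT_DETECTED)):
        print(name, coverage_check(report, EXPECTED))
    # To check a live scan instead: coverage_check(scan_to_json("nimbus-jose-jwt-9.31.jar"), EXPECTED)
```

Wiring `coverage_check` into CI with a curated list of (CVE, package) pairs turns known advisories into regression tests for the scanner itself: a scanner or database update that silently stops reporting one of them fails the build instead of going unnoticed, which is the failure mode the issue describes.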
github-actions[bot] commented 9 months ago

Please see https://aquasecurity.github.io/trivy/latest/community/contribute/issue/