Vulnerability Scanning¶
Trivy detects known vulnerabilities in software components that it finds in the scan target.
The following are supported:
OS Packages¶
Trivy is capable of automatically detecting installed OS packages when scanning container images, VM images and running hosts.
Note
Trivy doesn't support third-party/self-compiled packages/binaries, but official packages provided by vendors such as Red Hat and Debian.
Supported OS¶
See here for the supported OSes.
Data Sources¶
| OS | Source |
|---|---|
| Arch Linux | Vulnerable Issues |
| Alpine Linux | secdb |
| Wolfi Linux | secdb |
| Chainguard | secdb |
| Amazon Linux | Amazon Linux Security Center |
| Debian | Security Bug Tracker / OVAL |
| Ubuntu | Ubuntu CVE Tracker |
| RHEL/CentOS | OVAL / Security Data |
| AlmaLinux | AlmaLinux Product Errata |
| Rocky Linux | Rocky Linux UpdateInfo |
| Oracle Linux | OVAL |
| Azure Linux (CBL-Mariner) | OVAL |
| OpenSUSE/SLES | CVRF |
| Photon OS | Photon Security Advisory |
Data Source Selection¶
Trivy only consumes security advisories from the sources listed in the above table.
As for packages installed from OS package managers (dpkg, yum, apk, etc.), Trivy uses the advisory database from the appropriate OS vendor.
For example: for a python package installed from yum (Amazon linux), Trivy will only get advisories from ALAS.
But for a python package installed from another source (e.g. pip), Trivy will get advisories from the GitLab and GitHub databases.
This advisory selection is essential to avoid getting false positives because OS vendors usually backport upstream fixes, and the fixed version can be different from the upstream fixed version.
Severity Selection¶
The severity is taken from the selected data source since the severity from vendors is more accurate. Using CVE-2023-0464 as an example, while it is rated as "HIGH" in NVD, Red Hat has marked its 'Impact' as "Low". As a result, Trivy will display it as "Low".
The severity depends on the compile option, the default configuration, etc. NVD doesn't know how the vendor distributes the software. Red Hat evaluates the severity more accurately. That's why Trivy prefers vendor scores over NVD.
If the data source does not provide a severity, the severity is determined based on the CVSS score as follows:
| Base Score Range | Severity |
|---|---|
| 0.1-3.9 | Low |
| 4.0-6.9 | Medium |
| 7.0-8.9 | High |
| 9.0-10.0 | Critical |
If the CVSS score is also not provided, it falls back to NVD.
NVD and some vendors may delay severity analysis, while other vendors, such as Red Hat, are able to quickly evaluate and announce the severity of vulnerabilities. To avoid marking too many vulnerabilities as "UNKNOWN" severity, Trivy uses severity ratings from other vendors when the NVD information is not yet available. The order of preference for vendor severity data can be found here.
You can reference SeveritySource in the JSON reporting format to see from where the severity is taken for a given vulnerability.
"SeveritySource": "debian",
In addition, you can see all the vendor severity ratings.
"VendorSeverity": {
"amazon": 2,
"cbl-mariner": 4,
"ghsa": 4,
"nvd": 4,
"photon": 4,
"redhat": 2,
"ubuntu": 2
}
Here is the severity mapping in Trivy:
| Number | Severity |
|---|---|
| 0 | Unknown |
| 1 | Low |
| 2 | Medium |
| 3 | High |
| 4 | Critical |
If no vendor has a severity, the UNKNOWN severity will be used.
Unfixed Vulnerabilities¶
The unfixed/unfixable vulnerabilities mean that the patch has not yet been provided on their distribution.
To hide unfixed/unfixable vulnerabilities, you can use the --ignore-unfixed flag.
Language-specific Packages¶
Supported Languages¶
See here for the supported languages.
Data Sources¶
| Language | Source | Commercial Use | Delay1 |
|---|---|---|---|
| PHP | PHP Security Advisories Database | ✅ | - |
| GitHub Advisory Database (Composer) | ✅ | - | |
| Python | GitHub Advisory Database (pip) | ✅ | - |
| Open Source Vulnerabilities (PyPI) | ✅ | - | |
| Ruby | Ruby Advisory Database | ✅ | - |
| GitHub Advisory Database (RubyGems) | ✅ | - | |
| Node.js | Ecosystem Security Working Group | ✅ | - |
| GitHub Advisory Database (npm) | ✅ | - | |
| Java | GitHub Advisory Database (Maven) | ✅ | - |
| Go | GitHub Advisory Database (Go) | ✅ | - |
| Go Vulnerability Database | ✅ | - | |
| Rust | Open Source Vulnerabilities (crates.io) | ✅ | - |
| .NET | GitHub Advisory Database (NuGet) | ✅ | - |
| C/C++ | GitLab Advisories Community | ✅ | 1 month |
| Dart | GitHub Advisory Database (Pub) | ✅ | - |
| Elixir | GitHub Advisory Database (Erlang) | ✅ | - |
| Swift | GitHub Advisory Database (Swift) | ✅ | - |
Non-packaged software¶
If you have software that is not managed by a package manager, Trivy can still detect vulnerabilities in it in some cases:
- Using SBOM from Sigstore Rekor
- Go Binaries with embedded module information
- Rust Binaries with embedded information
- SBOM embedded in container images
Kubernetes¶
Trivy can detect vulnerabilities in Kubernetes clusters and components by scanning a Kubernetes Cluster, or a KBOM (Kubernetes bill of Material). To learn more, see the documentation for Kubernetes scanning.
Data Sources¶
| Vendor | Source |
|---|---|
| Kubernetes | Kubernetes Official CVE feed1 |
Databases¶
The information from the above sources is collected and stored in databases that Trivy uses for vulnerability scanning. Trivy automatically fetches, maintains, and caches the relevant databases when performing a vulnerability scan For more information about Trivy's Databases mechanism and configurations, refer to the Databases document.
Detection Behavior¶
Trivy prioritizes precision in vulnerability detection, aiming to minimize false positives while potentially accepting some false negatives. This approach is particularly relevant in two key areas:
- Handling Software Installed via OS Packages
- Handling Packages with Unspecified Versions
Handling Software Installed via OS Packages¶
For files installed by OS package managers, such as apt, Trivy exclusively uses advisories from the OS vendor.
This means that even if a JAR file is present in a container image, if it was installed via an OS package manager (e.g., apt), Trivy will not analyze the JAR file itself and use upstream security advisories.
For example, consider the Python requests package in Red Hat Universal Base Image 8:
[root@987ee49dc93d /]# head -n 3 /usr/lib/python3.6/site-packages/requests-2.20.0-py3.6.egg-info/PKG-INFO
Metadata-Version: 2.1
Name: requests
Version: 2.20.0
Version 2.20.0 is installed, and this package is installed by dnf.
[root@987ee49dc93d /]# rpm -ql python3-requests | grep PKG-INFO
/usr/lib/python3.6/site-packages/requests-2.20.0-py3.6.egg-info/PKG-INFO
At first glance, this might seem vulnerable to CVE-2023-32681, which affects versions of requests prior to v2.31.0. However, Red Hat backported the fix to v2.20.0-3 in RHSA-2023:4520, and the package is not vulnerable.
- Upstream (PyPI requests): Fixed in v2.31.0
- Red Hat (
python-requests): Backported fix applied in v2.20.0-3 (RHSA-2023:4520)
If Trivy were to detect CVE-2023-32681 in this case, it would be a false positive. This illustrates why using the correct security advisory is crucial to avoid false detections. To minimize false positives, Trivy trusts the OS vendor's advisory for software installed via OS package managers and does not use upstream advisories for these packages.
However, this approach may lead to false negatives if the OS vendor's advisories are delayed or missing. In such cases, using --detection-priority comprehensive allows Trivy to consider upstream advisories (e.g., GitHub Advisory Database), potentially increasing false positives but reducing false negatives.
Handling Packages with Unspecified Versions¶
When a package version cannot be uniquely determined (e.g., package-a: ">=3.0"), Trivy typically skips vulnerability detection for that package to avoid false positives.
If a lock file is present with fixed versions, Trivy will use those for detection.
To detect potential vulnerabilities even with unspecified versions, use --detection-priority comprehensive. This option makes Trivy use the minimum version in the specified range for vulnerability detection. While this may increase false positives if the actual version used is not the minimum, it helps reduce false negatives.
Configuration¶
This section describes vulnerability-specific configuration. Other common options are documented here.
Enabling a Subset of Package Types¶
It's possible to only enable certain package types if you prefer.
You can do so by passing the --pkg-types option.
This flag takes a comma-separated list of package types.
Available values:
- os
- Scan OS packages managed by the OS package manager (e.g.
dpkg,yum,apk).
- Scan OS packages managed by the OS package manager (e.g.
- library
- Scan language-specific packages (e.g. packages installed by
pip,npm, orgem).
- Scan language-specific packages (e.g. packages installed by
$ trivy image --pkg-types os ruby:2.4.0
Result
2019-05-22T19:36:50.530+0200 [34mINFO[0m Updating vulnerability database...
2019-05-22T19:36:51.681+0200 [34mINFO[0m Detecting Alpine vulnerabilities...
2019-05-22T19:36:51.685+0200 [34mINFO[0m Updating npm Security DB...
2019-05-22T19:36:52.389+0200 [34mINFO[0m Detecting npm vulnerabilities...
2019-05-22T19:36:52.390+0200 [34mINFO[0m Updating pipenv Security DB...
2019-05-22T19:36:53.406+0200 [34mINFO[0m Detecting pipenv vulnerabilities...
ruby:2.4.0 (debian 8.7)
=======================
Total: 7 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 3, CRITICAL: 2)
+---------+------------------+----------+-------------------+---------------+----------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+---------+------------------+----------+-------------------+---------------+----------------------------------+
| curl | CVE-2018-14618 | CRITICAL | 7.61.0-r0 | 7.61.1-r0 | curl: NTLM password overflow |
| | | | | | via integer overflow |
+ +------------------+----------+ +---------------+----------------------------------+
| | CVE-2018-16839 | HIGH | | 7.61.1-r1 | curl: Integer overflow leading |
| | | | | | to heap-based buffer overflow in |
| | | | | | Curl_sasl_create_plain_message() |
+---------+------------------+----------+-------------------+---------------+----------------------------------+
| git | CVE-2018-17456 | HIGH | 2.15.2-r0 | 2.15.3-r0 | git: arbitrary code execution |
| | | | | | via .gitmodules |
+ +------------------+ + + +----------------------------------+
| | CVE-2018-19486 | | | | git: Improper handling of |
| | | | | | PATH allows for commands to be |
| | | | | | executed from... |
+---------+------------------+----------+-------------------+---------------+----------------------------------+
| libssh2 | CVE-2019-3855 | CRITICAL | 1.8.0-r2 | 1.8.1-r0 | libssh2: Integer overflow in |
| | | | | | transport read resulting in |
| | | | | | out of bounds write... |
+---------+------------------+----------+-------------------+---------------+----------------------------------+
| sqlite | CVE-2018-20346 | MEDIUM | 3.21.0-r1 | 3.25.3-r0 | CVE-2018-20505 CVE-2018-20506 |
| | | | | | sqlite: Multiple flaws in |
| | | | | | sqlite which can be triggered |
| | | | | | via... |
+---------+------------------+----------+-------------------+---------------+----------------------------------+
| tar | CVE-2018-20482 | LOW | 1.29-r1 | 1.31-r0 | tar: Infinite read loop in |
| | | | | | sparse_dump_region function in |
| | | | | | sparse.c |
+---------+------------------+----------+-------------------+---------------+----------------------------------+
Info
This flag filters the packages themselves, so it also affects the --list-all-pkgs option and SBOM generation.
Filtering by Package Relationships¶
Trivy supports filtering vulnerabilities based on the relationship of packages within a project.
This is achieved through the --pkg-relationships flag.
This feature allows you to focus on vulnerabilities in specific types of dependencies, such as only those in direct dependencies.
In Trivy, there are four types of package relationships:
root: The root package being scanneddirect: Direct dependencies of the root packageindirect: Transitive dependenciesunknown: Packages whose relationship cannot be determined
The available relationships may vary depending on the ecosystem.
To see which relationships are supported for a particular project, you can use the JSON output format and check the Relationship field:
$ trivy repo -f json --list-all-pkgs /path/to/project
To scan only the root package and its direct dependencies, you can use the flag as follows:
$ trivy repo --pkg-relationships root,direct /path/to/project
By default, all relationships are included in the scan.
Info
This flag filters the packages themselves, so it also affects the --list-all-pkgs option and SBOM generation.
Warning
As it may not provide a complete package list, --pkg-relationships cannot be used with --dependency-tree, --vex or SBOM generation.
Detection Priority¶
Trivy provides a --detection-priority flag to control the balance between false positives and false negatives in vulnerability detection.
This concept is similar to the relationship between precision and recall in machine learning evaluation.
$ trivy image --detection-priority {precise|comprehensive} alpine:3.15
precise: This mode prioritizes reducing false positives. It results in less noisy vulnerability reports but may miss some potential vulnerabilities.comprehensive: This mode aims to detect more vulnerabilities, potentially including some that might be false positives. It provides broader coverage but may increase the noise in the results.
The default value is precise. Also refer to the detection behavior section for more information.
Regardless of the chosen mode, user review of detected vulnerabilities is crucial:
precise: Review thoroughly, considering potential missed vulnerabilities.comprehensive: Carefully investigate each reported vulnerability due to increased false positive possibility.
Overriding OS version¶
By default, Trivy automatically detects the OS during container image scanning and performs vulnerability detection based on that OS.
However, in some cases, you may want to scan an image with a different OS version than the one detected.
Also, you may want to specify the OS version when OS is not detected.
For these cases, Trivy supports a --distro flag using the <family>/<version> format (e.g. alpine/3.20) to set the desired OS version.
Severity selection¶
By default, Trivy automatically detects severity (as described here).
But there are cases when you may want to use your own source priority. Trivy supports the --vuln-severity-source flag for this.
Fill in a list of required sources, and Trivy will check the sources in that order until it finds an existing severity.
If no source has the severity - Trivy will use the UNKNOWN severity.
Note
To use the default logic in combination with your sources - use the auto value.
Example logic for the following vendor severity levels when scanning an Alpine image:
"VendorSeverity": {
"ghsa": 3,
"nvd": 4,
}
--vuln-severity-source auto,nvd- severity isCRITICAL, got fromauto.--vuln-severity-source alpine,auto- severity isCRITICAL, got fromauto.--vuln-severity-source alpine,ghsa- severity isHIGH, got fromghsa.--vuln-severity-source alpine,alma- severity isUNKNOWN.