
Vulnerability Scanning

Trivy detects known vulnerabilities in software components that it finds in the scan target.

The following are supported:

OS Packages

Trivy is capable of automatically detecting installed OS packages when scanning container images, VM images and running hosts.

Note

Trivy does not support third-party or self-compiled packages and binaries, only official packages provided by vendors such as Red Hat and Debian.

Supported OS

See here for the supported OSes.

Data Sources

| OS                        | Source                       |
|---------------------------|------------------------------|
| Arch Linux                | Vulnerable Issues            |
| Alpine Linux              | secdb                        |
| Wolfi Linux               | secdb                        |
| Chainguard                | secdb                        |
| Amazon Linux              | Amazon Linux Security Center |
| Debian                    | Security Bug Tracker / OVAL  |
| Ubuntu                    | Ubuntu CVE Tracker           |
| RHEL/CentOS               | OVAL / Security Data         |
| AlmaLinux                 | AlmaLinux Product Errata     |
| Rocky Linux               | Rocky Linux UpdateInfo       |
| Oracle Linux              | OVAL                         |
| Azure Linux (CBL-Mariner) | OVAL                         |
| OpenSUSE/SLES             | CVRF                         |
| Photon OS                 | Photon Security Advisory     |

Data Source Selection

Trivy only consumes security advisories from the sources listed in the above table.

As for packages installed from OS package managers (dpkg, yum, apk, etc.), Trivy uses the advisory database from the appropriate OS vendor.

For example, for a Python package installed from yum (Amazon Linux), Trivy will only get advisories from ALAS. But for a Python package installed from another source (e.g. pip), Trivy will get advisories from the GitLab and GitHub databases.

This advisory selection is essential to avoid getting false positives because OS vendors usually backport upstream fixes, and the fixed version can be different from the upstream fixed version.

Severity Selection

The severity is taken from the selected data source since the severity from vendors is more accurate. Using CVE-2023-0464 as an example, while it is rated as "HIGH" in NVD, Red Hat has marked its 'Impact' as "Low". As a result, Trivy will display it as "Low".

The real severity depends on compile options, the default configuration, and so on. NVD does not know how each vendor builds and distributes the software, whereas Red Hat can evaluate the severity of its own packages more accurately. That is why Trivy prefers vendor scores over NVD.

If the data source does not provide a severity, the severity is determined based on the CVSS score as follows:

| Base Score Range | Severity |
|------------------|----------|
| 0.1-3.9          | Low      |
| 4.0-6.9          | Medium   |
| 7.0-8.9          | High     |
| 9.0-10.0         | Critical |

If the CVSS score is also not provided, it falls back to NVD.

NVD and some vendors may delay severity analysis, while other vendors, such as Red Hat, are able to quickly evaluate and announce the severity of vulnerabilities. To avoid marking too many vulnerabilities as "UNKNOWN" severity, Trivy uses severity ratings from other vendors when the NVD information is not yet available. The order of preference for vendor severity data can be found here.

You can reference SeveritySource in the JSON reporting format to see from where the severity is taken for a given vulnerability.

"SeveritySource": "debian",

In addition, you can see all the vendor severity ratings.

"VendorSeverity": {
  "amazon": 2,
  "cbl-mariner": 4,
  "ghsa": 4,
  "nvd": 4,
  "photon": 4,
  "redhat": 2,
  "ubuntu": 2
}

Here is the severity mapping in Trivy:

| Number | Severity |
|--------|----------|
| 0      | Unknown  |
| 1      | Low      |
| 2      | Medium   |
| 3      | High     |
| 4      | Critical |

If no vendor has a severity, the UNKNOWN severity will be used.
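The following Python is an added example, not Trivy's own code. It implements the two mappings documented above (CVSS base score to severity, and the numeric VendorSeverity values to names), walks the documented preference order for one vulnerability (selected source, then that source's CVSS score, then NVD, then any other vendor that has already rated it), and shows what dropping entries without a FixedVersion, as --ignore-unfixed does, looks like on a report. The report it processes is a constructed sample in the shape of trivy image -f json output; CVE-2023-0464 carries the ratings quoted in the text, the other IDs and all version strings are placeholders, and the function names are this example's own.

```python
import json

# Trivy's numeric severity mapping (VendorSeverity values); index = number.
SEVERITY_NAMES = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def cvss_to_severity(base_score):
    """Map a CVSS base score to a severity using the ranges in the table above."""
    if base_score is None or base_score < 0.1 or base_score > 10.0:
        return "UNKNOWN"
    if base_score < 4.0:
        return "LOW"
    if base_score < 7.0:
        return "MEDIUM"
    if base_score < 9.0:
        return "HIGH"
    return "CRITICAL"


def vendor_severities(vuln):
    """Decode the VendorSeverity map of one vulnerability into names."""
    return {vendor: SEVERITY_NAMES[num]
            for vendor, num in vuln.get("VendorSeverity", {}).items()}


def resolve_severity(vuln, source):
    """Walk the documented preference order for one vulnerability.

    `source` is the data source selected for the package (what Trivy reports
    as SeveritySource). Returns (severity, where it came from).
    """
    vendor = vuln.get("VendorSeverity", {})
    # 1. the selected data source's own rating
    if vendor.get(source, 0):
        return SEVERITY_NAMES[vendor[source]], source
    # 2. a CVSS score published by that source
    cvss = vuln.get("CVSS", {}).get(source, {})
    score = cvss.get("V3Score", cvss.get("V2Score"))
    if score is not None:
        return cvss_to_severity(score), source + " (CVSS)"
    # 3. NVD
    if vendor.get("nvd", 0):
        return SEVERITY_NAMES[vendor["nvd"]], "nvd"
    # 4. any other vendor that has already rated it while NVD is pending
    for other, num in vendor.items():
        if num:
            return SEVERITY_NAMES[num], other
    return "UNKNOWN", None


def summarize(report, source, ignore_unfixed=False):
    """Return [(id, severity, origin)] for all findings; with ignore_unfixed,
    skip entries that have no FixedVersion (what --ignore-unfixed hides)."""
    rows = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities", []):
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            severity, origin = resolve_severity(vuln, source)
            rows.append((vuln["VulnerabilityID"], severity, origin))
    return rows


# Constructed sample report: only the fields used here are included, and the
# versions are placeholders. CVE-2023-0464 has the ratings quoted in the text
# (NVD HIGH = 3, Red Hat Low = 1); the CVE-0000-* IDs are placeholders.
SAMPLE_REPORT = json.loads("""
{"Results": [{"Target": "example (redhat 8)", "Class": "os-pkgs",
  "Vulnerabilities": [
    {"VulnerabilityID": "CVE-2023-0464", "PkgName": "openssl",
     "InstalledVersion": "1.0.0-1", "FixedVersion": "1.0.0-2",
     "SeveritySource": "redhat",
     "VendorSeverity": {"nvd": 3, "redhat": 1}},
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "pkg-a",
     "InstalledVersion": "1.0", "FixedVersion": "",
     "VendorSeverity": {"nvd": 3},
     "CVSS": {"redhat": {"V3Score": 5.3}}},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "pkg-b",
     "InstalledVersion": "2.0", "FixedVersion": "2.1",
     "VendorSeverity": {"nvd": 0, "ubuntu": 2}}
  ]}]}
""")

if __name__ == "__main__":
    for row in summarize(SAMPLE_REPORT, "redhat"):
        print(*row)
    print(vendor_severities(SAMPLE_REPORT["Results"][0]["Vulnerabilities"][0]))
```

To use it on a real scan, write the report with trivy image -f json -o report.json and pass json.load(open("report.json")) to summarize; the source argument is the value Trivy prints as SeveritySource for that result.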

Unfixed Vulnerabilities

Unfixed/unfixable vulnerabilities are those for which the distribution has not yet provided a patched package. To hide them, use the --ignore-unfixed flag.

Language-specific Packages

Supported Languages

See here for the supported languages.

Data Sources

| Language | Source                                  | Commercial Use | Delay [1] |
|----------|-----------------------------------------|----------------|-----------|
| PHP      | PHP Security Advisories Database        |                | -         |
|          | GitHub Advisory Database (Composer)     |                | -         |
| Python   | GitHub Advisory Database (pip)          |                | -         |
|          | Open Source Vulnerabilities (PyPI)      |                | -         |
| Ruby     | Ruby Advisory Database                  |                | -         |
|          | GitHub Advisory Database (RubyGems)     |                | -         |
| Node.js  | Ecosystem Security Working Group        |                | -         |
|          | GitHub Advisory Database (npm)          |                | -         |
| Java     | GitHub Advisory Database (Maven)        |                | -         |
| Go       | GitHub Advisory Database (Go)           |                | -         |
|          | Go Vulnerability Database               |                | -         |
| Rust     | Open Source Vulnerabilities (crates.io) |                | -         |
| .NET     | GitHub Advisory Database (NuGet)        |                | -         |
| C/C++    | GitLab Advisories Community             |                | 1 month   |
| Dart     | GitHub Advisory Database (Pub)          |                | -         |
| Elixir   | GitHub Advisory Database (Erlang)       |                | -         |
| Swift    | GitHub Advisory Database (Swift)        |                | -         |

Non-packaged software

If you have software that is not managed by a package manager, Trivy can still detect vulnerabilities in it in some cases:

Kubernetes

Trivy can detect vulnerabilities in Kubernetes clusters and components by scanning a Kubernetes cluster or a KBOM (Kubernetes Bill of Materials). To learn more, see the documentation for Kubernetes scanning.

Data Sources

| Vendor     | Source                          |
|------------|---------------------------------|
| Kubernetes | Kubernetes Official CVE feed [1] |

Databases

Trivy utilizes several databases containing information relevant for vulnerability scanning.
When performing a vulnerability scan, Trivy automatically downloads the relevant databases. The databases are cached locally and Trivy reuses them for subsequent scans on the same machine. Trivy takes care of updating the database cache automatically, so normally users can be oblivious to it.

For CLI flags related to the database, please refer to this page.

Vulnerability Database

This is Trivy's main database which contains vulnerability information, as collected from the datasources mentioned above.
It is built every six hours on GitHub.

Java Index Database

When scanning JAR files, Trivy relies on a dedicated database for identifying the groupId, artifactId, and version of the scanned JAR files. This database is only used when scanning JAR files; however, your scanned artifacts might contain JAR files that you're not aware of.
This database is built once a day on GitHub.

External connectivity

Trivy needs to connect to the internet to download the databases. If you are running Trivy in an air-gapped environment or a tightly controlled network, please refer to the Advanced Network Scenarios document.

Detection Behavior

Trivy prioritizes precision in vulnerability detection, aiming to minimize false positives while potentially accepting some false negatives. This approach is particularly relevant in two key areas:

  • Handling Software Installed via OS Packages
  • Handling Packages with Unspecified Versions

Handling Software Installed via OS Packages

For files installed by OS package managers, such as apt, Trivy exclusively uses advisories from the OS vendor. This means that even if a JAR file is present in a container image, if it was installed via an OS package manager (e.g., apt), Trivy will neither analyze the JAR file itself nor use upstream security advisories for it.

For example, consider the Python requests package in Red Hat Universal Base Image 8:

[root@987ee49dc93d /]# head -n 3 /usr/lib/python3.6/site-packages/requests-2.20.0-py3.6.egg-info/PKG-INFO
Metadata-Version: 2.1
Name: requests
Version: 2.20.0

Version 2.20.0 is installed, and the package was installed by dnf:

[root@987ee49dc93d /]# rpm -ql python3-requests | grep PKG-INFO
/usr/lib/python3.6/site-packages/requests-2.20.0-py3.6.egg-info/PKG-INFO

At first glance, this might seem vulnerable to CVE-2023-32681, which affects versions of requests prior to v2.31.0. However, Red Hat backported the fix to v2.20.0-3 in RHSA-2023:4520, and the package is not vulnerable.

  • Upstream (PyPI requests): Fixed in v2.31.0
  • Red Hat (python-requests): Backported fix applied in v2.20.0-3 (RHSA-2023:4520)

If Trivy were to detect CVE-2023-32681 in this case, it would be a false positive. This illustrates why using the correct security advisory is crucial to avoid false detections. To minimize false positives, Trivy trusts the OS vendor's advisory for software installed via OS package managers and does not use upstream advisories for these packages.

However, this approach may lead to false negatives if the OS vendor's advisories are delayed or missing. In such cases, using --detection-priority comprehensive allows Trivy to consider upstream advisories (e.g., GitHub Advisory Database), potentially increasing false positives but reducing false negatives.

Handling Packages with Unspecified Versions

When a package version cannot be uniquely determined (e.g., package-a: ">=3.0"), Trivy typically skips vulnerability detection for that package to avoid false positives. If a lock file is present with fixed versions, Trivy will use those for detection.

To detect potential vulnerabilities even with unspecified versions, use --detection-priority comprehensive. This option makes Trivy use the minimum version in the specified range for vulnerability detection. While this may increase false positives if the actual version used is not the minimum, it helps reduce false negatives.
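The following Python is an added example (not Trivy's own code) that models the two behaviours described in this section. A simplified rpm-style version comparison shows why the python3-requests package above is fixed at 2.20.0-3 under the Red Hat advisory even though upstream fixed CVE-2023-32681 only in 2.31.0, and what changes when upstream advisories are also consulted under --detection-priority comprehensive. A second helper shows how an unpinned dependency spec such as ">=3.0" is treated under each mode. The comparison rules (no epoch, tilde or caret handling), the range syntax recognised and the function names are simplifications assumed for illustration; the version numbers are the ones quoted in the text.

```python
import re

# Fixed versions quoted in the text for CVE-2023-32681 in requests.
UPSTREAM_FIXED = "2.31.0"    # PyPI requests
REDHAT_FIXED = "2.20.0-3"    # Red Hat python3-requests backport (RHSA-2023:4520)


def _tokens(s):
    """Split a version into numeric and alphabetic runs, as rpmvercmp does."""
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpm_vercmp(a, b):
    """Simplified rpmvercmp: returns -1, 0 or 1 (no epoch, tilde or caret rules)."""
    ta, tb = _tokens(a), _tokens(b)
    for x, y in zip(ta, tb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # a numeric segment is newer than alpha
        elif x != y:
            return -1 if x < y else 1
    # all shared segments equal: the version with more segments is newer
    return (len(ta) > len(tb)) - (len(ta) < len(tb))


def rpm_evr_cmp(a, b):
    """Compare 'version-release' strings: version first, then release."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return rpm_vercmp(va, vb) or rpm_vercmp(ra, rb)


def requests_rpm_vulnerable(installed_evr, priority="precise"):
    """Would the installed python3-requests RPM be reported for CVE-2023-32681?

    precise:       only the vendor advisory is consulted (release-aware compare)
    comprehensive: the upstream advisory is applied to the bare version as well
    """
    vendor_vulnerable = rpm_evr_cmp(installed_evr, REDHAT_FIXED) < 0
    if priority == "precise":
        return vendor_vulnerable
    bare_version = installed_evr.partition("-")[0]
    upstream_vulnerable = rpm_vercmp(bare_version, UPSTREAM_FIXED) < 0
    return vendor_vulnerable or upstream_vulnerable


def version_for_detection(spec, priority="precise"):
    """Version an unpinned dependency spec is matched against, or None to skip.

    Exact pins ("3.1.2", "==3.1.2") are used in both modes. Ranges with a lower
    bound (">=3.0", ">=3.0,<4.0", "^1.2.3", "~1.2") are skipped in precise mode
    and resolved to that lower bound in comprehensive mode. Specs with no lower
    bound ("*", "<4.0") are skipped in both modes.
    """
    spec = spec.strip()
    if re.fullmatch(r"(==)?\d[\w.]*", spec):
        return spec.lstrip("=")
    if priority != "comprehensive":
        return None
    lower = re.match(r"(?:>=|\^|~)\s*(\d[\w.]*)", spec)
    return lower.group(1) if lower else None


if __name__ == "__main__":
    for mode in ("precise", "comprehensive"):
        print(mode, "2.20.0-3 vulnerable:", requests_rpm_vulnerable("2.20.0-3", mode))
        print(mode, ">=3.0 checked as:", version_for_detection(">=3.0", mode))
```

In precise mode the installed 2.20.0-3 is compared only against the Red Hat fixed release and is clean; in comprehensive mode the bare 2.20.0 is also compared against the upstream 2.31.0 and is flagged, which is exactly the false positive the text warns about when upstream advisories are applied to backported packages.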

Configuration

This section describes vulnerability-specific configuration. Other common options are documented here.

Enabling a Subset of Package Types

It's possible to only enable certain package types if you prefer. You can do so by passing the --pkg-types option. This flag takes a comma-separated list of package types.

Available values:

  • os
    • Scan OS packages managed by the OS package manager (e.g. dpkg, yum, apk).
  • library
    • Scan language-specific packages (e.g. packages installed by pip, npm, or gem).

$ trivy image --pkg-types os ruby:2.4.0
Result
2019-05-22T19:36:50.530+0200    INFO    Updating vulnerability database...
2019-05-22T19:36:51.681+0200    INFO    Detecting Alpine vulnerabilities...
2019-05-22T19:36:51.685+0200    INFO    Updating npm Security DB...
2019-05-22T19:36:52.389+0200    INFO    Detecting npm vulnerabilities...
2019-05-22T19:36:52.390+0200    INFO    Updating pipenv Security DB...
2019-05-22T19:36:53.406+0200    INFO    Detecting pipenv vulnerabilities...

ruby:2.4.0 (debian 8.7)
=======================
Total: 7 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 3, CRITICAL: 2)

+---------+------------------+----------+-------------------+---------------+----------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |              TITLE               |
+---------+------------------+----------+-------------------+---------------+----------------------------------+
| curl    | CVE-2018-14618   | CRITICAL | 7.61.0-r0         | 7.61.1-r0     | curl: NTLM password overflow     |
|         |                  |          |                   |               | via integer overflow             |
+         +------------------+----------+                   +---------------+----------------------------------+
|         | CVE-2018-16839   | HIGH     |                   | 7.61.1-r1     | curl: Integer overflow leading   |
|         |                  |          |                   |               | to heap-based buffer overflow in |
|         |                  |          |                   |               | Curl_sasl_create_plain_message() |
+---------+------------------+----------+-------------------+---------------+----------------------------------+
| git     | CVE-2018-17456   | HIGH     | 2.15.2-r0         | 2.15.3-r0     | git: arbitrary code execution    |
|         |                  |          |                   |               | via .gitmodules                  |
+         +------------------+          +                   +               +----------------------------------+
|         | CVE-2018-19486   |          |                   |               | git: Improper handling of        |
|         |                  |          |                   |               | PATH allows for commands to be   |
|         |                  |          |                   |               | executed from...                 |
+---------+------------------+----------+-------------------+---------------+----------------------------------+
| libssh2 | CVE-2019-3855    | CRITICAL | 1.8.0-r2          | 1.8.1-r0      | libssh2: Integer overflow in     |
|         |                  |          |                   |               | transport read resulting in      |
|         |                  |          |                   |               | out of bounds write...           |
+---------+------------------+----------+-------------------+---------------+----------------------------------+
| sqlite  | CVE-2018-20346   | MEDIUM   | 3.21.0-r1         | 3.25.3-r0     | CVE-2018-20505 CVE-2018-20506    |
|         |                  |          |                   |               | sqlite: Multiple flaws in        |
|         |                  |          |                   |               | sqlite which can be triggered    |
|         |                  |          |                   |               | via...                           |
+---------+------------------+----------+-------------------+---------------+----------------------------------+
| tar     | CVE-2018-20482   | LOW      | 1.29-r1           | 1.31-r0       | tar: Infinite read loop in       |
|         |                  |          |                   |               | sparse_dump_region function in   |
|         |                  |          |                   |               | sparse.c                         |
+---------+------------------+----------+-------------------+---------------+----------------------------------+

Info

This flag filters the packages themselves, so it also affects the --list-all-pkgs option and SBOM generation.

Filtering by Package Relationships

Trivy supports filtering vulnerabilities based on the relationship of packages within a project. This is achieved through the --pkg-relationships flag. This feature allows you to focus on vulnerabilities in specific types of dependencies, such as only those in direct dependencies.

In Trivy, there are four types of package relationships:

  1. root: The root package being scanned
  2. direct: Direct dependencies of the root package
  3. indirect: Transitive dependencies
  4. unknown: Packages whose relationship cannot be determined

The available relationships may vary depending on the ecosystem. To see which relationships are supported for a particular project, you can use the JSON output format and check the Relationship field:

$ trivy repo -f json --list-all-pkgs /path/to/project

To scan only the root package and its direct dependencies, you can use the flag as follows:

$ trivy repo --pkg-relationships root,direct /path/to/project

By default, all relationships are included in the scan.

Info

This flag filters the packages themselves, so it also affects the --list-all-pkgs option and SBOM generation.

Warning

As it may not provide a complete package list, --pkg-relationships cannot be used with --dependency-tree, --vex or SBOM generation.
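The following Python is an added example, not Trivy's own code. It applies the same relationship filter after the fact to a report produced with trivy repo -f json --list-all-pkgs, which lets one scan serve several views (all packages for the SBOM, direct dependencies only for triage) without running into the restriction above. It assumes that Packages entries carry ID and Relationship fields and that each vulnerability refers to its package through PkgID, as in Trivy's JSON output; the report below is a constructed sample with placeholder package names and CVE IDs, and the function names are this example's own.

```python
import json

# Relationship values documented for --pkg-relationships, in their natural order.
RELATIONSHIPS = ("root", "direct", "indirect", "unknown")


def relationship_counts(report):
    """Count packages per Relationship value, so you can see which the ecosystem reports."""
    counts = {}
    for result in report.get("Results", []):
        for pkg in result.get("Packages", []):
            rel = pkg.get("Relationship", "unknown")
            counts[rel] = counts.get(rel, 0) + 1
    return counts


def filter_relationships(report, allowed):
    """Return a copy of the report restricted to packages whose Relationship is in `allowed`.

    Vulnerabilities are kept only when their PkgID points at a kept package,
    mirroring the fact that the CLI flag filters the packages themselves.
    """
    allowed = set(allowed)
    bad = allowed - set(RELATIONSHIPS)
    if bad:
        raise ValueError(f"unknown relationship(s): {sorted(bad)}")
    out = {"Results": []}
    for result in report.get("Results", []):
        kept = [p for p in result.get("Packages", [])
                if p.get("Relationship", "unknown") in allowed]
        kept_ids = {p["ID"] for p in kept}
        vulns = [v for v in result.get("Vulnerabilities", [])
                 if v.get("PkgID") in kept_ids]
        out["Results"].append({"Target": result.get("Target"),
                               "Packages": kept, "Vulnerabilities": vulns})
    return out


# Constructed sample in the shape of `trivy repo -f json --list-all-pkgs` output;
# package names, versions and CVE IDs are placeholders.
SAMPLE_REPORT = json.loads("""
{"Results": [{"Target": "package-lock.json", "Class": "lang-pkgs", "Type": "npm",
  "Packages": [
    {"ID": "app@1.0.0",   "Name": "app",   "Version": "1.0.0", "Relationship": "root"},
    {"ID": "lib-a@2.0.0", "Name": "lib-a", "Version": "2.0.0", "Relationship": "direct"},
    {"ID": "lib-b@1.1.0", "Name": "lib-b", "Version": "1.1.0", "Relationship": "indirect"}
  ],
  "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgID": "lib-a@2.0.0", "PkgName": "lib-a"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgID": "lib-b@1.1.0", "PkgName": "lib-b"}
  ]}]}
""")

if __name__ == "__main__":
    print(relationship_counts(SAMPLE_REPORT))
    direct_only = filter_relationships(SAMPLE_REPORT, ["root", "direct"])
    print(json.dumps(direct_only, indent=2))
```

Because the filter is applied to a complete report, the original file can still be used for --dependency-tree, VEX processing or SBOM generation, while the filtered copy gives the narrower view.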

Detection Priority

Trivy provides a --detection-priority flag to control the balance between false positives and false negatives in vulnerability detection. This concept is similar to the relationship between precision and recall in machine learning evaluation.

$ trivy image --detection-priority {precise|comprehensive} alpine:3.15

  • precise: This mode prioritizes reducing false positives. It results in less noisy vulnerability reports but may miss some potential vulnerabilities.
  • comprehensive: This mode aims to detect more vulnerabilities, potentially including some that might be false positives. It provides broader coverage but may increase the noise in the results.

The default value is precise. Also refer to the detection behavior section for more information.

Regardless of the chosen mode, user review of detected vulnerabilities is crucial:

  • precise: Review thoroughly, considering potential missed vulnerabilities.
  • comprehensive: Carefully investigate each reported vulnerability due to increased false positive possibility.

  1. https://github.com/GoogleContainerTools/distroless