Trivy supports the following scanners for OS packages.
The following table provides an outline of the targets Trivy supports.
|Version|Container image|Virtual machine|Arch|
The table below outlines the features offered by Trivy.
|Detect unfixed vulnerabilities|✓|
Trivy detects packages that have been installed through package managers such as
CBL-Mariner publishes its own security advisories, and Trivy uses them when scanning CBL-Mariner for vulnerabilities.
Trivy takes fixed versions from CBL-Mariner OVAL.
Trivy calculates the severity of an issue based on the severity provided in CBL-Mariner OVAL.
Trivy supports the following vulnerability statuses for CBL-Mariner.
|Will Not Fix|
|End of Life|
Trivy identifies licenses by examining the metadata of RPM packages.
License detection is not supported for CBL-Mariner Distroless.