Trivy supports the following scanners for OS packages.
Please see here for supported versions.
The table below outlines the features offered by Trivy.
Trivy detects packages that have been installed through package managers such as
While there are some exceptions, like Go binaries and JAR files, it's important to note that binaries that have been custom-built using
make or tools installed via
curl are generally not detected.
Debian offers its own security advisories, and these are utilized when scanning Debian for vulnerabilities.
When looking at fixed versions, it's crucial to consider the patches supplied by Debian.
For example, for CVE-2023-3269, the fixed version for Debian 12 (bookworm) is listed as
6.1.37-1 in the Security Tracker.
This patch is provided in DSA-5448-1.
Note that this is different from the upstream fixed version, which is
Typically, only the upstream information gets listed on NVD, so it's important not to get confused.
Trivy calculates the severity of an issue based on the 'Urgency' metric found in the Security Tracker. If 'Urgency' isn't provided by Debian, the severity from the NVD is taken into account.
Using CVE-2019-15052 as an example, while it is rated as "Critical" in NVD, Debian has marked its "Urgency" as "Low". As a result, Trivy will display it as "Low".
Trivy supports the following vulnerability statuses for Debian.
|Will Not Fix|
|End of Life||✓|
To identify the license of a package, Trivy checks the copyright file located at
However, this method has its limitations as the file isn't machine-readable, leading to situations where the license isn't detected.
In such scenarios, the
--license-full flag can be passed.
It compares the contents of known licenses with the copyright file to discern the license in question.
Please be aware that using this flag can increase memory usage, so it's disabled by default for efficiency.