Bitnami Images

EXPERIMENTAL

Scanning results may be inaccurate.

While it is not an OS, this page describes the details of the container images provided by Bitnami. Bitnami images are based on Debian. Please see the Debian page for OS packages.

Trivy supports the following scanners for Bitnami packages.

Scanner Supported
SBOM
Vulnerability
License

The table below outlines the features offered by Trivy.

Feature Supported
Unfixed vulnerabilities -
Dependency graph -

SBOM

Trivy analyzes the SBOM information contained within the container images provided by Bitnami. The SBOM files are located at /opt/bitnami/<component>/.spdx-<component>.spdx.
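
To check which components of an unpacked image actually carry an SBOM at that path, the following added example (not code from Trivy or Bitnami) walks a root filesystem directory and lists the packages each SBOM declares. It assumes the files are SPDX JSON; the function names and the sample data are constructed for illustration.

```python
import json
import re
import tempfile
from pathlib import Path

# Path pattern stated on this page: /opt/bitnami/<component>/.spdx-<component>.spdx
SBOM_NAME = re.compile(r"^\.spdx-(?P<component>.+)\.spdx$")


def find_bitnami_sboms(rootfs):
    """Yield (component, path) for SBOM files under <rootfs>/opt/bitnami."""
    base = Path(rootfs) / "opt" / "bitnami"
    if not base.is_dir():
        return
    for comp_dir in sorted(p for p in base.iterdir() if p.is_dir()):
        for f in sorted(comp_dir.iterdir()):
            m = SBOM_NAME.match(f.name)
            # This example only accepts files named after their directory,
            # as in the path pattern above.
            if m and m.group("component") == comp_dir.name and f.is_file():
                yield comp_dir.name, f


def list_packages(rootfs):
    """Return (component, name, version, license) rows; assumes SPDX JSON."""
    rows = []
    for component, path in find_bitnami_sboms(rootfs):
        try:
            doc = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):  # unreadable file or not valid JSON
            rows.append((component, None, None, "unreadable SBOM"))
            continue
        packages = doc.get("packages", []) if isinstance(doc, dict) else []
        for pkg in packages:
            rows.append((component, pkg.get("name"), pkg.get("versionInfo"),
                         pkg.get("licenseConcluded", "NOASSERTION")))
    return rows


def build_sample_rootfs(root):
    """Constructed sample data: one valid SBOM and one file with a mismatched name."""
    d = Path(root) / "opt" / "bitnami" / "nginx"
    d.mkdir(parents=True)
    sbom = {"spdxVersion": "SPDX-2.3", "packages": [
        {"name": "nginx", "versionInfo": "1.15.2", "licenseConcluded": "BSD-2-Clause"}]}
    (d / ".spdx-nginx.spdx").write_text(json.dumps(sbom), encoding="utf-8")
    (d / ".spdx-other.spdx").write_text("{}", encoding="utf-8")  # skipped
    return root
```

An empty result for a component means there is no SBOM at the expected path for the scanner to read.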

Vulnerability

Bitnami maintains its own vulnerability database, and Trivy uses it to detect vulnerabilities in applications and packages distributed by Bitnami.

Note

Trivy does not support vulnerability detection for independently compiled binaries, so scanning a container image such as nginx:1.15.2 does not detect vulnerabilities in Nginx. This is because main applications like Nginx are not installed by the package manager. Bitnami images, however, store SBOMs within the image, so scanning bitnami/nginx:1.15.2 does allow vulnerabilities in Nginx to be detected.

Fixed Version

Trivy takes fixed versions from the Bitnami database. Please note that these may differ from the upstream fixed versions.

Severity

As with fixed versions, severity follows Bitnami's vulnerability database.

Status

Trivy supports the following vulnerability statuses for Bitnami packages.

Status Supported
Fixed
Affected
Under Investigation
Will Not Fix
Fix Deferred
End of Life

License

If licenses are included in the SBOM distributed by Bitnami, they will be used for scanning.