Rust / Cargo.lock scanning broken

[synack-security]

IDs

RUSTSEC-2019-0035 - CVE-2020-25576

Description

Rust scanning seems broken entirely. No matter how many vulnerable rust packages included in Cargo.lock there are never results.

Other tools find vulns like the following:
Name: rand_core, Version: 0.4.0, Path: /Cargo.lock
RUSTSEC-2019-0035, Severity: CRITICAL, Source: https://rustsec.org/advisories/RUSTSEC-2019-0035.html
CVSS score: 9.8

Even the command published on the trivy website doesn't return results, but should: "trivy repo https://github.com/aquasecurity/rust-app --debug --list-all-pkgs"

Trivy screenshot:
https://trivy.dev/wp-content/uploads/2022/02/bouncing-block-4-screenshot.jpg

Reproduction Steps

1.trivy repo https://github.com/aquasecurity/rust-app --debug --list-all-pkgs
2.No results come back
3.
...

Target

Filesystem

Scanner

Vulnerability

Target OS

No response

Debug Output

2023-09-19T09:34:17.075-0400	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-09-19T09:34:17.076-0400	DEBUG	Ignore statuses	{"statuses": null}
2023-09-19T09:34:17.114-0400	DEBUG	cache dir:  ...Library/Caches/trivy
2023-09-19T09:34:17.114-0400	DEBUG	DB update was skipped because the local DB is the latest
2023-09-19T09:34:17.115-0400	DEBUG	DB Schema: 2, UpdatedAt: 2023-09-19 12:16:05.220556166 +0000 UTC, NextUpdate: 2023-09-19 18:16:05.220555566 +0000 UTC, DownloadedAt: 2023-09-19 13:21:02.402363 +0000 UTC
2023-09-19T09:34:17.115-0400	INFO	Vulnerability scanning is enabled
2023-09-19T09:34:17.115-0400	DEBUG	Vulnerability type:  [library]
2023-09-19T09:34:17.115-0400	INFO	Secret scanning is enabled
2023-09-19T09:34:17.115-0400	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-09-19T09:34:17.115-0400	INFO	Please see also https://aquasecurity.github.io/trivy/v0.45/docs/scanner/secret/#recommendation for faster secret detection
Enumerating objects: 6, done.
Counting objects: 100% (6/6), done.
Compressing objects: 100% (5/5), done.
Total 6 (delta 0), reused 3 (delta 0), pack-reused 0
2023-09-19T09:34:17.438-0400	DEBUG	No secret config detected: trivy-secret.yaml
2023-09-19T09:34:17.438-0400	DEBUG	Walk the file tree rooted at '/var/folders/..../T/trivy-remote-repo4196353208' in parallel
2023-09-19T09:34:17.456-0400	DEBUG	Cargo: Cargo.toml not found
2023-09-19T09:34:17.495-0400	DEBUG	OS is not detected.
2023-09-19T09:34:17.495-0400	INFO	Number of language-specific files: 1
2023-09-19T09:34:17.495-0400	INFO	Detecting cargo vulnerabilities...
2023-09-19T09:34:17.495-0400	DEBUG	Detecting library vulnerabilities, type: cargo, path: Cargo.lock

Version

I've tried 0.44, 0.45, 0.38.3

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[dagint]

Able to reproduce this. -f json works but if you use -f table you get the same response.

trivy repo https://github.com/aquasecurity/rust-app --debug --list-all-pkgs                                                                                               
2023-09-19T09:50:22.444-0400	WARN	"--list-all-pkgs" cannot be used with "--format table". Try "--format json" or other formats.
2023-09-19T09:50:22.444-0400	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-09-19T09:50:22.486-0400	DEBUG	cache dir:  /Users/michael.ginter/Library/Caches/trivy
2023-09-19T09:50:22.486-0400	DEBUG	DB update was skipped because the local DB is the latest
2023-09-19T09:50:22.486-0400	DEBUG	DB Schema: 2, UpdatedAt: 2023-09-19 12:16:05.220556166 +0000 UTC, NextUpdate: 2023-09-19 18:16:05.220555566 +0000 UTC, DownloadedAt: 2023-09-19 13:28:06.744213 +0000 UTC
2023-09-19T09:50:22.486-0400	INFO	Vulnerability scanning is enabled
2023-09-19T09:50:22.486-0400	DEBUG	Vulnerability type:  [library]
2023-09-19T09:50:22.486-0400	INFO	Secret scanning is enabled
2023-09-19T09:50:22.486-0400	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-09-19T09:50:22.486-0400	INFO	Please see also https://aquasecurity.github.io/trivy/v0.41/docs/secret/scanning/#recommendation for faster secret detection
Enumerating objects: 6, done.
Counting objects: 100% (6/6), done.
Compressing objects: 100% (5/5), done.
Total 6 (delta 0), reused 3 (delta 0), pack-reused 0
2023-09-19T09:50:22.855-0400	DEBUG	No secret config detected: trivy-secret.yaml
2023-09-19T09:50:22.856-0400	DEBUG	Walk the file tree rooted at '/var/folders/5r/nsf7mmqx2wl6z1jzj7s0wcb00000gp/T/fanal-remote4169417005' in parallel
2023-09-19T09:50:22.865-0400	DEBUG	Cargo: Cargo.toml not found
2023-09-19T09:50:22.905-0400	DEBUG	OS is not detected.
2023-09-19T09:50:22.905-0400	INFO	Number of language-specific files: 1
2023-09-19T09:50:22.905-0400	INFO	Detecting cargo vulnerabilities...
2023-09-19T09:50:22.905-0400	DEBUG	Detecting library vulnerabilities, type: cargo, path: Cargo.lock

Cargo.lock (cargo)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

[DmitriyLewen]

Hello @synack-security
Thanks for your report!

We are working on this task.

I'll write to you when we fix it.

Regards, Dmitriy

[DmitriyLewen]

Hello @synack-security
We fixed this problem.

Redownload Trvy-db to get list of vulnerability.

➜ trivy repo https://github.com/aquasecurity/rust-app --debug --list-all-pkgs
...

Cargo.lock (cargo)

Total: 10 (UNKNOWN: 0, LOW: 1, MEDIUM: 2, HIGH: 3, CRITICAL: 4)