Python 3.6.8 Pip 9.0.3 vulnerabilities not detected #5620
matjawor started this conversation in False Detection
Replies: 1 comment
Hello @matjawor. For packages installed from the package manager we use the vendor OS database - https://aquasecurity.github.io/trivy/v0.47/docs/scanner/vulnerability/#data-source-selection. It looks like the Rocky database doesn't have these CVEs, or there are fixes for python38 or python27. Regards, Dmitriy
IDs
CVE-2022-48565, CVE-2022-37454, CVE-2021-3177, CVE-2020-27619, CVE-2019-9948, CVE-2019-9636, CVE-2019-10160
Description
Trivy version 0.47.0 scanned an image based on Rocky Linux 8.5 with the Python core packages in the versions below:
Both Python core packages were installed by the dnf package installer. The critical vulnerabilities listed in the IDs section weren't detected by the Trivy image scan.
Reproduction Steps
1. Build an image based on Rocky Linux 8.5.
2. Install the Python core packages in the above-mentioned versions inside it:
   - dnf install python
   - dnf install pip
3. Run trivy image scanning.
4. Get familiar with the report. The above-mentioned vulnerabilities will not be detected ...
Target
Container Image
Scanner
Vulnerability
Target OS
Rocky Linux 8.5
Debug Output
Included in the Description section.
Version
Checklist
- `-f json` output that shows data sources, and confirmed that the security advisory in the data sources was correct
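The reply above points at data-source selection, and the checklist asks for a `-f json` run that shows data sources. The following script, added here as an example and not part of the discussion or of Trivy itself, parses a report in the shape of `trivy image -f json` output, lists which DataSource ID each target's findings came from, and reports which of the expected CVE IDs are absent. The embedded report, its version strings and image name are constructed for the example.

```python
import json
from typing import Dict, Set

# Constructed sample in the shape of `trivy image -f json` output (not a real
# scan from this discussion); only the fields the checks below use are included.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "example/rocky-python:constructed",
    "Results": [{
        "Target": "example/rocky-python:constructed (rocky 8.5)",
        "Class": "os-pkgs",
        "Type": "rocky",
        "Vulnerabilities": [{
            "VulnerabilityID": "CVE-2021-3177",
            "PkgName": "python3",
            "InstalledVersion": "3.6.8-41.el8",   # constructed version strings
            "FixedVersion": "3.6.8-45.el8",
            "Severity": "CRITICAL",
            "DataSource": {"ID": "rocky", "Name": "Rocky Linux updateinfo",
                           "URL": "https://download.rockylinux.org/pub/rocky/"},
        }],
    }],
})

# The CVE IDs the report above lists as undetected.
EXPECTED_CVES = {"CVE-2022-48565", "CVE-2022-37454", "CVE-2021-3177", "CVE-2020-27619",
                 "CVE-2019-9948", "CVE-2019-9636", "CVE-2019-10160"}

def data_sources(report: dict) -> Dict[str, Set[str]]:
    """Map each scan target to the DataSource IDs its findings came from."""
    out: Dict[str, Set[str]] = {}
    for result in report.get("Results", []):
        # Trivy omits "Vulnerabilities" (or sets it to null) when nothing was found.
        vulns = result.get("Vulnerabilities") or []
        out[result["Target"]] = {v.get("DataSource", {}).get("ID", "unknown") for v in vulns}
    return out

def missing_cves(report: dict, expected: Set[str]) -> Set[str]:
    """Return the expected CVE IDs that appear nowhere in the report."""
    found = {v["VulnerabilityID"] for r in report.get("Results", [])
             for v in r.get("Vulnerabilities") or []}
    return expected - found

def check(report_json: str, expected: Set[str]) -> dict:
    """Parse a JSON report and return the data sources seen and the expected CVEs missing."""
    report = json.loads(report_json)
    return {"sources": data_sources(report), "missing": missing_cves(report, expected)}
```

To run it against a real scan, pass the contents of a saved `trivy image -f json` report file to `check` in place of `SAMPLE_REPORT`.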