No vulnerabilities identified for pkg:maven/org.apache.tomcat.embed/tomcat-embed-core

[biehl1]

Description

No advisories are found for pkg:maven/org.apache.tomcat.embed/[email protected] while multiple are reported for such version, namely CVE-2023-46589, CVE-2023-45648, CVE-2023-44487, CVE-2023-42795.
Ref: https://tomcat.apache.org/security-10.html

Desired Behavior

Advisories related to tomcat-embed-core should be identified

Actual Behavior

While trivy is able to report vulnerabilities for certain jar components (example below) the tool provides empty results for tomcat-embed-core instance.

Reproduction Steps

1. Considering the following SBOM, which contains references to an affected tomcat-embed-core version and also to another library for which trivy actually detects some advisories for:

cat <<EOF >>sbom.json
{
  "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:56de7048-3227-493a-ab8d-3e2fb9479409",
  "version": 1,
  "metadata": {
    "timestamp": "2023-12-21T02:36:30+00:00",
    "tools": [
      {
        "vendor": "aquasecurity",
        "name": "trivy",
        "version": "0.47.0"
      }
    ]
  },
  "components": [
    {
      "bom-ref": "pkg:maven/ch.qos.logback/[email protected]?file_path=app%2Fdemo.jar%2FBOOT-INF%2Flib%2Flogback-classic-1.4.11.jar",
      "type": "library",
      "group": "ch.qos.logback",
      "name": "logback-classic",
      "version": "1.4.11",
      "purl": "pkg:maven/ch.qos.logback/[email protected]",
      "properties": []
    },
    {
      "bom-ref": "pkg:maven/org.apache.tomcat.embed/[email protected]?file_path=app%2Fdemo.jar%2FBOOT-INF%2Flib%2Ftomcat-embed-core-10.1.13.jar",
      "type": "library",
      "group": "org.apache.tomcat.embed",
      "name": "tomcat-embed-core",
      "version": "10.1.13",
      "purl": "pkg:maven/org.apache.tomcat.embed/[email protected]",
      "properties": []
    }
  ],
  "dependencies": [],
  "vulnerabilities": []
}
EOF


2. Run trivy against it:
docker run --rm -v ${PWD}/sbom.json:/sbom.json aquasec/trivy /sbom.json

The above will output one vulnerability found for ch.qos.logback:logback-classic but zero findings for tomcat-embed-core

Target

SBOM

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Debug Output

$ docker run --rm -v ${PWD}/sbom.json:/sbom.json aquasec/trivy sbom /sbom.json --debug 
2023-12-21T02:55:34.314Z        DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-12-21T02:55:34.316Z        DEBUG   Ignore statuses {"statuses": null}
2023-12-21T02:55:34.326Z        DEBUG   cache dir:  /root/.cache/trivy
2023-12-21T02:55:34.326Z        DEBUG   There is no valid metadata file: unable to open a file: open /root/.cache/trivy/db/metadata.json: no such file or directory
2023-12-21T02:55:34.326Z        INFO    Need to update DB
2023-12-21T02:55:34.326Z        INFO    DB Repository: ghcr.io/aquasecurity/trivy-db
2023-12-21T02:55:34.326Z        INFO    Downloading DB...
2023-12-21T02:55:34.326Z        DEBUG   no metadata file
41.98 MiB [-------------------------------------------------] 100.00% 11.50 MiB p/s 3.9
2023-12-21T02:55:39.011Z        DEBUG   DB Schema: 2, UpdatedAt: 2023-12-21 00:18:19.247896167 +0000 UTC, NextUpdate: 2023-12-21 06:18:19.247895666 +0000 UTC, DownloadedAt: 2023-12-21 02:55:39.011673 +0000 UTC
2023-12-21T02:55:39.012Z        INFO    Vulnerability scanning is enabled
2023-12-21T02:55:39.012Z        DEBUG   Vulnerability type:  [os library]
2023-12-21T02:55:39.016Z        INFO    Detected SBOM format: cyclonedx-json
2023-12-21T02:55:39.016Z        DEBUG   Unmarshaling CycloneDX JSON...
2023-12-21T02:55:39.018Z        WARN    Ignore the OS package as no OS information is found.
2023-12-21T02:55:39.357Z        DEBUG   OS is not detected.
2023-12-21T02:55:39.357Z        DEBUG   Detected OS: unknown
2023-12-21T02:55:39.358Z        INFO    Number of language-specific files: 1
2023-12-21T02:55:39.358Z        INFO    Detecting jar vulnerabilities...
2023-12-21T02:55:39.358Z        DEBUG   Detecting library vulnerabilities, type: jar, path: 

Java (jar)
==========
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌────────────────────────────────┬───────────────┬──────────┬────────┬───────────────────┬────────────────────────┬──────────────────────────────────────────────────────────┐
│            Library             │ Vulnerability │ Severity │ Status │ Installed Version │     Fixed Version      │                          Title                           │
├────────────────────────────────┼───────────────┼──────────┼────────┼───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────┤
│ ch.qos.logback:logback-classic │ CVE-2023-6378 │ HIGH     │ fixed  │ 1.4.11            │ 1.3.12, 1.4.12, 1.2.13 │ logback: serialization vulnerability in logback receiver │
│                                │               │          │        │                   │                        │ https://avd.aquasec.com/nvd/cve-2023-6378                │
└────────────────────────────────┴───────────────┴──────────┴────────┴───────────────────┴────────────────────────┴──────────────────────────────────────────────────────────┘

Operating System

macOS / docker

Version

0.47.0

Checklist

• Run trivy image --reset
• Read the troubleshooting

[DmitriyLewen]

Hello @biehl1
Thanks for your report!

I can't find info that artifacts for org.apache.tomcat.embed are vulnerable.
e.g. Github says only org.apache.tomcat GroupID.
e.g.:
GHSA-fccv-jmmp-qg76
GHSA-r6j3-px5g-cq3x

We use GitHub advisory database for java vulnerabilities - https://aquasecurity.github.io/trivy/v0.48/docs/scanner/vulnerability/#data-sources_1
If you are confident that pkg:maven/org.apache.tomcat.embed/[email protected] contains these CVEs - please suggest changes in GitHub Advisory Database (existing advisories contain Suggest improvements for this vulnerability link for this).

Regards, Dmitriy