not detecting vulnerabilities conan.lock file

[SemProvoost]

Description

For conan.lock files: Trivy does not seem to detect vulnerabilities when the version is not a semver. Specifically example here for openssl 1.1.1w.

Desired Behavior

In the example in reproduction steps, trivy does not detect any CVE. I would at least expect CVE-2024-0727 in there for the openssl package here. 😁
Page with CVE for openssl 1.1.1w here: https://www.cvedetails.com/vulnerability-list/vendor_id-217/product_id-383/version_id-1657305/year-2024/opdos-1/Openssl-Openssl-1.1.1w.html

Other scanners do seem to detect this vulnerability.

Actual Behavior

No vulnerabilities are found.

Reproduction Steps

- create a conan.lock with following content:
{
    "version": "0.5",
    "requires": [
        "zlib/1.2.11#fca992a7d96a1b92bd956caa8a97d18f%1705999194.642",
        "openssl/1.1.1w#a8f0792d7c5121b954578a7149d23e03%1717541485.78"
    ],
    "build_requires": [],
    "python_requires": [],
    "config_requires": []
}

- run `trivy fs . -f json`

- no results found.

Target

Git Repository

Scanner

Vulnerability

Output Format

JSON

Mode

Standalone

Debug Output

trivy fs . -f json --debug
2024-09-05T10:24:29+02:00       DEBUG   No plugins loaded
2024-09-05T10:24:29+02:00       DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2024-09-05T10:24:29+02:00       DEBUG   Cache dir       dir="/Users/xyz/Library/Caches/trivy"
2024-09-05T10:24:29+02:00       DEBUG   Cache dir       dir="/Users/xyz/Library/Caches/trivy"
2024-09-05T10:24:29+02:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-09-05T10:24:29+02:00       DEBUG   Ignore statuses statuses=[]
2024-09-05T10:24:29+02:00       DEBUG   DB update was skipped because the local DB is the latest
2024-09-05T10:24:29+02:00       DEBUG   DB info schema=2 updated_at=2024-09-05T06:13:50.742324056Z next_update=2024-09-05T12:13:50.742323786Z downloaded_at=2024-09-05T08:03:40.238767Z
2024-09-05T10:24:29+02:00       DEBUG   [pkg] Package types     types=[os library]
2024-09-05T10:24:29+02:00       DEBUG   [pkg] Package relationships     relationships=[unknown root direct indirect]
2024-09-05T10:24:29+02:00       INFO    [vuln] Vulnerability scanning is enabled
2024-09-05T10:24:29+02:00       INFO    [secret] Secret scanning is enabled
2024-09-05T10:24:29+02:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-05T10:24:29+02:00       INFO    [secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-09-05T10:24:29+02:00       DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-09-05T10:24:29+02:00       DEBUG   Initializing scan cache...      type="memory"
2024-09-05T10:24:29+02:00       DEBUG   [secret] No secret config detected      config_path="trivy-secret.yaml"
2024-09-05T10:24:29+02:00       DEBUG   [conan] Unable to parse cache directory to obtain licenses      err="the Conan cache directory was not found."
2024-09-05T10:24:29+02:00       DEBUG   [conan] Handling conan lockfile as v2.x
2024-09-05T10:24:29+02:00       DEBUG   OS is not detected.
2024-09-05T10:24:29+02:00       DEBUG   Detected OS: unknown
2024-09-05T10:24:29+02:00       INFO    Number of language-specific files       num=1
2024-09-05T10:24:29+02:00       INFO    [conan] Detecting vulnerabilities...
2024-09-05T10:24:29+02:00       DEBUG   [conan] Scanning packages for vulnerabilities   file_path="conan.lock"
2024-09-05T10:24:29+02:00       DEBUG   [vex] VEX filtering is disabled
{
  "SchemaVersion": 2,
  "CreatedAt": "2024-09-05T10:24:29.568239+02:00",
  "ArtifactName": ".",
  "ArtifactType": "filesystem",
  "Metadata": {
    "ImageConfig": {
      "architecture": "",
      "created": "0001-01-01T00:00:00Z",
      "os": "",
      "rootfs": {
        "type": "",
        "diff_ids": null
      },
      "config": {}
    }
  },
  "Results": [
    {
      "Target": "conan.lock",
      "Class": "lang-pkgs",
      "Type": "conan"
    }
  ]
}

Operating System

macOS 13.3.1

Version

trivy --version
Version: 0.55.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-09-05 06:13:50.742324056 +0000 UTC
  NextUpdate: 2024-09-05 12:13:50.742323786 +0000 UTC
  DownloadedAt: 2024-09-05 08:03:40.238767 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-09-01 01:09:02.204286528 +0000 UTC
  NextUpdate: 2024-09-04 01:09:02.204286408 +0000 UTC
  DownloadedAt: 2024-09-01 13:18:11.923787 +0000 UTC

Checklist

• Run trivy clean --all
• Read the troubleshooting

[DmitriyLewen]

Hello @SemProvoost
The problem is not in the version.
Trivy works correctly with the non-semver versions.
e.g.:

➜ cat conan.lock 
{
    "version": "0.5",
    "requires": [
        "zlib/1.2.11#fca992a7d96a1b92bd956caa8a97d18f%1705999194.642",
        "openssl/3.0.1w#a8f0792d7c5121b954578a7149d23e03%1717541485.78"
    ],
    "build_requires": [],
    "python_requires": [],
    "config_requires": []
}                                                                                                                                                                                   
➜ trivy -q fs ./conan.lock

conan.lock (conan)

Total: 31 (UNKNOWN: 0, LOW: 0, MEDIUM: 14, HIGH: 15, CRITICAL: 2)

We use GitLab advisory database (see https://aquasecurity.github.io/trivy/v0.55/docs/scanner/vulnerability/#data-sources_1)

Page with CVE for openssl 1.1.1w here: https://www.cvedetails.com/vulnerability-list/vendor_id-217/product_id-383/version_id-1657305/year-2024/opdos-1/Openssl-Openssl-1.1.1w.html

This page contains 2 CVEs (CVE-2024-2511 and CVE-2024-0727).
But GitLab doesn't contain these CVEs - https://gitlab.com/gitlab-org/advisories-community/-/tree/main/conan/openssl?ref_type=heads

You can create an issue/PR in GitLab to add these vulnerabilities

Regards, Dmitriy