
Detect vulnerabilities of the main software in the image #481

Open
knqyf263 opened this issue Apr 30, 2020 · 6 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature. priority/backlog Higher priority than priority/awaiting-more-evidence.

Comments

@knqyf263
Collaborator

Currently, Trivy detects vulnerabilities of packages installed by package manager such as yum and apt-get. But the main software in the image is usually installed by make install.

For example, redis binary in redis:5.0 is installed by make install.
https://github.com/docker-library/redis/blob/d3a0f3d95ac768db44dbcb87ecf88cfc436581d5/5.0/Dockerfile#L64

Apache HTTP Server in httpd:2.4 is installed by make install.
https://github.com/docker-library/httpd/blob/6c8e82e20ecefc94c616439f15d14c4bb215b200/2.4/Dockerfile#L131

The problem is that their versioning is different from the versioning of Linux distributions such as Debian and Red Hat. It means we need to use another vulnerability source to detect vulnerabilities. We probably can use NVD and CPE for the purpose, but it is not easy since we have to convert redis to cpe:2.3:a:redislabs:redis:*:*:*:*:*:*:*:*. For now, it looks difficult to convert it automatically and accurately. There are a lot of products out there with similar names.

@knqyf263 knqyf263 added the kind/deprecation Categorizes issue or PR as related to a feature/enhancement marked for deprecation. label Apr 30, 2020
@knqyf263 knqyf263 added kind/feature Categorizes issue or PR as related to a new feature. priority/backlog Higher priority than priority/awaiting-more-evidence. and removed kind/deprecation Categorizes issue or PR as related to a feature/enhancement marked for deprecation. labels Apr 30, 2020
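The opening comment names the CPE 2.3 formatted string that a package like `redis` would have to be mapped to, and says that mapping is hard because many products share a name. The following Go program is an added illustration written for this page, not Trivy's code: it decomposes a CPE 2.3 formatted string into its components (honouring backslash escapes), normalises a package name the way CPE product names are written, and looks the name up in `sampleDictionary`, a small constructed stand-in for the NVD CPE dictionary. The result shows both failure modes the comment describes: `redis` matches more than one vendor, and a display name such as `Apache HTTP Server` matches nothing by exact product name. All identifiers here are assumptions of the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// CPE holds the eleven attributes of a CPE 2.3 formatted string:
// cpe:2.3:part:vendor:product:version:update:edition:language:sw_edition:target_sw:target_hw:other
type CPE struct {
	Part, Vendor, Product, Version, Update, Edition, Language, SwEdition, TargetSw, TargetHw, Other string
}

// splitUnescaped splits s on ':' while keeping backslash-escaped characters
// (the formatted-string grammar uses "\:" for a literal colon) inside a field.
func splitUnescaped(s string) []string {
	var fields []string
	var cur strings.Builder
	escaped := false
	for _, r := range s {
		switch {
		case escaped:
			cur.WriteRune('\\')
			cur.WriteRune(r)
			escaped = false
		case r == '\\':
			escaped = true
		case r == ':':
			fields = append(fields, cur.String())
			cur.Reset()
		default:
			cur.WriteRune(r)
		}
	}
	if escaped {
		cur.WriteRune('\\')
	}
	return append(fields, cur.String())
}

// ParseCPE validates the prefix, field count and part of a CPE 2.3 formatted string.
func ParseCPE(s string) (CPE, error) {
	f := splitUnescaped(s)
	if len(f) != 13 || f[0] != "cpe" || f[1] != "2.3" {
		return CPE{}, fmt.Errorf("not a CPE 2.3 formatted string: %q", s)
	}
	if f[2] != "a" && f[2] != "h" && f[2] != "o" {
		return CPE{}, fmt.Errorf("invalid part %q (want a, h or o)", f[2])
	}
	for i, v := range f[3:] {
		if v == "" {
			return CPE{}, fmt.Errorf("field %d of %q is empty", i+3, s)
		}
	}
	return CPE{f[2], f[3], f[4], f[5], f[6], f[7], f[8], f[9], f[10], f[11], f[12]}, nil
}

// String re-serialises the CPE in formatted-string form.
func (c CPE) String() string {
	return strings.Join([]string{"cpe", "2.3", c.Part, c.Vendor, c.Product, c.Version, c.Update,
		c.Edition, c.Language, c.SwEdition, c.TargetSw, c.TargetHw, c.Other}, ":")
}

// normalizeName applies the CPE naming convention: lower case, spaces become underscores.
func normalizeName(name string) string {
	return strings.ReplaceAll(strings.ToLower(strings.TrimSpace(name)), " ", "_")
}

func mustParseAll(ss ...string) []CPE {
	out := make([]CPE, 0, len(ss))
	for _, s := range ss {
		c, err := ParseCPE(s)
		if err != nil {
			panic(err)
		}
		out = append(out, c)
	}
	return out
}

// sampleDictionary is a constructed stand-in for a CPE dictionary (assumption of this example).
var sampleDictionary = mustParseAll(
	"cpe:2.3:a:redislabs:redis:*:*:*:*:*:*:*:*",
	"cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*",
	"cpe:2.3:a:example_vendor:redis_desktop_manager:*:*:*:*:*:*:*:*",
	"cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*",
)

// MatchByProduct returns every dictionary entry whose product equals the normalised package name.
func MatchByProduct(dict []CPE, pkgName string) []CPE {
	want := normalizeName(pkgName)
	var out []CPE
	for _, c := range dict {
		if c.Product == want {
			out = append(out, c)
		}
	}
	return out
}

// DistinctVendors lists the vendors among the matches; more than one means the name is ambiguous.
func DistinctVendors(matches []CPE) []string {
	seen := map[string]bool{}
	for _, c := range matches {
		seen[c.Vendor] = true
	}
	vendors := make([]string, 0, len(seen))
	for v := range seen {
		vendors = append(vendors, v)
	}
	sort.Strings(vendors)
	return vendors
}

func main() {
	for _, name := range []string{"redis", "Apache HTTP Server"} {
		m := MatchByProduct(sampleDictionary, name)
		fmt.Printf("%-20s -> %d candidate(s), vendors %v\n", name, len(m), DistinctVendors(m))
	}
}
```

Running it prints two candidates with two vendors for `redis` and none for `Apache HTTP Server`; a scanner that picked the first match, or that searched by substring instead of exact product, would either report the wrong product's CVEs or miss the package entirely, which is the accuracy problem the comment raises.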
@netrounds-fredrik

How about allowing the user to manually provide a list of installed software, maybe as a complement to the list generated by the automatic detection? See proposal in #293.

@Johannestegner
Contributor

This would be a very nice addition, either by just letting us place a formatted file somewhere inside the image in question or by just scanning it directly with Trivy.

Is there any work being done on a feature like this?

@Henrique-Potter

I have a related issue that could be solved if Trivy could scan dynamic/static links on .so and .a files and imports from header files.

Is it possible?

@Johannestegner
Contributor

> if Trivy could scan dynamic/static links on .so and .a files and imports from header files.

Not sure if it is possible, but if it is, that would be gold worth! :)

@macedogm
Contributor

@knqyf263 is this feature planned to be in Trivy's roadmap? This seems to be an important feature to have, at least IMO. I'm willing to help implement this in my free time if some guidance is provided.

josedonizetti pushed a commit to josedonizetti/trivy that referenced this issue Jun 24, 2022
* fix: Fix Windows support

Signed-off-by: Liam Galvin <liam.galvin@aquasec.com>

* Update writable.go

* Update writable_windows.go
@Urth

Urth commented Jan 29, 2025

Reading through some of the other tickets it appears binary scanning is part of a commercial license and there are no plans to merge this into the open source version.

I could not find a working solution with SBOM either so as a workaround we're toying with adding entries to the distro package database. The caveats are that the software should be available on the image source distribution, the versions should match distro versioning and the distro needs to publish security advisories for the package.

$ trivy image redis:7.2.4 -q --format json | jq -r '.Results[0].Vulnerabilities[] | select(.PkgName == "redis-server") | [.VulnerabilityID, .Title] | @tsv'

$ cat Dockerfile 
FROM redis:7.2.4

RUN echo "Package: redis-server\nStatus: install ok installed\nVersion: 5:7.2.4\nSource: redis\n\n" >> /var/lib/dpkg/status

$ docker build -t redis:7.2.4-dpkg-db . 
Sending build context to Docker daemon  2.631MB
Step 1/2 : FROM redis:7.2.4
 ---> 9b38108e295d
Step 2/2 : RUN echo "Package: redis-server\nStatus: install ok installed\nVersion: 5:7.2.4\nSource: redis\n\n" >> /var/lib/dpkg/status
 ---> Using cache
 ---> 812c82118fe7
Successfully built 812c82118fe7
Successfully tagged redis:7.2.4-dpkg-db

$ trivy image redis:7.2.4-dpkg-db -q --format json | jq -r '.Results[0].Vulnerabilities[] | select(.PkgName == "redis-server") | [.VulnerabilityID, .Title] | @tsv'
CVE-2024-46981  redis: Redis' Lua library commands may lead to remote code execution
CVE-2024-51741  redis: Redis allows denial-of-service due to malformed ACL selectors
CVE-2020-21468  redis: Segmentation fault in the redis-server component
CVE-2022-3647   redis: crash in sigsegvHandler debug function
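The workaround above appends a hand-written record to /var/lib/dpkg/status with a single echo, and notes that it only works when the package name and version follow the distribution's conventions. The Go program below is an added example for this page, not part of Trivy or of the comment: it renders such a stanza after checking the name and version against simplified forms of the Debian package-name and version grammars, then parses a status file back (including continuation lines and a package whose status is not "install ok installed") to show what a scanner reading the database would actually pick up. `sampleStatus` is a constructed excerpt, and the function names and the regular expressions are assumptions of the example, stricter than dpkg's own parser.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Simplified Debian grammars (assumption of this example): package names are
// lower-case alphanumerics plus "+.-" and at least two characters; versions are
// [epoch:]upstream[-revision] and must start with a digit.
var (
	pkgNameRe = regexp.MustCompile(`^[a-z0-9][a-z0-9+.-]+$`)
	versionRe = regexp.MustCompile(`^(?:[0-9]+:)?[0-9][A-Za-z0-9.+~-]*$`)
)

// DebianVersionValid reports whether v looks like a Debian version string.
func DebianVersionValid(v string) bool { return versionRe.MatchString(v) }

// StatusStanza renders one /var/lib/dpkg/status record for software that dpkg
// does not really manage, as the echo in the workaround does. The trailing
// blank line is part of the record: it is what separates stanzas.
func StatusStanza(pkg, version, source string) (string, error) {
	if !pkgNameRe.MatchString(pkg) {
		return "", fmt.Errorf("invalid package name %q", pkg)
	}
	if !DebianVersionValid(version) {
		return "", fmt.Errorf("invalid Debian version %q", version)
	}
	var b strings.Builder
	fmt.Fprintf(&b, "Package: %s\n", pkg)
	b.WriteString("Status: install ok installed\n")
	fmt.Fprintf(&b, "Version: %s\n", version)
	if source != "" {
		fmt.Fprintf(&b, "Source: %s\n", source)
	}
	b.WriteString("\n")
	return b.String(), nil
}

// ParseStatus splits a status file into stanzas keyed by package name.
// Continuation lines (leading whitespace) are folded into the previous field,
// and only the first colon on a line separates key from value, so a version
// with an epoch such as "5:7.2.4" survives intact.
func ParseStatus(data string) map[string]map[string]string {
	out := make(map[string]map[string]string)
	for _, stanza := range strings.Split(data, "\n\n") {
		fields := map[string]string{}
		last := ""
		for _, line := range strings.Split(stanza, "\n") {
			if line == "" {
				continue
			}
			if line[0] == ' ' || line[0] == '\t' {
				if last != "" {
					fields[last] += "\n" + line
				}
				continue
			}
			k, v, ok := strings.Cut(line, ":")
			if !ok {
				continue
			}
			fields[k] = strings.TrimSpace(v)
			last = k
		}
		if name, ok := fields["Package"]; ok {
			out[name] = fields
		}
	}
	return out
}

// InstalledVersion returns the version of pkg only when its status marks it as
// fully installed; a removed package with leftover config files is ignored.
func InstalledVersion(data, pkg string) (string, bool) {
	f, ok := ParseStatus(data)[pkg]
	if !ok || f["Status"] != "install ok installed" {
		return "", false
	}
	return f["Version"], true
}

// sampleStatus is a constructed excerpt in /var/lib/dpkg/status format.
const sampleStatus = `Package: libc6
Status: install ok installed
Version: 2.36-9+deb12u4
Description: GNU C Library: Shared libraries
 Contains the standard libraries that are used by nearly all programs.

Package: curl
Status: deinstall ok config-files
Version: 7.88.1-10

`

func main() {
	stanza, err := StatusStanza("redis-server", "5:7.2.4", "redis")
	if err != nil {
		panic(err)
	}
	db := sampleStatus + stanza
	for _, p := range []string{"redis-server", "libc6", "curl"} {
		v, ok := InstalledVersion(db, p)
		fmt.Printf("%-13s installed=%v version=%q\n", p, ok, v)
	}
}
```

The generated stanza is byte-for-byte what the echo in the workaround produces on a shell whose echo expands `\n` (dash, the /bin/sh of Debian-based images, does; bash's builtin does not without `-e`), which is one more thing worth checking before relying on the trick. The name and version checks exist because a record that dpkg's grammar rejects can be silently skipped by a scanner, and a version that does not match the distribution's advisory data yields no findings either way.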
