Vulnerable DLL and SO files not detected

[matjawor]

Description

Trivy have not detected vulnerabilities of below files while JFrog did.
List of example files:

• szafir_sdk-1.8.453.3-libgraphite64.x64.dll : CVE-2023-29402, CVE-2024-24790
• szafir_sdk-1.8.453.3-libCCGraphiteP11.so: CVE-2021-38297, CVE-2023-24538, CVE-2023-24540, CVE-2022-23806, CVE-2021-38297, CVE-2023-29402, CVE-2024-24790

Desired Behavior

Should the vulnerabilities have been detected? I would not like to complement Trivy Scanner with other scanners in our CI/CD.

Actual Behavior

Detect above the vulnerabilities. Maybe it is about trivy scan configuration?

Reproduction Steps

1. trivy image command does not detect vulnerable files inside an image
2. trivy rootfs does not detect vulnerabiles files in a file system
3. trivy fs does not detect vulnerabiles files in a file system
...

Target

None

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Debug Output

Vulnerabilites have not been detected.

Operating System

Rocky 8.5, Rocky 8.10, Fedora 40

Version

0.56.2

Checklist

• Run trivy clean --all
• Read the troubleshooting

[knqyf263]

How come did you think it's a bug? Our document is not saying it's supported. I changed the category from Bugs to Ideas, but I'm just curious.

[matjawor]

Sorry for that. I assumed that this kind of missed detection is a bug, unnecessarily. Thanks for moving the topic to ideas. Anyway, I need to implement the complementary solution into my CI/CD to cover above cases. Greetings.

[matjawor]

Do you know any open source solutions that are able to scan dll and so files as well? Greetings.