CSAF example not working

[santiagorr]

Description

Hello trivy developers,

Unless I am wrong, the "Scan with CSAF VEX" example provided in the v0.58 documentation https://trivy.dev/v0.58/docs/supply-chain/vex/file/#csaf doesn't seem to work as expected:

Desired Behavior

I would expect the same behavior described in the mentioned documentation:

$ trivy image debian:11 --vex debian11.vex.csaf
...
2024-01-02T10:28:26.704+0100    INFO    Filtered out the detected vulnerability {"VEX format": "CSAF", "vulnerability-id": "CVE-2019-8457", "status": "not_affected"}

debian11.spdx.json (debian 11.6)
================================
Total: 80 (UNKNOWN: 0, LOW: 58, MEDIUM: 6, HIGH: 16, CRITICAL: 0)

Actual Behavior

$ trivy -d image debian:11 --vex debian11.vex.csaf | grep -C 2 CVE-2019-8457
2024-12-23T17:05:34-03:00	DEBUG	No plugins loaded
2024-12-23T17:05:34-03:00	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2024-12-23T17:05:34-03:00	DEBUG	Cache dir	dir="/home/santiago/.cache/trivy"
2024-12-23T17:05:34-03:00	DEBUG	Cache dir	dir="/home/santiago/.cache/trivy"
2024-12-23T17:05:34-03:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-12-23T17:05:34-03:00	DEBUG	Ignore statuses	statuses=[]
2024-12-23T17:05:34-03:00	DEBUG	DB update was skipped because the local DB is the latest
2024-12-23T17:05:34-03:00	DEBUG	DB info	schema=2 updated_at=2024-12-23T18:16:41.542223648Z next_update=2024-12-24T18:16:41.542223197Z downloaded_at=2024-12-23T20:05:15.012377942Z
2024-12-23T17:05:34-03:00	DEBUG	[pkg] Package types	types=[os library]
2024-12-23T17:05:34-03:00	DEBUG	[pkg] Package relationships	relationships=[unknown root workspace direct indirect]
2024-12-23T17:05:34-03:00	INFO	[vuln] Vulnerability scanning is enabled
2024-12-23T17:05:34-03:00	INFO	[secret] Secret scanning is enabled
2024-12-23T17:05:34-03:00	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-23T17:05:34-03:00	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.58/docs/scanner/secret#recommendation for faster secret detection
2024-12-23T17:05:34-03:00	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-12-23T17:05:34-03:00	DEBUG	Initializing scan cache...	type="fs"
2024-12-23T17:05:35-03:00	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2024-12-23T17:05:35-03:00	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2024-12-23T17:05:35-03:00	DEBUG	[image] Detected image ID	image_id="sha256:ab22521fee6a874ede24f0eabc1193a0d4e4ca417aedf8e2a82911ce84ed0831"
2024-12-23T17:05:35-03:00	DEBUG	[image] Detected diff ID	diff_ids=[sha256:7b329afd97eb4c8a9f81c95a2d2d416de77859f73cb1540dcad0fdc1ee1167f6]
2024-12-23T17:05:35-03:00	DEBUG	[image] Detected base layers	diff_ids=[]
2024-12-23T17:05:35-03:00	INFO	Detected OS	family="debian" version="11.11"
2024-12-23T17:05:35-03:00	INFO	[debian] Detecting vulnerabilities...	os_version="11" pkg_num=96
2024-12-23T17:05:35-03:00	INFO	Number of language-specific files	num=0
2024-12-23T17:05:35-03:00	WARN	Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.58/docs/scanner/vulnerability#severity-selection for details.
2024-12-23T17:05:35-03:00	DEBUG	Specified ignore file does not exist	file=".trivyignore"
│                    │                     │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2019-9192                    │
├────────────────────┼─────────────────────┼──────────┼──────────────┼─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libdb5.3           │ CVE-2019-8457       │ CRITICAL │ will_not_fix │ 5.3.28+dfsg1-0.8        │               │ sqlite: heap out-of-bound read in function rtreenode()       │
│                    │                     │          │              │                         │               │ https://avd.aquasec.com/nvd/cve-2019-8457                    │
├────────────────────┼─────────────────────┼──────────┼──────────────┼─────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤

Reproduction Steps

1. Install trivy 0.58
2. Create the CSAF VEX document as described at https://trivy.dev/v0.58/docs/supply-chain/vex/file/#create-the-csaf-document
3. Run `trivy image debian:11 --vex debian11.vex.csaf`

Target

Container Image

Scanner

None

Output Format

None

Mode

None

Debug Output

The same as the actual behaviour.

Operating System

Linux

Version

$ trivy --version
Version: 0.58.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-12-23 18:16:41.542223648 +0000 UTC
  NextUpdate: 2024-12-24 18:16:41.542223197 +0000 UTC
  DownloadedAt: 2024-12-23 20:05:15.012377942 +0000 UTC

Checklist

• Run trivy clean --all
• Read the troubleshooting

[DmitriyLewen]

Hello @santiagorr
Thanks for your interest to Trivy.

CSAF example uses distro qualifier (pkg:deb/debian/[email protected]%2Bdfsg1-0.8?arch=amd64\u0026distro=debian-11.8).
So this purl doesn't match libdb from debian 11.11.

example:

➜ trivy  image debian:11.8 --vex debian11.vex.csaf
...
2024-12-24T12:30:11+06:00	INFO	[vex] Filtered out the detected vulnerability	format="CSAF" vulnerability-id="CVE-2019-8457" product-id="LIBDB-5328" status="not_affected"
2024-12-24T12:30:11+06:00	INFO	Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.

debian:11.8 (debian 11.8)

Total: 153 (UNKNOWN: 1, LOW: 82, MEDIUM: 33, HIGH: 32, CRITICAL: 5)

Anyway i created #8166 to update docs

Regards, Dmitriy

[DmitriyLewen]

#8166 was merged