Red Hat 8.6 EUS False positives

[wagde-orca]

IDs

CVE-2022-35252

Description

i am trying to scan a redhat 8.6 and I have many False positives for example i have curl 7.61.1-22.el8_6.12 installed, and when running trivy rootfs /tmp/redhat8.6 --format json -o trivy_res.json
I get the following FP (the CVE is fixed in 7.61.1-22.el8_6.12)

{
          "VulnerabilityID": "CVE-2022-35252",
          "VendorIDs": [
            "RHSA-2023:2963"
          ],
          "PkgID": "[email protected]_6.12.x86_64",
          "PkgName": "curl",
          "PkgIdentifier": {
            "PURL": "pkg:rpm/redhat/[email protected]_6.12?arch=x86_64\u0026distro=redhat-8.6",
            "UID": "b271e82ed1ddc7cf"
          },
          "InstalledVersion": "7.61.1-22.el8_6.12",
          "FixedVersion": "7.61.1-30.el8",
          "Status": "fixed",
          ...

Reproduction Steps

1. run trivy rootfs mode on red hat 8.6 EUS with latest curl installed

Target

Filesystem

Scanner

Vulnerability

Target OS

red hat 8.6

Debug Output

trivy rootfs /tmp/redhat8.6 --format json -o trivy_res.json --debug
2025-01-05T17:20:35+02:00	DEBUG	No plugins loaded
2025-01-05T17:20:35+02:00	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2025-01-05T17:20:35+02:00	DEBUG	Cache dir	dir="/Users/xxx/Library/Caches/trivy"
2025-01-05T17:20:35+02:00	DEBUG	Cache dir	dir="/Users/xxx/Library/Caches/trivy"
2025-01-05T17:20:35+02:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-01-05T17:20:35+02:00	DEBUG	Ignore statuses	statuses=[]
2025-01-05T17:20:35+02:00	DEBUG	DB update was skipped because the local DB is the latest
2025-01-05T17:20:35+02:00	DEBUG	DB info	schema=2 updated_at=2025-01-05T12:17:22.66072113Z next_update=2025-01-06T12:17:22.66072076Z downloaded_at=2025-01-05T15:13:29.233743Z
2025-01-05T17:20:35+02:00	DEBUG	[pkg] Package types	types=[os library]
2025-01-05T17:20:35+02:00	DEBUG	[pkg] Package relationships	relationships=[unknown root workspace direct indirect]
2025-01-05T17:20:35+02:00	INFO	[vuln] Vulnerability scanning is enabled
2025-01-05T17:20:35+02:00	INFO	[secret] Secret scanning is enabled
2025-01-05T17:20:35+02:00	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-05T17:20:35+02:00	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.58/docs/scanner/secret#recommendation for faster secret detection
2025-01-05T17:20:35+02:00	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2025-01-05T17:20:35+02:00	DEBUG	Initializing scan cache...	type="memory"
2025-01-05T17:20:35+02:00	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2025-01-05T17:20:35+02:00	INFO	Detected OS	family="redhat" version="8.6"
2025-01-05T17:20:35+02:00	INFO	[redhat] Detecting RHEL/CentOS vulnerabilities...	os_version="8" pkg_num=219
2025-01-05T17:20:36+02:00	INFO	Number of language-specific files	num=0
2025-01-05T17:20:36+02:00	WARN	Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.58/docs/scanner/vulnerability#severity-selection for details.
2025-01-05T17:20:36+02:00	WARN	Unable to get vulnerability details (CVE may be rejected)	err="failed to get the vulnerability \"CVE-2022-22662\": no vulnerability details for CVE-2022-22662"
2025-01-05T17:20:36+02:00	WARN	Unable to get vulnerability details (CVE may be rejected)	err="failed to get the vulnerability \"CVE-2022-26700\": no vulnerability details for CVE-2022-26700"
2025-01-05T17:20:36+02:00	WARN	Unable to get vulnerability details (CVE may be rejected)	err="failed to get the vulnerability \"CVE-2022-26709\": no vulnerability details for CVE-2022-26709"
2025-01-05T17:20:36+02:00	WARN	Unable to get vulnerability details (CVE may be rejected)	err="failed to get the vulnerability \"CVE-2022-26710\": no vulnerability details for CVE-2022-26710"
2025-01-05T17:20:36+02:00	WARN	Unable to get vulnerability details (CVE may be rejected)	err="failed to get the vulnerability \"CVE-2022-26716\": no vulnerability details for CVE-2022-26716"
2025-01-05T17:20:36+02:00	WARN	Unable to get vulnerability details (CVE may be rejected)	err="failed to get the vulnerability \"CVE-2022-26717\": no vulnerability details for CVE-2022-26717"
2025-01-05T17:20:36+02:00	WARN	Unable to get vulnerability details (CVE may be rejected)	err="failed to get the vulnerability \"CVE-2022-26719\": no vulnerability details for CVE-2022-26719"
2025-01-05T17:20:36+02:00	WARN	Unable to get vulnerability details (CVE may be rejected)	err="failed to get the vulnerability \"CVE-2022-30293\": no vulnerability details for CVE-2022-30293"
2025-01-05T17:20:36+02:00	WARN	Unable to get vulnerability details (CVE may be rejected)	err="failed to get the vulnerability \"CVE-2022-32792\": no vulnerability details for CVE-2022-32792"
2025-01-05T17:20:36+02:00	WARN	Unable to get vulnerability details (CVE may be rejected)	err="failed to get the vulnerability \"CVE-2022-32816\": no vulnerability details for CVE-2022-32816"
2025-01-05T17:20:36+02:00	DEBUG	Specified ignore file does not exist	file=".trivyignore"
2025-01-05T17:20:36+02:00	DEBUG	[vex] VEX filtering is disabled

Version

Version: 0.58.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-01-05 12:17:22.66072113 +0000 UTC
  NextUpdate: 2025-01-06 12:17:22.66072076 +0000 UTC
  DownloadedAt: 2025-01-05 15:13:29.233743 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-12-18 02:53:19.193069252 +0000 UTC
  NextUpdate: 2024-12-21 02:53:19.193069092 +0000 UTC
  DownloadedAt: 2024-12-18 22:25:53.714969 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct