Trivy is unable to detect CVE-2023-31419 for elasticsearch-7.10.2.jar #5573

navzen2000 · 2023-11-14T07:12:00Z

navzen2000
Nov 14, 2023

Description

Trivy is unable to detect CVE-2023-31419 for elasticsearch-7.10.2.jar

Desired Behavior

Grype is able to report, Trivy should also report

grype elasticsearch-7.10.2.jar
✔ Vulnerability DB [no update available]
✔ Indexed file system
✔ Cataloged packages [1 packages]
✔ Scanned for vulnerabilities [6 vulnerabilities]
├── 0 critical, 3 high, 3 medium, 0 low, 0 negligible
└── 0 fixed
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
elasticsearch 7.10.2 java-archive CVE-2023-31419 High
elasticsearch 7.10.2 java-archive CVE-2023-31418 High
elasticsearch 7.10.2 java-archive CVE-2023-31417 High
elasticsearch 7.10.2 java-archive CVE-2021-22145 Medium
elasticsearch 7.10.2 java-archive CVE-2021-22144 Medium
elasticsearch 7.10.2 java-archive CVE-2021-22134 Medium

Actual Behavior

trivy --scanners vuln fs elasticsearch-7.10.2.jar
2023-11-13T23:11:13.157-0800 INFO Vulnerability scanning is enabled
2023-11-13T23:11:13.159-0800 INFO Number of language-specific files: 0

Reproduction Steps

1.trivy --scanners vuln fs elasticsearch-7.10.2.jar
2023-11-13T23:08:07.330-0800    INFO    Vulnerability scanning is enabled
2023-11-13T23:08:07.331-0800    INFO    Number of language-specific files: 0

2.
3.
...

Target

Filesystem, Container

Scanner

Vulnerability

Output Format

None

Mode

None

Debug Output

trivy --scanners vuln fs elasticsearch-7.10.2.jar --debug
2023-11-13T23:09:48.702-0800    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-11-13T23:09:48.703-0800    DEBUG   Ignore statuses {"statuses": null}
2023-11-13T23:09:48.705-0800    DEBUG   cache dir:  /home/navegupt/.cache/trivy
2023-11-13T23:09:48.705-0800    DEBUG   DB update was skipped because the local DB is the latest
2023-11-13T23:09:48.705-0800    DEBUG   DB Schema: 2, UpdatedAt: 2023-11-14 06:11:22.596137326 +0000 UTC, NextUpdate: 2023-11-14 12:11:22.596136965 +0000 UTC, DownloadedAt: 2023-11-14 07:02:27.097608587 +0000 UTC
2023-11-13T23:09:48.705-0800    INFO    Vulnerability scanning is enabled
2023-11-13T23:09:48.705-0800    DEBUG   Vulnerability type:  [os library]
2023-11-13T23:09:48.705-0800    DEBUG   The nuget packages directory couldn't be found. License search disabled
2023-11-13T23:09:48.705-0800    DEBUG   Walk the file tree rooted at 'elasticsearch-7.10.2.jar' in parallel
2023-11-13T23:09:48.707-0800    DEBUG   OS is not detected.
2023-11-13T23:09:48.707-0800    DEBUG   Detected OS: unknown
2023-11-13T23:09:48.707-0800    INFO    Number of language-specific files: 0

Operating System

linux

Version

trivy --version
Version: 0.46.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-11-14 06:11:22.596137326 +0000 UTC
  NextUpdate: 2023-11-14 12:11:22.596136965 +0000 UTC
  DownloadedAt: 2023-11-14 07:02:27.097608587 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-11-14 00:47:12.884424656 +0000 UTC
  NextUpdate: 2023-11-17 00:47:12.884424406 +0000 UTC
  DownloadedAt: 2023-11-14 05:42:29.138768601 +0000 UTC

Checklist

Run trivy image --reset
Read the troubleshooting

knqyf263 · 2023-11-14T07:22:02Z

knqyf263
Nov 14, 2023
Maintainer

https://aquasecurity.github.io/trivy/v0.47/docs/coverage/language/

12 replies

navzen2000 Nov 14, 2023
Author

jar files are copied directly, they are not rpms which get installed via OS package manager

navzen2000 Nov 14, 2023
Author

Please open a bug

navzen2000 Nov 14, 2023
Author

@knqyf263

knqyf263 Nov 14, 2023
Maintainer

You should give us how to replicate it if you have something else. The command you gave is fs and it is not a bug. Also, please refer to the existing issues and discussions first...

navzen2000 Nov 14, 2023
Author

Here is the difference, Trivy can detect through fs and image correctly for maven downloaded jar but not locally built jar from same source.
It is not about fs/non-fs but how Trivy detects a signature in given jar.
What am trying to figure out why such difference exists
Able to detect:

trivy -d rootfs ./elasticsearch-7.10.2_mvn.jar
2023-11-14T04:31:11.699-0800 DEBUG      Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-11-14T04:31:11.700-0800 DEBUG      Ignore statuses {"statuses": null}
2023-11-14T04:31:11.702-0800 DEBUG      cache dir:  /home/.cache/trivy
2023-11-14T04:31:11.702-0800 DEBUG      DB update was skipped because the local DB was downloaded during the last hour
2023-11-14T04:31:11.702-0800 DEBUG      DB Schema: 2, UpdatedAt: 2023-11-14 06:11:22.596137326 +0000 UTC, NextUpdate: 2023-11-14 12:11:22.596136965 +0000 UTC, DownloadedAt: 2023-11-14 12:11:59.295538505 +0000 UTC
2023-11-14T04:31:11.702-0800 INFO       Vulnerability scanning is enabled
2023-11-14T04:31:11.702-0800 DEBUG      Vulnerability type:  [os library]
2023-11-14T04:31:11.702-0800 INFO       Secret scanning is enabled
2023-11-14T04:31:11.702-0800 INFO       If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-11-14T04:31:11.702-0800 INFO       Please see also https://aquasecurity.github.io/trivy/v0.46/docs/scanner/secret/#recommendation for faster secret detection
2023-11-14T04:31:11.702-0800 DEBUG      No secret config detected: trivy-secret.yaml
2023-11-14T04:31:11.702-0800 DEBUG      The nuget packages directory couldn't be found. License search disabled
2023-11-14T04:31:11.702-0800 DEBUG      Walk the file tree rooted at 'elasticsearch-7.10.2_mvn.jar' in parallel
2023-11-14T04:31:11.703-0800 DEBUG      Parsing Java artifacts...       {"file": "elasticsearch-7.10.2_mvn.jar"}
2023-11-14T04:31:11.728-0800 DEBUG      OS is not detected.
2023-11-14T04:31:11.728-0800 DEBUG      Detected OS: unknown
2023-11-14T04:31:11.728-0800 INFO       Number of language-specific files: 1
2023-11-14T04:31:11.728-0800 INFO       Detecting jar vulnerabilities...
2023-11-14T04:31:11.729-0800 DEBUG      Detecting library vulnerabilities, type: jar, path:
2023-11-14T04:31:11.731-0800 INFO       Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Java (jar)

Total: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 5, HIGH: 1, CRITICAL: 0)

Unable to detect

 trivy -d rootfs ./elasticsearch-7.10.2_org.jar
2023-11-14T04:31:40.737-0800 DEBUG      Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-11-14T04:31:40.738-0800 DEBUG      Ignore statuses {"statuses": null}
2023-11-14T04:31:40.739-0800 DEBUG      cache dir:  /home/.cache/trivy
2023-11-14T04:31:40.739-0800 DEBUG      DB update was skipped because the local DB was downloaded during the last hour
2023-11-14T04:31:40.739-0800 DEBUG      DB Schema: 2, UpdatedAt: 2023-11-14 06:11:22.596137326 +0000 UTC, NextUpdate: 2023-11-14 12:11:22.596136965 +0000 UTC, DownloadedAt: 2023-11-14 12:11:59.295538505 +0000 UTC
2023-11-14T04:31:40.740-0800 INFO       Vulnerability scanning is enabled
2023-11-14T04:31:40.740-0800 DEBUG      Vulnerability type:  [os library]
2023-11-14T04:31:40.740-0800 INFO       Secret scanning is enabled
2023-11-14T04:31:40.740-0800 INFO       If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-11-14T04:31:40.740-0800 INFO       Please see also https://aquasecurity.github.io/trivy/v0.46/docs/scanner/secret/#recommendation for faster secret detection
2023-11-14T04:31:40.740-0800 DEBUG      No secret config detected: trivy-secret.yaml
2023-11-14T04:31:40.740-0800 DEBUG      The nuget packages directory couldn't be found. License search disabled
2023-11-14T04:31:40.740-0800 DEBUG      Walk the file tree rooted at 'elasticsearch-7.10.2_org.jar' in parallel
2023-11-14T04:31:40.741-0800 DEBUG      Parsing Java artifacts...       {"file": "elasticsearch-7.10.2_org.jar"}
2023-11-14T04:31:40.763-0800 DEBUG      No such POM in the central repositories {"file": "elasticsearch-7.10.2_org.jar"}
2023-11-14T04:31:40.771-0800 DEBUG      POM was determined in a heuristic way   {"file": "elasticsearch-7.10.2_org.jar", "artifact": "software.amazon.awssdk:elasticsearch:7.10.2_org"}
2023-11-14T04:31:40.774-0800 DEBUG      OS is not detected.
2023-11-14T04:31:40.774-0800 DEBUG      Detected OS: unknown
2023-11-14T04:31:40.774-0800 INFO       Number of language-specific files: 1
2023-11-14T04:31:40.774-0800 INFO       Detecting jar vulnerabilities...
2023-11-14T04:31:40.774-0800 DEBUG      Detecting library vulnerabilities, type: jar, path:

Am following up on this on a separate thread, as you have closed this discussion in haste.

navzen2000 · 2023-11-14T08:53:11Z

navzen2000
Nov 14, 2023
Author

Not happy with response provided above, very illogical
The issue should be acknowledged properly

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Trivy is unable to detect CVE-2023-31419 for elasticsearch-7.10.2.jar #5573

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 2 comments 12 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

Select a reply

Trivy is unable to detect CVE-2023-31419 for elasticsearch-7.10.2.jar #5573

navzen2000 Nov 14, 2023

Description

Desired Behavior

Actual Behavior

Reproduction Steps

Target

Scanner

Output Format

Mode

Debug Output

Operating System

Version

Checklist

Replies: 2 comments · 12 replies

knqyf263 Nov 14, 2023 Maintainer

navzen2000 Nov 14, 2023 Author

navzen2000 Nov 14, 2023 Author

navzen2000 Nov 14, 2023 Author

knqyf263 Nov 14, 2023 Maintainer

navzen2000 Nov 14, 2023 Author

navzen2000 Nov 14, 2023 Author

navzen2000
Nov 14, 2023

Replies: 2 comments 12 replies

knqyf263
Nov 14, 2023
Maintainer

navzen2000 Nov 14, 2023
Author

navzen2000 Nov 14, 2023
Author

navzen2000 Nov 14, 2023
Author

knqyf263 Nov 14, 2023
Maintainer

navzen2000 Nov 14, 2023
Author

navzen2000
Nov 14, 2023
Author