Description
Alpine-based Temurin images such as eclipse-temurin:17-jre-alpine unpack the JRE into the image without installing an OS package. This means that trivy is not able to detect the JRE in the image and hence will not report any vulnerabilities or add it to the generated SBOM.

However, recent syft versions are able to detect such JRE installations. Since we cannot switch to syft, it would be nice if trivy would support such cases as well.
Target
Container Image
Scanner
Vulnerability
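
One way to check an exported image filesystem for the gap described in the post, as an added example (not part of the original post, and not trivy's or syft's code). It assumes the unpacked JRE carries the OpenJDK `release` file with a `JAVA_VERSION` key and that the apk database is at `lib/apk/db/installed`; the function names, sample paths and version strings are constructed for illustration.

```python
from pathlib import Path

def parse_release(path):
    """Parse the KEY="value" lines of an OpenJDK `release` file."""
    fields = {}
    for line in path.read_text(errors="replace").splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            fields[key] = value.strip('"')
    return fields

def apk_owned_files(rootfs):
    """Paths (relative to rootfs) that the apk database attributes to a package."""
    owned, current_dir = set(), ""
    db = Path(rootfs) / "lib/apk/db/installed"
    if not db.is_file():
        return owned
    for line in db.read_text(errors="replace").splitlines():
        tag, _, value = line.partition(":")
        if tag == "F":        # directory for the R: entries that follow
            current_dir = value
        elif tag == "R":      # file name inside current_dir
            owned.add(f"{current_dir}/{value}")
    return owned

def find_unpackaged_jvms(rootfs):
    """JVMs identified by a `release` file that no apk package owns."""
    owned, hits = apk_owned_files(rootfs), []
    for release in Path(rootfs).rglob("release"):
        if not release.is_file():
            continue
        info = parse_release(release)
        rel = release.relative_to(rootfs).as_posix()
        if "JAVA_VERSION" in info and rel not in owned:
            home = release.parent.relative_to(rootfs).as_posix()
            hits.append((home, info["JAVA_VERSION"], info.get("IMPLEMENTOR", "")))
    return sorted(hits)

def build_sample_rootfs(root):
    """Constructed sample: one unpacked JRE and one apk-owned JRE (made-up versions)."""
    files = {
        "opt/java/openjdk/release": 'IMPLEMENTOR="Eclipse Adoptium"\nJAVA_VERSION="17.0.0"\n',
        "usr/lib/jvm/example-jre/release": 'JAVA_VERSION="11.0.0"\n',
        "lib/apk/db/installed": "P:example-jre\nV:11.0.0-r0\nF:usr/lib/jvm/example-jre\nR:release\n\n",
    }
    for rel, body in files.items():
        (Path(root) / rel).parent.mkdir(parents=True, exist_ok=True)
        (Path(root) / rel).write_text(body)
    return root
```

Calling `find_unpackaged_jvms()` on a directory holding an unpacked image filesystem returns `(java_home, version, vendor)` tuples for runtimes that an OS-package-only scan would miss.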