Trivy does not manage to identify issues on R programming language Docker image

[fdobal]

Description

Trivy does not find vulnerabilities on the R programming language image: r-base:4.4.1

Desired Behavior

It should at least identify the following vulnerabilities already identified by Docker scout:

• https://scout.docker.com/vulnerabilities/id/CVE-2022-4055
• https://scout.docker.com/vulnerabilities/id/CVE-2024-2646

Actual Behavior

It finish successfully without pointing out any vulnerability:

r-base:4.4.1 (debian trixie/sid)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Reproduction Steps

1.create an empty .trivyignore file
2.Execute $ trivy image --vuln-type os,library --scanners vuln r-base:4.4.1

Target

Container Image

Scanner

Vulnerability

Output Format

None

Mode

Standalone

Debug Output

$ trivy image --vuln-type os,library --scanners vuln r-base:4.4.1 --debug
2024-10-23T12:17:06+02:00	DEBUG	No plugins loaded
2024-10-23T12:17:06+02:00	WARN	'--vuln-type' is deprecated. Use '--pkg-types' instead.
2024-10-23T12:17:06+02:00	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2024-10-23T12:17:06+02:00	DEBUG	Cache dir	dir="/Users/gndma/Library/Caches/trivy"
2024-10-23T12:17:06+02:00	DEBUG	Cache dir	dir="/Users/gndma/Library/Caches/trivy"
2024-10-23T12:17:06+02:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-10-23T12:17:06+02:00	DEBUG	Ignore statuses	statuses=[]
2024-10-23T12:17:06+02:00	DEBUG	[vulndb] There is no valid metadata file	err="unable to open a file: open /Users/gndma/Library/Caches/trivy/db/metadata.json: no such file or directory"
2024-10-23T12:17:06+02:00	INFO	[vulndb] Need to update DB
2024-10-23T12:17:06+02:00	DEBUG	[vulndb] No metadata file
2024-10-23T12:17:06+02:00	INFO	[vulndb] Downloading vulnerability DB...
2024-10-23T12:17:06+02:00	INFO	[vulndb] Downloading artifact...	repo="ghcr.io/aquasecurity/trivy-db:2"
54.72 MiB / 54.72 MiB [------------------------------------------------------------------------------------------------] 100.00% 7.89 MiB p/s 7.1s
2024-10-23T12:17:15+02:00	INFO	[vulndb] Artifact successfully downloaded	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-23T12:17:15+02:00	DEBUG	Updating database metadata...
2024-10-23T12:17:15+02:00	DEBUG	DB info	schema=2 updated_at=2024-10-23T06:16:55.145362881Z next_update=2024-10-24T06:16:55.14536257Z downloaded_at=2024-10-23T10:17:15.524367Z
2024-10-23T12:17:15+02:00	DEBUG	[pkg] Package types	types=[os library]
2024-10-23T12:17:15+02:00	DEBUG	[pkg] Package relationships	relationships=[unknown root direct indirect]
2024-10-23T12:17:15+02:00	INFO	[vuln] Vulnerability scanning is enabled
2024-10-23T12:17:15+02:00	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-10-23T12:17:15+02:00	DEBUG	Initializing scan cache...	type="fs"
2024-10-23T12:17:17+02:00	DEBUG	[image] Detected image ID	image_id="sha256:8f983d0e3c9bfa164dc2cd2162c68a53281a490b6c03b3f068e6088f34f50540"
2024-10-23T12:17:17+02:00	DEBUG	[image] Detected diff ID	diff_ids=[sha256:5969267de1a1ceed9966e87eca94c824c079c72a839c049e64ef2af0cbe9f101 sha256:58829ead47f079a9373d99b2cd5fa1b8721e0e862d42d07ca37bca05de057a13 sha256:90452ad6f5f40bdd8a4a2fceb2f0d049e2c3476924dd0a9d1e648d144013d7d6 sha256:44cdd08ac304dae0f22eed6e64f42f976d0ddc7450d3ac44c8adebd586c4b682 sha256:a1ecf8f78f54bf10fd51143c4768755d7adf7657e24fd78a04ed29d3999d1b5d sha256:c7350b3076fecdc966e41b0e2ff6d8cee60cd37aef77e445b35fdeeddcdba449]
2024-10-23T12:17:17+02:00	DEBUG	[image] Detected base layers	diff_ids=[sha256:5969267de1a1ceed9966e87eca94c824c079c72a839c049e64ef2af0cbe9f101]
2024-10-23T12:17:17+02:00	DEBUG	[image] Missing image ID in cache	image_id="sha256:8f983d0e3c9bfa164dc2cd2162c68a53281a490b6c03b3f068e6088f34f50540"
2024-10-23T12:17:17+02:00	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:5969267de1a1ceed9966e87eca94c824c079c72a839c049e64ef2af0cbe9f101"
2024-10-23T12:17:17+02:00	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:a1ecf8f78f54bf10fd51143c4768755d7adf7657e24fd78a04ed29d3999d1b5d"
2024-10-23T12:17:17+02:00	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:90452ad6f5f40bdd8a4a2fceb2f0d049e2c3476924dd0a9d1e648d144013d7d6"
2024-10-23T12:17:17+02:00	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:44cdd08ac304dae0f22eed6e64f42f976d0ddc7450d3ac44c8adebd586c4b682"
2024-10-23T12:17:17+02:00	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:58829ead47f079a9373d99b2cd5fa1b8721e0e862d42d07ca37bca05de057a13"
2024-10-23T12:17:18+02:00	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:c7350b3076fecdc966e41b0e2ff6d8cee60cd37aef77e445b35fdeeddcdba449"
2024-10-23T12:17:25+02:00	DEBUG	[dpkg] Unable to parse the available file	file_path="var/lib/dpkg/available" err="file open error: open var/lib/dpkg/available: file does not exist"
2024-10-23T12:17:53+02:00	DEBUG	[dpkg] Unable to parse the available file	file_path="var/lib/dpkg/available" err="file open error: open var/lib/dpkg/available: file does not exist"
2024-10-23T12:17:53+02:00	DEBUG	No secrets found in container image config
2024-10-23T12:17:53+02:00	INFO	Detected OS	family="debian" version="trixie/sid"
2024-10-23T12:17:53+02:00	WARN	This OS version is not on the EOL list	family="debian" version="trixie/sid"
2024-10-23T12:17:53+02:00	INFO	[debian] Detecting vulnerabilities...	os_version="trixie/sid" pkg_num=277
2024-10-23T12:17:53+02:00	INFO	Number of language-specific files	num=0
2024-10-23T12:17:53+02:00	DEBUG	Found an ignore file	file_path=".trivyignore"
2024-10-23T12:17:53+02:00	DEBUG	[vex] VEX filtering is disabled

r-base:4.4.1 (debian trixie/sid)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Operating System

mac OS Sonoma

Version

$ trivy --version
Version: 0.56.2
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-10-23 06:16:55.145362881 +0000 UTC
  NextUpdate: 2024-10-24 06:16:55.14536257 +0000 UTC
  DownloadedAt: 2024-10-23 10:17:15.524367 +0000 UTC

Checklist

• Run trivy clean --all
• Read the troubleshooting

[knqyf263]

R is not supported. If you want to scan it, you can raise a feature request.
https://aquasecurity.github.io/trivy/v0.56/docs/coverage/language/