Scan Json Report missing CWEID #8318
Replies: 2 comments
Hello @jackliu2006, this is a weird case. Regards, Dmitriy

Hi @DmitriyLewen, thanks for the comment. Actually there is no way to tell when it will appear; it just shows up occasionally. I will close this discussion for now until I see how to reproduce it.
Question
Hi,
We are using trivy:0.57.0 to scan our container image. The reports of two scans are not consistent for the same vulnerable package path: both records have the same PkgPath and VulnerabilityID, but one has CweIDs and the other is missing it. Has anyone had the same issue?

The one without CweIDs:
```json
{
  "VulnerabilityID": "CVE-2024-51127",
  "PkgName": "org.hornetq:hornetq-core-client",
  "PkgPath": "opt/wildfly/modules/system/layers/base/org/hornetq/client/main/hornetq-core-client-2.4.9.Final.jar",
  "PkgIdentifier": {
    "PURL": "pkg:maven/org.hornetq/hornetq-core-client@2.4.9.Final",
    "UID": "342c228cf6228f86"
  },
  "InstalledVersion": "2.4.9.Final",
  "Status": "affected",
  "Layer": {
    "DiffID": "sha256:d096c62d59cf7f2d97a071e05bb1079a0a109042cd48305a3106b018948686a2"
  },
  "SeveritySource": "ghsa",
  "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-51127",
  "DataSource": {
    "ID": "ghsa",
    "Name": "GitHub Security Advisory Maven",
    "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
  },
  "Title": "hornetq-core-client: Arbitrarily overwrite files or access sensitive information",
  "Description": "An issue in the createTempFile method of hornetq v2.4.9 allows attackers to arbitrarily overwrite files or access sensitive information.",
  "Severity": "HIGH",
  "VendorSeverity": {
    "ghsa": 3,
    "nvd": 3,
    "redhat": 3
  },
  "CVSS": {
    "ghsa": {
      "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "V3Score": 9.1
    },
    "nvd": {
      "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "V3Score": 7.1
    },
    "redhat": {
      "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "V3Score": 7.1
    }
  }
}
```
The one with CweIDs:

```json
{
  "VulnerabilityID": "CVE-2024-51127",
  "PkgName": "org.hornetq:hornetq-core-client",
  "PkgPath": "opt/wildfly/modules/system/layers/base/org/hornetq/client/main/hornetq-core-client-2.4.9.Final.jar",
  "PkgIdentifier": {
    "PURL": "pkg:maven/org.hornetq/hornetq-core-client@2.4.9.Final",
    "UID": "342c228cf6228f86"
  },
  "InstalledVersion": "2.4.9.Final",
  "Status": "affected",
  "Layer": {
    "DiffID": "sha256:d096c62d59cf7f2d97a071e05bb1079a0a109042cd48305a3106b018948686a2"
  },
  "SeveritySource": "ghsa",
  "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-51127",
  "DataSource": {
    "ID": "ghsa",
    "Name": "GitHub Security Advisory Maven",
    "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
  },
  "Title": "hornetq-core-client: Arbitrarily overwrite files or access sensitive information",
  "Description": "An issue in the createTempFile method of hornetq v2.4.9 allows attackers to arbitrarily overwrite files or access sensitive information.",
  "Severity": "HIGH",
  "CweIDs": [
    "CWE-22"
  ],
  "VendorSeverity": {
    "ghsa": 3,
    "nvd": 3,
    "redhat": 3
  },
  "CVSS": {
    "ghsa": {
      "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "V3Score": 9.1
    },
    "nvd": {
      "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "V3Score": 7.1
    },
    "redhat": {
      "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "V3Score": 7.1
    }
  },
  "References": [
    "http://hornetq.com",
    "https://access.redhat.com/security/cve/CVE-2024-51127",
    "https://github.com/JAckLosingHeart/CWE-378/blob/main/CVE-2024-51127.md",
    "https://github.com/darranl/hornetq",
    "https://github.com/hornetq/hornetq/blob/HornetQ_2_4_9_Final/hornetq-core-client/src/main/java/org/hornetq/core/client/impl/ClientConsumerImpl.java#L665C35-L665C49",
    "https://nvd.nist.gov/vuln/detail/CVE-2024-51127",
    "https://www.cve.org/CVERecord?id=CVE-2024-51127"
  ],
  "PublishedDate": "2024-11-04T18:15:05.113Z",
  "LastModifiedDate": "2024-11-21T09:45:17.017Z"
}
```
Target: Container Image
Scanner: Vulnerability
Output Format: JSON
Mode: Standalone
Operating System: linux
Version: