Question
Hi,
We are using trivy:0.57.0 to scan our container image. The reports of two scans are not consistent for the same vulnerable PkgPath: they have the same PkgPath and VulnerabilityID, but one has a CWEID and the other is missing it. Has anyone had the same issue?
The one without CWEID:

```json
{
  "VulnerabilityID": "CVE-2024-51127",
  "PkgName": "org.hornetq:hornetq-core-client",
  "PkgPath": "opt/wildfly/modules/system/layers/base/org/hornetq/client/main/hornetq-core-client-2.4.9.Final.jar",
  "PkgIdentifier": {
    "PURL": "pkg:maven/org.hornetq/hornetq-core-client@2.4.9.Final",
    "UID": "342c228cf6228f86"
  },
  "InstalledVersion": "2.4.9.Final",
  "Status": "affected",
  "Layer": {
    "DiffID": "sha256:d096c62d59cf7f2d97a071e05bb1079a0a109042cd48305a3106b018948686a2"
  },
  "SeveritySource": "ghsa",
  "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-51127",
  "DataSource": {
    "ID": "ghsa",
    "Name": "GitHub Security Advisory Maven",
    "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
  },
  "Title": "hornetq-core-client: Arbitrarily overwrite files or access sensitive information",
  "Description": "An issue in the createTempFile method of hornetq v2.4.9 allows attackers to arbitrarily overwrite files or access sensitive information.",
  "Severity": "HIGH",
  "VendorSeverity": {
    "ghsa": 3,
    "nvd": 3,
    "redhat": 3
  },
  "CVSS": {
    "ghsa": {
      "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "V3Score": 9.1
    },
    "nvd": {
      "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "V3Score": 7.1
    },
    "redhat": {
      "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "V3Score": 7.1
    }
  }
}
```
The one with CWEID:

```json
{
  "VulnerabilityID": "CVE-2024-51127",
  "PkgName": "org.hornetq:hornetq-core-client",
  "PkgPath": "opt/wildfly/modules/system/layers/base/org/hornetq/client/main/hornetq-core-client-2.4.9.Final.jar",
  "PkgIdentifier": {
    "PURL": "pkg:maven/org.hornetq/hornetq-core-client@2.4.9.Final",
    "UID": "342c228cf6228f86"
  },
  "InstalledVersion": "2.4.9.Final",
  "Status": "affected",
  "Layer": {
    "DiffID": "sha256:d096c62d59cf7f2d97a071e05bb1079a0a109042cd48305a3106b018948686a2"
  },
  "SeveritySource": "ghsa",
  "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-51127",
  "DataSource": {
    "ID": "ghsa",
    "Name": "GitHub Security Advisory Maven",
    "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
  },
  "Title": "hornetq-core-client: Arbitrarily overwrite files or access sensitive information",
  "Description": "An issue in the createTempFile method of hornetq v2.4.9 allows attackers to arbitrarily overwrite files or access sensitive information.",
  "Severity": "HIGH",
  "CweIDs": [
    "CWE-22"
  ],
  "VendorSeverity": {
    "ghsa": 3,
    "nvd": 3,
    "redhat": 3
  },
  "CVSS": {
    "ghsa": {
      "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "V3Score": 9.1
    },
    "nvd": {
      "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "V3Score": 7.1
    },
    "redhat": {
      "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "V3Score": 7.1
    }
  },
  "References": [
    "http://hornetq.com",
    "https://access.redhat.com/security/cve/CVE-2024-51127",
    "https://github.com/JAckLosingHeart/CWE-378/blob/main/CVE-2024-51127.md",
    "https://github.com/darranl/hornetq",
    "https://github.com/hornetq/hornetq/blob/HornetQ_2_4_9_Final/hornetq-core-client/src/main/java/org/hornetq/core/client/impl/ClientConsumerImpl.java#L665C35-L665C49",
    "https://nvd.nist.gov/vuln/detail/CVE-2024-51127",
    "https://www.cve.org/CVERecord?id=CVE-2024-51127"
  ],
  "PublishedDate": "2024-11-04T18:15:05.113Z",
  "LastModifiedDate": "2024-11-21T09:45:17.017Z"
}
```
Target: Container Image
Scanner: Vulnerability
Output Format: JSON
Mode: Standalone
Operating System: linux
Version:
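Added here as an example, not part of the original post or of Trivy's own code: a small Python script that indexes two Trivy JSON reports by (Target, PkgPath, VulnerabilityID) and lists, for each finding present in both, which fields exist in only one scan, so drift such as the missing CweIDs above is caught automatically instead of by eye. The two sample reports are constructed and trimmed to the fields that matter; the Target value "Java" is an assumption.

```python
import json
import sys

# Constructed sample reports modelled on the two findings quoted in the post
# (trimmed to the relevant fields; not real Trivy output).
PKG_PATH = ("opt/wildfly/modules/system/layers/base/org/hornetq/client/main/"
            "hornetq-core-client-2.4.9.Final.jar")
FINDING = {
    "VulnerabilityID": "CVE-2024-51127",
    "PkgName": "org.hornetq:hornetq-core-client",
    "PkgPath": PKG_PATH,
    "PkgIdentifier": {"UID": "342c228cf6228f86"},
    "InstalledVersion": "2.4.9.Final",
    "Severity": "HIGH",
}
SCAN_1 = {"Results": [{"Target": "Java", "Vulnerabilities": [dict(FINDING)]}]}
SCAN_2 = {"Results": [{"Target": "Java", "Vulnerabilities": [dict(
    FINDING, CweIDs=["CWE-22"],
    References=["https://nvd.nist.gov/vuln/detail/CVE-2024-51127"])]}]}


def index_findings(report):
    """Map (Target, PkgPath or PkgName, VulnerabilityID) -> finding dict."""
    index = {}
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            key = (result.get("Target"), vuln.get("PkgPath") or vuln.get("PkgName"),
                   vuln["VulnerabilityID"])
            index[key] = vuln
    return index


def diff_reports(old, new):
    """Findings present in only one scan are listed by key; findings present in
    both are compared field by field, so a CweIDs key that exists in one scan
    and not the other appears under only_in_old / only_in_new."""
    idx_old, idx_new = index_findings(old), index_findings(new)
    out = {"only_in_old": sorted(set(idx_old) - set(idx_new)),
           "only_in_new": sorted(set(idx_new) - set(idx_old)), "field_diffs": {}}
    for key in sorted(set(idx_old) & set(idx_new)):
        a, b = idx_old[key], idx_new[key]
        only_old, only_new = sorted(set(a) - set(b)), sorted(set(b) - set(a))
        changed = sorted(f for f in set(a) & set(b) if a[f] != b[f])
        if only_old or only_new or changed:
            out["field_diffs"][key] = {"only_in_old": only_old,
                                       "only_in_new": only_new, "changed": changed}
    return out


if __name__ == "__main__":
    # Usage: python diff_trivy.py scan1.json scan2.json (defaults to the samples)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            old, new = json.load(f1), json.load(f2)
    else:
        old, new = SCAN_1, SCAN_2
    d = diff_reports(old, new)
    d["field_diffs"] = {" | ".join(map(str, k)): v for k, v in d["field_diffs"].items()}
    print(json.dumps(d, indent=2))
```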