Debian SID Scan Shows 0 Vulnerabilities #8889

orizerah · 2025-05-20T10:33:44Z

orizerah
May 20, 2025

Description

Scanning Debian Trixy SID version always results with 0 vulnerabilities. Even when we know that certain vulnerabilities exist. (for example, linux package has non-fixed vulnerabilities for Trixie as well)

Desired Behavior

Either:

Detect debian sid vulnerabilities
Throw Unsupported Os Version error

Actual Behavior

0 vulnerabilities

Reproduction Steps

1. run `trivy image debian:trixie`
3. There are 0 vulnerabilities

Target

Container Image

Scanner

Vulnerability

Output Format

None

Mode

None

Debug Output

2025-05-20T13:32:36+03:00       DEBUG   No plugins loaded
2025-05-20T13:32:36+03:00       DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2025-05-20T13:32:36+03:00       DEBUG   Cache dir       dir="/Users/orizerah/Library/Caches/trivy"
2025-05-20T13:32:36+03:00       DEBUG   Cache dir       dir="/Users/orizerah/Library/Caches/trivy"
2025-05-20T13:32:36+03:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-05-20T13:32:36+03:00       DEBUG   Ignore statuses statuses=[]
2025-05-20T13:32:36+03:00       DEBUG   DB update was skipped because the local DB is the latest
2025-05-20T13:32:36+03:00       DEBUG   DB info schema=2 updated_at=2025-05-20T06:23:46.936806598Z next_update=2025-05-21T06:23:46.936806366Z downloaded_at=2025-05-20T09:14:17.033669Z
2025-05-20T13:32:36+03:00       DEBUG   [pkg] Package types     types=[os library]
2025-05-20T13:32:36+03:00       DEBUG   [pkg] Package relationships     relationships=[unknown root workspace direct indirect]
2025-05-20T13:32:36+03:00       INFO    [vuln] Vulnerability scanning is enabled
2025-05-20T13:32:36+03:00       INFO    [secret] Secret scanning is enabled
2025-05-20T13:32:36+03:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-05-20T13:32:36+03:00       INFO    [secret] Please see also https://trivy.dev/v0.61/docs/scanner/secret#recommendation for faster secret detection
2025-05-20T13:32:36+03:00       DEBUG   Initializing scan cache...      type="fs"
2025-05-20T13:32:36+03:00       DEBUG   [secret] No secret config detected      config_path="trivy-secret.yaml"
2025-05-20T13:32:36+03:00       DEBUG   [secret] No secret config detected      config_path="trivy-secret.yaml"
2025-05-20T13:32:36+03:00       DEBUG   [image] Detected image ID       image_id="sha256:653dfb9f86c3782e8369d5f7d29bb8faba1f4bff9025db46e807fa4c22903671"
2025-05-20T13:32:36+03:00       DEBUG   [image] Detected diff ID        diff_ids=[sha256:1918202ddf485db918b38497e96d79ccb4359179312ca36160f167d80084f4bf]
2025-05-20T13:32:36+03:00       DEBUG   [image] Detected base layers    diff_ids=[]
2025-05-20T13:32:36+03:00       INFO    Detected OS     family="debian" version="trixie/sid"
2025-05-20T13:32:36+03:00       WARN    This OS version is not on the EOL list  family="debian" version="trixie/sid"
2025-05-20T13:32:36+03:00       INFO    [debian] Detecting vulnerabilities...   os_version="trixie/sid" pkg_num=78
2025-05-20T13:32:36+03:00       INFO    Number of language-specific files       num=0
2025-05-20T13:32:36+03:00       DEBUG   Specified ignore file does not exist    file=".trivyignore"
2025-05-20T13:32:36+03:00       DEBUG   [vex] VEX filtering is disabled

Report Summary

┌───────────────────────────────────┬────────┬─────────────────┬─────────┐
│              Target               │  Type  │ Vulnerabilities │ Secrets │
├───────────────────────────────────┼────────┼─────────────────┼─────────┤
│ debian:trixie (debian trixie/sid) │ debian │        0        │    -    │
└───────────────────────────────────┴────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

Operating System

Mac

Version

Version: 0.61.10
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-05-20 06:23:46.936806598 +0000 UTC
  NextUpdate: 2025-05-21 06:23:46.936806366 +0000 UTC
  DownloadedAt: 2025-05-20 09:14:17.033669 +0000 UTC

Checklist

Run trivy clean --all
Read the troubleshooting

orizerah · 2025-05-20T10:50:05Z

orizerah
May 20, 2025
Author

Also added a PR #8890

0 replies

DmitriyLewen · 2025-05-20T11:58:44Z

DmitriyLewen
May 20, 2025
Maintainer

Hello @orizerah

Trivy doesn't support advisories for sid Debian - #487

0 replies

DmitriyLewen · 2025-05-23T07:36:42Z

DmitriyLewen
May 23, 2025
Maintainer

It looks like debian has bug in debian:trixie image.
Not image use correctly OS name in debian_version:

➜  docker run -it --rm debian:trixie cat /etc/debian_version
13.0

And trivy can detect vulns:

➜  trivy image debian:trixie --table-mode summary --scanners vuln  
2025-05-23T13:35:02+06:00	INFO	[vuln] Vulnerability scanning is enabled
2025-05-23T13:35:03+06:00	INFO	Detected OS	family="debian" version="13.0"
2025-05-23T13:35:03+06:00	INFO	[debian] Detecting vulnerabilities...	os_version="13" pkg_num=78
2025-05-23T13:35:03+06:00	INFO	Number of language-specific files	num=0
2025-05-23T13:35:03+06:00	WARN	Using severities from other vendors for some vulnerabilities. Read https://trivy.dev/v0.62/docs/scanner/vulnerability#severity-selection for details.

Report Summary

┌─────────────────────────────┬────────┬─────────────────┐
│           Target            │  Type  │ Vulnerabilities │
├─────────────────────────────┼────────┼─────────────────┤
│ debian:trixie (debian 13.0) │ debian │       52        │
└─────────────────────────────┴────────┴─────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Debian SID Scan Shows 0 Vulnerabilities #8889

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 3 comments

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Debian SID Scan Shows 0 Vulnerabilities #8889

Uh oh!

Uh oh!

orizerah May 20, 2025

Description

Desired Behavior

Actual Behavior

Reproduction Steps

Target

Scanner

Output Format

Mode

Debug Output

Operating System

Version

Checklist

Replies: 3 comments

Uh oh!

orizerah May 20, 2025 Author

Uh oh!

DmitriyLewen May 20, 2025 Maintainer

Uh oh!

DmitriyLewen May 23, 2025 Maintainer

orizerah
May 20, 2025

orizerah
May 20, 2025
Author

DmitriyLewen
May 20, 2025
Maintainer

DmitriyLewen
May 23, 2025
Maintainer