fix(pkg/vulnerability): invalid PrimaryURLs produced - HTTP 404

[petermetz]

Description

When running the scan [1] on one of our containers [2] it finds CVE-2023-0163 and prints a link [3] that is broken.
The link is this: https://avd.aquasec.com/nvd/cve-2023-0163

[1] https://github.com/hyperledger/cacti/pull/1981
[2] https://github.com/hyperledger/cacti/actions/runs/5948364958/job/16132017903?pr=1981#step:5:42.
[3]

Desired Behavior

It doesn't print broken links. If it does print a link then that should work or no link should be printed.

Actual Behavior

It prints broken links.

Reproduction Steps

1. `git clone ...`
2. cd ./cacti
3. `DOCKER_BUILDKIT=1 docker build . -f ./packages/cactus-cmd-api-server/Dockerfile -t cactus-cmd-api-server`
4. `trivy image  --format table --exit-code  1 --ignore-unfixed --vuln-type  os,library --severity  CRITICAL,HIGH  cactus-cmd-api-server`
5. It prints the list of vulnerabilities found and then some of them have broken links.

Target

Container Image

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Debug Output

I'm short on time right now but if it can't be debugged without this I'll make the time just let me know.

Operating System

Ubuntu-22.04

Version

v0.11.2

Checklist

• Run trivy image --reset
• Read the troubleshooting

[simar7]

Thanks for reporting, I don't see any details on this CVE on NVD either as it seems to be a reserved CVE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0163

v0.11.2
I also noticed you're using quite an older version of Trivy, does this also happen with a newer version of Trivy?

[petermetz]

@simar7 Sorry for the slow response! We've upgraded away from those dependencies triggering that CVE to be in the reports so I can't easily reproduce it anymore. We've also upgraded trivy in the meantime. Long story short: I can no longer reproduce the issue, so I'm thinking this was just a bug in the old code and has been fixed in the meantime.