Scan Tomcat with Trivy #5548

mike-miller-ct · 2023-11-09T13:07:20Z

mike-miller-ct
Nov 9, 2023

Description

I have a custom made Tomcat Image which is using Alpine as a base OS.
When I run the scan with trivy, it finds only CVEs related to Alpine.
Is this possible at all, or I am missing something?

Desired Behavior

To get a list of CVEs for both installed Tomcat as well as for the Alpine OS.

Actual Behavior

I get only CVEs for the Alpine OS.

tomcat:cve (alpine 3.18.4)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)

Reproduction Steps

1. build the image
2. trivy image {image}:{tag}
3. get the following Output:
tomcat:cve (alpine 3.18.4)
==============================================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
...

Target

Container Image

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Debug Output

trivy image --debug tomcat:cve
2023-11-09T13:00:57.212Z        DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-11-09T13:00:57.213Z        DEBUG   Ignore statuses {"statuses": null}
2023-11-09T13:00:57.221Z        DEBUG   cache dir:  /home/test/.cache/trivy
2023-11-09T13:00:57.222Z        DEBUG   DB update was skipped because the local DB is the latest
2023-11-09T13:00:57.222Z        DEBUG   DB Schema: 2, UpdatedAt: 2023-11-09 12:12:02.088302206 +0000 UTC, NextUpdate: 2023-11-09 18:12:02.088301696 +0000 UTC, DownloadedAt: 2023-11-09 12:56:05.994005535 +0000 UTC
2023-11-09T13:00:57.222Z        INFO    Vulnerability scanning is enabled
2023-11-09T13:00:57.222Z        DEBUG   Vulnerability type:  [os library]
2023-11-09T13:00:57.222Z        INFO    Secret scanning is enabled
2023-11-09T13:00:57.222Z        INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-11-09T13:00:57.222Z        INFO    Please see also https://aquasecurity.github.io/trivy/v0.46/docs/scanner/secret/#recommendation for faster secret detection
2023-11-09T13:00:57.227Z        DEBUG   No secret config detected: trivy-secret.yaml
2023-11-09T13:00:57.227Z        DEBUG   The nuget packages directory couldn't be found. License search disabled
2023-11-09T13:00:57.227Z        DEBUG   No secret config detected: trivy-secret.yaml
2023-11-09T13:00:57.227Z        DEBUG   Saving the container image to a local file to obtain the image config...
2023-11-09T13:00:58.911Z        DEBUG   Image ID: sha256:4dd0968a4d79ed42abdc7545d20ae0f896356ff0a9287042ced2c83ef06db7a1
2023-11-09T13:00:58.913Z        DEBUG   Diff IDs: [sha256:cc2447e1835a40530975ab80bb1f872fbab0f2a0faecf2ab16fbbb89b3589438 sha256:5e4c94bb436b7822fa1a89919833601d2e7378a2613fd28a816bb42cadd5a9f8 sha256:53479b028d2a5e73c51be999196e751165051022f2d9f02e24aa88bbdecbcc82 sha256:19549e3335a4af3344d1f020ce2a9c965794dbaa0c0ed45b73ece18ba6eaaf08 sha256:25e41bfc266f2c1c876490272827cc834963a261ae824f7d5872bfb067eb7d41 sha256:746e692fb1bc6c9fbdd879eb6f47e2f8de8fe57d2f0ece16da0df204ff123f62 sha256:ed6e923e0dd43476c7f217d4e8e52b574b71991c59f44d12bbf0a8ff56ca08a7 sha256:30b9700dda264a39fb2088c4ed2b725a0cafbdf05f7c60e2aad194941b793b16 sha256:cbf738170a9f2deda4009757409d96bc7a4eb299c5ebb2f2566e2c681818bac5 sha256:5ecbf8c88b519a4c6f414696234c747bdd95db7ddc1bc0a6ef6bc0e8e21b62d3]
2023-11-09T13:00:58.913Z        DEBUG   Base Layers: [sha256:cc2447e1835a40530975ab80bb1f872fbab0f2a0faecf2ab16fbbb89b3589438]
2023-11-09T13:00:58.935Z        DEBUG   Missing image ID in cache: sha256:4dd0968a4d79ed42abdc7545d20ae0f896356ff0a9287042ced2c83ef06db7a1
2023-11-09T13:00:58.935Z        DEBUG   Missing diff ID in cache: sha256:746e692fb1bc6c9fbdd879eb6f47e2f8de8fe57d2f0ece16da0df204ff123f62
2023-11-09T13:00:58.935Z        DEBUG   Missing diff ID in cache: sha256:53479b028d2a5e73c51be999196e751165051022f2d9f02e24aa88bbdecbcc82
2023-11-09T13:00:58.936Z        DEBUG   Missing diff ID in cache: sha256:19549e3335a4af3344d1f020ce2a9c965794dbaa0c0ed45b73ece18ba6eaaf08
2023-11-09T13:00:58.940Z        DEBUG   Missing diff ID in cache: sha256:25e41bfc266f2c1c876490272827cc834963a261ae824f7d5872bfb067eb7d41
2023-11-09T13:00:58.947Z        DEBUG   Missing diff ID in cache: sha256:ed6e923e0dd43476c7f217d4e8e52b574b71991c59f44d12bbf0a8ff56ca08a7
2023-11-09T13:00:58.953Z        DEBUG   Missing diff ID in cache: sha256:5e4c94bb436b7822fa1a89919833601d2e7378a2613fd28a816bb42cadd5a9f8
2023-11-09T13:00:59.012Z        DEBUG   Missing diff ID in cache: sha256:30b9700dda264a39fb2088c4ed2b725a0cafbdf05f7c60e2aad194941b793b16
2023-11-09T13:00:59.023Z        DEBUG   Missing diff ID in cache: sha256:cbf738170a9f2deda4009757409d96bc7a4eb299c5ebb2f2566e2c681818bac5
2023-11-09T13:00:59.101Z        DEBUG   Missing diff ID in cache: sha256:5ecbf8c88b519a4c6f414696234c747bdd95db7ddc1bc0a6ef6bc0e8e21b62d3
2023-11-09T13:01:00.703Z        DEBUG   Parsing Java artifacts...       {"file": "usr/local/tomcat/bin/bootstrap.jar"}
2023-11-09T13:01:00.703Z        DEBUG   Parsing Java artifacts...       {"file": "usr/local/tomcat/lib/catalina.jar"}
2023-11-09T13:01:00.704Z        DEBUG   No such POM in the central repositories {"file": "bootstrap.jar"}
2023-11-09T13:01:00.704Z        DEBUG   Parsing Java artifacts...       {"file": "usr/local/tomcat/lib/ecj-4.20.jar"}
2023-11-09T13:01:00.703Z        DEBUG   Parsing Java artifacts...       {"file": "usr/local/tomcat/bin/commons-daemon.jar"}
2023-11-09T13:01:00.708Z        DEBUG   No such POM in the central repositories {"file": "commons-daemon.jar"}
2023-11-09T13:01:00.703Z        DEBUG   Parsing Java artifacts...       {"file": "usr/local/tomcat/bin/tomcat-juli.jar"}
2023-11-09T13:01:00.703Z        DEBUG   Parsing Java artifacts...       {"file": "usr/local/tomcat/lib/annotations-api.jar"}
2023-11-09T13:01:00.703Z        DEBUG   Parsing Java artifacts...       {"file": "usr/local/tomcat/lib/catalina-ant.jar"}
2023-11-09T13:01:00.703Z        DEBUG   Parsing Java artifacts...       {"file": "usr/local/tomcat/lib/catalina-ha.jar"}
2023-11-09T13:01:00.703Z        DEBUG   Parsing Java artifacts...       {"file": "usr/local/tomcat/lib/catalina-ssi.jar"}
2023-11-09T13:01:00.703Z        DEBUG   Parsing Java artifacts...       {"file": "usr/local/tomcat/lib/catalina-storeconfig.jar"}
2023-11-09T13:01:00.703Z        DEBUG   Parsing Java artifacts...       {"file": "usr/local/tomcat/lib/catalina-tribes.jar"}
2023-11-09T13:01:00.712Z        DEBUG   Parsing Java artifacts...       {"file": "usr/local/tomcat/lib/tomcat-dbcp.jar"}
2023-11-09T13:01:00.712Z        DEBUG   No such POM in the central repositories {"file": "ecj-4.20.jar"}
2023-11-09T13:01:00.713Z        DEBUG   Parsing Java artifacts...       {"file": "usr/local/tomcat/lib/tomcat-i18n-cs.jar"}
2023-11-09T13:01:00.714Z        DEBUG   Parsing Java artifacts...       {"file": "usr/local/tomcat/lib/tomcat-i18n-de.jar"}
2023-11-09T13:01:00.714Z        DEBUG   POM was determined in a heuristic way   {"file": "ecj-4.20.jar", "artifact": "edu.gmu.cs:ecj:4.20"}
2023-11-09T13:01:00.714Z        DEBUG   Parsing Java artifacts...       {"file": "usr/local/tomcat/lib/tomcat-i18n-es.jar"}
2023-11-09T13:01:00.713Z        DEBUG   Parsing Java artifacts...       {"file": "usr/local/tomcat/lib/jasper-el.jar"}
2023-11-09T13:01:00.713Z        DEBUG   Parsing Java artifacts...       {"file": "usr/local/tomcat/lib/jasper.jar"}
2023-11-09T13:01:00.716Z        DEBUG   Parsing Java artifacts...       {"file": "usr/local/tomcat/lib/tomcat-i18n-ko.jar"}
2023-11-09T13:01:00.713Z        DEBUG   Parsing Java artifacts...       {"file": "usr/local/tomcat/lib/jaspic-api.jar"}
2023-11-09T13:01:00.716Z        DEBUG   Parsing Java artifacts...       {"file": "usr/local/tomcat/lib/tomcat-i18n-pt-BR.jar"}
2023-11-09T13:01:00.713Z        DEBUG   Parsing Java artifacts...       {"file": "usr/local/tomcat/lib/jsp-api.jar"}
2023-11-09T13:01:00.713Z        DEBUG   Parsing Java artifacts...       {"file": "usr/local/tomcat/lib/servlet-api.jar"}
2023-11-09T13:01:00.713Z        DEBUG   Parsing Java artifacts...       {"file": "usr/local/tomcat/lib/tomcat-api.jar"}
2023-11-09T13:01:00.713Z        DEBUG   Parsing Java artifacts...       {"file": "usr/local/tomcat/lib/tomcat-coyote.jar"}
2023-11-09T13:01:00.713Z        DEBUG   Parsing Java artifacts...       {"file": "usr/local/tomcat/lib/el-api.jar"}
2023-11-09T13:01:00.715Z        DEBUG   Parsing Java artifacts...       {"file": "usr/local/tomcat/lib/tomcat-i18n-fr.jar"}
2023-11-09T13:01:00.715Z        DEBUG   Parsing Java artifacts...       {"file": "usr/local/tomcat/lib/tomcat-i18n-ja.jar"}
2023-11-09T13:01:00.717Z        DEBUG   Parsing Java artifacts...       {"file": "usr/local/tomcat/lib/tomcat-i18n-zh-CN.jar"}
2023-11-09T13:01:00.717Z        DEBUG   Parsing Java artifacts...       {"file": "usr/local/tomcat/lib/tomcat-i18n-ru.jar"}
2023-11-09T13:01:00.718Z        DEBUG   Parsing Java artifacts...       {"file": "usr/local/tomcat/lib/tomcat-jdbc.jar"}
2023-11-09T13:01:00.719Z        DEBUG   Parsing Java artifacts...       {"file": "usr/local/tomcat/lib/tomcat-util-scan.jar"}
2023-11-09T13:01:00.719Z        DEBUG   Parsing Java artifacts...       {"file": "usr/local/tomcat/lib/tomcat-util.jar"}
2023-11-09T13:01:00.721Z        DEBUG   Parsing Java artifacts...       {"file": "usr/local/tomcat/lib/websocket-api.jar"}
2023-11-09T13:01:00.721Z        DEBUG   Parsing Java artifacts...       {"file": "usr/local/tomcat/webapps/docs/appdev/sample/sample.war"}
2023-11-09T13:01:00.721Z        DEBUG   No such POM in the central repositories {"file": "sample.war"}
2023-11-09T13:01:00.721Z        DEBUG   Parsing Java artifacts...       {"file": "usr/local/tomcat/lib/tomcat-websocket.jar"}
2023-11-09T13:01:00.722Z        DEBUG   Parsing Java artifacts...       {"file": "usr/local/tomcat/webapps/examples/WEB-INF/lib/taglibs-standard-impl-1.2.5.jar"}
2023-11-09T13:01:00.722Z        DEBUG   Parsing Java artifacts...       {"file": "usr/local/tomcat/webapps/examples/WEB-INF/lib/taglibs-standard-spec-1.2.5.jar"}
2023-11-09T13:01:00.718Z        DEBUG   Parsing Java artifacts...       {"file": "usr/local/tomcat/lib/tomcat-jni.jar"}
2023-11-09T13:01:00.736Z        DEBUG   No secrets found in container image config
2023-11-09T13:01:00.742Z        INFO    Detected OS: alpine
2023-11-09T13:01:00.742Z        INFO    Detecting Alpine vulnerabilities...
2023-11-09T13:01:00.742Z        DEBUG   alpine: os version: 3.18
2023-11-09T13:01:00.742Z        DEBUG   alpine: package repository: 3.18
2023-11-09T13:01:00.742Z        DEBUG   alpine: the number of packages: 51
2023-11-09T13:01:00.753Z        INFO    Number of language-specific files: 1
2023-11-09T13:01:00.756Z        INFO    Detecting jar vulnerabilities...
2023-11-09T13:01:00.757Z        DEBUG   Detecting library vulnerabilities, type: jar, path: 

tomcat:cve (alpine 3.18.4)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)

┌────────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────┐
│  Library   │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │                         Title                          │
├────────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ libcrypto3 │ CVE-2023-5363 │ MEDIUM   │ fixed  │ 3.1.3-r0          │ 3.1.4-r0      │ openssl: Incorrect cipher key and IV length processing │
│            │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-5363              │
├────────────┤               │          │        │                   │               │                                                        │
│ libssl3    │               │          │        │                   │               │                                                        │
│            │               │          │        │                   │               │                                                        │
└────────────┴───────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────┘

Operating System

Ubuntu 20.04.5 LTS (Focal Fossa)

Version

$ trivy --version 
Version: 0.46.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-11-09 12:12:02.088302206 +0000 UTC
  NextUpdate: 2023-11-09 18:12:02.088301696 +0000 UTC
  DownloadedAt: 2023-11-09 12:56:05.994005535 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-11-09 00:45:57.654089553 +0000 UTC
  NextUpdate: 2023-11-12 00:45:57.654089383 +0000 UTC
  DownloadedAt: 2023-11-09 10:01:01.930361625 +0000 UTC
Policy Bundle:
  Digest: sha256:acf1cb62a4ade75773ec3d265cc4d90160d285bbacaa7b6947a34830c1e45c5c
  DownloadedAt: 2023-07-31 12:09:17.588185483 +0000 UTC

Checklist

Run trivy image --reset
Read the troubleshooting

knqyf263 · 2023-11-10T02:33:07Z

knqyf263
Nov 10, 2023
Maintainer

It depends on how Tomcat is installed in the image, but I suppose it is not supported.

0 replies

mike-miller-ct · 2024-11-15T10:15:28Z

mike-miller-ct
Nov 15, 2024
Author

I was able to solve my "problem" by using SBOM.
So what I did is the following:

Generate the SBOM for the custom build Tomcat image.
Scan the generated SBOM

These are the commands I have used:
trivy image --format cyclonedx --output {nameOfTheSBOMFile}.sbom.cdx {image}
trivy sbom {nameOfTheSBOMFile}.sbom.cdx

I also used this Doku for reference: https://aquasecurity.github.io/trivy/v0.47/docs/supply-chain/vex/

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Scan Tomcat with Trivy #5548

{{title}}

Replies: 2 comments

{{title}}

{{title}}

Select a reply

Scan Tomcat with Trivy #5548

mike-miller-ct Nov 9, 2023

Description

Desired Behavior

Actual Behavior

Reproduction Steps

Target

Scanner

Output Format

Mode

Debug Output

Operating System

Version

Checklist

Replies: 2 comments

knqyf263 Nov 10, 2023 Maintainer

mike-miller-ct Nov 15, 2024 Author

mike-miller-ct
Nov 9, 2023

knqyf263
Nov 10, 2023
Maintainer

mike-miller-ct
Nov 15, 2024
Author