Alpine Linux¶
Trivy supports the following scanners for OS packages.
| Scanner | Supported |
|---|---|
| SBOM | ✓ |
| Vulnerability | ✓ |
| License | ✓ |
Please see here for supported versions.
The table below outlines the features offered by Trivy.
| Feature | Supported |
|---|---|
| Unfixed vulnerabilities | - |
| Dependency graph | ✓ |
SBOM¶
Trivy detects packages that have been installed through apk.
Vulnerability¶
Alpine Linux offers its own security advisories, and these are utilized when scanning Alpine for vulnerabilities.
Data Source¶
See here.
Fixed Version¶
When looking at fixed versions, it's crucial to consider the patches supplied by Alpine.
For example, for CVE-2023-0464, the fixed version for Alpine Linux is listed as 3.1.0-r1 in the secfixes.
Note that this is different from the upstream fixed version, which is 3.1.1.
Typically, only the upstream information gets listed on NVD, so it's important not to get confused.
Severity¶
For Alpine vulnerabilities, the severity is determined using the values set by NVD.
Status¶
Trivy supports the following vulnerability statuses for Alpine.
| Status | Supported |
|---|---|
| Fixed | ✓ |
| Affected | ✓ |
| Under Investigation | |
| Will Not Fix | |
| Fix Deferred | |
| End of Life |
License¶
Trivy identifies licenses by examining the metadata of APK packages.