Debian¶
Trivy supports the following scanners for OS packages.
Scanner | Supported |
---|---|
SBOM | ✓ |
Vulnerability | ✓ |
License | ✓ |
Please see here for supported versions.
The table below outlines the features offered by Trivy.
Feature | Supported |
---|---|
Unfixed vulnerabilities | ✓ |
Dependency graph | ✓ |
SBOM¶
Trivy detects packages that have been installed through package managers such as apt
and dpkg
.
While there are some exceptions, like Go binaries and JAR files, it's important to note that binaries that have been custom-built using make
or tools installed via curl
are generally not detected.
Vulnerability¶
Debian offers its own security advisories, and these are utilized when scanning Debian for vulnerabilities.
Data Source¶
See here.
Fixed Version¶
When looking at fixed versions, it's crucial to consider the patches supplied by Debian.
For example, for CVE-2023-3269, the fixed version for Debian 12 (bookworm) is listed as 6.1.37-1
in the Security Tracker.
This patch is provided in DSA-5448-1.
Note that this is different from the upstream fixed version, which is 6.5
.
Typically, only the upstream information gets listed on NVD, so it's important not to get confused.
Severity¶
Trivy calculates the severity of an issue based on the 'Urgency' metric found in the Security Tracker. If 'Urgency' isn't provided by Debian, the severity from the NVD is taken into account.
Using CVE-2019-15052 as an example, while it is rated as "Critical" in NVD, Debian has marked its "Urgency" as "Low". As a result, Trivy will display it as "Low".
Status¶
Trivy supports the following vulnerability statuses for Debian.
Status | Supported |
---|---|
Fixed | ✓ |
Affected | ✓ |
Under Investigation | |
Will Not Fix | |
Fix Deferred | ✓ |
End of Life | ✓ |
License¶
To identify the license of a package, Trivy checks the copyright file located at /usr/share/doc/*/copyright
.
However, this method has its limitations as the file isn't machine-readable, leading to situations where the license isn't detected.
In such scenarios, the --license-full
flag can be passed.
It compares the contents of known licenses with the copyright file to discern the license in question.
Please be aware that using this flag can increase memory usage, so it's disabled by default for efficiency.