Azure Linux (CBL-Mariner)
CBL-Mariner was rebranded to Azure Linux for version 3.0 onwards.
Trivy supports the following scanners for OS packages.
| Version | SBOM | Vulnerability | License | 
|---|---|---|---|
| 1.0 | ✔ | ✔ | ✔ | 
| 1.0 (Distroless) | ✔ | ✔ | |
| 2.0 | ✔ | ✔ | ✔ | 
| 2.0 (Distroless) | ✔ | ✔ | |
| 3.0 | ✔ | ✔ | ✔ | 
| 3.0 (Distroless) | ✔ | ✔ | |
The following table provides an outline of the targets Trivy supports.
| Version | Container image | Virtual machine | Arch | 
|---|---|---|---|
| 1.0 | ✔ | ✔ | amd64, arm64 | 
| 2.0 | ✔ | ✔ | amd64, arm64 | 
| 3.0 | ✔ | ✔ | amd64, arm64 | 
The table below outlines the features offered by Trivy.
| Feature | Supported | 
|---|---|
| Detect unfixed vulnerabilities | ✓ | 
| Dependency graph | ✓ | 
SBOM
Trivy detects packages that have been installed through package managers such as tdnf, dnf and yum.
Vulnerability
Azure Linux offers its own security advisories, and these are utilized when scanning Azure Linux for vulnerabilities.
Data Source
See here.
Fixed Version
Trivy takes fixed versions from Azure Linux OVAL.
Severity
Trivy calculates the severity of an issue based on the severity provided in Azure Linux OVAL.
Status
Trivy supports the following vulnerability statuses for Azure Linux.
| Status | Supported | 
|---|---|
| Fixed | ✓ | 
| Affected | ✓ | 
| Under Investigation | |
| Will Not Fix | |
| Fix Deferred | |
| End of Life | |
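
One way to act on the two supported statuses in a CI gate, as an added example that is not part of the Trivy documentation or Trivy's own code: it reads a Trivy JSON report, keeps only the OS-package results for this distribution, and splits findings into `fixed` (an upgrade exists) and `affected` (no fixed version yet). The report is constructed sample data, and `triage`, `OS_TYPES` and the `azurelinux` / `cbl-mariner` type strings are assumptions.

```python
import json

# Constructed sample shaped like `trivy image --format json` output.
# Package names, versions and CVE IDs are placeholders, not real advisories.
SAMPLE = json.dumps({"Results": [
    {"Target": "example (azurelinux 3.0)", "Class": "os-pkgs", "Type": "azurelinux",
     "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "pkg-a", "Severity": "HIGH",
         "InstalledVersion": "1.0-1.azl3", "FixedVersion": "1.0-2.azl3", "Status": "fixed"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "pkg-b", "Severity": "CRITICAL",
         "InstalledVersion": "2.1-4.azl3", "Status": "affected"},
        # Status omitted here: triage() infers it from FixedVersion.
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "pkg-c", "Severity": "MEDIUM",
         "InstalledVersion": "3.2-1.azl3", "FixedVersion": "3.2-2.azl3"},
     ]},
    {"Target": "app/requirements.txt", "Class": "lang-pkgs", "Type": "pip",
     "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0004", "PkgName": "lib-d", "Severity": "HIGH",
         "InstalledVersion": "0.1", "FixedVersion": "0.2", "Status": "fixed"}]},
]})

# Assumed values of the result "Type" field for this distro family.
OS_TYPES = {"azurelinux", "cbl-mariner"}

def triage(report_json, block_on=("HIGH", "CRITICAL")):
    """Bucket OS-package findings by status; return (buckets, blocking)."""
    buckets = {"fixed": [], "affected": [], "other": []}
    for result in json.loads(report_json).get("Results") or []:
        if result.get("Class") != "os-pkgs" or result.get("Type") not in OS_TYPES:
            continue  # skip language packages and other distros
        # "Vulnerabilities" can be absent or null when nothing was found.
        for v in result.get("Vulnerabilities") or []:
            status = v.get("Status") or ("fixed" if v.get("FixedVersion") else "affected")
            # Anything outside the two supported statuses is kept, not dropped.
            buckets[status if status in buckets else "other"].append(v)
    # Gate only on findings that a package upgrade can resolve today.
    blocking = [v for v in buckets["fixed"] if v.get("Severity") in block_on]
    return buckets, blocking

if __name__ == "__main__":
    buckets, blocking = triage(SAMPLE)
    for name, items in buckets.items():
        print(name, [v["VulnerabilityID"] for v in items])
    print("blocking:", [v["VulnerabilityID"] for v in blocking])
    raise SystemExit(1 if blocking else 0)
```

Findings in the `affected` bucket have no fixed version to upgrade to, so they are reported for tracking rather than used to fail the build.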
License
Trivy identifies licenses by examining the metadata of RPM packages.
Note
License detection is not supported for Azure Linux Distroless images.