This OS version is not on the EOL list

[pealtrufo]

Hi,

I am scanning image 'openjdk:9-b130-jdk' but I get below output:

Is this the expected behaviour? I am not sure I understand... If it is a no longer supported OS version, shouldn't trivy fail rather than report no vulnerabilities?

I am using trivy version 0.9.2

Thanks

[simar7]

hi @pealtrufo – looks like this image openjdk:9-b130-jdk is based on debian:sid which is an unstable version of debian https://wiki.debian.org/DebianUnstable. AFAIK there are no security advisories published for an unstable release https://www.debian.org/security/faq#unstable so Trivy is unable to determine if vulnerabilities exist or not.

Currently this is working as expected. If we don't have information about the image we don't fail out the scan. @knqyf263 may have more thoughts on this.

[knqyf263]

For example, Debian 7 has reached EOL and security patches will not be released anymore.
https://wiki.debian.org/DebianReleases

In this case, Trivy can detect vulnerabilities disclosed before EOL because there are security advisories. Even if it is no longer supported, I think we should detect vulnerabilities as much as possible. But they are not all vulnerabilities for the reason above. Therefore, Trivy displays the warning.

[acobaugh]

In my case, I'm building an image based on rocker/r-base:latest, which is based on debian:testing. I get the exact same warnings about the image not being EOL'd, but in this case the message about the OS "no longer supported by the distribution" is maybe just a bit misleading. Testing is supposed to be pretty new, but apparently there are no security advisories published for testing, so technically it was "not supported" or "never supported". The message led me to assume r-base wasn't being updated anymore.

[byteborg]

I also stumbled on this strange message when scanning an image based on Debian stable, but with selected packages from bullseye added.

2021-01-07T15:20:53.105+0100	DEBUG	debian: os version: bullseye/sid
...
2021-01-07T15:20:53.105+0100	WARN	This OS version is no longer supported by the distribution: debian bullseye/sid

A look at trivy's os detection reveals that the detection is implemented in fanal which parses /etc/debian_version to a version string.
https://github.com/aquasecurity/fanal/blob/3f85e04a8048aa6fbeabecee38af81ed7a9fd449/analyzer/os/debian/debian.go#L29

Trivy's os detector evaluates the returned flags to instantiate the corresponding scanner.

trivy/pkg/detector/ospkg/detect.go

Line 72 in 5b27862

case fos.Debian:

And here might be the problem:
osVer is „bullseye/sid“, but the EOL comparison is agains a map of „X.Y“ version numbers.

trivy/pkg/detector/ospkg/debian/debian.go

Line 21 in 5b27862

eolDates = map[string]time.Time{

trivy/pkg/detector/ospkg/debian/debian.go

Line 133 in 5b27862

eol, ok := eolDates[osVer]

So the returned message might be bogus.

Disclaimer: I'm not fluent in Go. Could somebody please verify my assumptions?

[github-actions[bot]]

This issue is stale because it has been labeled with inactivity.