Trivy fails to detect CVE-2023-31419 for elasticsearch-7.10.2.jar #5576

Closed
2 tasks done
navzen2000 opened this issue Nov 14, 2023 · 1 comment

Comments

@navzen2000

Description

Trivy is unable to detect CVE-2023-31419 for elasticsearch-7.10.2.jar

Desired Behavior

Grype is able to report it; Trivy should also report it.

grype elasticsearch-7.10.2.jar
✔ Vulnerability DB [no update available]
✔ Indexed file system
✔ Cataloged packages [1 packages]
✔ Scanned for vulnerabilities [6 vulnerabilities]
├── 0 critical, 3 high, 3 medium, 0 low, 0 negligible
└── 0 fixed
NAME           INSTALLED  FIXED-IN  TYPE          VULNERABILITY   SEVERITY
elasticsearch  7.10.2               java-archive  CVE-2023-31419  High
elasticsearch  7.10.2               java-archive  CVE-2023-31418  High
elasticsearch  7.10.2               java-archive  CVE-2023-31417  High
elasticsearch  7.10.2               java-archive  CVE-2021-22145  Medium
elasticsearch  7.10.2               java-archive  CVE-2021-22144  Medium
elasticsearch  7.10.2               java-archive  CVE-2021-22134  Medium

Actual Behavior

trivy --scanners vuln fs elasticsearch-7.10.2.jar
2023-11-13T23:11:13.157-0800 INFO Vulnerability scanning is enabled
2023-11-13T23:11:13.159-0800 INFO Number of language-specific files: 0

Reproduction Steps

1. trivy --scanners vuln fs elasticsearch-7.10.2.jar
2023-11-13T23:08:07.330-0800    INFO    Vulnerability scanning is enabled
2023-11-13T23:08:07.331-0800    INFO    Number of language-specific files: 0


Target

Filesystem, Container

Scanner

Vulnerability

Output Format

None

Mode

None

Debug Output

trivy --scanners vuln fs elasticsearch-7.10.2.jar --debug
2023-11-13T23:09:48.702-0800    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-11-13T23:09:48.703-0800    DEBUG   Ignore statuses {"statuses": null}
2023-11-13T23:09:48.705-0800    DEBUG   cache dir:  /home/navegupt/.cache/trivy
2023-11-13T23:09:48.705-0800    DEBUG   DB update was skipped because the local DB is the latest
2023-11-13T23:09:48.705-0800    DEBUG   DB Schema: 2, UpdatedAt: 2023-11-14 06:11:22.596137326 +0000 UTC, NextUpdate: 2023-11-14 12:11:22.596136965 +0000 UTC, DownloadedAt: 2023-11-14 07:02:27.097608587 +0000 UTC
2023-11-13T23:09:48.705-0800    INFO    Vulnerability scanning is enabled
2023-11-13T23:09:48.705-0800    DEBUG   Vulnerability type:  [os library]
2023-11-13T23:09:48.705-0800    DEBUG   The nuget packages directory couldn't be found. License search disabled
2023-11-13T23:09:48.705-0800    DEBUG   Walk the file tree rooted at 'elasticsearch-7.10.2.jar' in parallel
2023-11-13T23:09:48.707-0800    DEBUG   OS is not detected.
2023-11-13T23:09:48.707-0800    DEBUG   Detected OS: unknown
2023-11-13T23:09:48.707-0800    INFO    Number of language-specific files: 0

Operating System

linux

Version

trivy --version
Version: 0.46.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-11-14 06:11:22.596137326 +0000 UTC
  NextUpdate: 2023-11-14 12:11:22.596136965 +0000 UTC
  DownloadedAt: 2023-11-14 07:02:27.097608587 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-11-14 00:47:12.884424656 +0000 UTC
  NextUpdate: 2023-11-17 00:47:12.884424406 +0000 UTC
  DownloadedAt: 2023-11-14 05:42:29.138768601 +0000 UTC

Checklist

Originally posted by @navzen2000 in #5573


@github-actions bot closed this as not planned (won't fix, can't repro, duplicate, stale) on Nov 14, 2023