Trivy scans itself when scanning target image when running inside docker

[AlexeyTsvetkov]

Description

When I use Trivy for scanning a docker image it also reports its own vulnerabilities, which is unexpected.

Desired Behavior

Trivy does not scan itself

Actual Behavior

Trivy scans itself

Reproduction Steps

Run the following script:

#!/bin/bash

LOCAL_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
TRIVY_IMAGE=aquasec/trivy:0.51.1
TARGET_IMAGE=amazonlinux

function download_image_if_needed() {
  TARGET_IMAGE=$1

  if [[ "$(docker images -q $TARGET_IMAGE 2> /dev/null)" == "" ]]; then
    echo "Downloading '$TARGET_IMAGE' image"
    docker pull $TARGET_IMAGE
  fi
}

echo "Target docker image: $TARGET_IMAGE"
download_image_if_needed "$TARGET_IMAGE"
download_image_if_needed "$TRIVY_IMAGE"

LOCAL_CACHE="$LOCAL_DIR/cache"
mkdir -p "$LOCAL_CACHE"

LOCAL_TMP="$LOCAL_DIR/tmp"
mkdir -p "$LOCAL_TMP"

IMAGE_ID=$(docker images -q "$TARGET_IMAGE")
IMAGE_ARCHIVE="$LOCAL_TMP/$IMAGE_ID.tar"
if [ ! -f "$IMAGE_ARCHIVE" ]; then
    echo "Exporting $IMAGE_ID as $IMAGE_ARCHIVE archive"
    docker image save "$IMAGE_ID" -o "$IMAGE_ARCHIVE"
fi
DOCKER_IMAGE_ARCHIVE="/$(basename "$IMAGE_ARCHIVE")"

docker run \
      -v "$LOCAL_CACHE":/root/.cache/trivy \
      -v "$IMAGE_ARCHIVE":"$DOCKER_IMAGE_ARCHIVE" \
      "$TRIVY_IMAGE" \
      image --input "$DOCKER_IMAGE_ARCHIVE" \
      --scanners vuln \
      --severity MEDIUM,HIGH,CRITICAL

/310112cfddd5.tar (alpine 3.19.1)
=================================
Total: 0 (MEDIUM: 0, HIGH: 0, CRITICAL: 0)


usr/local/bin/trivy (gobinary)
==============================
Total: 2 (MEDIUM: 1, HIGH: 1, CRITICAL: 0)

┌─────────────────┬────────────────┬──────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│     Library     │ Vulnerability  │ Severity │  Status  │ Installed Version │ Fixed Version │                           Title                            │
├─────────────────┼────────────────┼──────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ helm.sh/helm/v3 │ CVE-2019-25210 │ MEDIUM   │ affected │ v3.14.2           │               │ helm: shows secrets with --dry-run option in clear text    │
│                 │                │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-25210                 │
├─────────────────┼────────────────┼──────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ stdlib          │ CVE-2024-24788 │ HIGH     │ fixed    │ 1.22.2            │ 1.22.3        │ golang: net: malformed DNS message can cause infinite loop │
│                 │                │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2024-24788                 │
└─────────────────┴────────────────┴──────────┴──────────┴───────────────────┴───────────────┴─

### Target

Container Image

### Scanner

Vulnerability

### Output Format

Table

### Mode

Standalone

### Debug Output

```bash
2024-05-15T10:08:03Z    DEBUG   Parsed severities       severities=[MEDIUM HIGH CRITICAL]
2024-05-15T10:08:03Z    DEBUG   Ignore statuses statuses=[]
2024-05-15T10:08:03Z    DEBUG   Cache dir       dir="/root/.cache/trivy"
2024-05-15T10:08:03Z    DEBUG   DB update was skipped because the local DB is the latest
2024-05-15T10:08:03Z    DEBUG   DB info schema=2 updated_at=2024-05-15T06:11:26.28841171Z next_update=2024-05-15T12:11:26.28841142Z downloaded_at=2024-05-15T09:59:45.085427877Z
2024-05-15T10:08:03Z    INFO    Vulnerability scanning is enabled
2024-05-15T10:08:03Z    DEBUG   Vulnerability type      type=[os library]
2024-05-15T10:08:03Z    DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-05-15T10:08:03Z    DEBUG   [nuget] The nuget packages directory couldn't be found. License search disabled
2024-05-15T10:08:03Z    DEBUG   [image] Detected image ID       image_id="sha256:310112cfddd5231a34ad4fa64277f9d5a7f09cbd2508f58749eec6a1f6f82929"
2024-05-15T10:08:03Z    DEBUG   [image] Detected diff ID        diff_ids=[sha256:b09314aec293bcd9a8ee5e643539437b3846f9e5e55f79e282e5f67e3026de5e sha256:e7b5aaf336e20e6c564b3bd9d7f69d21cdcb5db17c60c38f97e1f5428325ad79 sha256:5201f20d2237a7f67023c5b06d0141891d48351247659cdb7011202806e44304 sha256:02184516874d13757f79bed1c145c22d857e18a08128e334eb36751afa719f03]
2024-05-15T10:08:03Z    DEBUG   [image] Detected base layers    diff_ids=[sha256:b09314aec293bcd9a8ee5e643539437b3846f9e5e55f79e282e5f67e3026de5e]
2024-05-15T10:08:03Z    INFO    Detected OS     family="alpine" version="3.19.1"
2024-05-15T10:08:03Z    INFO    [alpine] Detecting vulnerabilities...   os_version="3.19" repository="3.19" pkg_num=25
2024-05-15T10:08:03Z    INFO    Number of language-specific files       num=1
2024-05-15T10:08:03Z    INFO    [gobinary] Detecting vulnerabilities...
2024-05-15T10:08:03Z    DEBUG   [gobinary] Scanning packages from the file      file_path="usr/local/bin/trivy"
2024-05-15T10:08:03Z    DEBUG   [gobinary] Skipping vulnerability scan as no version is detected for the package        name="github.com/aquasecurity/trivy"

### Operating System

macOS Big Sur

### Version

```bash
Target docker image: amazonlinux
Version: 0.51.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-05-15 06:11:26.28841171 +0000 UTC
  NextUpdate: 2024-05-15 12:11:26.28841142 +0000 UTC
  DownloadedAt: 2024-05-15 09:59:45.085427877 +0000 UTC

### Checklist

- [ ] Run `trivy image --reset`
- [ ] Read [the troubleshooting](https://aquasecurity.github.io/trivy/latest/docs/references/troubleshooting/)

[knqyf263]

Your $TARGET_IMAGE is overwritten here and your script is exporting aquasec/trivy:0.51.1.

function download_image_if_needed() {
  TARGET_IMAGE=$1

You can check it.

$ docker images -q aquasec/trivy:0.51.1
448532d89d14

[AlexeyTsvetkov]

@knqyf263 I'm an idiot, sorry!

[knqyf263]

No worries👌