trivy/0.64.1-r2: cve remediation #61154
Merged
Chainguard Internal / elastic-build (eco-2-28)
succeeded
Jul 30, 2025 in 6m 52s
APKs built successfully
Build ID: 4f928efd-7f8e-4590-9275-9e27ba4e172c
Details
x86_64 Logs
-4.4.0.dist-info/LICENSE.txt: BeOpen not found
NOTE! pkg/fanal/analyzer/language/python/packaging/testdata/license-file-dist/typing_extensions-4.4.0.dist-info/LICENSE.txt: BeOpen might be a restrictive license, please proceed with caution
pkg/fanal/analyzer/language/python/packaging/testdata/license-file-dist/typing_extensions-4.4.0.dist-info/LICENSE.txt: CNRI-Python-GPL-Compatible not found
NOTE! pkg/fanal/analyzer/language/python/packaging/testdata/license-file-dist/typing_extensions-4.4.0.dist-info/LICENSE.txt: CNRI-Python-GPL-Compatible might be a restrictive license, please proceed with caution
pkg/fanal/analyzer/language/python/packaging/testdata/license-file-dist/typing_extensions-4.4.0.dist-info/LICENSE.txt: Python-2.0 not found
pkg/fanal/analyzer/pkg/dpkg/testdata/license-pattern-and-classifier-copyright: Zlib not found
pkg/licensing/testdata/LICENSE_creativecommons: Commons-Clause not found
NOTE! pkg/licensing/testdata/LICENSE_creativecommons: Commons-Clause might be a restrictive license, please proceed with caution
detected license differences, please check the configuration
following license files could not be confidently assessed:
docs/docs/scanner/license.md: NOASSERTION (0.000000) (unknown)
pkg/fanal/analyzer/language/python/packaging/testdata/license-file-dist/typing_extensions-4.4.0.dist-info/LICENSE.txt: LicenseRef-MIT-Lucent (0.860927) (unknown)
integration/testdata/fixtures/sbom/license-cyclonedx.json: NOASSERTION (0.000000) (unknown)
pkg/fanal/analyzer/language/java/gradle/testdata/poms/without-licenses-and-deps.pom: NOASSERTION (0.000000) (unknown)
pkg/fanal/analyzer/pkg/dpkg/testdata/common-license-copyright: NOASSERTION (0.000000) (unknown)
pkg/fanal/analyzer/pkg/dpkg/testdata/no-license-copyright: NOASSERTION (0.000000) (unknown)
could not identify some licenses, please check the configuration
license information check complete
invalid license: NOASSERTION
writing SBOM for trivy
generating package trivy-0.64.1-r3
scanning for ld.so.conf.d files...
gathering list of vendored shlibs...
scanning for shared object dependencies...
interpreter for trivy => /lib64/ld-linux-x86-64.so.2
found lib libpthread.so.0 for usr/bin/trivy
found lib libdl.so.2 for usr/bin/trivy
found lib libc.so.6 for usr/bin/trivy
scanning for commands...
found command usr/bin/trivy
scanning for -doc package...
scanning for pkg-config data...
scanning for python modules...
scanning for ruby gems...
scanning for shbang deps...
runtime:
so:ld-linux-x86-64.so.2
so:libc.so.6
so:libdl.so.2
so:libpthread.so.0
provides:
cmd:trivy=0.64.1-r3
installed-size: 282889196
data.tar.gz digest: b6029ec3a21c7561c127384a039488fddd6f2d6709ffee39d9289c763f7ebe5e
wrote packages/x86_64/trivy-0.64.1-r3.apk
cleaning Workspace by removing 41 file/directories in /home/build
generating apk index from packages in packages/x86_64
processing package packages/x86_64/trivy-0.64.1-r3.apk
updating index at packages/x86_64/APKINDEX.tar.gz with new packages: [trivy-0.64.1-r3]
command "melange" completed successfully
build completed successfully
uploading packages...
running command tar [-C packages -cf packages.tar .]
command "tar" completed successfully
running command curl [-s --upload-file packages.tar -H Content-Type: application/octet-stream https://storage.googleapis.com/prod-bundle-staging/eco-2-28/x86_64/1753907661299396170-trivy-0.64.1-r3.tar.gz?Expires=1753950861&GoogleAccessId=ebuild-456o8jve9m82pzkyd0rxyya%40prod-enforce-fabc.iam.gserviceaccount.com&Signature=LwdPBDWZwq8H7vNsk6SvOqtSAupKAhlY0DECjESBA2zRf6Yo8Pxpb1%2BMu1AS4Lc1X35AHuiATqzJmo6nr%2FYWPxa8Krd4kjag1wWKxq6axoUk92gtdqD12WOoVwFwJ3PUZJpbT%2FukUbwB%2B8Hf1GIO5TbAX8Xy5TEx3JWXJevk8kfbQMW83L0kilKE9Mzyo4GJaqaIkdRTP1AT9jViAL7VEWZZNmVttzQM%2FkwFDSGMw8v92Bnscy%2FmXP%2BkHDUViF%2FkQO%2Bna4x93gEsaLaXHep6J49uZXcPX264lR%2BkgKujk0NfxTVrwU039BrVwfLoZLzOeP1hhJfm%2BwbCq5GKB51cRw%3D%3D]
command "curl" completed successfully
upload completed successfully
packages.tar sha256sum: 65663630616131633136393363346533333861656163336437373866353536353130303931366334616565633335663731373338353338343734303533383639
sha256sum "ef60aa1c1693c4e338aeac3d778f5565100916c4aeec35f71738538474053869" written to /dev/termination-log
build completed successfully
parsed env
configuring puller identity "e2fa069c57acc83f3f2748a8bed50e44dff064dc/dcb8fb2f15475910"...
running command chainctl [auth login --audience apk.cgr.dev --identity e2fa069c57acc83f3f2748a8bed50e44dff064dc/dcb8fb2f15475910]
Successfully exchanged token.
Valid! Id: e2fa069c57acc83f3f2748a8bed50e44dff064dc/dcb8fb2f15475910
command "chainctl" completed successfully
puller identity configured successfully
puller identity configured successfully
running tests...
running command /usr/bin/dind [dockerd] in background
command "/usr/bin/dind" started successfully
running command bash [-c
# Retry up to 60 seconds to wait for docker to start.
worked=false
for i in $(seq 60); do
if docker info >/dev/null 2>&1; then
worked=true
break
fi
echo "docker healthcheck failed, docker is not ready, retrying... ($i/60 seconds so far)..."
sleep 1
done
if [ "$worked" = "false" ]; then
echo "Failed to start docker after 60 seconds"
exit 1
fi
]
command "bash" completed successfully
running command melange [test trivy.yaml --gcplog --source-dir trivy --test-package-append wolfi-base --arch=x86_64 --env-file=build-x86_64.env --pipeline-dirs=pipelines --runner=docker --repository-append=https://apk.cgr.dev/chainguard --repository-append=https://apk.cgr.dev/chainguard-private --repository-append=https://apk.cgr.dev/chainguard-2.28 --repository-append=https://apk.cgr.dev/chainguard-2.28-presubmit/48f00a1adbf3526e21f89e9306e69dc559e1b7ac --test-package-append=ct-manylinux-2.28 --test-package-append=gcc-14-default --repository-append=https://apk.cgr.dev/chainguard-2.28-presubmit/48f00a1adbf3526e21f89e9306e69dc559e1b7ac]
image configuration:
contents:
build repositories: []
runtime repositories: []
keyring: []
packages: [jq trivy]
accounts:
runas:
users:
- uid=1000(build) gid=1000
groups:
- gid=1000(build) members=[build]
installing wolfi-baselayout (20230201-r23)
installing ca-certificates-bundle (20250619-r4)
installing glibc-locale-posix (2.41-r56)
installing glibc (2.41-r56)
installing ld-linux (2.41-r56)
installing libgcc (15.1.0-r3)
installing ct-manylinux-2.28 (1.27.0-r1)
installing libstdc++ (15.1.0-r3)
installing gmp (6.3.0-r8)
installing mpfr (4.2.2-r2)
installing mpc (1.3.1-r7)
installing posix-cc-wrappers (1-r7)
installing libstdc++-14 (14.3.0-r4)
installing libstdc++-14-dev (14.3.0-r4)
installing zlib (1.3.1-r51)
installing isl (0.27-r4)
installing libzstd1 (1.5.7-r3)
installing libquadmath (15.1.0-r3)
installing binutils (2.45-r0)
installing openssf-compiler-options (20240627-r26)
installing libxcrypt (4.4.38-r3)
installing libxcrypt-dev (4.4.38-r3)
installing nss-db (2.41-r56)
installing nss-hesiod (2.41-r56)
installing linux-headers (6.16-r0)
installing glibc-dev (2.41-r56)
installing gcc-14 (14.3.0-r4)
installing libgfortran-14 (14.3.0-r4)
installing gfortran-14 (14.3.0-r4)
installing libgfortran (15.1.0-r3)
installing gcc-14-default (14.3.0-r4)
installing oniguruma (6.9.10-r1)
installing jq (1.8.1-r1)
installing trivy (0.64.1-r3)
installing wolfi-keys (1-r12)
installing libcrypto3 (3.5.1-r1)
installing libssl3 (3.5.1-r1)
installing apk-tools (2.14.10-r6)
installing libcrypt1 (2.41-r56)
installing busybox (1.37.0-r47)
installing wolfi-base (1-r7)
layer digest: sha256:5799a4fb4dd97f63b5f4096635824952e2ffb83232b404e03a79402788f10a10
layer diffID: sha256:5890f885a95aef540bf171f626834620a9ec79deeeca671af95cb22a77ba9db1
saving OCI image locally: apko.local/cache:bb8482bb8bf4df4e66cb3676c119f6f099ef4fecd5fa5a42962cdcdf89a8ad5d
populating workspace /tmp/melange-workspace-2770487437 from trivy
running the main test pipeline
running step "Check trivy version"
Version: 0.64.1
Version: 0.64.1
Version: 0.64.1
Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues and hard-coded secrets
Usage:
trivy [global flags] command [flags] target
trivy [command]
Examples:
# Scan a container image
$ trivy image python:3.4-alpine
# Scan a container image from a tar archive
$ trivy image --input ruby-3.1.tar
# Scan local filesystem
$ trivy fs .
# Run in server mode
$ trivy server
Scanning Commands
config Scan config files for misconfigurations
filesystem Scan local filesystem
image Scan a container image
kubernetes [EXPERIMENTAL] Scan kubernetes cluster
repository Scan a repository
rootfs Scan rootfs
sbom Scan SBOM for vulnerabilities and licenses
vm [EXPERIMENTAL] Scan a virtual machine image
Management Commands
module Manage modules
plugin Manage plugins
vex [EXPERIMENTAL] VEX utilities
Utility Commands
clean Remove cached files
completion Generate the autocompletion script for the specified shell
convert Convert Trivy JSON report into a different format
help Help about any command
registry Manage registry authentication
server Server mode
version Print the version
Flags:
--cache-dir string cache directory (default "/home/build/.cache/trivy")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
-f, --format string version format (json)
--generate-default-config write the default config to trivy-default.yaml
-h, --help help for trivy
--insecure allow insecure server connections
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
Use "trivy [command] --help" for more information about a command.
running step "Check trivy version as JSON"
{
"Version": "0.64.1"
}
pod 66b2d33955a197e795b1b93dcee3d9d65da2b83c5d1c8118cc2df656ed482bdd terminated
command "melange" completed successfully
tests completed successfully
aarch64 Logs
SE: MIT (1.000000) (notice)
pkg/fanal/analyzer/language/golang/mod/testdata/vendor-dir-exists/vendor/github.com/aquasecurity/go-dep-parser/LICENSE: Apache-2.0 (1.000000) (notice)
pkg/iac/scanners/helm/test/testdata/with-tarred-dep/LICENSE: Apache-2.0 (1.000000) (notice)
pkg/fanal/analyzer/language/golang/mod/testdata/pkg/mod/github.com/!burnt!sushi/[email protected]/COPYING: MIT (1.000000) (notice)
docs/docs/scanner/license.md: NOASSERTION (0.000000 low-confidence) (unknown)
pkg/fanal/analyzer/language/python/packaging/testdata/license-file-dist/typing_extensions-4.4.0.dist-info/LICENSE.txt: BeOpen (1.000000) (unknown)
pkg/fanal/analyzer/language/python/packaging/testdata/license-file-dist/typing_extensions-4.4.0.dist-info/LICENSE.txt: CNRI-Python-GPL-Compatible (1.000000) (unknown)
pkg/fanal/analyzer/language/python/packaging/testdata/license-file-dist/typing_extensions-4.4.0.dist-info/LICENSE.txt: Python-2.0 (0.955432) (notice)
pkg/fanal/analyzer/language/python/packaging/testdata/license-file-dist/typing_extensions-4.4.0.dist-info/LICENSE.txt: LicenseRef-MIT-Lucent (0.860927 low-confidence) (unknown)
integration/testdata/fixtures/sbom/license-cyclonedx.json: NOASSERTION (0.000000 low-confidence) (unknown)
pkg/fanal/analyzer/pkg/dpkg/testdata/license-pattern-and-classifier-copyright: Zlib (0.984733) (notice)
pkg/licensing/testdata/LICENSE_apache2: Apache-2.0 (1.000000) (notice)
pkg/licensing/testdata/LICENSE_creativecommons: Commons-Clause (1.000000) (forbidden)
pkg/fanal/analyzer/language/java/gradle/testdata/poms/without-licenses-and-deps.pom: NOASSERTION (0.000000 low-confidence) (unknown)
pkg/fanal/analyzer/pkg/dpkg/testdata/common-license-copyright: NOASSERTION (0.000000 low-confidence) (unknown)
pkg/fanal/analyzer/pkg/dpkg/testdata/no-license-copyright: NOASSERTION (0.000000 low-confidence) (unknown)
checking gathered license information against the configuration
detected license differences:
pkg/fanal/analyzer/language/golang/mod/testdata/pkg/mod/github.com/aquasecurity/[email protected]/LICENSE: MIT not found
pkg/fanal/analyzer/language/golang/mod/testdata/pkg/mod/github.com/!burnt!sushi/[email protected]/COPYING: MIT not found
pkg/fanal/analyzer/language/python/packaging/testdata/license-file-dist/typing_extensions-4.4.0.dist-info/LICENSE.txt: BeOpen not found
NOTE! pkg/fanal/analyzer/language/python/packaging/testdata/license-file-dist/typing_extensions-4.4.0.dist-info/LICENSE.txt: BeOpen might be a restrictive license, please proceed with caution
pkg/fanal/analyzer/language/python/packaging/testdata/license-file-dist/typing_extensions-4.4.0.dist-info/LICENSE.txt: CNRI-Python-GPL-Compatible not found
NOTE! pkg/fanal/analyzer/language/python/packaging/testdata/license-file-dist/typing_extensions-4.4.0.dist-info/LICENSE.txt: CNRI-Python-GPL-Compatible might be a restrictive license, please proceed with caution
pkg/fanal/analyzer/language/python/packaging/testdata/license-file-dist/typing_extensions-4.4.0.dist-info/LICENSE.txt: Python-2.0 not found
pkg/fanal/analyzer/pkg/dpkg/testdata/license-pattern-and-classifier-copyright: Zlib not found
pkg/licensing/testdata/LICENSE_creativecommons: Commons-Clause not found
NOTE! pkg/licensing/testdata/LICENSE_creativecommons: Commons-Clause might be a restrictive license, please proceed with caution
detected license differences, please check the configuration
following license files could not be confidently assessed:
docs/docs/scanner/license.md: NOASSERTION (0.000000) (unknown)
pkg/fanal/analyzer/language/python/packaging/testdata/license-file-dist/typing_extensions-4.4.0.dist-info/LICENSE.txt: LicenseRef-MIT-Lucent (0.860927) (unknown)
integration/testdata/fixtures/sbom/license-cyclonedx.json: NOASSERTION (0.000000) (unknown)
pkg/fanal/analyzer/language/java/gradle/testdata/poms/without-licenses-and-deps.pom: NOASSERTION (0.000000) (unknown)
pkg/fanal/analyzer/pkg/dpkg/testdata/common-license-copyright: NOASSERTION (0.000000) (unknown)
pkg/fanal/analyzer/pkg/dpkg/testdata/no-license-copyright: NOASSERTION (0.000000) (unknown)
could not identify some licenses, please check the configuration
license information check complete
invalid license: NOASSERTION
writing SBOM for trivy
generating package trivy-0.64.1-r3
scanning for ld.so.conf.d files...
gathering list of vendored shlibs...
scanning for shared object dependencies...
interpreter for trivy => /lib/ld-linux-aarch64.so.1
found lib libpthread.so.0 for usr/bin/trivy
found lib libdl.so.2 for usr/bin/trivy
found lib libc.so.6 for usr/bin/trivy
found lib ld-linux-aarch64.so.1 for usr/bin/trivy
scanning for commands...
found command usr/bin/trivy
scanning for -doc package...
scanning for pkg-config data...
scanning for python modules...
scanning for ruby gems...
scanning for shbang deps...
runtime:
so:ld-linux-aarch64.so.1
so:libc.so.6
so:libdl.so.2
so:libpthread.so.0
provides:
cmd:trivy=0.64.1-r3
installed-size: 270986165
data.tar.gz digest: b85fea834ab5d8da1e623bd02a9b10588ad35d4ea67ec2e9056565b0dcfce71e
wrote packages/aarch64/trivy-0.64.1-r3.apk
cleaning Workspace by removing 41 file/directories in /home/build
generating apk index from packages in packages/aarch64
processing package packages/aarch64/trivy-0.64.1-r3.apk
updating index at packages/aarch64/APKINDEX.tar.gz with new packages: [trivy-0.64.1-r3]
command "melange" completed successfully
build completed successfully
uploading packages...
running command tar [-C packages -cf packages.tar .]
command "tar" completed successfully
running command curl [-s --upload-file packages.tar -H Content-Type: application/octet-stream https://storage.googleapis.com/prod-bundle-staging/eco-2-28/aarch64/1753907661299364289-trivy-0.64.1-r3.tar.gz?Expires=1753950861&GoogleAccessId=ebuild-456o8jve9m82pzkyd0rxyya%40prod-enforce-fabc.iam.gserviceaccount.com&Signature=ii66numiGosZp6MBvKR4%2FH%2B%2FrijzfmnSGLD17yd7ku6cznr1WLdTw484%2FYczTsd2UO6xy3vOv9zgZOwqlvsUi4oG566VDTIoDk%2BXbxzAZGAX5fD6P88c%2F9rQEU9GfoTirb8NyZmuAlkO%2FJMV9IAzdIox6RrrVk2UYv1Rd5TgsWBI%2F2zxZCopB9weB8R2QyhHy8EPWdFYJR3VPQjsp2nUO1NoNEq%2FK2zG5p9Ou5SrWdJaB0G%2BA9uNGzc7RZ%2ByfGIgpNUBjNK6GEgE7S9Be2cbaEV0CpOXuzOmzyXqTm0%2FGpHW9QPGqVtRT5JAVBgUiPASelOS5Jl%2FW2EbKfmxBR99nw%3D%3D]
command "curl" completed successfully
upload completed successfully
packages.tar sha256sum: 62303331356232313632386661613238336364633937363137666239613565616431653564636438653930313736363233663932313236613830313831353235
sha256sum "b0315b21628faa283cdc97617fb9a5ead1e5dcd8e90176623f92126a80181525" written to /dev/termination-log
build completed successfully
parsed env
configuring puller identity "e2fa069c57acc83f3f2748a8bed50e44dff064dc/dcb8fb2f15475910"...
running command chainctl [auth login --audience apk.cgr.dev --identity e2fa069c57acc83f3f2748a8bed50e44dff064dc/dcb8fb2f15475910]
Successfully exchanged token.
Valid! Id: e2fa069c57acc83f3f2748a8bed50e44dff064dc/dcb8fb2f15475910
command "chainctl" completed successfully
puller identity configured successfully
puller identity configured successfully
running tests...
running command /usr/bin/dind [dockerd] in background
command "/usr/bin/dind" started successfully
running command bash [-c
# Retry up to 60 seconds to wait for docker to start.
worked=false
for i in $(seq 60); do
if docker info >/dev/null 2>&1; then
worked=true
break
fi
echo "docker healthcheck failed, docker is not ready, retrying... ($i/60 seconds so far)..."
sleep 1
done
if [ "$worked" = "false" ]; then
echo "Failed to start docker after 60 seconds"
exit 1
fi
]
command "bash" completed successfully
running command melange [test trivy.yaml --gcplog --source-dir trivy --test-package-append wolfi-base --arch=aarch64 --env-file=build-aarch64.env --pipeline-dirs=pipelines --runner=docker --repository-append=https://apk.cgr.dev/chainguard --repository-append=https://apk.cgr.dev/chainguard-private --repository-append=https://apk.cgr.dev/chainguard-2.28 --repository-append=https://apk.cgr.dev/chainguard-2.28-presubmit/48f00a1adbf3526e21f89e9306e69dc559e1b7ac --test-package-append=ct-manylinux-2.28 --test-package-append=gcc-14-default --repository-append=https://apk.cgr.dev/chainguard-2.28-presubmit/48f00a1adbf3526e21f89e9306e69dc559e1b7ac]
image configuration:
contents:
build repositories: []
runtime repositories: []
keyring: []
packages: [jq trivy]
accounts:
runas:
users:
- uid=1000(build) gid=1000
groups:
- gid=1000(build) members=[build]
installing wolfi-baselayout (20230201-r23)
installing ca-certificates-bundle (20250619-r4)
installing glibc-locale-posix (2.41-r56)
installing ld-linux (2.41-r56)
installing glibc (2.41-r56)
installing libgcc (15.1.0-r3)
installing ct-manylinux-2.28 (1.27.0-r1)
installing libstdc++ (15.1.0-r3)
installing gmp (6.3.0-r8)
installing mpfr (4.2.2-r2)
installing mpc (1.3.1-r7)
installing posix-cc-wrappers (1-r7)
installing libstdc++-14 (14.3.0-r4)
installing libstdc++-14-dev (14.3.0-r4)
installing zlib (1.3.1-r51)
installing isl (0.27-r4)
installing libzstd1 (1.5.7-r3)
installing libquadmath (15.1.0-r3)
installing binutils (2.45-r0)
installing openssf-compiler-options (20240627-r26)
installing libxcrypt (4.4.38-r3)
installing libxcrypt-dev (4.4.38-r3)
installing nss-db (2.41-r56)
installing nss-hesiod (2.41-r56)
installing linux-headers (6.16-r0)
installing glibc-dev (2.41-r56)
installing gcc-14 (14.3.0-r4)
installing libgfortran-14 (14.3.0-r4)
installing gfortran-14 (14.3.0-r4)
installing libgfortran (15.1.0-r3)
installing gcc-14-default (14.3.0-r4)
installing oniguruma (6.9.10-r1)
installing jq (1.8.1-r1)
installing trivy (0.64.1-r3)
installing wolfi-keys (1-r12)
installing libcrypto3 (3.5.1-r1)
installing libssl3 (3.5.1-r1)
installing apk-tools (2.14.10-r6)
installing libcrypt1 (2.41-r56)
installing busybox (1.37.0-r47)
installing wolfi-base (1-r7)
layer digest: sha256:3885a05f13c9edfff50dc4b1709987c92dc7887db24b6cea4c0c0093640d2e1e
layer diffID: sha256:a8e8affef1742849b99cfb3141d01f5e39bc823b69804ddc6dcc99a930766599
saving OCI image locally: apko.local/cache:69ca93eecc4f85852f261a2c5e50cfa0696e2656fbdba6c7a4fcacf40fa27af6
Indexes
https://apk.cgr.dev/chainguard-2.28-presubmit/48f00a1adbf3526e21f89e9306e69dc559e1b7ac
Packages
- ✅ trivy (success | 2m26s | x86_64 logs | aarch64 logs)
Tests
- ✅ trivy (success | 1m23s | x86_64 logs | aarch64 logs)
More Observability
Command
cg build log \
--build-id 4f928efd-7f8e-4590-9275-9e27ba4e172c \
--project prod-eco-8de7 \
--cluster elastic-pre \
--namespace pre-eco-2-28 \
--start 2025-07-30T20:31:41Z \
--end 2025-07-30T20:48:34Z