trivy/0.64.1-r2: cve remediation #61154
Merged
Chainguard Internal / elastic-build
succeeded
Jul 30, 2025 in 7m 15s
APKs built successfully
Build ID: 556d6fe4-e9dd-4c03-a1c5-b62a5d2731b0
x86_64 Logs
06074731-71021a481237/LICENSE: MIT (1.000000) (notice)
pkg/fanal/analyzer/language/golang/mod/testdata/vendor-dir-exists/vendor/github.com/aquasecurity/go-dep-parser/LICENSE: Apache-2.0 (1.000000) (notice)
pkg/iac/scanners/helm/test/testdata/with-tarred-dep/LICENSE: Apache-2.0 (1.000000) (notice)
pkg/fanal/analyzer/language/golang/mod/testdata/pkg/mod/github.com/!burnt!sushi/[email protected]/COPYING: MIT (1.000000) (notice)
docs/docs/scanner/license.md: NOASSERTION (0.000000 low-confidence) (unknown)
pkg/fanal/analyzer/language/python/packaging/testdata/license-file-dist/typing_extensions-4.4.0.dist-info/LICENSE.txt: BeOpen (1.000000) (unknown)
pkg/fanal/analyzer/language/python/packaging/testdata/license-file-dist/typing_extensions-4.4.0.dist-info/LICENSE.txt: CNRI-Python-GPL-Compatible (1.000000) (unknown)
pkg/fanal/analyzer/language/python/packaging/testdata/license-file-dist/typing_extensions-4.4.0.dist-info/LICENSE.txt: Python-2.0 (0.955432) (notice)
pkg/fanal/analyzer/language/python/packaging/testdata/license-file-dist/typing_extensions-4.4.0.dist-info/LICENSE.txt: LicenseRef-MIT-Lucent (0.860927 low-confidence) (unknown)
integration/testdata/fixtures/sbom/license-cyclonedx.json: NOASSERTION (0.000000 low-confidence) (unknown)
pkg/fanal/analyzer/pkg/dpkg/testdata/license-pattern-and-classifier-copyright: Zlib (0.984733) (notice)
pkg/licensing/testdata/LICENSE_apache2: Apache-2.0 (1.000000) (notice)
pkg/licensing/testdata/LICENSE_creativecommons: Commons-Clause (1.000000) (forbidden)
pkg/fanal/analyzer/language/java/gradle/testdata/poms/without-licenses-and-deps.pom: NOASSERTION (0.000000 low-confidence) (unknown)
pkg/fanal/analyzer/pkg/dpkg/testdata/common-license-copyright: NOASSERTION (0.000000 low-confidence) (unknown)
pkg/fanal/analyzer/pkg/dpkg/testdata/no-license-copyright: NOASSERTION (0.000000 low-confidence) (unknown)
checking gathered license information against the configuration
detected license differences:
pkg/fanal/analyzer/language/golang/mod/testdata/pkg/mod/github.com/aquasecurity/[email protected]/LICENSE: MIT not found
pkg/fanal/analyzer/language/golang/mod/testdata/pkg/mod/github.com/!burnt!sushi/[email protected]/COPYING: MIT not found
pkg/fanal/analyzer/language/python/packaging/testdata/license-file-dist/typing_extensions-4.4.0.dist-info/LICENSE.txt: BeOpen not found
NOTE! pkg/fanal/analyzer/language/python/packaging/testdata/license-file-dist/typing_extensions-4.4.0.dist-info/LICENSE.txt: BeOpen might be a restrictive license, please proceed with caution
pkg/fanal/analyzer/language/python/packaging/testdata/license-file-dist/typing_extensions-4.4.0.dist-info/LICENSE.txt: CNRI-Python-GPL-Compatible not found
NOTE! pkg/fanal/analyzer/language/python/packaging/testdata/license-file-dist/typing_extensions-4.4.0.dist-info/LICENSE.txt: CNRI-Python-GPL-Compatible might be a restrictive license, please proceed with caution
pkg/fanal/analyzer/language/python/packaging/testdata/license-file-dist/typing_extensions-4.4.0.dist-info/LICENSE.txt: Python-2.0 not found
pkg/fanal/analyzer/pkg/dpkg/testdata/license-pattern-and-classifier-copyright: Zlib not found
pkg/licensing/testdata/LICENSE_creativecommons: Commons-Clause not found
NOTE! pkg/licensing/testdata/LICENSE_creativecommons: Commons-Clause might be a restrictive license, please proceed with caution
detected license differences, please check the configuration
following license files could not be confidently assessed:
docs/docs/scanner/license.md: NOASSERTION (0.000000) (unknown)
pkg/fanal/analyzer/language/python/packaging/testdata/license-file-dist/typing_extensions-4.4.0.dist-info/LICENSE.txt: LicenseRef-MIT-Lucent (0.860927) (unknown)
integration/testdata/fixtures/sbom/license-cyclonedx.json: NOASSERTION (0.000000) (unknown)
pkg/fanal/analyzer/language/java/gradle/testdata/poms/without-licenses-and-deps.pom: NOASSERTION (0.000000) (unknown)
pkg/fanal/analyzer/pkg/dpkg/testdata/common-license-copyright: NOASSERTION (0.000000) (unknown)
pkg/fanal/analyzer/pkg/dpkg/testdata/no-license-copyright: NOASSERTION (0.000000) (unknown)
could not identify some licenses, please check the configuration
license information check complete
invalid license: NOASSERTION
writing SBOM for trivy
generating package trivy-0.64.1-r3
scanning for ld.so.conf.d files...
gathering list of vendored shlibs...
scanning for shared object dependencies...
interpreter for trivy => /lib64/ld-linux-x86-64.so.2
found lib libc.so.6 for usr/bin/trivy
scanning for commands...
found command usr/bin/trivy
scanning for -doc package...
scanning for pkg-config data...
scanning for python modules...
scanning for ruby gems...
scanning for shbang deps...
runtime:
so:ld-linux-x86-64.so.2
so:libc.so.6
provides:
cmd:trivy=0.64.1-r3
installed-size: 282875156
data.tar.gz digest: 1ff8f32626a144547cab50b4251bde22b6b493e80b5ae77d3185d54a2fc4546f
wrote packages/x86_64/trivy-0.64.1-r3.apk
cleaning Workspace by removing 41 file/directories in /home/build
generating apk index from packages in packages/x86_64
processing package packages/x86_64/trivy-0.64.1-r3.apk
updating index at packages/x86_64/APKINDEX.tar.gz with new packages: [trivy-0.64.1-r3]
qemu: sending shutdown signal
command "melange" completed successfully
build completed successfully
uploading packages...
running command tar [-C packages -cf packages.tar .]
command "tar" completed successfully
running command curl [-s --upload-file packages.tar -H Content-Type: application/octet-stream https://storage.googleapis.com/prod-bundle-staging/wolfi/x86_64/1753907686378169714-trivy-0.64.1-r3.tar.gz?Expires=1753950886&GoogleAccessId=ebuild-zasv64d5x1oc4m3epw39yod%40prod-enforce-fabc.iam.gserviceaccount.com&Signature=oK5NddxOw2yqPilOHou69UUYxknwxSvXzWwuylTrdur1tvWSfi1Ile1SuZ%2BtD%2FnznleIPvAgJA1JGyi9%2F%2FBAF4QNB%2FdWfTXFdbcGZG%2BaHQemMBxOZIGwHJjRpqUUIBeJy7RY%2FSeYrS6vQmuDorRZNppinAF6gI1SGjw3EEun5LVDHwvXc8%2BZ4oSLIfdEhjT%2BY0OdaDtX5Jna%2BFPxpJ4NweWO20WP99v8yDJ99rrIGNlRD8u%2BOU6P4oFfk01zOWT2Vk0MFUCr1bZTkfLyMlTWsx01A%2BWm4LNMGSXw6Ce0b%2Fkbo66%2BC0rMz3Nh4%2BXh93hDVWjVhCRdR0xb9d3cq6st%2Bw%3D%3D]
command "curl" completed successfully
upload completed successfully
packages.tar sha256sum: 66656465623764353539643534333237656231333036636635636439613061393866663732383237346630353966343939633436303434643162376264663337
sha256sum "fedeb7d559d54327eb1306cf5cd9a0a98ff728274f059f499c46044d1b7bdf37" written to /dev/termination-log
build completed successfully
parsed env
configuring puller identity "720909c9f5279097d847ad02a2f24ba8f59de36a/a49c7fedc33adf69"...
running command chainctl [auth login --audience apk.cgr.dev --identity 720909c9f5279097d847ad02a2f24ba8f59de36a/a49c7fedc33adf69]
Successfully exchanged token.
Valid! Id: 720909c9f5279097d847ad02a2f24ba8f59de36a/a49c7fedc33adf69
command "chainctl" completed successfully
puller identity configured successfully
puller identity configured successfully
running tests...
running command /usr/bin/dind [dockerd] in background
command "/usr/bin/dind" started successfully
running command bash [-c
# Retry up to 60 seconds to wait for docker to start.
worked=false
for i in $(seq 60); do
if docker info >/dev/null 2>&1; then
worked=true
break
fi
echo "docker healthcheck failed, docker is not ready, retrying... ($i/60 seconds so far)..."
sleep 1
done
if [ "$worked" = "false" ]; then
echo "Failed to start docker after 60 seconds"
exit 1
fi
]
command "bash" completed successfully
running command melange [test trivy.yaml --gcplog --source-dir trivy --test-package-append wolfi-base --arch=x86_64 --env-file=build-x86_64.env --pipeline-dirs=pipelines --runner=qemu --keyring-append=https://packages.wolfi.dev/os/wolfi-signing.rsa.pub --repository-append=https://packages.wolfi.dev/os --repository-append=https://apk.cgr.dev/wolfi-presubmit/48f00a1adbf3526e21f89e9306e69dc559e1b7ac --repository-append=https://apk.cgr.dev/wolfi-presubmit/48f00a1adbf3526e21f89e9306e69dc559e1b7ac]
image configuration:
contents:
build repositories: []
runtime repositories: []
keyring: []
packages: [jq trivy]
accounts:
runas:
users:
- uid=1000(build) gid=1000
groups:
- gid=1000(build) members=[build]
installing wolfi-baselayout (20230201-r23)
installing ca-certificates-bundle (20250619-r4)
installing ld-linux (2.41-r56)
installing libgcc (15.1.0-r3)
installing glibc-locale-posix (2.41-r56)
installing glibc (2.41-r56)
installing oniguruma (6.9.10-r1)
installing jq (1.8.1-r1)
installing trivy (0.64.1-r3)
installing wolfi-keys (1-r12)
installing zlib (1.3.1-r51)
installing libcrypto3 (3.5.1-r1)
installing libssl3 (3.5.1-r1)
installing apk-tools (2.14.10-r6)
installing libxcrypt (4.4.38-r3)
installing libcrypt1 (2.41-r56)
installing busybox (1.37.0-r47)
installing wolfi-base (1-r7)
populating workspace /tmp/melange-workspace-1065241641 from trivy
qemu: generating ssh key pairs for ephemeral VM
qemu: generating initramfs
image configuration:
contents:
build repositories: [https://apk.cgr.dev/chainguard]
runtime repositories: []
keyring: []
packages: [microvm-init]
installing wolfi-baselayout (20230201-r23)
installing ca-certificates-bundle (20250619-r4)
installing libgcc (15.1.0-r3)
installing glibc-locale-posix (2.41-r56)
installing glibc (2.41-r56)
installing ld-linux (2.41-r56)
installing gnutar (1.35-r5)
installing libattr1 (2.5.2-r52)
installing attr (2.5.2-r52)
installing zlib (1.3.1-r51)
installing libzstd1 (1.5.7-r3)
installing xz (5.8.1-r2)
installing libcrypto3 (3.5.1-r1)
installing kmod (34.2-r40)
installing libbz2-1 (1.0.8-r20)
installing libelf (0.193-r3)
installing libmnl (1.0.5-r6)
installing libnftnl (1.2.9-r1)
installing xtables (1.8.11-r25)
installing iproute2 (6.16.0-r0)
installing libpcre2-8-0 (10.45-r3)
installing libsepol (3.9-r1)
installing libselinux (3.9-r1)
installing libxcrypt (4.4.38-r3)
installing libcrypt1 (2.41-r56)
installing linux-pam (1.7.1-r1)
installing openssh-keygen (10.0_p1-r3)
installing openssh-server-config (10.0_p1-r3)
installing openssh-server (10.0_p1-r3)
installing libblkid (2.41.1-r3)
installing libmount (2.41.1-r3)
aarch64 Logs
ht: Zlib (0.984733) (notice)
pkg/licensing/testdata/LICENSE_apache2: Apache-2.0 (1.000000) (notice)
pkg/licensing/testdata/LICENSE_creativecommons: Commons-Clause (1.000000) (forbidden)
pkg/fanal/analyzer/language/java/gradle/testdata/poms/without-licenses-and-deps.pom: NOASSERTION (0.000000 low-confidence) (unknown)
pkg/fanal/analyzer/pkg/dpkg/testdata/common-license-copyright: NOASSERTION (0.000000 low-confidence) (unknown)
pkg/fanal/analyzer/pkg/dpkg/testdata/no-license-copyright: NOASSERTION (0.000000 low-confidence) (unknown)
checking gathered license information against the configuration
detected license differences:
pkg/fanal/analyzer/language/golang/mod/testdata/pkg/mod/github.com/aquasecurity/[email protected]/LICENSE: MIT not found
pkg/fanal/analyzer/language/golang/mod/testdata/pkg/mod/github.com/!burnt!sushi/[email protected]/COPYING: MIT not found
pkg/fanal/analyzer/language/python/packaging/testdata/license-file-dist/typing_extensions-4.4.0.dist-info/LICENSE.txt: BeOpen not found
NOTE! pkg/fanal/analyzer/language/python/packaging/testdata/license-file-dist/typing_extensions-4.4.0.dist-info/LICENSE.txt: BeOpen might be a restrictive license, please proceed with caution
pkg/fanal/analyzer/language/python/packaging/testdata/license-file-dist/typing_extensions-4.4.0.dist-info/LICENSE.txt: CNRI-Python-GPL-Compatible not found
NOTE! pkg/fanal/analyzer/language/python/packaging/testdata/license-file-dist/typing_extensions-4.4.0.dist-info/LICENSE.txt: CNRI-Python-GPL-Compatible might be a restrictive license, please proceed with caution
pkg/fanal/analyzer/language/python/packaging/testdata/license-file-dist/typing_extensions-4.4.0.dist-info/LICENSE.txt: Python-2.0 not found
pkg/fanal/analyzer/pkg/dpkg/testdata/license-pattern-and-classifier-copyright: Zlib not found
pkg/licensing/testdata/LICENSE_creativecommons: Commons-Clause not found
NOTE! pkg/licensing/testdata/LICENSE_creativecommons: Commons-Clause might be a restrictive license, please proceed with caution
detected license differences, please check the configuration
following license files could not be confidently assessed:
docs/docs/scanner/license.md: NOASSERTION (0.000000) (unknown)
pkg/fanal/analyzer/language/python/packaging/testdata/license-file-dist/typing_extensions-4.4.0.dist-info/LICENSE.txt: LicenseRef-MIT-Lucent (0.860927) (unknown)
integration/testdata/fixtures/sbom/license-cyclonedx.json: NOASSERTION (0.000000) (unknown)
pkg/fanal/analyzer/language/java/gradle/testdata/poms/without-licenses-and-deps.pom: NOASSERTION (0.000000) (unknown)
pkg/fanal/analyzer/pkg/dpkg/testdata/common-license-copyright: NOASSERTION (0.000000) (unknown)
pkg/fanal/analyzer/pkg/dpkg/testdata/no-license-copyright: NOASSERTION (0.000000) (unknown)
could not identify some licenses, please check the configuration
license information check complete
invalid license: NOASSERTION
writing SBOM for trivy
generating package trivy-0.64.1-r3
scanning for ld.so.conf.d files...
gathering list of vendored shlibs...
scanning for shared object dependencies...
interpreter for trivy => /lib/ld-linux-aarch64.so.1
found lib libc.so.6 for usr/bin/trivy
found lib ld-linux-aarch64.so.1 for usr/bin/trivy
scanning for commands...
found command usr/bin/trivy
scanning for -doc package...
scanning for pkg-config data...
scanning for python modules...
scanning for ruby gems...
scanning for shbang deps...
runtime:
so:ld-linux-aarch64.so.1
so:libc.so.6
provides:
cmd:trivy=0.64.1-r3
installed-size: 270961845
data.tar.gz digest: 62cab63dde9579bf8afbeb0b6b42ac132421ad5e12ddf88bdf80fbe75fa06440
wrote packages/aarch64/trivy-0.64.1-r3.apk
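Both the x86_64 and the aarch64 log print a "data.tar.gz digest" line just before "wrote packages/<arch>/trivy-0.64.1-r3.apk". That value is the one thing in this log a consumer can check against the package that actually lands in the index. The script below is an added example (not code from this page, from melange or from Chainguard) that splits an .apk into its gzip streams, reads the datahash recorded in .PKGINFO, and recomputes the sha256 of the data stream so it can be compared with the logged digest. It assumes the APKv2 layout (signature, control and data sections as back-to-back gzip streams) and that .PKGINFO carries a `datahash = <sha256 of data.tar.gz>` line; the sample package it builds in-code is constructed so the script runs offline.

```python
"""Verify the data.tar.gz digest of an APKv2 package (added example, not melange code)."""
import hashlib
import io
import tarfile
import zlib


def split_gzip_members(blob: bytes) -> list[bytes]:
    """Split concatenated gzip streams into their raw, still-compressed members.

    Assumption: APKv2 = signature.tar.gz + control.tar.gz + data.tar.gz, in that order.
    """
    members = []
    rest = blob
    while rest:
        d = zlib.decompressobj(wbits=31)  # 31 = zlib's "gzip framing" setting
        d.decompress(rest)
        if not d.eof:
            raise ValueError("truncated gzip member")
        used = len(rest) - len(d.unused_data)
        members.append(rest[:used])
        rest = d.unused_data
    return members


def pkginfo_fields(control_gz: bytes) -> dict[str, str]:
    """Read the 'key = value' lines of .PKGINFO from the control stream."""
    with tarfile.open(fileobj=io.BytesIO(control_gz), mode="r:gz") as tf:
        text = tf.extractfile(tf.getmember(".PKGINFO")).read().decode()
    fields = {}
    for line in text.splitlines():
        if line and not line.startswith("#") and " = " in line:
            key, value = line.split(" = ", 1)
            fields[key.strip()] = value.strip()
    return fields


def verify_apk(blob: bytes) -> tuple[bool, str, str]:
    """Return (match, sha256 of the data stream, datahash claimed in .PKGINFO).

    The first value is what to compare with the log's 'data.tar.gz digest' line.
    """
    members = split_gzip_members(blob)
    if len(members) < 2:
        raise ValueError("expected at least control and data streams")
    control, data = members[-2], members[-1]
    claimed = pkginfo_fields(control).get("datahash", "")
    actual = hashlib.sha256(data).hexdigest()
    return actual == claimed, actual, claimed


def _tar_gz(files: dict[str, bytes]) -> bytes:
    """Build one gzip'd tar stream from an in-memory file map (sample data only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_sample_apk(tamper: bool = False) -> bytes:
    """Constructed stand-in for trivy-0.64.1-r3.apk; not the real package.

    With tamper=True the data stream is swapped after datahash was recorded,
    which is the case the check exists to catch.
    """
    data = _tar_gz({"usr/bin/trivy": b"\x7fELF constructed sample, not a real binary\n"})
    pkginfo = (
        "pkgname = trivy\npkgver = 0.64.1-r3\narch = aarch64\n"
        f"datahash = {hashlib.sha256(data).hexdigest()}\n"
    ).encode()
    control = _tar_gz({".PKGINFO": pkginfo})
    signature = _tar_gz({".SIGN.RSA.sample.rsa.pub": b"constructed placeholder, not a signature"})
    if tamper:
        data = _tar_gz({"usr/bin/trivy": b"\x7fELF contents replaced after packaging\n"})
    return signature + control + data


if __name__ == "__main__":
    import sys

    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_apk()
    ok, actual, claimed = verify_apk(blob)
    print("datahash", "OK" if ok else "MISMATCH", "data.tar.gz digest:", actual, "claimed:", claimed)
```

Run it as `python3 verify_apk.py trivy-0.64.1-r3.apk` against the package pulled from the presubmit index and compare the printed "data.tar.gz digest" with the value in the log for that architecture; the .PKGINFO datahash and the log line should both equal the recomputed digest.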
cleaning Workspace by removing 41 file/directories in /home/build
generating apk index from packages in packages/aarch64
processing package packages/aarch64/trivy-0.64.1-r3.apk
updating index at packages/aarch64/APKINDEX.tar.gz with new packages: [trivy-0.64.1-r3]
command "melange" completed successfully
build completed successfully
uploading packages...
running command tar [-C packages -cf packages.tar .]
command "tar" completed successfully
running command curl [-s --upload-file packages.tar -H Content-Type: application/octet-stream https://storage.googleapis.com/prod-bundle-staging/wolfi/aarch64/1753907686378119544-trivy-0.64.1-r3.tar.gz?Expires=1753950886&GoogleAccessId=ebuild-zasv64d5x1oc4m3epw39yod%40prod-enforce-fabc.iam.gserviceaccount.com&Signature=nNNfM2nEWu7fF3jHOy6H9DecBraNzQ0Lk4c6I92iR1kwK8irR8dgxMiKauwiRxBc7RcwTHQVwX3uwRyivZRsRQAhtgLJtggc7lHDCsz00qhqGYGZTXuUrOikwwYi%2Bj2wfigIe%2FLHmUn0MXkD22QsSmMaxsbBAMbEw527D6OIpJx7PVjcdrVaEJaRePFYHQ4PESdoWCLn3lA5iBz%2FZXVPGK08A3K8x5wsS3I0TyOhquQfQybJT%2BhtsNNFG5P41304RPBslAHeq%2BKKPGo5OIX8n3UIzHKjEM93kLB4Qwkloqd1oS1Q2tldRM92Pz%2FBMj2%2BE3gFSkNG8AjN58on3AQfQQ%3D%3D]
command "curl" completed successfully
upload completed successfully
packages.tar sha256sum: 33613135643065646431393864376361313233623766343462343638313065633039643734643363373462663839366564616531386436386134313138643036
sha256sum "3a15d0edd198d7ca123b7f44b46810ec09d74d3c74bf896edae18d68a4118d06" written to /dev/termination-log
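Two things in the "uploading packages..." block of both architecture logs deserve a second look. First, the curl line prints the complete pre-signed GCS URL, including its Signature: a signed URL authorizes the request it was minted for until its Expires time, so an unredacted log hands that capability to anyone who can read the log for as long as the URL is live. Second, the "packages.tar sha256sum:" line is 128 hex characters because it is the hex encoding of the ASCII hex digest, while the line written to /dev/termination-log carries the plain 64-character digest; decoding the first yields the second. The script below is an added example (not code from the page, melange or Chainguard) that extracts the URL and reports its expiry and signing identity, decodes the double-hex digest, and checks the two digest lines agree. The sample log is copied from the aarch64 lines above with the Signature value shortened, since the signature itself is not verified here; the build end time comes from the `cg build log --end` line at the bottom of the page.

```python
"""Audit the upload lines of a melange build log (added example, not melange code)."""
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

HEX64 = re.compile(r"^[0-9a-f]{64}$")
URL_RE = re.compile(r"https://[^\s\]]+")
DIGEST_RE = re.compile(r"packages\.tar sha256sum: ([0-9a-f]+)")
TERMLOG_RE = re.compile(r'sha256sum "([0-9a-f]{64})" written to /dev/termination-log')

# Copied from the aarch64 log above; Signature shortened, everything else verbatim.
SAMPLE_LOG = """\
running command curl [-s --upload-file packages.tar -H Content-Type: application/octet-stream https://storage.googleapis.com/prod-bundle-staging/wolfi/aarch64/1753907686378119544-trivy-0.64.1-r3.tar.gz?Expires=1753950886&GoogleAccessId=ebuild-zasv64d5x1oc4m3epw39yod%40prod-enforce-fabc.iam.gserviceaccount.com&Signature=nNNfM2nEWu7fF3jHOy6H9DecBraNzQ0Lk4c6I92iR1kwK8irR8dgxMiKauwiRxBc7RcwTHQVwX3uwRyivZRsRQ%3D%3D]
command "curl" completed successfully
upload completed successfully
packages.tar sha256sum: 33613135643065646431393864376361313233623766343462343638313065633039643734643363373462663839366564616531386436386134313138643036
sha256sum "3a15d0edd198d7ca123b7f44b46810ec09d74d3c74bf896edae18d68a4118d06" written to /dev/termination-log
"""

# End of the build per the 'cg build log --end' line on the page.
BUILD_END_ISO = "2025-07-30T20:48:59+00:00"


def normalize_digest(value: str) -> str:
    """Return the 64-hex sha256 digest, decoding the hex-of-hex form if that is what was logged."""
    v = value.strip().lower()
    if HEX64.match(v):
        return v
    if len(v) == 128:
        decoded = bytes.fromhex(v).decode("ascii")
        if HEX64.match(decoded):
            return decoded
    raise ValueError(f"not a sha256 digest: {value[:16]}...")


def signed_url_info(url: str) -> dict:
    """Pull bucket, object, signing identity and expiry out of a V2-style signed GCS URL."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    bucket, _, obj = parts.path.lstrip("/").partition("/")
    return {
        "bucket": bucket,
        "object": obj,
        "access_id": query["GoogleAccessId"][0],
        "expires": datetime.fromtimestamp(int(query["Expires"][0]), tz=timezone.utc),
    }


def is_live(info: dict, at_iso: str) -> bool:
    """True if the URL would still be honoured at the given ISO-8601 instant."""
    return datetime.fromisoformat(at_iso) < info["expires"]


def audit_upload(log: str, at_iso: str = BUILD_END_ISO) -> dict:
    """Summarise the exposure and the digest consistency of one upload block."""
    url = URL_RE.search(log).group(0)
    info = signed_url_info(url)
    logged = normalize_digest(DIGEST_RE.search(log).group(1))
    termlog = TERMLOG_RE.search(log).group(1)
    return {
        **info,
        "url_live_at": is_live(info, at_iso),
        "digest": logged,
        "digests_agree": logged == termlog,
    }


if __name__ == "__main__":
    for key, value in audit_upload(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

For this page the URL was still valid at the end of the build and stayed so until 2025-07-31T08:34:46Z, and the decoded packages.tar digest matches the termination-log value, so the two lines are consistent and only the URL is a hygiene finding.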
build completed successfully
parsed env
configuring puller identity "720909c9f5279097d847ad02a2f24ba8f59de36a/a49c7fedc33adf69"...
running command chainctl [auth login --audience apk.cgr.dev --identity 720909c9f5279097d847ad02a2f24ba8f59de36a/a49c7fedc33adf69]
Successfully exchanged token.
Valid! Id: 720909c9f5279097d847ad02a2f24ba8f59de36a/a49c7fedc33adf69
command "chainctl" completed successfully
puller identity configured successfully
puller identity configured successfully
running tests...
running command /usr/bin/dind [dockerd] in background
command "/usr/bin/dind" started successfully
running command bash [-c
# Retry up to 60 seconds to wait for docker to start.
worked=false
for i in $(seq 60); do
if docker info >/dev/null 2>&1; then
worked=true
break
fi
echo "docker healthcheck failed, docker is not ready, retrying... ($i/60 seconds so far)..."
sleep 1
done
if [ "$worked" = "false" ]; then
echo "Failed to start docker after 60 seconds"
exit 1
fi
]
command "bash" completed successfully
running command melange [test trivy.yaml --gcplog --source-dir trivy --test-package-append wolfi-base --arch=aarch64 --env-file=build-aarch64.env --pipeline-dirs=pipelines --runner=docker --keyring-append=https://packages.wolfi.dev/os/wolfi-signing.rsa.pub --repository-append=https://packages.wolfi.dev/os --repository-append=https://apk.cgr.dev/wolfi-presubmit/48f00a1adbf3526e21f89e9306e69dc559e1b7ac --repository-append=https://apk.cgr.dev/wolfi-presubmit/48f00a1adbf3526e21f89e9306e69dc559e1b7ac]
image configuration:
contents:
build repositories: []
runtime repositories: []
keyring: []
packages: [jq trivy]
accounts:
runas:
users:
- uid=1000(build) gid=1000
groups:
- gid=1000(build) members=[build]
installing wolfi-baselayout (20230201-r23)
installing ca-certificates-bundle (20250619-r4)
installing libgcc (15.1.0-r3)
installing ld-linux (2.41-r56)
installing glibc-locale-posix (2.41-r56)
installing glibc (2.41-r56)
installing oniguruma (6.9.10-r1)
installing jq (1.8.1-r1)
installing trivy (0.64.1-r3)
installing wolfi-keys (1-r12)
installing zlib (1.3.1-r51)
installing libcrypto3 (3.5.1-r1)
installing libssl3 (3.5.1-r1)
installing apk-tools (2.14.10-r6)
installing libxcrypt (4.4.38-r3)
installing libcrypt1 (2.41-r56)
installing busybox (1.37.0-r47)
installing wolfi-base (1-r7)
layer digest: sha256:591f9e37f6b99625c9e0deda0e117827b77651f1dfe6e42073fc288ada461e5f
layer diffID: sha256:0fa8aac5d9ffb3faeeef187442c9cbd07cecb00878c295cd56c2c78faa07e710
saving OCI image locally: apko.local/cache:5f763656c45614d6b1def47514debce7460143bb44ba5870116a31a4cdc514d9
populating workspace /tmp/melange-workspace-1066202374 from trivy
running the main test pipeline
running step "Check trivy version"
Version: 0.64.1
Version: 0.64.1
Version: 0.64.1
Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues and hard-coded secrets
Usage:
trivy [global flags] command [flags] target
trivy [command]
Examples:
# Scan a container image
$ trivy image python:3.4-alpine
# Scan a container image from a tar archive
$ trivy image --input ruby-3.1.tar
# Scan local filesystem
$ trivy fs .
# Run in server mode
$ trivy server
Scanning Commands
config Scan config files for misconfigurations
filesystem Scan local filesystem
image Scan a container image
kubernetes [EXPERIMENTAL] Scan kubernetes cluster
repository Scan a repository
rootfs Scan rootfs
sbom Scan SBOM for vulnerabilities and licenses
vm [EXPERIMENTAL] Scan a virtual machine image
Management Commands
module Manage modules
plugin Manage plugins
vex [EXPERIMENTAL] VEX utilities
Utility Commands
clean Remove cached files
completion Generate the autocompletion script for the specified shell
convert Convert Trivy JSON report into a different format
help Help about any command
registry Manage registry authentication
server Server mode
version Print the version
Flags:
--cache-dir string cache directory (default "/home/build/.cache/trivy")
-c, --config string config path (default "trivy.yaml")
-d, --debug debug mode
-f, --format string version format (json)
--generate-default-config write the default config to trivy-default.yaml
-h, --help help for trivy
--insecure allow insecure server connections
-q, --quiet suppress progress bar and log output
--timeout duration timeout (default 5m0s)
-v, --version show version
Use "trivy [command] --help" for more information about a command.
running step "Check trivy version as JSON"
{
"Version": "0.64.1"
}
pod 9e910c1f5008d81de62e47208079244ed1e7ca6907bf703015b3e8fbbee46feb terminated
command "melange" completed successfully
tests completed successfully
Indexes
https://apk.cgr.dev/wolfi-presubmit/48f00a1adbf3526e21f89e9306e69dc559e1b7ac
Packages
- ✅ trivy (success | 2m21s | x86_64 logs | aarch64 logs)
Tests
- ✅ trivy (success | 1m30s | x86_64 logs | aarch64 logs)
More Observability
Command
cg build log \
--build-id 556d6fe4-e9dd-4c03-a1c5-b62a5d2731b0 \
--project prod-wolfi-os \
--cluster elastic-pre-a \
--namespace pre-wolfi \
--start 2025-07-30T20:31:43Z \
--end 2025-07-30T20:48:59Z