Trivy reporting OS not supported

[Steveiwonder]

Description

When running

trivy image --format template --template "/agent/_work/1/s/ci/trivy/html.tpl" -o report.html "temp:latest"

I get the following

2024-12-02T17:07:24.806Z	INFO	Need to update DB
2024-12-02T17:07:24.806Z	INFO	Downloading DB...
4.70 MiB / 30.57 MiB [--------->____________________________________________________] 15.38% ? p/s ?10.54 MiB / 30.57 MiB [--------------------->_______________________________________] 34.46% ? p/s ?16.90 MiB / 30.57 MiB [--------------------------------->___________________________] 55.27% ? p/s ?23.56 MiB / 30.57 MiB [------------------------------------>___________] 77.06% 31.43 MiB p/s ETA 0s30.53 MiB / 30.57 MiB [----------------------------------------------->] 99.86% 31.43 MiB p/s ETA 0s30.57 MiB / 30.57 MiB [---------------------------------------------------] 100.00% 35.38 MiB p/s 1s
2024-12-02T17:07:41.329Z	INFO	Detected OS: alpine
2024-12-02T17:07:41.329Z	WARN	This OS version is not on the EOL list: alpine 3.20
2024-12-02T17:07:41.329Z	INFO	Detecting Alpine vulnerabilities...
2024-12-02T17:07:41.329Z	INFO	Number of PL dependency files: 0
2024-12-02T17:07:41.329Z	WARN	This OS version is no longer supported by the distribution: alpine 3.20.3
2024-12-02T17:07:41.329Z	WARN	The vulnerability detection may be insufficient because security updates are not provided

The docker image is based off FROM mcr.microsoft.com/dotnet/aspnet:8.0-alpine3.20 AS base which as far as I can see if fully supported.

This was working as recent as a few hours ago.

Is this something I need to change/fix or is something else going on?

Thanks

Desired Behavior

Command succeeds

Actual Behavior

Command fails with OS not supported

Reproduction Steps

Create docker file like this 
`FROM mcr.microsoft.com/dotnet/aspnet:8.0-alpine3.20`
Build docker
`docker build -t temp:latest .`
Execute trivy scan
`trivy image --format template --template "/agent/_work/1/s/ci/trivy/html.tpl" -o report.html "temp:latest"`

Target

Container Image

Scanner

Vulnerability

Output Format

Template

Mode

None

Debug Output

2024-12-02T17:39:47.068ZDEBUGSeverities: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
2024-12-02T17:39:47.071ZDEBUGcache dir:  /root/.cache/trivy
2024-12-02T17:39:47.071ZDEBUGDB update was skipped because DB was downloaded during the last hour
2024-12-02T17:39:47.071ZDEBUGDB Schema: 1, Type: 1, UpdatedAt: 2023-02-08 12:48:16.989777838 +0000 UTC, NextUpdate: 2023-02-08 18:48:16.989777438 +0000 UTC, Do
wnloadedAt: 2024-12-02 17:13:31.612130217 +0000 UTC
2024-12-02T17:39:47.071ZDEBUGVulnerability type:  [os library]
2024-12-02T17:39:47.072ZDEBUGImage ID: sha256:dd849f1515ff02ae2fa048690b44ddc0ebae0eb622db1f46a5b1ba236c81009a
2024-12-02T17:39:47.072ZDEBUGDiff IDs: [sha256:75654b8eeebd3beae97271a102f57cdeb794cc91e442648544963a7e951e9558 sha256:36f498f2cf87ebe559b74fbef961a2d0bdecfc9d
9333df006f7167841e9ce71a sha256:87ef207e4d80de64e841d00cc99ad5712152a1c8e5991361186cdd32ddc71675 sha256:37dca50d7d6ec42979047faabb1e19386d3cdfff1d23e4ec850b944cba21ea1e s
ha256:8015818b5513d95bb3f7cf6db0d2f176e00d9ad91f6a5721a9f7b70cf6a76464 sha256:f5c1846c75e052098592f98ae82101573f7485095c9b7d4922e8de97e0125fe8 sha256:ec2f239c7aaa652ec140
71964e35bb2c970acd5cae110425b09fb3b912c8f45b sha256:4bdd189e1d64c60dab47c02e95c2e8dc097fb73191050e7ee90a18af094e275b sha256:4db69e2bb6279a2e73e9d4d3669c6f0d04c229a50e0b4d
54c9f68ca75b538f25 sha256:5ee465506138087b739677254ace7f45808a1dce6286089a4d2613ccf02957a8 sha256:1af3909e8a3654380eafbb4a1a8985390dc61d7684e8c60d07d7035e2b38e23e sha256:
875cafff9ad3a9efcaf841199954b84e27bc1a0e3f6ce0798a252cffa6d5d11c sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef sha256:4e46935c2dc5243caaaea60954
689a0a787dba1b663ebbf9c60b943520812c59 sha256:fc2684c5f9bb54320f3f9017816413af247deaffadc821b9a2f711257c085564 sha256:b1d980a74b82472e7d771ef31a038180be187ee2095fc4a648d4
a0440ff367be sha256:1d58c77566e9b5c6c18abc1270178c4f737de5dc696b2a1d380f347bc46ed576 sha256:997a5dca139c919d7a94c41a3eb1b737bc3d3e4db5111fec4a9939e438f45cd2]
2024-12-02T17:39:47.073ZINFODetected OS: alpine
2024-12-02T17:39:47.073ZWARNThis OS version is not on the EOL list: alpine 3.20
2024-12-02T17:39:47.073ZINFODetecting Alpine vulnerabilities...
2024-12-02T17:39:47.073ZDEBUGalpine: os version: 3.20
2024-12-02T17:39:47.073ZDEBUGalpine: the number of packages: 90
2024-12-02T17:39:47.074ZINFONumber of PL dependency files: 0
2024-12-02T17:39:47.074ZWARNThis OS version is no longer supported by the distribution: alpine 3.20.3
2024-12-02T17:39:47.074ZWARNThe vulnerability detection may be insufficient because security updates are not provided

Operating System

Ubuntu 22.04

Version

Version: 0.18.3

Checklist

• Run trivy clean --all
• Read the troubleshooting

[DmitriyLewen]

Hello @Steveiwonder

Version: 0.18.3

You use very old Trivy version.

It works correctly for v0.57.1:

...
2024-12-03T11:34:13+06:00	INFO	Detected OS	family="alpine" version="3.20.3"
2024-12-03T11:34:13+06:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.20" repository="3.20" pkg_num=16
2024-12-03T11:34:13+06:00	INFO	Number of language-specific files	num=2
2024-12-03T11:34:13+06:00	INFO	[dotnet-core] Detecting vulnerabilities...
2024-12-03T11:34:13+06:00	DEBUG	[dotnet-core] Scanning packages for vulnerabilities	file_path="usr/share/dotnet/shared/Microsoft.NETCore.App/8.0.11/Microsoft.NETCore.App.deps.json"
2024-12-03T11:34:13+06:00	DEBUG	[dotnet-core] Scanning packages for vulnerabilities	file_path="usr/share/dotnet/shared/Microsoft.AspNetCore.App/8.0.11/Microsoft.AspNetCore.App.deps.json"
2024-12-03T11:34:13+06:00	DEBUG	[vex] VEX filtering is disabled

mcr.microsoft.com/dotnet/aspnet:8.0-alpine3.20 (alpine 3.20.3)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Can you update Trivy and check again?

Regards, Dmitriy

[Steveiwonder]

@DmitriyLewen I see that now, thank you. I follow the install guide here
https://trivy.dev/v0.18.3/installation/#debianubuntu

sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy

This only offers me 0.18.3 as the latest available version

[Steveiwonder]

Trying this now.

[Steveiwonder]

For some reason, and I'm not 100% sure why, using the install scripts provided on the guide did not work

Official:

sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy

This is what worked for me:

sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo tee /etc/apt/trusted.gpg.d/trivy.asc
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy
trivy --version (Version: 0.57.1)

🤷

I can only image that because apt-key has been depreacted, it something to do with this.

Thanks for your help though

[DmitriyLewen]

Can you try to use last script?

sudo apt-get install wget gnupg
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy

[Steveiwonder]

Yep, running

sudo apt-get install wget gnupg
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy

Worked