Epochs never read from `/var/lib/rpmmanifest/container-manifest-2`. #9099

tofay · 2025-07-01T06:10:38Z

tofay
Jul 1, 2025

Description

Epoch's are not parsed from RPM entries in /var/lib/rpmmanifest/container-manifest-2.

I'm writing a container build tool which creates this file so that scanners can detect the contents. The parsing of this file, added for azure linux, assumes epoch's are all zero. This is also not the case as in azure linux 3.0 some packages have epochs (e.g ca-certificates-*).

Desired Behavior

Trivy to detect non-zero epochs from /var/lib/rpmmanifest/container-manifest-2.

Actual Behavior

Epoch's are never read from this file, resulting in false positive vulnerabilities and epoch's missing from package urls.

Reproduction Steps

1. `trivy image tofay/gnoci-curl:almalinux`. This scans an example image I pushed. Trivy successfully detects that alma linux packages are included.
2. observe openssl vulnerabilities present due to trivy not reading the epoch

Target

Container Image

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Debug Output

trivy image --debug tofay/gnoci-curl:almalinux
2025-07-01T07:07:13+01:00       DEBUG   No plugins loaded
2025-07-01T07:07:13+01:00       DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2025-07-01T07:07:13+01:00       DEBUG   Cache dir       dir="/root/.cache/trivy"
2025-07-01T07:07:13+01:00       DEBUG   Cache dir       dir="/root/.cache/trivy"
2025-07-01T07:07:13+01:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-07-01T07:07:13+01:00       DEBUG   Ignore statuses statuses=[]
2025-07-01T07:07:13+01:00       DEBUG   DB update was skipped because the local DB is the latest
2025-07-01T07:07:13+01:00       DEBUG   DB info schema=2 updated_at=2025-06-30T06:31:42.66159197Z next_update=2025-07-01T06:31:42.66159184Z downloaded_at=2025-06-30T12:47:13.103181481Z
2025-07-01T07:07:13+01:00       DEBUG   [pkg] Package types     types=[os library]
2025-07-01T07:07:13+01:00       DEBUG   [pkg] Package relationships     relationships=[unknown root workspace direct indirect]
2025-07-01T07:07:13+01:00       INFO    [vuln] Vulnerability scanning is enabled
2025-07-01T07:07:13+01:00       INFO    [secret] Secret scanning is enabled
2025-07-01T07:07:13+01:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-07-01T07:07:13+01:00       DEBUG   [notification] Running version check
2025-07-01T07:07:13+01:00       INFO    [secret] Please see also https://trivy.dev/v0.63/docs/scanner/secret#recommendation for faster secret detection
2025-07-01T07:07:13+01:00       DEBUG   Initializing scan cache...      type="fs"
2025-07-01T07:07:13+01:00       DEBUG   [secret] No secret config detected      config_path="trivy-secret.yaml"
2025-07-01T07:07:13+01:00       DEBUG   [secret] No secret config detected      config_path="trivy-secret.yaml"
2025-07-01T07:07:13+01:00       DEBUG   [image] Detected image ID       image_id="sha256:3c13e0fc9209f5b187c8dd1a3f2687d4d068929ce42be854a96261f7aa27140f"
2025-07-01T07:07:13+01:00       DEBUG   [image] Detected diff ID        diff_ids=[sha256:a4cd95f3a6156eddcdd62a7007d48b01d3a6888ece93653ddcab77690857ea31]
2025-07-01T07:07:13+01:00       DEBUG   [image] Detected base layers    diff_ids=[]
2025-07-01T07:07:13+01:00       INFO    Detected OS     family="alma" version="9.5"
2025-07-01T07:07:13+01:00       INFO    [alma] Detecting vulnerabilities...     os_version="9" pkg_num=21
2025-07-01T07:07:13+01:00       INFO    Number of language-specific files       num=0
2025-07-01T07:07:13+01:00       DEBUG   Specified ignore file does not exist    file=".trivyignore"
2025-07-01T07:07:13+01:00       DEBUG   [vex] VEX filtering is disabled

Report Summary

┌───────────────────────────────────────┬──────┬─────────────────┬─────────┐
│                Target                 │ Type │ Vulnerabilities │ Secrets │
├───────────────────────────────────────┼──────┼─────────────────┼─────────┤
│ tofay/gnoci-curl:almalinux (alma 9.5) │ alma │       36        │    -    │
└───────────────────────────────────────┴──────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


tofay/gnoci-curl:almalinux (alma 9.5)

Total: 36 (UNKNOWN: 0, LOW: 8, MEDIUM: 20, HIGH: 8, CRITICAL: 0)

┌──────────────┬────────────────┬──────────┬────────┬──────────────────────────┬───────────────────┬──────────────────────────────────────────────────────────────┐
│   Library    │ Vulnerability  │ Severity │ Status │    Installed Version     │   Fixed Version   │                            Title                             │
├──────────────┼────────────────┼──────────┼────────┼──────────────────────────┼───────────────────┼──────────────────────────────────────────────────────────────┤
│ glibc        │ CVE-2025-4802  │ MEDIUM   │ fixed  │ 2.34-168.el9_6.14.alma.1 │ 2.34-168.el9_6.19 │ glibc: static setuid binary dlopen may incorrectly search    │
│              │                │          │        │                          │                   │ LD_LIBRARY_PATH                                              │
│              │                │          │        │                          │                   │ https://avd.aquasec.com/nvd/cve-2025-4802                    │
├──────────────┼────────────────┼──────────┤        ├──────────────────────────┼───────────────────┼──────────────────────────────────────────────────────────────┤
│ openssl-libs │ CVE-2022-3602  │ HIGH     │        │ 3.2.2-6.el9_5.1          │ 1:3.0.1-43.el9_0  │ OpenSSL: X.509 Email Address Buffer Overflow                 │
│              │                │          │        │                          │                   │ https://avd.aquasec.com/nvd/cve-2022-3602                    │
│              ├────────────────┤          │        │                          │                   ├──────────────────────────────────────────────────────────────┤
│              │ CVE-2022-3786  │          │        │                          │                   │ OpenSSL: X.509 Email Address Variable Length Buffer Overflow │
│              │                │          │        │                          │                   │ https://avd.aquasec.com/nvd/cve-2022-3786                    │
│              ├────────────────┤          │        │                          ├───────────────────┼──────────────────────────────────────────────────────────────┤
│              │ CVE-2022-4304  │          │        │                          │ 1:3.0.1-47.el9_1  │ openssl: timing attack in RSA Decryption implementation      │
│              │                │          │        │                          │                   │ https://avd.aquasec.com/nvd/cve-2022-4304                    │
│              ├────────────────┤          │        │                          │                   ├──────────────────────────────────────────────────────────────┤
│              │ CVE-2022-4450  │          │        │                          │                   │ openssl: double free after calling PEM_read_bio_ex           │
│              │                │          │        │                          │                   │ https://avd.aquasec.com/nvd/cve-2022-4450                    │
│              ├────────────────┤          │        │                          │                   ├──────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0215  │          │        │                          │                   │ openssl: use-after-free following BIO_new_NDEF               │
│              │                │          │        │                          │                   │ https://avd.aquasec.com/nvd/cve-2023-0215                    │
│              ├────────────────┤          │        │                          │                   ├──────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0286  │          │        │                          │                   │ openssl: X.400 address type confusion in X.509 GeneralName   │
│              │                │          │        │                          │                   │ https://avd.aquasec.com/nvd/cve-2023-0286                    │
│              ├────────────────┤          │        │                          ├───────────────────┼──────────────────────────────────────────────────────────────┤
│              │ CVE-2024-12797 │          │        │                          │ 1:3.2.2-6.el9_5.1 │ openssl: RFC7250 handshakes with unauthenticated servers     │
│              │                │          │        │                          │                   │ don't abort as expected                                      │
│              │                │          │        │                          │                   │ https://avd.aquasec.com/nvd/cve-2024-12797                   │
│              ├────────────────┤          │        │                          ├───────────────────┼──────────────────────────────────────────────────────────────┤
│              │ CVE-2024-5535  │          │        │                          │ 1:3.2.2-6.el9_5   │ openssl: SSL_select_next_proto buffer overread               │
│              │                │          │        │                          │                   │ https://avd.aquasec.com/nvd/cve-2024-5535                    │
│              ├────────────────┼──────────┤        │                          ├───────────────────┼──────────────────────────────────────────────────────────────┤
│              │ CVE-2022-1292  │ MEDIUM   │        │                          │ 1:3.0.1-41.el9_0  │ openssl: c_rehash script allows command injection            │
│              │                │          │        │                          │                   │ https://avd.aquasec.com/nvd/cve-2022-1292                    │
│              ├────────────────┤          │        │                          │                   ├──────────────────────────────────────────────────────────────┤
│              │ CVE-2022-1343  │          │        │                          │                   │ openssl: Signer certificate verification returns inaccurate  │
│              │                │          │        │                          │                   │ response when using OCSP_NOCHECKS                            │
│              │                │          │        │                          │                   │ https://avd.aquasec.com/nvd/cve-2022-1343                    │
│              ├────────────────┤          │        │                          │                   ├──────────────────────────────────────────────────────────────┤
│              │ CVE-2022-1473  │          │        │                          │                   │ openssl: OPENSSL_LH_flush() breaks reuse of memory           │
│              │                │          │        │                          │                   │ https://avd.aquasec.com/nvd/cve-2022-1473                    │
│              ├────────────────┤          │        │                          │                   ├──────────────────────────────────────────────────────────────┤
│              │ CVE-2022-2068  │          │        │                          │                   │ openssl: the c_rehash script allows command injection        │
│              │                │          │        │                          │                   │ https://avd.aquasec.com/nvd/cve-2022-2068                    │
│              ├────────────────┤          │        │                          │                   ├──────────────────────────────────────────────────────────────┤
│              │ CVE-2022-2097  │          │        │                          │                   │ openssl: AES OCB fails to encrypt some bytes                 │
│              │                │          │        │                          │                   │ https://avd.aquasec.com/nvd/cve-2022-2097                    │
│              ├────────────────┤          │        │                          ├───────────────────┼──────────────────────────────────────────────────────────────┤
│              │ CVE-2022-4203  │          │        │                          │ 1:3.0.1-47.el9_1  │ openssl: read buffer overflow in X.509 certificate           │
│              │                │          │        │                          │                   │ verification                                                 │
│              │                │          │        │                          │                   │ https://avd.aquasec.com/nvd/cve-2022-4203                    │
│              ├────────────────┤          │        │                          │                   ├──────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0216  │          │        │                          │                   │ openssl: invalid pointer dereference in d2i_PKCS7 functions  │
│              │                │          │        │                          │                   │ https://avd.aquasec.com/nvd/cve-2023-0216                    │
│              ├────────────────┤          │        │                          │                   ├──────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0217  │          │        │                          │                   │ openssl: NULL dereference validating DSA public key          │
│              │                │          │        │                          │                   │ https://avd.aquasec.com/nvd/cve-2023-0217                    │
│              ├────────────────┤          │        │                          │                   ├──────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0401  │          │        │                          │                   │ openssl: NULL dereference during PKCS7 data verification     │
│              │                │          │        │                          │                   │ https://avd.aquasec.com/nvd/cve-2023-0401                    │
│              ├────────────────┤          │        │                          ├───────────────────┼──────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0464  │          │        │                          │ 1:3.0.7-16.el9_2  │ openssl: Denial of service by excessive resource usage in    │
│              │                │          │        │                          │                   │ verifying X509 policy...                                     │
│              │                │          │        │                          │                   │ https://avd.aquasec.com/nvd/cve-2023-0464                    │
│              ├────────────────┤          │        │                          │                   ├──────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0465  │          │        │                          │                   │ openssl: Invalid certificate policies in leaf certificates   │
│              │                │          │        │                          │                   │ are silently ignored                                         │
│              │                │          │        │                          │                   │ https://avd.aquasec.com/nvd/cve-2023-0465                    │
│              ├────────────────┤          │        │                          │                   ├──────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0466  │          │        │                          │                   │ openssl: Certificate policy check not enabled                │
│              │                │          │        │                          │                   │ https://avd.aquasec.com/nvd/cve-2023-0466                    │
│              ├────────────────┤          │        │                          │                   ├──────────────────────────────────────────────────────────────┤
│              │ CVE-2023-1255  │          │        │                          │                   │ openssl: Input buffer over-read in AES-XTS implementation on │
│              │                │          │        │                          │                   │ 64 bit ARM                                                   │
│              │                │          │        │                          │                   │ https://avd.aquasec.com/nvd/cve-2023-1255                    │
│              ├────────────────┤          │        │                          │                   ├──────────────────────────────────────────────────────────────┤
│              │ CVE-2023-2650  │          │        │                          │                   │ openssl: Possible DoS translating ASN.1 object identifiers   │
│              │                │          │        │                          │                   │ https://avd.aquasec.com/nvd/cve-2023-2650                    │
│              ├────────────────┤          │        │                          ├───────────────────┼──────────────────────────────────────────────────────────────┤
│              │ CVE-2023-5363  │          │        │                          │ 1:3.0.7-25.el9_3  │ openssl: Incorrect cipher key and IV length processing       │
│              │                │          │        │                          │                   │ https://avd.aquasec.com/nvd/cve-2023-5363                    │
│              ├────────────────┤          │        │                          ├───────────────────┼──────────────────────────────────────────────────────────────┤
│              │ CVE-2023-6129  │          │        │                          │ 1:3.0.7-27.el9    │ openssl: POLY1305 MAC implementation corrupts vector         │
│              │                │          │        │                          │                   │ registers on PowerPC                                         │
│              │                │          │        │                          │                   │ https://avd.aquasec.com/nvd/cve-2023-6129                    │
│              ├────────────────┤          │        │                          │                   ├──────────────────────────────────────────────────────────────┤
│              │ CVE-2023-6237  │          │        │                          │                   │ openssl: Excessive time spent checking invalid RSA public    │
│              │                │          │        │                          │                   │ keys                                                         │
│              │                │          │        │                          │                   │ https://avd.aquasec.com/nvd/cve-2023-6237                    │
│              ├────────────────┤          │        │                          │                   ├──────────────────────────────────────────────────────────────┤
│              │ CVE-2024-0727  │          │        │                          │                   │ openssl: denial of service via null dereference              │
│              │                │          │        │                          │                   │ https://avd.aquasec.com/nvd/cve-2024-0727                    │
│              ├────────────────┤          │        │                          ├───────────────────┼──────────────────────────────────────────────────────────────┤
│              │ CVE-2024-6119  │          │        │                          │ 1:3.0.7-28.el9_4  │ openssl: Possible denial of service in X.509 name checks     │
│              │                │          │        │                          │                   │ https://avd.aquasec.com/nvd/cve-2024-6119                    │
│              ├────────────────┼──────────┤        │                          ├───────────────────┼──────────────────────────────────────────────────────────────┤
│              │ CVE-2022-3358  │ LOW      │        │                          │ 1:3.0.7-6.el9_2   │ openssl: Using a Custom Cipher with NID_undef may lead to    │
│              │                │          │        │                          │                   │ NULL encryption...                                           │
│              │                │          │        │                          │                   │ https://avd.aquasec.com/nvd/cve-2022-3358                    │
│              ├────────────────┤          │        │                          ├───────────────────┼──────────────────────────────────────────────────────────────┤
│              │ CVE-2023-2975  │          │        │                          │ 1:3.0.7-27.el9    │ openssl: AES-SIV cipher implementation contains a bug that   │
│              │                │          │        │                          │                   │ causes it to ignore...                                       │
│              │                │          │        │                          │                   │ https://avd.aquasec.com/nvd/cve-2023-2975                    │
│              ├────────────────┤          │        │                          │                   ├──────────────────────────────────────────────────────────────┤
│              │ CVE-2023-3446  │          │        │                          │                   │ openssl: Excessive time spent checking DH keys and           │
│              │                │          │        │                          │                   │ parameters                                                   │
│              │                │          │        │                          │                   │ https://avd.aquasec.com/nvd/cve-2023-3446                    │
│              ├────────────────┤          │        │                          │                   ├──────────────────────────────────────────────────────────────┤
│              │ CVE-2023-3817  │          │        │                          │                   │ OpenSSL: Excessive time spent checking DH q parameter value  │
│              │                │          │        │                          │                   │ https://avd.aquasec.com/nvd/cve-2023-3817                    │
│              ├────────────────┤          │        │                          │                   ├──────────────────────────────────────────────────────────────┤
│              │ CVE-2023-5678  │          │        │                          │                   │ openssl: Generating excessively long X9.42 DH keys or        │
│              │                │          │        │                          │                   │ checking excessively long X9.42...                           │
│              │                │          │        │                          │                   │ https://avd.aquasec.com/nvd/cve-2023-5678                    │
│              ├────────────────┤          │        │                          ├───────────────────┼──────────────────────────────────────────────────────────────┤
│              │ CVE-2024-2511  │          │        │                          │ 1:3.2.2-6.el9_5   │ openssl: Unbounded memory growth with session handling in    │
│              │                │          │        │                          │                   │ TLSv1.3                                                      │
│              │                │          │        │                          │                   │ https://avd.aquasec.com/nvd/cve-2024-2511                    │
│              ├────────────────┤          │        │                          │                   ├──────────────────────────────────────────────────────────────┤
│              │ CVE-2024-4603  │          │        │                          │                   │ openssl: Excessive time spent checking DSA keys and          │
│              │                │          │        │                          │                   │ parameters                                                   │
│              │                │          │        │                          │                   │ https://avd.aquasec.com/nvd/cve-2024-4603                    │
│              ├────────────────┤          │        │                          │                   ├──────────────────────────────────────────────────────────────┤
│              │ CVE-2024-4741  │          │        │                          │                   │ openssl: Use After Free with SSL_free_buffers                │
│              │                │          │        │                          │                   │ https://avd.aquasec.com/nvd/cve-2024-4741                    │
└──────────────┴────────────────┴──────────┴────────┴──────────────────────────┴───────────────────┴──────────────────────────────────────────────────────────────┘

Operating System

Ubuntu 24.04

Version

Version: 0.63.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-06-30 18:34:34.816862226 +0000 UTC
  NextUpdate: 2025-07-01 18:34:34.816861955 +0000 UTC
  DownloadedAt: 2025-06-30 18:43:27.018044731 +0000 UTC

Checklist

Run trivy clean --all
Read the troubleshooting

knqyf263 · 2025-07-01T06:15:17Z

knqyf263
Jul 1, 2025
Maintainer

Thanks for your report. Created #9100

2 replies

rriemann Aug 19, 2025

@tofay I think it has been shipped. Can this issue be closed?

tofay Aug 19, 2025
Author

This is closed.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Epochs never read from `/var/lib/rpmmanifest/container-manifest-2`. #9099

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment 2 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Epochs never read from /var/lib/rpmmanifest/container-manifest-2. #9099

Uh oh!

tofay Jul 1, 2025

Description

Desired Behavior

Actual Behavior

Reproduction Steps

Target

Scanner

Output Format

Mode

Debug Output

Operating System

Version

Checklist

Replies: 1 comment · 2 replies

Uh oh!

knqyf263 Jul 1, 2025 Maintainer

Uh oh!

rriemann Aug 19, 2025

Uh oh!

tofay Aug 19, 2025 Author

Epochs never read from `/var/lib/rpmmanifest/container-manifest-2`. #9099

tofay
Jul 1, 2025

Replies: 1 comment 2 replies

knqyf263
Jul 1, 2025
Maintainer

tofay Aug 19, 2025
Author