Trivy doesn't detect open CVEs for conan (1) dependencies (for example related to pcre2)

[szigetics]

Question

I am trying to detect open CVEs in my conan dependencies using the following approach :

function runTrivyScan() {
	local RANDOM_NAME=$(openssl rand -hex 12)
	echo "$RANDOM_NAME"
	docker run --name "${RANDOM_NAME}" \
			--volume /var/run/docker.sock:/var/run/docker.sock \
			--volume /tmp/trivy_cache \
			--volume $(pwd):$(pwd) \
			ghcr.io/aquasecurity/trivy:0.56.2 fs --no-progress \
			--severity UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL \
			--format sarif \
			--output /tmp/trivy_scan_results.sarif \
			--exit-code 0 \
			--cache-dir /tmp/trivy_cache \
			--scanners vuln \
			--file-patterns 'conan-lock:conan.lock*' \
			$(pwd)
	
	docker ps -a
	
	docker cp "${RANDOM_NAME}":/tmp/trivy_scan_results.sarif .

	docker container remove "${RANDOM_NAME}"
}

runTrivyScan

Requirements for running the above :

• a Linux or macOS machine
• have docker installed on the system
• It must be ran in the same folder as where there is at least one conan lock file stored with the pattern : conan.lock* . Here is an example file (in a zip, which must be extracted before running the script) : conan.zip

The above conan.lock file contains pcre2 version 10.42, which is known for having open CVEs ( see the release hsitory of : https://github.com/PCRE2Project/pcre2/releases ) .

For some reason the trivy sarif result file doesn't contain anything about this : trivy_scan_results.zip

Could you please help me figure out why no CVEs are being reported? Is there something I am doing wrong, or is it Trivy that is not reporting these CVEs correctly? Or is it because I am still using conan1 instead of conan2?

Thank you for your help in advance! 🙏

Target

Filesystem

Scanner

Vulnerability

Output Format

SARIF

Mode

Standalone

Operating System

macOS Sequoia (15.7.1 (24G231))

Version

Version: 0.56.2

[DmitriyLewen]

hello @szigetics

We use GitLab advisory database for conan advisories - https://gitlab.com/gitlab-org/advisories-community/-/tree/main/conan/pcre2?ref_type=heads

GitLab contains 3 advisories - https://gitlab.com/gitlab-org/advisories-community/-/tree/main/conan/pcre2?ref_type=heads
fixed versions are 10.40 or 10.42.

That is why Trivy doesn't show vulnerabilies.
Detected packages you can see using json format.

Regards, Dmitriy