CVE not reported on older Alpine, only on newer version

[ckcr4lyf]

Description

I was previously using Alpine 3.20 w/ icu-libs, and no errors were reported. I moved onto Alpine 3.23 today, and for some reasons I need to force the older version of icu-libs . However now trivy reports a vulnerability.

Why is it not reported for Alpine 3.20? If I'm not mistaken, and from past experience, trivy reports a vulnerability even if its not fixed yet. (In this example Alpine 3.20 does not have a fixed package, though the actual lib is eventually fixed).

I've made a PoC here: https://github.com/ckcr4lyf/trivy-old-alpine-poc/ w/ the dockerfiles

• [WRONG] Passing for Alpine 3.20 + icu-libs 74.2-r1 (https://github.com/ckcr4lyf/trivy-old-alpine-poc/actions/runs/20056999449/job/57524460417#step:5:53)
• [CORRECT] Failing for Alpine 3.23 + icu-libs 74.2-r1 (https://github.com/ckcr4lyf/trivy-old-alpine-poc/actions/runs/20056999449/job/57524460418#step:5:76)

Desired Behavior

Report the vulnerability

┌─────────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│   Library   │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │                           Title                            │
├─────────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ icu-data-en │ CVE-2025-5222 │ HIGH     │ fixed  │ 74.2-r1           │ 76.1-r1       │ icu: Stack buffer overflow in the SRBRoot::addTag function │
│             │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-5222                  │
├─────────────┤               │          │        │                   │               │                                                            │
│ icu-libs    │               │          │        │                   │               │                                                            │
│             │               │          │        │                   │               │                                                            │
└─────────────┴───────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘

Actual Behavior

It reported clean

Reproduction Steps

Install vuln lib on alpine 3.20, scan w/ trivy. PoC at https://github.com/ckcr4lyf/trivy-old-alpine-poc/

Dockerfile:

FROM alpine:3.20

RUN apk update
RUN apk add --no-cache icu-libs

RUN ["/bin/ash"]

Scanned via:

trivy image --severity HIGH,CRITICAL --exit-code 1 --scanners vuln [IMAGE_ID]

Target

Container Image

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Debug Output

2025-12-09T08:31:25Z	DEBUG	No plugins loaded
2025-12-09T08:31:25Z	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2025-12-09T08:31:25Z	DEBUG	Cache dir	dir="/root/.cache/trivy"
2025-12-09T08:31:25Z	DEBUG	Cache dir	dir="/root/.cache/trivy"
2025-12-09T08:31:25Z	DEBUG	Parsed severities	severities=[HIGH CRITICAL]
2025-12-09T08:31:25Z	DEBUG	Ignore statuses	statuses=[]
2025-12-09T08:31:25Z	DEBUG	[vulndb] There is no db file
2025-12-09T08:31:25Z	DEBUG	[vulndb] There is no valid metadata file	err.message="file open error" err.err="file open error: open /root/.cache/trivy/db/metadata.json: no such file or directory" err.time=2025-12-09T08:31:25.10805475Z err.trace="01KC13S6XMWKPXVT4DPVNHSKSC" err.context.file_path="/root/.cache/trivy/db/metadata.json" err.stacktrace="Oops: file open error\n  --- at /home/runner/go/pkg/mod/github.com/aquasecurity/trivy-db@v0.0.0-20250929072116-eba1ced2340a/pkg/metadata/metadata.go:43 Client.Get()\n  --- at /home/runner/work/trivy/trivy/pkg/db/db.go:111 Client.NeedsUpdate()\n  --- at /home/runner/work/trivy/trivy/pkg/commands/operation/operation.go:33 DownloadDB()\n  --- at /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:333 runner.initDB()\n  --- at /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:142 NewRunner()\n  --- at /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:422 run()\n  --- at /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:405 Run()\n  --- at /home/runner/work/trivy/trivy/pkg/commands/app.go:316 NewImageCommand.func2()\n  --- at /home/runner/go/pkg/mod/github.com/spf13/cobra@v1.10.1/command.go:1015 Command.execute()\n  --- at /home/runner/go/pkg/mod/github.com/spf13/cobra@v1.10.1/command.go:1148 Command.ExecuteC()"
2025-12-09T08:31:25Z	INFO	[vulndb] Need to update DB
2025-12-09T08:31:25Z	INFO	[vulndb] Downloading vulnerability DB...
2025-12-09T08:31:25Z	INFO	[vulndb] Downloading artifact...	repo="mirror.gcr.io/aquasec/trivy-db:2"
2025-12-09T08:31:27Z	DEBUG	Created process-specific temp directory	path="/tmp/trivy-1"
24.02 MiB / 77.27 MiB [------------------>__________________________________________] 31.08% ? p/s ?68.14 MiB / 77.27 MiB [----------------------------------------------------->_______] 88.19% ? p/s ?77.27 MiB / 77.27 MiB [----------------------------------------------------------->] 100.00% ? p/s ?77.27 MiB / 77.27 MiB [---------------------------------------------->] 100.00% 88.68 MiB p/s ETA 0s77.27 MiB / 77.27 MiB [---------------------------------------------->] 100.00% 88.68 MiB p/s ETA 0s77.27 MiB / 77.27 MiB [---------------------------------------------->] 100.00% 88.68 MiB p/s ETA 0s77.27 MiB / 77.27 MiB [---------------------------------------------->] 100.00% 82.96 MiB p/s ETA 0s77.27 MiB / 77.27 MiB [---------------------------------------------->] 100.00% 82.96 MiB p/s ETA 0s77.27 MiB / 77.27 MiB [---------------------------------------------->] 100.00% 82.96 MiB p/s ETA 0s77.27 MiB / 77.27 MiB [---------------------------------------------->] 100.00% 77.61 MiB p/s ETA 0s77.27 MiB / 77.27 MiB [---------------------------------------------->] 100.00% 77.61 MiB p/s ETA 0s77.27 MiB / 77.27 MiB [---------------------------------------------->] 100.00% 77.61 MiB p/s ETA 0s77.27 MiB / 77.27 MiB [---------------------------------------------->] 100.00% 72.60 MiB p/s ETA 0s77.27 MiB / 77.27 MiB [-------------------------------------------------] 100.00% 30.58 MiB p/s 2.7s2025-12-09T08:31:30Z	INFO	[vulndb] Artifact successfully downloaded	repo="mirror.gcr.io/aquasec/trivy-db:2"
2025-12-09T08:31:30Z	DEBUG	Updating database metadata...
2025-12-09T08:31:30Z	DEBUG	DB info	schema=2 updated_at=2025-12-09T06:31:29.521459001Z next_update=2025-12-10T06:31:29.5214587Z downloaded_at=2025-12-09T08:31:30.078185951Z
2025-12-09T08:31:30Z	DEBUG	[pkg] Package types	types=[os library]
2025-12-09T08:31:30Z	DEBUG	[pkg] Package relationships	relationships=[unknown root workspace direct indirect]
2025-12-09T08:31:30Z	INFO	[vuln] Vulnerability scanning is enabled
2025-12-09T08:31:30Z	DEBUG	Initializing scan cache...	type="fs"
2025-12-09T08:31:30Z	DEBUG	[notification] Running version check
2025-12-09T08:31:30Z	DEBUG	[image] Image found	image="trivy-poc:alpine-3.20" source="docker"
2025-12-09T08:31:30Z	DEBUG	[image] Detected image ID	image_id="sha256:ce3595316ae6d028b27a27c28e6c68a419409e2cd12cc4da71cdf4f1f3e4ef1e"
2025-12-09T08:31:30Z	DEBUG	[image] Detected diff ID	diff_ids=[sha256:abfcb263a58861178d439ff49c8d87ef7f1ec7b881ecaa9a906387366dea86d2 sha256:d6a4a1007b005185e8231de686d7e492c9ce0045609a698167ab573d768899ed sha256:14ff7499cf7bf4b5ea4187bf32ecd3805e0efc44740f861d0484f2e1d8a2b209 sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef]
2025-12-09T08:31:30Z	DEBUG	[image] Detected base layers	diff_ids=[sha256:abfcb263a58861178d439ff49c8d87ef7f1ec7b881ecaa9a906387366dea86d2]
2025-12-09T08:31:30Z	DEBUG	[image] Missing image ID in cache	image_id="sha256:ce3595316ae6d028b27a27c28e6c68a419409e2cd12cc4da71cdf4f1f3e4ef1e"
2025-12-09T08:31:30Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:abfcb263a58861178d439ff49c8d87ef7f1ec7b881ecaa9a906387366dea86d2"
2025-12-09T08:31:30Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:d6a4a1007b005185e8231de686d7e492c9ce0045609a698167ab573d768899ed"
2025-12-09T08:31:30Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef"
2025-12-09T08:31:30Z	DEBUG	[image] Missing diff ID in cache	diff_id="sha256:14ff7499cf7bf4b5ea4187bf32ecd3805e0efc44740f861d0484f2e1d8a2b209"
2025-12-09T08:31:30Z	DEBUG	[notification] Version check completed	latest_version="0.68.1"
2025-12-09T08:31:32Z	DEBUG	[secret] Using streaming scanner	file_path="config.json"
2025-12-09T08:31:32Z	DEBUG	[secret] scanStream called	file_path="config.json" buffer_size=65536 overlap_size=4096
2025-12-09T08:31:32Z	DEBUG	[secret] scanChunk called	file_path="config.json" content_len=1360 num_rules=87
2025-12-09T08:31:32Z	DEBUG	[secret] scanChunk called	file_path="config.json" content_len=1360 num_rules=87
2025-12-09T08:31:32Z	DEBUG	No secrets found in container image config
2025-12-09T08:31:32Z	INFO	Detected OS	family="alpine" version="3.20.8"
2025-12-09T08:31:32Z	INFO	[alpine] Detecting vulnerabilities...	os_version="3.20" repository="3.20" pkg_num=18
2025-12-09T08:31:32Z	INFO	Number of language-specific files	num=0
2025-12-09T08:31:32Z	WARN	Using severities from other vendors for some vulnerabilities. Read https://trivy.dev/docs/v0.68/guide/scanner/vulnerability#severity-selection for details.
2025-12-09T08:31:32Z	DEBUG	Specified ignore file does not exist	file=".trivyignore"
2025-12-09T08:31:32Z	DEBUG	[vex] VEX filtering is disabled

Report Summary

┌───────────────────────────────────────┬────────┬─────────────────┐
│                Target                 │  Type  │ Vulnerabilities │
├───────────────────────────────────────┼────────┼─────────────────┤
│ trivy-poc:alpine-3.20 (alpine 3.20.8) │ alpine │        0        │
└───────────────────────────────────────┴────────┴─────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

2025-12-09T08:31:32Z	DEBUG	Cleaning up temp directory	path="/tmp/trivy-1"

Operating System

Github Actions Default ubuntu-latest

Version

Version: 0.68.1

Checklist

• Run trivy clean --all
• Read the troubleshooting

[DmitriyLewen]

Hello @ckcr4lyf
Thanks for your report.

Just like Alpine stores its advisories separately for each release, Trivy also uses a dedicated vulnerability database per Alpine version.

For Alpine 3.20 the fixed version is 74.2-r1,
while for Alpine 3.23 the fixed version is 76.1-r1.

Therefore, when you scan version 74.2-r1, Trivy marks this package as vulnerable only for Alpine 3.23, because in 3.23 the fixed version is higher (76.1-r1), but in 3.20 it is already fixed.

Links:

• https://secdb.alpinelinux.org/v3.23/main.json
• https://secdb.alpinelinux.org/v3.20/main.json
• https://security.alpinelinux.org/vuln/CVE-2025-5222

Regards, Dmitriy

[ckcr4lyf]

Thanks for the reply Dmitriy. So the way I understand it:

• 74.2-r1 is technically fixed regardless of Alpine version (the patch is applied)
• But since the Alpine 3.23 advisory recommends 76.1-r1 as the "fixed version" (since 74.2-r1 isn't even in the repository I guess), any version before that is considered vulnerable
• Even though I force install a patched library (from the 3.20 repos), because of the Alpine advisory DB for 3.23, it is reported a vulnerable, though technically it isn't

I think I understand the trivy scanning a bit better now; I assumed it was something like how for a Node project, the fixed version is determined just by library version, not the OS advisory, but I guess OS packaging etc. makes that more complicated.

Thanks for the reply, I guess I'll just use .trivyignore for now!