Vulnerability scan clean in Cloudsmith but not when running locally (Trivy)


Cloudsmith's ability to scan for CVEs (Common Vulnerabilities and Exposures) is a key feature for our customers, and we ensure that this information is accurate and up to date. This matters most when promoting packages from development environments to critical production environments, where packages must be clean or thoroughly tested before being released to the public. (You can read about our package promotion workflow here.)

What is Trivy?

Trivy is a security scanner for your code and container images. It checks them for known vulnerabilities that attackers could exploit, helping you identify and fix problems before release.

How is Trivy used?

In Cloudsmith, you will see a security scanning feature for supported package formats in the UI for a package. In this example, we will look at the spring-petclinic Maven package:

Screenshot of Cloudsmith security scan results for spring-petclinic Maven package

In the screenshot, we see that the package is marked as "Clean," indicating that the package itself does not have any vulnerabilities. However, the package might depend on other libraries that may contain vulnerabilities.

This can be verified by running Trivy locally against the `.jar` file, which produces the following output:

```
trivy rootfs spring-petclinic-3.1.0-20240614.105443-2.jar
```

Trivy scan results for spring-petclinic .jar file

If we look closely at the output, we see that every `.jar` file listed in the Library column is a dependency of the spring-petclinic package. In other words, the CVEs belong to those dependencies, not to the spring-petclinic artifact itself.

Cloudsmith treats each library individually. When you build a Maven project that points at Cloudsmith, the build pulls every package that this specific package depends on, and the scan results then appear against those packages. In this example, building a project with the `spring-petclinic` package would download `logback-classic` as a dependency. That dependency would also appear in Cloudsmith, and its own security scan would show it as vulnerable with the specific CVE tagged against it.
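The distinction above (the artifact itself is "Clean", but libraries bundled inside it carry CVEs) is easy to check mechanically. The following is an added example, not Cloudsmith's or Trivy's own code: it reads a Trivy JSON report (`trivy rootfs --format json -o report.json <file>.jar`), separates findings on the scanned artifact from findings on its dependencies, and fails the check if any dependency has a CVE at or above a chosen severity. It assumes Trivy's report layout of a top-level `Results` list whose `Vulnerabilities` entries carry `PkgName` (as `groupId:artifactId` for Maven), `PkgPath`, `InstalledVersion`, `FixedVersion` and `Severity`. The embedded sample report, its CVE ids, versions and the second dependency are constructed placeholders, not real findings.

```python
"""Split Trivy findings for a scanned .jar into the artifact itself vs. its bundled dependencies.

Added example (not Cloudsmith's or Trivy's code). Assumes Trivy's JSON report layout.
"""
import json
import sys
from collections import defaultdict

# Trivy severity labels, ranked so a threshold can be compared numerically.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in the shape of a Trivy JSON report for a rootfs scan of the
# spring-petclinic jar. CVE ids, versions and "constructed-lib" are placeholders.
SAMPLE_REPORT = {
    "ArtifactName": "spring-petclinic-3.1.0-20240614.105443-2.jar",
    "ArtifactType": "filesystem",
    "Results": [
        {
            "Target": "Java",
            "Class": "lang-pkgs",
            "Type": "jar",
            "Vulnerabilities": [
                {
                    "VulnerabilityID": "CVE-0000-00001",  # placeholder id
                    "PkgName": "ch.qos.logback:logback-classic",
                    "PkgPath": "BOOT-INF/lib/logback-classic-1.0.0.jar",
                    "InstalledVersion": "1.0.0",
                    "FixedVersion": "1.0.1",
                    "Severity": "HIGH",
                },
                {
                    "VulnerabilityID": "CVE-0000-00002",  # placeholder id
                    "PkgName": "com.example:constructed-lib",
                    "PkgPath": "BOOT-INF/lib/constructed-lib-0.1.jar",
                    "InstalledVersion": "0.1",
                    "FixedVersion": "0.2",
                    "Severity": "LOW",
                },
            ],
        }
    ],
}


def split_findings(report, artifact_id):
    """Return (own, deps): findings on the artifact itself vs. on bundled dependencies.

    artifact_id is the Maven artifactId of the scanned jar, e.g. "spring-petclinic".
    Trivy names Maven packages "groupId:artifactId", so the comparison is on the last part.
    """
    own, deps = [], defaultdict(list)
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            pkg = vuln.get("PkgName", "")
            entry = {
                "id": vuln.get("VulnerabilityID"),
                "pkg": pkg,
                "path": vuln.get("PkgPath", result.get("Target")),
                "installed": vuln.get("InstalledVersion"),
                "fixed": vuln.get("FixedVersion") or None,
                "severity": vuln.get("Severity", "UNKNOWN").upper(),
            }
            if pkg.split(":")[-1] == artifact_id:
                own.append(entry)
            else:
                deps[pkg].append(entry)
    return own, dict(deps)


def blocking_dependencies(deps, fail_on="HIGH"):
    """Dependencies with at least one finding at or above the fail_on severity, sorted by name."""
    threshold = SEVERITY_RANK[fail_on.upper()]
    return sorted(
        pkg for pkg, findings in deps.items()
        if any(SEVERITY_RANK.get(f["severity"], 0) >= threshold for f in findings)
    )


def summarize(report, artifact_id, fail_on="HIGH"):
    """One-shot verdict: is the artifact itself clean, and which dependencies block promotion."""
    own, deps = split_findings(report, artifact_id)
    return {
        "artifact_clean": not own,
        "dependency_cves": sum(len(v) for v in deps.values()),
        "blocking": blocking_dependencies(deps, fail_on),
    }


def main(argv):
    # usage: python trivy_split.py [report.json] [artifactId]; defaults to the sample above
    if len(argv) > 1:
        with open(argv[1]) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    artifact_id = argv[2] if len(argv) > 2 else "spring-petclinic"
    own, deps = split_findings(report, artifact_id)
    status = "Clean" if not own else f"{len(own)} CVE(s)"
    print(f"{artifact_id}: {status} in the artifact itself")
    for pkg, findings in sorted(deps.items()):
        for f in findings:
            print(f"  dependency {pkg} {f['installed']} ({f['path']}): "
                  f"{f['id']} {f['severity']} fixed in {f['fixed'] or 'n/a'}")
    summary = summarize(report, artifact_id)
    print(f"blocking at HIGH or above: {summary['blocking'] or 'none'}")
    return 1 if summary["blocking"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with no arguments to see the sample split, or pass a real report and the artifactId of the jar you scanned. The exit status makes it usable as a gate in a promotion pipeline: the artifact reads as "Clean" exactly as Cloudsmith shows it, while `logback-classic` is reported as the blocking dependency.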

The `logback-classic` package would then have the CVE scan result inside Cloudsmith:

Cloudsmith CVE scan results for logback-classic package
