Description
We have trivy-operator running and I had a deeper look into the reports generated by trivy and found some results which are not correct. Please find an example below:

```yaml
- fixedVersion: ''
  installedVersion: 1:21.0.8.0.9-1.el8
  lastModifiedDate: '2026-01-14T20:24:05Z'
  links: []
  packagePURL: >-
    pkg:rpm/redhat/java-21-openjdk-headless@21.0.8.0.9-1.el8?arch=x86_64&distro=redhat-8.10&epoch=1
  primaryLink: https://avd.aquasec.com/nvd/cve-2026-22184
  publishedDate: '2026-01-07T21:16:01Z'
  resource: java-21-openjdk-headless
  score: 9.8
  severity: HIGH
  target: ''
  title: >-
    zlib: zlib: Arbitrary code execution via buffer overflow in untgz
    utility
  vulnerabilityID: CVE-2026-22184
```
First, from my understanding a 9.8 cannot be HIGH and must be CRITICAL. This is also shown in the link provided by the CR: https://avd.aquasec.com/nvd/2026/cve-2026-22184/. There it is clearly stated as CRITICAL (which is my expectation).

Another inconsistency in the generated data is that some CVEs show no fix where a fix exists, e.g.:
```yaml
- fixedVersion: ''
  installedVersion: 3.40.1-2+deb12u2
  lastModifiedDate: '2025-08-11T19:11:30Z'
  links: []
  packagePURL: >-
    pkg:deb/debian/libsqlite3-0@3.40.1-2%2Bdeb12u2?arch=amd64&distro=debian-12.12
  primaryLink: https://avd.aquasec.com/nvd/cve-2025-7458
  publishedDate: '2025-07-29T13:15:28Z'
  resource: libsqlite3-0
  score: 9.1
  severity: CRITICAL
  target: ''
  title: 'sqlite: SQLite integer overflow'
  vulnerabilityID: CVE-2025-7458
```

See https://sqlite.org/forum/forumpost/5a50eb43f37c682c for the comment that this is "fixed with version 3.42.0 which was released in May of 2023".
What did you expect to happen:
That the created VulnerabilityReports match the linked data from the aquasecurity page.
Anything else you would like to add:
N/A
Environment:
- Trivy-Operator version (use `trivy-operator version`):

```json
{"level":"info","ts":"2026-01-15T12:38:10Z","logger":"main","msg":"Starting operator","buildInfo":{"Version":"0.29.0","Commit":"c8b31d9428fe730da7f306e43abc45c3de904c94","Date":"2025-09-23T06:46:35Z","Executable":""}}
{"level":"info","ts":"2026-01-15T12:38:10Z","logger":"operator","msg":"Resolved install mode","install mode":"AllNamespaces","operator namespace":"trivy","target namespaces":[],"exclude namespaces":"","target workloads":["pod","replicaset","replicationcontroller","statefulset","daemonset","cronjob","job"]}
{"level":"info","ts":"2026-01-15T12:38:10Z","logger":"operator","msg":"Watching all namespaces"}
```
- Kubernetes version (use `kubectl version`):

```text
Client Version: v1.34.3
Kustomize Version: v5.7.1
Server Version: v1.33.5-eks-3025e55
```
- OS (macOS 10.15, Windows 10, Ubuntu 19.10 etc):
Default, which should be Amazon Linux
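A consistency check over report entries like the two quoted in this issue, as an added example that is not trivy-operator's own code: it maps each `score` to its CVSS v3.x qualitative band and flags entries whose `severity` disagrees with that band, and separately flags HIGH/CRITICAL entries that carry an empty `fixedVersion`. The sample list is constructed from the two items above; the `Finding` class, the function names and the check names are this example's own.

```python
"""Cross-check trivy-operator VulnerabilityReport entries for two
inconsistencies: a CVSS score whose qualitative band disagrees with the
reported severity, and a HIGH/CRITICAL finding with no fixedVersion.

Added example, not trivy-operator code. The sample entries below are
constructed to mirror the two report items quoted in the issue.
"""
from dataclasses import dataclass

# CVSS v3.x qualitative severity rating scale (FIRST CVSS v3.1 spec, section 5).
CVSS_V3_BANDS = (
    (0.0, 0.0, "NONE"),
    (0.1, 3.9, "LOW"),
    (4.0, 6.9, "MEDIUM"),
    (7.0, 8.9, "HIGH"),
    (9.0, 10.0, "CRITICAL"),
)


def cvss_to_severity(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative rating name."""
    # CVSS base scores carry one decimal; rounding keeps a stray value
    # such as 8.95 from falling between two bands.
    score = round(float(score), 1)
    for low, high, name in CVSS_V3_BANDS:
        if low <= score <= high:
            return name
    raise ValueError(f"CVSS score out of range: {score}")


@dataclass(frozen=True)
class Finding:
    vulnerability_id: str
    resource: str
    kind: str      # "severity-mismatch" or "no-fix-version"
    detail: str


def check_vulnerabilities(vulns):
    """Return a Finding for every inconsistency among the report items.

    `vulns` is the list found under .report.vulnerabilities of a
    VulnerabilityReport, with the same keys as the YAML in the issue.
    """
    findings = []
    for v in vulns:
        vid = v.get("vulnerabilityID", "?")
        resource = v.get("resource", "?")
        severity = str(v.get("severity", "")).upper()
        score = v.get("score")
        # Check 1: does the reported severity match the CVSS v3 band?
        if score is not None:
            expected = cvss_to_severity(score)
            if expected != severity:
                findings.append(Finding(
                    vid, resource, "severity-mismatch",
                    f"score {score} is {expected} on the CVSS v3 scale, "
                    f"report says {severity}"))
        # Check 2: a HIGH/CRITICAL item with no fixedVersion deserves a
        # look at the primary link to see whether a fix is known upstream.
        if severity in ("HIGH", "CRITICAL") and not v.get("fixedVersion"):
            findings.append(Finding(
                vid, resource, "no-fix-version",
                f"{severity} finding with empty fixedVersion; verify "
                f"against {v.get('primaryLink', 'the advisory')}"))
    return findings


# Constructed sample mirroring the two entries quoted in the issue.
SAMPLE_VULNERABILITIES = [
    {
        "fixedVersion": "",
        "installedVersion": "1:21.0.8.0.9-1.el8",
        "packagePURL": "pkg:rpm/redhat/java-21-openjdk-headless@21.0.8.0.9-1.el8"
                       "?arch=x86_64&distro=redhat-8.10&epoch=1",
        "primaryLink": "https://avd.aquasec.com/nvd/cve-2026-22184",
        "resource": "java-21-openjdk-headless",
        "score": 9.8,
        "severity": "HIGH",
        "vulnerabilityID": "CVE-2026-22184",
    },
    {
        "fixedVersion": "",
        "installedVersion": "3.40.1-2+deb12u2",
        "packagePURL": "pkg:deb/debian/libsqlite3-0@3.40.1-2%2Bdeb12u2"
                       "?arch=amd64&distro=debian-12.12",
        "primaryLink": "https://avd.aquasec.com/nvd/cve-2025-7458",
        "resource": "libsqlite3-0",
        "score": 9.1,
        "severity": "CRITICAL",
        "vulnerabilityID": "CVE-2025-7458",
    },
]


if __name__ == "__main__":
    for f in check_vulnerabilities(SAMPLE_VULNERABILITIES):
        print(f"{f.vulnerability_id} ({f.resource}) [{f.kind}]: {f.detail}")
```

On the sample, the first entry produces a `severity-mismatch` (9.8 sits in the CRITICAL band) and both entries produce `no-fix-version`. Treat these as leads rather than proof of an error: Trivy can take the severity of an OS package from the distribution's own advisory rating instead of the NVD score, and `fixedVersion` follows the distribution's security tracker rather than the upstream project, so a flagged row is the point to compare the report against its `primaryLink` and the vendor advisory.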