Looks like trivy is reporting FP for ingress v1.12.1

[dsever]

IDs

CVE-2021-25742, CVE-2023-5043,CVE-2023-5044

Description

According to NVD and Aqua DB it should not be Vulnerable for v1.12.1

CVE-2021-25742, https://avd.aquasec.com/nvd/cve-2021-25742
CVE-2023-5043, https://avd.aquasec.com/nvd/cve-2023-5043
CVE-2023-5044, https://avd.aquasec.com/nvd/cve-2023-5044

Reproduction Steps

trivy k8s minikube --disable-node-collector --scanners vuln  --report all

Target

Kubernetes

Scanner

Vulnerability

Target OS

Minikube

Debug Output

2025-04-19T00:05:25+02:00	DEBUG	No plugins loaded
2025-04-19T00:05:25+02:00	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2025-04-19T00:05:25+02:00	DEBUG	Cache dir	dir="/Users/dsever/Library/Caches/trivy"
2025-04-19T00:05:25+02:00	DEBUG	Cache dir	dir="/Users/dsever/Library/Caches/trivy"
2025-04-19T00:05:25+02:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-04-19T00:05:25+02:00	DEBUG	Ignore statuses	statuses=[]
2025-04-19T00:05:25+02:00	DEBUG	DB update was skipped because the local DB is the latest
2025-04-19T00:05:25+02:00	DEBUG	DB info	schema=2 updated_at=2025-04-18T18:19:25.014803806Z next_update=2025-04-19T18:19:25.014803535Z downloaded_at=2025-04-18T21:20:01.697769Z
2025-04-19T00:05:25+02:00	DEBUG	[pkg] Package types	types=[os library]
2025-04-19T00:05:25+02:00	DEBUG	[pkg] Package relationships	relationships=[unknown root workspace direct indirect]
2025-04-19T00:05:25+02:00	INFO	[vuln] Vulnerability scanning is enabled
2025-04-19T00:05:25+02:00	DEBUG	Initializing scan cache...	type="memory"
2025-04-19T00:05:25+02:00	INFO	Detected SBOM format	format="cyclonedx-json"
2025-04-19T00:05:25+02:00	DEBUG	Unmarshalling CycloneDX JSON...
2025-04-19T00:05:25+02:00	DEBUG	[sbom] Skipping a component with an unsupported type	file_path="/tmp/trivy.json" name="registry.k8s.io/ingress-nginx/controller" version="sha256:e6b8de175acda6ca913891f0f727bca4527e797d52688cbe9fec9040d6f6b6fa" type="oci"
2025-04-19T00:05:25+02:00	DEBUG	[sbom] Skipping a component with an unsupported type	file_path="/tmp/trivy.json" name="registry.k8s.io/kube-proxy" version="sha256:4bcb707da9898d2625f5d4edc6d0c96519a24f16db914fc673aa8f97e41dbabf" type="oci"
2025-04-19T00:05:25+02:00	DEBUG	[sbom] Skipping a component with an unsupported type	file_path="/tmp/trivy.json" name="registry.k8s.io/kube-scheduler" version="sha256:5897d7a97d23dce25cbf36fcd6e919180a8ef904bf5156583ffdb6a733ab04af" type="oci"
2025-04-19T00:05:25+02:00	DEBUG	[sbom] Skipping a component with an unsupported type	file_path="/tmp/trivy.json" name="registry.k8s.io/coredns/coredns" version="sha256:a0ead06651cf580044aeb0a0feba63591858fb2e43ade8c9dea45a6a89ae7e5e" type="oci"
2025-04-19T00:05:25+02:00	DEBUG	[sbom] Skipping a component with an unsupported type	file_path="/tmp/trivy.json" name="registry.k8s.io/etcd" version="sha256:51eae8381dcb1078289fa7b4f3df2630cdc18d09fb56f8e56b41c40e191d6c83" type="oci"
2025-04-19T00:05:25+02:00	DEBUG	[sbom] Skipping a component with an unsupported type	file_path="/tmp/trivy.json" name="registry.k8s.io/kube-apiserver" version="sha256:697cd88d94f7f2ef42144cb3072b016dcb2e9251f0e7d41a7fede557e555452d" type="oci"
2025-04-19T00:05:25+02:00	DEBUG	[sbom] Skipping a component with an unsupported type	file_path="/tmp/trivy.json" name="registry.k8s.io/kube-controller-manager" version="sha256:6286e500782ad6d0b37a1b8be57fc73f597dc931dfc73ff18ce534059803b265" type="oci"
2025-04-19T00:05:25+02:00	WARN	No OS package is detected. Make sure you haven't deleted any files that contain information about the installed packages.
2025-04-19T00:05:25+02:00	WARN	e.g. files under "/lib/apk/db/", "/var/lib/dpkg/" and "/var/lib/rpm"
2025-04-19T00:05:25+02:00	INFO	Detected OS	family="buildroot" version="2021.02.12"
2025-04-19T00:05:25+02:00	WARN	Unsupported os	family="buildroot"
2025-04-19T00:05:25+02:00	INFO	Number of language-specific files	num=2
2025-04-19T00:05:25+02:00	INFO	[gobinary] Detecting vulnerabilities...
2025-04-19T00:05:25+02:00	DEBUG	[gobinary] Scanning packages for vulnerabilities	file_path=""
2025-04-19T00:05:25+02:00	INFO	[kubernetes] Detecting vulnerabilities...
2025-04-19T00:05:25+02:00	DEBUG	[kubernetes] Scanning packages for vulnerabilities	file_path=""
2025-04-19T00:05:25+02:00	DEBUG	[kubernetes] Skipping vulnerability scan as no version is detected for the package	name="kube-dns"
2025-04-19T00:05:25+02:00	DEBUG	Specified ignore file does not exist	file=".trivyignore"
2025-04-19T00:05:25+02:00	DEBUG	[vex] VEX filtering is disabled

Version

Version: 0.61.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-04-18 18:19:25.014803806 +0000 UTC
  NextUpdate: 2025-04-19 18:19:25.014803535 +0000 UTC
  DownloadedAt: 2025-04-18 21:20:01.697769 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-08-09 01:03:34.584171661 +0000 UTC
  NextUpdate: 2023-08-12 01:03:34.584171061 +0000 UTC
  DownloadedAt: 2023-08-09 14:23:47.359953 +0000 UTC
Check Bundle:
  Digest: sha256:2bc834fc222789e26b85dc3e92e3333b488e16a9bfa192aa971cca25db884837
  DownloadedAt: 2025-03-25 14:21:27.046378 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct