Why do Trivy-based scans not find the latest vulnerabilities?
Overview
Trivy is used by Container Scanning, and in the case of Java-based projects,
the supplemental database trivy-java-db
is used during such scans.
Environment
Impacted offerings:
- GitLab.com
- GitLab Dedicated
- GitLab Self-Managed
Answer
Due to factors such as rate limiting by Maven Central,
the trivy-java-db
can become outdated.
See aquasecurity/trivy-java-db!52 for more information.
Additional information
We ask for your patience until the upstream problem is fixed or mitigated.