detect container image liberica-runtime-container #9180

purnhar · 2025-07-10T09:25:40Z

purnhar
Jul 10, 2025

Description

The image liberica-runtime-container is based on Alpine Linux and can be used as secured base image for Java based applications. Currently trivy neither recognizes the underlying Alpine OS not the installed packages (APK).

Desired Behavior

trivy should recognize an OS derived from Alpine Linux. This could be achieved by falling back to ID_LIKE when parsing /etc/os-release and the ID-entry is unknown.

content of /etc/os-release

NAME="BellSoft Alpaquita Linux"
ID=alpaquita
ID_LIKE=alpine
VERSION="Stream"
VERSION_ID=stream
PRETTY_NAME="BellSoft Alpaquita Linux Stream (glibc)"
HOME_URL="https://bell-sw.com/"
BUG_REPORT_URL="https://bell-sw.com/support/"
LIBC_TYPE=glibc

Additionally the installed APK packages are not recognized, because in this image the APK db is located at /var/lib/apk/db which is not scanned by trivy. This path could be added to the scanned paths in apk.go.

For testing porpose I modified the os-releases file and copied the APK database /usr/lib/apk. Now all packages are identified correctly (verified by -f json --list-all-pkgs). The contained vulnerabilities are still not detected because of the OS version differing from an official Alpine version. I do not know if there is any way around this problem.

Actual Behavior

OS is unknown.
APK packages are not recognized because apk db is located at /var/lib/apk/db
Vulnerabilities are not found because of non matching version of distribution

Reproduction Steps

1. trivy image bellsoft/liberica-runtime-container:jdk-21.0.7-glibc --debug
2. Patch image for testing purpose using the following Dockerfile
   FROM bellsoft/liberica-runtime-container:jdk-21.0.7-glibc
   RUN sed -i 's/^ID=alpaquita$/ID=alpine/' /etc/os-release; \
       sed -i 's/^VERSION_ID=stream$/VERSION_ID=3.22.0/' /etc/os-release; \
       cp -r /var/lib/apk/db /usr/lib/apk/db;

Target

Container Image

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Debug Output

trivy image bellsoft/liberica-runtime-container:jdk-21.0.7-glibc --debug
2025-07-10T10:37:30+02:00       DEBUG   No plugins loaded
2025-07-10T10:37:30+02:00       DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2025-07-10T10:37:30+02:00       DEBUG   Cache dir       dir="C:\\Users\\purnhagen\\AppData\\Local\\trivy"
2025-07-10T10:37:30+02:00       DEBUG   Cache dir       dir="C:\\Users\\purnhagen\\AppData\\Local\\trivy"
2025-07-10T10:37:30+02:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-07-10T10:37:30+02:00       DEBUG   Ignore statuses statuses=[]
2025-07-10T10:37:30+02:00       DEBUG   DB update was skipped because the local DB is the latest
2025-07-10T10:37:30+02:00       DEBUG   DB info schema=2 updated_at=2025-07-10T06:19:22.441579021Z next_update=2025-07-11T06:19:22.441578841Z downloaded_at=2025-07-10T07:08:28.1432469Z
2025-07-10T10:37:30+02:00       DEBUG   [pkg] Package types     types=[os library]
2025-07-10T10:37:30+02:00       DEBUG   [notification] Running version check
2025-07-10T10:37:30+02:00       DEBUG   [pkg] Package relationships     relationships=[unknown root workspace direct indirect]
2025-07-10T10:37:30+02:00       INFO    [vuln] Vulnerability scanning is enabled
2025-07-10T10:37:30+02:00       INFO    [secret] Secret scanning is enabled
2025-07-10T10:37:30+02:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-07-10T10:37:30+02:00       INFO    [secret] Please see also https://trivy.dev/v0.64/docs/scanner/secret#recommendation for faster secret detection
2025-07-10T10:37:30+02:00       DEBUG   Initializing scan cache...      type="fs"
2025-07-10T10:37:30+02:00       DEBUG   [secret] No secret config detected      config_path="trivy-secret.yaml"
2025-07-10T10:37:30+02:00       DEBUG   [secret] No secret config detected      config_path="trivy-secret.yaml"
2025-07-10T10:37:30+02:00       DEBUG   [image] Detected image ID       image_id="sha256:580cca3048b362ff9af85958a654621b46c61670af5c23461df58dbb40107bbc"
2025-07-10T10:37:30+02:00       DEBUG   Saving the container image to a local file to obtain the image config...
2025-07-10T10:37:30+02:00       DEBUG   [notification] Version check completed  latest_version="0.64.1"
2025-07-10T10:37:32+02:00       DEBUG   [image] Detected diff ID        diff_ids=[sha256:82eaca0c097898f020179f87c9c25b328dce7133472ff9b173c9ca1a4d191613 sha256:be14b0950a606a8774632cc163fbbc9bde48502e4203deb0d6a6b2066ca2e719]
2025-07-10T10:37:32+02:00       DEBUG   [image] Detected base layers    diff_ids=[]
2025-07-10T10:37:32+02:00       DEBUG   [image] Missing image ID in cache       image_id="sha256:580cca3048b362ff9af85958a654621b46c61670af5c23461df58dbb40107bbc"
2025-07-10T10:37:32+02:00       DEBUG   No secrets found in container image config
2025-07-10T10:37:32+02:00       DEBUG   OS is not detected.
2025-07-10T10:37:32+02:00       DEBUG   Detected OS: unknown
2025-07-10T10:37:32+02:00       INFO    Number of language-specific files       num=0
2025-07-10T10:37:32+02:00       DEBUG   Specified ignore file does not exist    file=".trivyignore"
2025-07-10T10:37:32+02:00       DEBUG   [vex] VEX filtering is disabled
2025-07-10T10:37:32+02:00       WARN    [report] Supported files for scanner(s) not found.      scanners=[vuln]
2025-07-10T10:37:32+02:00       INFO    [report] No issues detected with scanner(s).    scanners=[secret]

Operating System

Microsoft Windows 11 24H2

Version

Version: 0.64.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-07-10 06:19:22.441579021 +0000 UTC
  NextUpdate: 2025-07-11 06:19:22.441578841 +0000 UTC
  DownloadedAt: 2025-07-10 07:08:28.1432469 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2025-07-10 04:05:49.490021484 +0000 UTC
  NextUpdate: 2025-07-13 04:05:49.490021284 +0000 UTC
  DownloadedAt: 2025-07-10 07:10:05.6378237 +0000 UTC

Checklist

Run trivy clean --all
Read the troubleshooting

knqyf263 · 2025-07-10T11:47:13Z

knqyf263
Jul 10, 2025
Maintainer

Since it's another OS, people should not expect Trivy to work with that. Adding support for an OS that is not listed in https://trivy.dev/latest/docs/coverage/os/ should be a feature request.

2 replies

purnhar Jul 11, 2025
Author

I agree but I cannot change the label of this discussion. Would it be possible for you or do I have to create a new feature request and close this one?

knqyf263 Jul 11, 2025
Maintainer

Changed.

G00fY2 · 2026-05-10T13:42:22Z

G00fY2
May 10, 2026

Is there any way to tell trivy to treat Alpaquita as Alpine (3.23)? I tried to play around with the "distro" scanner option. But it seems like this can only be applied, if the OS is detected in the first place?

trivy/pkg/scan/local/service.go

Line 88 in a75a468

if !lo.IsEmpty(options.Distro) && !lo.IsEmpty(detail.OS) {

@knqyf263 Is the "--distro" flag only meat to overrite the version and not the family?

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

detect container image liberica-runtime-container #9180

Uh oh!

{{title}}

Uh oh!

Replies: 2 comments 2 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Select a reply

Uh oh!

detect container image liberica-runtime-container #9180

Uh oh!

purnhar Jul 10, 2025

Description

Desired Behavior

Actual Behavior

Reproduction Steps

Target

Scanner

Output Format

Mode

Debug Output

Operating System

Version

Checklist

Replies: 2 comments · 2 replies

Uh oh!

knqyf263 Jul 10, 2025 Maintainer

Uh oh!

purnhar Jul 11, 2025 Author

Uh oh!

knqyf263 Jul 11, 2025 Maintainer

Uh oh!

Uh oh!

G00fY2 May 10, 2026

purnhar
Jul 10, 2025

Replies: 2 comments 2 replies

knqyf263
Jul 10, 2025
Maintainer

purnhar Jul 11, 2025
Author

knqyf263 Jul 11, 2025
Maintainer

G00fY2
May 10, 2026