Trivy and Docker Scout are not able to detect CVE-2025-49844 Redis vulnerability score 10.0 #482

@bedla

Hi,
I found out that the latest score 10 vulnerability is not detected by Trivy, see details here: aquasecurity/trivy#9595.
It seems that one of the solutions might be to distribute SBOM CycloneDX JSON files in one of the layers.
It is because the Redis binary cannot be scanned for dependencies etc.
Would you consider supporting this?
Thank you
Ivos

From Trivy source-code (and docs):
