Trivy not detecting vuln in Github database

[johnseekins-pathccm]

Description

In a relatively simple pnpm-based service, I have fastify installed. As of this morning, Github has a vuln about fastify: GHSA-mg2h-6x62-wpwc

Trivy doesn't detect this vuln in my lock file when I run a scan. Am I just being impatient?

Desired Behavior

Trivy detects the vulnerability in the dependency.

Actual Behavior

$ grep "fastify@" pnpm-lock.yaml             
  [email protected]:
  [email protected]:
$ trivy fs pnpm-lock.yaml 
2025-04-18T10:34:48-06:00	INFO	[vuln] Vulnerability scanning is enabled
2025-04-18T10:34:48-06:00	INFO	[secret] Secret scanning is enabled
2025-04-18T10:34:48-06:00	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-04-18T10:34:48-06:00	INFO	[secret] Please see also https://trivy.dev/v0.61/docs/scanner/secret#recommendation for faster secret detection
2025-04-18T10:34:48-06:00	INFO	[pnpm] To collect the license information of packages, "pnpm install" needs to be performed beforehand	dir="node_modules"
2025-04-18T10:34:48-06:00	INFO	Suppressing dependencies for development and testing. To display them, try the '--include-dev-deps' flag.
2025-04-18T10:34:48-06:00	INFO	Number of language-specific files	num=1
2025-04-18T10:34:48-06:00	INFO	[pnpm] Detecting vulnerabilities...

Report Summary

┌────────────────┬──────┬─────────────────┬─────────┐
│     Target     │ Type │ Vulnerabilities │ Secrets │
├────────────────┼──────┼─────────────────┼─────────┤
│ pnpm-lock.yaml │ pnpm │        0        │    -    │
└────────────────┴──────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

Reproduction Steps

1. install `fastify` < 5.3.1
2. run `trivy fs`/`trivy repo` against the package

Target

Filesystem

Scanner

Vulnerability

Output Format

None

Mode

Standalone

Debug Output

2025-04-18T10:40:29-06:00	DEBUG	No plugins loaded
2025-04-18T10:40:29-06:00	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2025-04-18T10:40:29-06:00	DEBUG	Cache dir	dir="<>/Library/Caches/trivy"
2025-04-18T10:40:29-06:00	DEBUG	Cache dir	dir="<>/Library/Caches/trivy"
2025-04-18T10:40:29-06:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-04-18T10:40:29-06:00	DEBUG	Ignore statuses	statuses=[]
2025-04-18T10:40:29-06:00	DEBUG	DB update was skipped because the local DB is the latest
2025-04-18T10:40:29-06:00	DEBUG	DB info	schema=2 updated_at=2025-04-18T12:19:43.905426846Z next_update=2025-04-19T12:19:43.905426586Z downloaded_at=2025-04-18T16:30:41.846541Z
2025-04-18T10:40:29-06:00	DEBUG	[pkg] Package types	types=[os library]
2025-04-18T10:40:29-06:00	DEBUG	[pkg] Package relationships	relationships=[unknown root workspace direct indirect]
2025-04-18T10:40:29-06:00	INFO	[vuln] Vulnerability scanning is enabled
2025-04-18T10:40:29-06:00	INFO	[secret] Secret scanning is enabled
2025-04-18T10:40:29-06:00	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-04-18T10:40:29-06:00	INFO	[secret] Please see also https://trivy.dev/v0.61/docs/scanner/secret#recommendation for faster secret detection
2025-04-18T10:40:29-06:00	DEBUG	Initializing scan cache...	type="memory"
2025-04-18T10:40:29-06:00	DEBUG	[secret] No secret config detected	config_path="trivy-secret.yaml"
2025-04-18T10:40:29-06:00	DEBUG	[fs] Analyzing...	root="pnpm-lock.yaml"
2025-04-18T10:40:29-06:00	DEBUG	[fs] Random cache key will be used	err="failed to open git repository: stat <>/pnpm-lock.yaml/.git: not a directory"
2025-04-18T10:40:29-06:00	INFO	[pnpm] To collect the license information of packages, "pnpm install" needs to be performed beforehand	dir="node_modules"
2025-04-18T10:40:29-06:00	DEBUG	OS is not detected.
2025-04-18T10:40:29-06:00	INFO	Suppressing dependencies for development and testing. To display them, try the '--include-dev-deps' flag.
2025-04-18T10:40:29-06:00	DEBUG	Detected OS: unknown
2025-04-18T10:40:29-06:00	INFO	Number of language-specific files	num=1
2025-04-18T10:40:29-06:00	INFO	[pnpm] Detecting vulnerabilities...
2025-04-18T10:40:29-06:00	DEBUG	[pnpm] Scanning packages for vulnerabilities	file_path="pnpm-lock.yaml"
2025-04-18T10:40:29-06:00	DEBUG	Specified ignore file does not exist	file=".trivyignore"
2025-04-18T10:40:29-06:00	DEBUG	[vex] VEX filtering is disabled

Operating System

OS X Sequoia

Version

$ trivy --version
Version: 0.61.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-04-18 12:19:43.905426846 +0000 UTC
  NextUpdate: 2025-04-19 12:19:43.905426586 +0000 UTC
  DownloadedAt: 2025-04-18 16:30:41.846541 +0000 UTC

### Checklist

- [X] Run `trivy clean --all`
- [X] Read [the troubleshooting](https://trivy.dev/latest/docs/references/troubleshooting/)

[knqyf263]

Since our vulnerability database is updated every 6 hours now, there is some delay in reflecting the new advisories. I tested it today and the vulnerability was correctly detected.

./trivy fs ./pnpm-lock.yaml -q | grep CVE-2025-32442
│ fastify │ CVE-2025-32442   │ HIGH     │ fixed  │ 5.2.2             │ 5.3.2         │ Fastify vulnerable to invalid content-type parsing, which    │

Another possibility is that your package is installed as a development dependency. Trivy doesn't scan them for vulnerabilities by default. You can try --include-dev-deps.

[johnseekins-pathccm]

That makes sense. Thanks for the clarification.