Trivy does not detect anything in a Windows container

[nicodur]

IDs

CVE-2024-11477

Description

Hello,

I’m encountering an issue with Trivy not detecting .exe files, specifically 7z1900-x64.exe. I’m scanning a Windows container using an offline vulnerability database, and I’ve tried running the following command:

trivy.exe image --skip-db-update --cache-dir D:\trivy_0.59.1_windows-64bit\cache IMAGE_NAME --scanners vuln
However, Trivy does not detect any vulnerabilities, only secret. The file is present in the directory, but no results are returned. I’m using an offline vulnerability database and scanning a Windows container.
I tried differents .exe like openssl or other and it never find anything. Only secrets are detected

Could you provide guidance on why Trivy might not detect .exe files in this environment? Is the file required to be installed, or is it sufficient for it to simply be present in the scanned directory?
Maybe for check windows container is not working perfectly?

Thank you for your help!

Best regards,

Reproduction Steps

1.trivy.exe image --skip-db-update --cache-dir D:\trivy_0.59.1_windows-64bit\cache IMAGE_NAME --scanners vuln

Target

Container Image

Scanner

Vulnerability

Target OS

Windows server core ltsc2022

Debug Output

2025-04-25T16:16:53+02:00       DEBUG   No plugins loaded
2025-04-25T16:16:53+02:00       DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2025-04-25T16:16:53+02:00       DEBUG   Cache dir       dir="D:\\trivy_0.59.1_windows-64bit\\cache"
2025-04-25T16:16:53+02:00       DEBUG   Cache dir       dir="D:\\trivy_0.59.1_windows-64bit\\cache"
2025-04-25T16:16:53+02:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-04-25T16:16:53+02:00       DEBUG   Ignore statuses statuses=[]
2025-04-25T16:16:53+02:00       DEBUG   [vulndb] Skipping DB update...
2025-04-25T16:16:53+02:00       DEBUG   DB info schema=2 updated_at=2025-04-25T06:18:18.486465089Z next_update=2025-04-26T06:18:18.486464828Z downloaded_at=2025-04-25T09:54:28.2542063Z
2025-04-25T16:16:53+02:00       DEBUG   [pkg] Package types     types=[os library]
2025-04-25T16:16:53+02:00       DEBUG   [pkg] Package relationships     relationships=[unknown root workspace direct indirect]
2025-04-25T16:16:53+02:00       INFO    [vuln] Vulnerability scanning is enabled
2025-04-25T16:16:53+02:00       DEBUG   Initializing scan cache...      type="fs"
2025-04-25T16:16:53+02:00       DEBUG   [image] Detected image ID       image_id="sha256:538a6f00756522ba8d3d57033096329b7c3d6769427099c9aa9886d1c124efd1"
2025-04-25T16:16:53+02:00       DEBUG   [image] Detected diff ID        diff_ids=[sha256:97c8018c72777d48bcb03de64237e9e08f5c542b1497e90e72b2a281f9a3ef1a sha256:d217546efcc9ad920de2607b16673d1ffe8d6431e0e8f6c1770fc9bf07239673 sha256:c6772238feb68d8e95278b4e3cf54f4d899069299243c29965c9d220028e2467 sha256:72794f5086cfbdbcfdcfae0a04c197b22437bedd2397b20a977312951d0e4578 sha256:0babc1795e1988ade82dc94dfc7dc214ad0ef0487fe0b538efbb94deb5d525a7 sha256:496b3f15dce35de5f69bb7a80d53eda8429bdb98a87ffcafa05fe8679628a17b sha256:1ebccb6414a0e17d45a958deb7128f6d08674c0d1f294e9ff8e9f08ffee5f132 sha256:19bd106d79fba3f7408266c287a634150cff324b7b3c3617b148bfe6b8261f34 sha256:1fdd06a1d56526dbef9383ac23dd4b7c13a15ee7e660cab8da822b8440e5c468 sha256:925dc4da79abe93151e05c7f3c449de81145c26f2e66a8f4b45c57ea0af694f1 sha256:95d77d4e70d59d64cefdbed403d0a299c21dcfcf63f36dd62eff4e888e7a3c4c sha256:b6aafcf761af857a74fe6b38a635dd0f6f08dbeec68d5136999f0bce306bd2ef sha256:2a7c6ce813dc387b78f131fa7f2d7de2b80042dd2b114e64a535712d0383ba9a sha256:0bab09f9bd5818fae66954a48e48fa379fd5f4258bd8c66095fc5cec93ef89a9 sha256:c35b23204d3da61a49a2c7bff378cf09635a9041738c81851f2c0fa6859481c0 sha256:f024e12e296ab0f341055a3532eba55624fd176ea5b44c8fac5f4524a21f4ef4 sha256:a9d6b468bd043398a98a3e541e90de6535e3d1674027edf168ccb21af64ea3e1 sha256:316e65aa26c4f768422537e14d1af40c08aeaa60fbf511d44725b4700a87dcc4 sha256:7bfa884a07d34efd60234d8f61d9413f798bf21547886ebf246d6a048b773f38]
2025-04-25T16:16:53+02:00       DEBUG   [image] Detected base layers    diff_ids=[]
2025-04-25T16:16:53+02:00       DEBUG   [image] Missing image ID in cache       image_id="sha256:538a6f00756522ba8d3d57033096329b7c3d6769427099c9aa9886d1c124efd1"
2025-04-25T16:16:53+02:00       DEBUG   [image] Missing diff ID in cache        diff_id="sha256:f024e12e296ab0f341055a3532eba55624fd176ea5b44c8fac5f4524a21f4ef4"
2025-04-25T16:16:53+02:00       DEBUG   [image] Missing diff ID in cache        diff_id="sha256:316e65aa26c4f768422537e14d1af40c08aeaa60fbf511d44725b4700a87dcc4"
2025-04-25T16:16:53+02:00       DEBUG   [image] Missing diff ID in cache        diff_id="sha256:a9d6b468bd043398a98a3e541e90de6535e3d1674027edf168ccb21af64ea3e1"
2025-04-25T16:16:53+02:00       DEBUG   [image] Missing diff ID in cache        diff_id="sha256:7bfa884a07d34efd60234d8f61d9413f798bf21547886ebf246d6a048b773f38"
2025-04-25T16:18:05+02:00       DEBUG   No secrets found in container image config
2025-04-25T16:18:05+02:00       DEBUG   OS is not detected.
2025-04-25T16:18:05+02:00       DEBUG   Detected OS: unknown
2025-04-25T16:18:05+02:00       INFO    Number of language-specific files       num=0
2025-04-25T16:18:05+02:00       DEBUG   Specified ignore file does not exist    file=".trivyignore"
2025-04-25T16:18:05+02:00       DEBUG   [vex] VEX filtering is disabled

Version

Version: 0.59.1

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[nikpivkin]

Hi @nicodur !

Trivy does not scan .exe executable files. To read more about vulnerability detection and supported OS and languages, please refer to the documentation.

[Lemeri123]

It looks like Trivy doesn’t pick up vulnerabilities from standalone .exe files in Windows containers. That’s because it mainly scans OS packages and libraries, and in this case, it couldn’t even detect the Windows OS properly. Since .exe files aren’t part of a package manager, Trivy doesn’t know how to check them for vulnerabilities.

Right now (version 0.59.1), this seems to be a limitation. Trivy would need better support for Windows containers and standalone binaries to make this work.