fix(vex): don't suppress vulns for packages with infinity loop #9465

DmitriyLewen · 2025-09-10T11:17:54Z

Description

This PR fixes an infinite loop issue in the VEX (Vulnerability Exchange) component tree traversal logic. The problem occurred when determining if a package component can reach the root component in dependency graphs with circular
dependencies.

Key Changes:

Modified the reachRoot function in pkg/vex/vex.go to detect circular dependencies by checking if all parent components have already been visited
Replaced the simple length check len(parents[c.ID()]) == 0 with a more robust circular dependency detection using lo.Every(lo.Keys(visited), parents[c.ID()])
Added comprehensive test coverage for the infinity loop scenario with OS packages that have circular dependencies
Updated test data to include a baseFilesPackage for testing circular dependency scenarios

Technical Details:

The fix prevents infinite loops when packages have circular dependencies (e.g., bash depends on base-files and base-files depends on bash). Instead of getting stuck in an endless loop, the algorithm now detects when it has visited all
parent components and safely returns true for fail-safe behavior.

Example

➜ trivy -q image --table-mode detailed registry.suse.com/suse/sles/15.7/libguestfs-tools:1.5.2-150700.3.5.2

registry.suse.com/suse/sles/15.7/libguestfs-tools:1.5.2-150700.3.5.2 (sles 15.7)

Total: 10 (UNKNOWN: 1, LOW: 0, MEDIUM: 4, HIGH: 5, CRITICAL: 0)

┌───────────────────────┬──────────────────────┬──────────┬────────┬───────────────────────┬───────────────────────┬───────────────────────────────────────────┐
│        Library        │    Vulnerability     │ Severity │ Status │   Installed Version   │     Fixed Version     │                   Title                   │
├───────────────────────┼──────────────────────┼──────────┼────────┼───────────────────────┼───────────────────────┼───────────────────────────────────────────┤
│ container-suseconnect │ SUSE-SU-2025:02889-1 │ UNKNOWN  │ fixed  │ 2.5.5-150000.4.67.1   │ 2.5.5-150000.4.69.1   │ Security update for container-suseconnect │
├───────────────────────┼──────────────────────┼──────────┤        ├───────────────────────┼───────────────────────┼───────────────────────────────────────────┤
│ glibc                 │ SUSE-SU-2025:02964-1 │ MEDIUM   │        │ 2.38-150600.14.32.1   │ 2.38-150600.14.37.1   │ Security update for glibc                 │
├───────────────────────┼──────────────────────┤          │        ├───────────────────────┼───────────────────────┼───────────────────────────────────────────┤
│ libgcrypt20           │ SUSE-SU-2025:02719-1 │          │        │ 1.11.0-150700.3.5     │ 1.11.0-150700.5.7.1   │ Security update for libgcrypt             │
├───────────────────────┼──────────────────────┼──────────┤        ├───────────────────────┼───────────────────────┼───────────────────────────────────────────┤
│ libgnutls30           │ SUSE-SU-2025:02595-1 │ HIGH     │        │ 3.8.3-150600.4.6.2    │ 3.8.3-150600.4.9.1    │ Security update for gnutls                │
├───────────────────────┼──────────────────────┤          │        ├───────────────────────┼───────────────────────┼───────────────────────────────────────────┤
│ libpython3_6m1_0      │ SUSE-SU-2025:02778-1 │          │        │ 3.6.15-150300.10.84.1 │ 3.6.15-150300.10.97.1 │ Security update for python3               │
├───────────────────────┼──────────────────────┤          │        ├───────────────────────┼───────────────────────┼───────────────────────────────────────────┤
│ libsqlite3-0          │ SUSE-SU-2025:02672-1 │          │        │ 3.49.1-150000.3.27.1  │ 3.50.2-150000.3.33.1  │ Security update for sqlite3               │
├───────────────────────┼──────────────────────┤          │        ├───────────────────────┼───────────────────────┼───────────────────────────────────────────┤
│ libxml2-2             │ SUSE-SU-2025:02617-1 │          │        │ 2.12.10-150700.4.3.1  │ 2.12.10-150700.4.6.1  │ Security update for libxml2               │
├───────────────────────┼──────────────────────┼──────────┤        ├───────────────────────┼───────────────────────┼───────────────────────────────────────────┤
│ pam                   │ SUSE-SU-2025:02970-1 │ MEDIUM   │        │ 1.3.0-150000.6.83.1   │ 1.3.0-150000.6.86.1   │ Security update for pam                   │
├───────────────────────┼──────────────────────┼──────────┤        ├───────────────────────┼───────────────────────┼───────────────────────────────────────────┤
│ python3-base          │ SUSE-SU-2025:02778-1 │ HIGH     │        │ 3.6.15-150300.10.84.1 │ 3.6.15-150300.10.97.1 │ Security update for python3               │
├───────────────────────┼──────────────────────┼──────────┤        ├───────────────────────┼───────────────────────┼───────────────────────────────────────────┤
│ update-alternatives   │ SUSE-SU-2025:02734-1 │ MEDIUM   │        │ 1.19.0.4-150000.4.4.1 │ 1.19.0.4-150000.4.7.1 │ Security update for dpkg                  │
└───────────────────────┴──────────────────────┴──────────┴────────┴───────────────────────┴───────────────────────┴───────────────────────────────────────────┘
➜ cat scan.openvex.json| jq .statements
[
  {
    "vulnerability": {
      "name": "SUSE-SU-2025:02536-1"
    },
    "timestamp": "2025-08-04T14:27:44.671662369Z",
    "products": [
      {
        "@id": "pkg:oci/libguestfs-tools?repository_url=registry.suse.com/suse/sles/15.7/libguestfs-tools",
        "subcomponents": [
          {
            "@id": "pkg:rpm/suse/boost-license1_66_0"
          }
        ]
      }
    ],
    "status": "not_affected",
    "justification": "vulnerable_code_cannot_be_controlled_by_adversary"
  }
]

Before (Trivy supresses vulns for python3-base and `libpython3_6m1_0):

➜ trivy -q image --table-mode detailed --vex scan.openvex.json registry.suse.com/suse/sles/15.7/libguestfs-tools:1.5.2-150700.3.5.2 

registry.suse.com/suse/sles/15.7/libguestfs-tools:1.5.2-150700.3.5.2 (sles 15.7)

Total: 8 (UNKNOWN: 1, LOW: 0, MEDIUM: 4, HIGH: 3, CRITICAL: 0)

┌───────────────────────┬──────────────────────┬──────────┬────────┬───────────────────────┬───────────────────────┬───────────────────────────────────────────┐
│        Library        │    Vulnerability     │ Severity │ Status │   Installed Version   │     Fixed Version     │                   Title                   │
├───────────────────────┼──────────────────────┼──────────┼────────┼───────────────────────┼───────────────────────┼───────────────────────────────────────────┤
│ container-suseconnect │ SUSE-SU-2025:02889-1 │ UNKNOWN  │ fixed  │ 2.5.5-150000.4.67.1   │ 2.5.5-150000.4.69.1   │ Security update for container-suseconnect │
├───────────────────────┼──────────────────────┼──────────┤        ├───────────────────────┼───────────────────────┼───────────────────────────────────────────┤
│ glibc                 │ SUSE-SU-2025:02964-1 │ MEDIUM   │        │ 2.38-150600.14.32.1   │ 2.38-150600.14.37.1   │ Security update for glibc                 │
├───────────────────────┼──────────────────────┤          │        ├───────────────────────┼───────────────────────┼───────────────────────────────────────────┤
│ libgcrypt20           │ SUSE-SU-2025:02719-1 │          │        │ 1.11.0-150700.3.5     │ 1.11.0-150700.5.7.1   │ Security update for libgcrypt             │
├───────────────────────┼──────────────────────┼──────────┤        ├───────────────────────┼───────────────────────┼───────────────────────────────────────────┤
│ libgnutls30           │ SUSE-SU-2025:02595-1 │ HIGH     │        │ 3.8.3-150600.4.6.2    │ 3.8.3-150600.4.9.1    │ Security update for gnutls                │
├───────────────────────┼──────────────────────┤          │        ├───────────────────────┼───────────────────────┼───────────────────────────────────────────┤
│ libsqlite3-0          │ SUSE-SU-2025:02672-1 │          │        │ 3.49.1-150000.3.27.1  │ 3.50.2-150000.3.33.1  │ Security update for sqlite3               │
├───────────────────────┼──────────────────────┤          │        ├───────────────────────┼───────────────────────┼───────────────────────────────────────────┤
│ libxml2-2             │ SUSE-SU-2025:02617-1 │          │        │ 2.12.10-150700.4.3.1  │ 2.12.10-150700.4.6.1  │ Security update for libxml2               │
├───────────────────────┼──────────────────────┼──────────┤        ├───────────────────────┼───────────────────────┼───────────────────────────────────────────┤
│ pam                   │ SUSE-SU-2025:02970-1 │ MEDIUM   │        │ 1.3.0-150000.6.83.1   │ 1.3.0-150000.6.86.1   │ Security update for pam                   │
├───────────────────────┼──────────────────────┤          │        ├───────────────────────┼───────────────────────┼───────────────────────────────────────────┤
│ update-alternatives   │ SUSE-SU-2025:02734-1 │          │        │ 1.19.0.4-150000.4.4.1 │ 1.19.0.4-150000.4.7.1 │ Security update for dpkg                  │
└───────────────────────┴──────────────────────┴──────────┴────────┴───────────────────────┴───────────────────────┴───────────────────────────────────────────┘

after:

➜ ./trivy -q image --table-mode detailed --vex scan.openvex.json registry.suse.com/suse/sles/15.7/libguestfs-tools:1.5.2-150700.3.5.2

registry.suse.com/suse/sles/15.7/libguestfs-tools:1.5.2-150700.3.5.2 (sles 15.7)

Total: 10 (UNKNOWN: 1, LOW: 0, MEDIUM: 4, HIGH: 5, CRITICAL: 0)

┌───────────────────────┬──────────────────────┬──────────┬────────┬───────────────────────┬───────────────────────┬───────────────────────────────────────────┐
│        Library        │    Vulnerability     │ Severity │ Status │   Installed Version   │     Fixed Version     │                   Title                   │
├───────────────────────┼──────────────────────┼──────────┼────────┼───────────────────────┼───────────────────────┼───────────────────────────────────────────┤
│ container-suseconnect │ SUSE-SU-2025:02889-1 │ UNKNOWN  │ fixed  │ 2.5.5-150000.4.67.1   │ 2.5.5-150000.4.69.1   │ Security update for container-suseconnect │
├───────────────────────┼──────────────────────┼──────────┤        ├───────────────────────┼───────────────────────┼───────────────────────────────────────────┤
│ glibc                 │ SUSE-SU-2025:02964-1 │ MEDIUM   │        │ 2.38-150600.14.32.1   │ 2.38-150600.14.37.1   │ Security update for glibc                 │
├───────────────────────┼──────────────────────┤          │        ├───────────────────────┼───────────────────────┼───────────────────────────────────────────┤
│ libgcrypt20           │ SUSE-SU-2025:02719-1 │          │        │ 1.11.0-150700.3.5     │ 1.11.0-150700.5.7.1   │ Security update for libgcrypt             │
├───────────────────────┼──────────────────────┼──────────┤        ├───────────────────────┼───────────────────────┼───────────────────────────────────────────┤
│ libgnutls30           │ SUSE-SU-2025:02595-1 │ HIGH     │        │ 3.8.3-150600.4.6.2    │ 3.8.3-150600.4.9.1    │ Security update for gnutls                │
├───────────────────────┼──────────────────────┤          │        ├───────────────────────┼───────────────────────┼───────────────────────────────────────────┤
│ libpython3_6m1_0      │ SUSE-SU-2025:02778-1 │          │        │ 3.6.15-150300.10.84.1 │ 3.6.15-150300.10.97.1 │ Security update for python3               │
├───────────────────────┼──────────────────────┤          │        ├───────────────────────┼───────────────────────┼───────────────────────────────────────────┤
│ libsqlite3-0          │ SUSE-SU-2025:02672-1 │          │        │ 3.49.1-150000.3.27.1  │ 3.50.2-150000.3.33.1  │ Security update for sqlite3               │
├───────────────────────┼──────────────────────┤          │        ├───────────────────────┼───────────────────────┼───────────────────────────────────────────┤
│ libxml2-2             │ SUSE-SU-2025:02617-1 │          │        │ 2.12.10-150700.4.3.1  │ 2.12.10-150700.4.6.1  │ Security update for libxml2               │
├───────────────────────┼──────────────────────┼──────────┤        ├───────────────────────┼───────────────────────┼───────────────────────────────────────────┤
│ pam                   │ SUSE-SU-2025:02970-1 │ MEDIUM   │        │ 1.3.0-150000.6.83.1   │ 1.3.0-150000.6.86.1   │ Security update for pam                   │
├───────────────────────┼──────────────────────┼──────────┤        ├───────────────────────┼───────────────────────┼───────────────────────────────────────────┤
│ python3-base          │ SUSE-SU-2025:02778-1 │ HIGH     │        │ 3.6.15-150300.10.84.1 │ 3.6.15-150300.10.97.1 │ Security update for python3               │
├───────────────────────┼──────────────────────┼──────────┤        ├───────────────────────┼───────────────────────┼───────────────────────────────────────────┤
│ update-alternatives   │ SUSE-SU-2025:02734-1 │ MEDIUM   │        │ 1.19.0.4-150000.4.4.1 │ 1.19.0.4-150000.4.7.1 │ Security update for dpkg                  │
└───────────────────────┴──────────────────────┴──────────┴────────┴───────────────────────┴───────────────────────┴───────────────────────────────────────────┘

Related Issues

Close bug(vex): Trivy incorrectly suppresses vulnerabilities if the report contains orphan packages. #9526

Checklist

I've read the guidelines for contributing to this repository.
I've followed the conventions in the PR title.
I've added tests that prove my fix is effective or that my feature works.
I've updated the documentation with the relevant information (if needed).
I've added usage information (if the PR introduces new options)
I've included a "before" and "after" example to the description (if the PR is a user interface change).

DmitriyLewen · 2025-09-10T11:21:47Z

Even though #9007 fixes the issue with missing links between packages with infinite loops and the root component, we should also catch such cases in the VEX package (just as we handle situations where a non-root package has no parent).

knqyf263 · 2025-09-25T05:38:14Z

@DmitriyLewen Is there an issue for this PR? I would add it to the milestone so we will not miss it.

DmitriyLewen · 2025-09-25T06:14:09Z

Created #9526 as sub-issue for #9007

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [mirror.gcr.io/aquasec/trivy](https://www.aquasec.com/products/trivy/) ([source](https://github.com/aquasecurity/trivy)) | minor | `0.66.0` -> `0.67.0` | --- ### Release Notes <details> <summary>aquasecurity/trivy (mirror.gcr.io/aquasec/trivy)</summary> ### [`v0.67.0`](https://github.com/aquasecurity/trivy/blob/HEAD/CHANGELOG.md#0670-2025-09-30) [Compare Source](aquasecurity/trivy@v0.66.0...v0.67.0) ##### Features - add documentation URL for database lock errors ([#9531](aquasecurity/trivy#9531)) ([eba48af](aquasecurity/trivy@eba48af)) - **cli:** change --list-all-pkgs default to true ([#9510](aquasecurity/trivy#9510)) ([7b663d8](aquasecurity/trivy@7b663d8)) - **cloudformation:** support default values and list results in Fn::FindInMap ([#9515](aquasecurity/trivy#9515)) ([42b3bf3](aquasecurity/trivy@42b3bf3)) - **cyclonedx:** preserve SBOM structure when scanning SBOM files with vulnerability updates ([#9439](aquasecurity/trivy#9439)) ([aff03eb](aquasecurity/trivy@aff03eb)) - **redhat:** add os-release detection for RHEL-based images ([#9458](aquasecurity/trivy#9458)) ([cb25a07](aquasecurity/trivy@cb25a07)) - **sbom:** added support for CoreOS ([#9448](aquasecurity/trivy#9448)) ([6d562a3](aquasecurity/trivy@6d562a3)) - **seal:** add seal support ([#9370](aquasecurity/trivy#9370)) ([e4af279](aquasecurity/trivy@e4af279)) ##### Bug Fixes - **aws:** use `BuildableClient` insead of `xhttp.Client` ([#9436](aquasecurity/trivy#9436)) ([fa6f1bf](aquasecurity/trivy@fa6f1bf)) - close file descriptors and pipes on error paths ([#9536](aquasecurity/trivy#9536)) ([a4cbd6a](aquasecurity/trivy@a4cbd6a)) - **db:** Dowload database when missing but metadata still exists ([#9393](aquasecurity/trivy#9393)) ([92ebc7e](aquasecurity/trivy@92ebc7e)) - **k8s:** disable parallel traversal with fs cache for k8s images ([#9534](aquasecurity/trivy#9534)) ([c0c7a6b](aquasecurity/trivy@c0c7a6b)) - **misconf:** handle tofu files in module detection ([#9486](aquasecurity/trivy#9486)) ([bfd2f6b](aquasecurity/trivy@bfd2f6b)) - **misconf:** strip build metadata suffixes from image history ([#9498](aquasecurity/trivy#9498)) ([c938806](aquasecurity/trivy@c938806)) - **misconf:** unmark cty values before access ([#9495](aquasecurity/trivy#9495)) ([8e40d27](aquasecurity/trivy@8e40d27)) - **misconf:** wrap legacy ENV values in quotes to preserve spaces ([#9497](aquasecurity/trivy#9497)) ([267a970](aquasecurity/trivy@267a970)) - **nodejs:** parse workspaces as objects for package-lock.json files ([#9518](aquasecurity/trivy#9518)) ([404abb3](aquasecurity/trivy@404abb3)) - **nodejs:** use snapshot string as `Package.ID` for pnpm packages ([#9330](aquasecurity/trivy#9330)) ([4517e8c](aquasecurity/trivy@4517e8c)) - **vex:** don't suppress vulns for packages with infinity loop ([#9465](aquasecurity/trivy#9465)) ([78f0d4a](aquasecurity/trivy@78f0d4a)) - **vuln:** compare `nuget` package names in lower case ([#9456](aquasecurity/trivy#9456)) ([1ff9ac7](aquasecurity/trivy@1ff9ac7)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).  Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/1622 Co-authored-by: Renovate Bot <[email protected]> Co-committed-by: Renovate Bot <[email protected]>

fix(vex): don't suppress packages with infinity loop

3a951eb

DmitriyLewen self-assigned this Sep 10, 2025

DmitriyLewen added the autoready Automatically mark PR as ready for review when all checks pass label Sep 10, 2025

github-actions bot marked this pull request as ready for review September 10, 2025 11:39

github-actions bot removed the autoready Automatically mark PR as ready for review when all checks pass label Sep 10, 2025

github-actions bot requested a review from knqyf263 as a code owner September 10, 2025 11:39

knqyf263 approved these changes Sep 30, 2025

View reviewed changes

knqyf263 added this pull request to the merge queue Sep 30, 2025

Merged via the queue into aquasecurity:main with commit 78f0d4a Sep 30, 2025
14 checks passed

aqua-bot mentioned this pull request Sep 30, 2025

release: v0.67.0 [main] #9432

Merged

DmitriyLewen deleted the fix/vex/infinity-loop branch September 30, 2025 07:14

This was referenced Nov 6, 2025

bug(vex): Trivy skips the rule if we check the same parent from different paths. #9757

Open

fix(vex): use a separate visited set for each DFS path #9760

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

fix(vex): don't suppress vulns for packages with infinity loop #9465

fix(vex): don't suppress vulns for packages with infinity loop #9465

Uh oh!

DmitriyLewen commented Sep 10, 2025 •

edited

Loading

Uh oh!

DmitriyLewen commented Sep 10, 2025

Uh oh!

knqyf263 commented Sep 25, 2025

Uh oh!

DmitriyLewen commented Sep 25, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

fix(vex): don't suppress vulns for packages with infinity loop #9465

fix(vex): don't suppress vulns for packages with infinity loop #9465

Uh oh!

Conversation

DmitriyLewen commented Sep 10, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Description

Key Changes:

Technical Details:

Example

Related Issues

Checklist

Uh oh!

DmitriyLewen commented Sep 10, 2025

Uh oh!

knqyf263 commented Sep 25, 2025

Uh oh!

DmitriyLewen commented Sep 25, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

DmitriyLewen commented Sep 10, 2025 •

edited

Loading