Problem: ProGet does not surface OS-level vulnerabilities for Alpine (APK) based container images, while Ubuntu/Debian (dpkg) based images are scanned correctly and vulnerabilities are detected as expected.

Example: Image: hysnsec/nginx-advanced (Alpine 3.10.2)

Trivy detects multiple CVEs including CVE-2021-36159 (CRITICAL) in apk-tools 2.10.4-r2, CVE-2021-30139 (HIGH) in apk-tools, CVE-2021-28831 in busybox 1.30.1-r2, and CVE-2020-1967 in libcrypto1.1.
ProGet correctly extracts and displays the APK package inventory (package names, versions, and architecture are all visible in the Packages tab).
However, ProGet reports "None" for vulnerabilities on all Alpine packages.
Verified in PGVD: We confirmed that the relevant CVEs exist in the Inedo vulnerability database:

PGV-2156903 (CVE-2021-36159)
PGV-2156988 (CVE-2021-36159)
Despite the CVEs being present in PGVD, they are not matched against the detected APK packages.

What we have checked:

Vulnerability Database Updater job runs successfully and on schedule
Layer Scanning is enabled on the Docker feed
Package inventory is detected correctly (APK packages with versions are visible)
Ubuntu/Debian-based images DO return vulnerabilities correctly — confirming that container scanning, license, and PGVD are working
The issue is consistent across multiple Alpine-based images and multiple scans
The Compliance Analyzer scheduled job shows an error status (red icon)
Our assessment: It appears that PGVD has the CVE entries but lacks the affected-package mappings for Alpine APK packages. The CVE-to-package correlation works for dpkg (Debian/Ubuntu) but not for APK (Alpine). We suspect the Alpine Security Database (security.alpinelinux.org) may not be integrated as a data source for PGVD's package-level mappings.

Environment:

ProGet 2025.26 (Build 11), Trial Edition
Running on Docker (Linux VM)
Nginx reverse proxy in front of ProGet
PostgreSQL built-in database
Request: Could you confirm whether Alpine/APK vulnerability matching is currently supported in PGVD? If not, is there a timeline for adding Alpine Security Database as a data source? Are there any workarounds we can use in the meantime?

Thanks for sharing the details. I was able to confirm this is some kind of bug (data problem?) in ProGet. It appears to be in the datafile that's downloaded/imported into ProGet, though I'm not sure.

Stay tuned, and we'll let you know once a fix is ready.

Thanks,
Alana

This is partially fixed in our vulnerability aggregator. You should see alpine vulnerabilities showing up next time your vulnerability updated runs. I also recreated a situation where certain packages may not be removed upon update of the vulnerability. I have created ticket PG-3263 to fix that issue. That fix will be released next week in ProGet 2025.27.

Thanks,
Rich