
Alpine/APK-based container images show no vulnerabilities despite CVEs existing in PGVD



  • We are evaluating ProGet for container image vulnerability scanning and comparing results with Trivy. We have identified an inconsistency in vulnerability detection specifically for Alpine Linux-based container images.

    Problem: ProGet does not surface OS-level vulnerabilities for Alpine (APK) based container images, while Ubuntu/Debian (dpkg) based images are scanned correctly and vulnerabilities are detected as expected.

    Example: Image: hysnsec/nginx-advanced (Alpine 3.10.2)

    Trivy detects multiple CVEs including CVE-2021-36159 (CRITICAL) in apk-tools 2.10.4-r2, CVE-2021-30139 (HIGH) in apk-tools, CVE-2021-28831 in busybox 1.30.1-r2, and CVE-2020-1967 in libcrypto1.1.
    ProGet correctly extracts and displays the APK package inventory (package names, versions, and architecture are all visible in the Packages tab).
    However, ProGet reports "None" for vulnerabilities on all Alpine packages.
    Verified in PGVD: We confirmed that the relevant CVEs exist in the Inedo vulnerability database:

    PGV-2156903 (CVE-2021-36159)
    PGV-2156988 (CVE-2021-36159)
    Despite the CVEs being present in PGVD, they are not matched against the detected APK packages.

    What we have checked:

    Vulnerability Database Updater job runs successfully and on schedule
    Layer Scanning is enabled on the Docker feed
    Package inventory is detected correctly (APK packages with versions are visible)
    Ubuntu/Debian-based images DO return vulnerabilities correctly — confirming that container scanning, license, and PGVD are working
    The issue is consistent across multiple Alpine-based images and multiple scans
    The Compliance Analyzer scheduled job shows an error status (red icon)
    Our assessment: It appears that PGVD has the CVE entries but lacks the affected-package mappings for Alpine APK packages. The CVE-to-package correlation works for dpkg (Debian/Ubuntu) but not for APK (Alpine). We suspect the Alpine Security Database (security.alpinelinux.org) may not be integrated as a data source for PGVD's package-level mappings.

    Environment:

    ProGet 2025.26 (Build 11), Trial Edition
    Running on Docker (Linux VM)
    Nginx reverse proxy in front of ProGet
    PostgreSQL built-in database
    Request: Could you confirm whether Alpine/APK vulnerability matching is currently supported in PGVD? If not, is there a timeline for adding Alpine Security Database as a data source? Are there any workarounds we can use in the meantime?
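As an interim cross-check for the situation described above (APK inventory visible, CVEs present in the database, but no package-level matching), the following added example, which is not ProGet's, Trivy's or Inedo's code, correlates an APK package list against advisory data laid out the way the Alpine secdb JSON is (packages -> pkg -> name / secfixes -> {fixed_version: [CVE, ...]}). The inventory and the secdb-style records are constructed samples; the fixed versions are placeholders, not authoritative data, and the "0" secfix convention is assumed from the secdb format. The version comparator is a simplified reading of apk's versioning (dotted numbers, optional letter, optional _alpha/_beta/_pre/_rc/_cvs/_svn/_git/_hg/_p suffix, -rN release).

```python
"""Cross-check an Alpine APK package inventory against secdb-style advisories.

Added example, not vendor code. Assumes the Alpine secdb JSON layout and uses
constructed sample data throughout; fixed versions below are placeholders.
"""
import re
from typing import Dict, List, Tuple

# Constructed inventory, "name version" per line, as it would be read from
# the APK database inside the image (/lib/apk/db/installed).
INVENTORY = """\
apk-tools 2.10.4-r2
busybox 1.30.1-r2
libcrypto1.1 1.1.1c-r0
musl 1.1.22-r3
"""

# Constructed secdb-style data. Fixed versions are sample values only.
# A secfix key of "0" marks CVEs recorded as not affecting the package.
SECDB = {
    "distroversion": "v3.10",
    "packages": [
        {"pkg": {"name": "apk-tools", "secfixes": {
            "2.10.6-r0": ["CVE-2021-30139"],
            "2.10.7-r0": ["CVE-2021-36159"]}}},
        {"pkg": {"name": "busybox", "secfixes": {
            "1.30.1-r3": ["CVE-2021-28831"],
            "0": ["CVE-EXAMPLE-0002"]}}},          # constructed: not affected
        {"pkg": {"name": "libcrypto1.1", "secfixes": {
            "1.1.1g-r0": ["CVE-2020-1967"]}}},
        {"pkg": {"name": "musl", "secfixes": {
            "1.1.22-r3": ["CVE-EXAMPLE-0001"]}}},  # constructed: already fixed
    ],
}

# Pre-release suffixes sort below a plain version, post-release ones above it.
_SUFFIX_ORDER = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, None: 4,
                 "cvs": 5, "svn": 6, "git": 7, "hg": 8, "p": 9}

_VERSION_RE = re.compile(
    r"^(?P<num>\d+(?:\.\d+)*)(?P<letter>[a-z])?"
    r"(?:_(?P<suffix>alpha|beta|pre|rc|cvs|svn|git|hg|p)(?P<sufnum>\d+)?)?"
    r"(?:-r(?P<rel>\d+))?$")


def parse_version(version: str) -> Tuple:
    """Turn an apk version string into a tuple that compares in apk order."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unsupported apk version: {version}")
    numbers = tuple(int(p) for p in m.group("num").split("."))
    letter = ord(m.group("letter")) if m.group("letter") else 0
    suffix = _SUFFIX_ORDER[m.group("suffix")]
    sufnum = int(m.group("sufnum") or 0)
    rel = int(m.group("rel") or 0)
    return (numbers, letter, suffix, sufnum, rel)


def parse_inventory(text: str) -> Dict[str, str]:
    """Map package name -> installed version from the inventory listing."""
    pkgs: Dict[str, str] = {}
    for line in text.splitlines():
        if line.strip():
            name, version = line.split()
            pkgs[name] = version
    return pkgs


def find_vulnerabilities(inventory: Dict[str, str], secdb: dict) -> List[Tuple[str, str, str, str]]:
    """Return (package, installed, fixed_in, cve) for every unfixed secfix.

    A package is affected when its installed version sorts below the version
    the advisory says fixed the CVE. The "0" key never matches, because no
    installed version is lower than 0, so "not affected" entries drop out.
    """
    findings = []
    for entry in secdb["packages"]:
        pkg = entry["pkg"]
        installed = inventory.get(pkg["name"])
        if installed is None:
            continue
        for fixed, cves in pkg["secfixes"].items():
            if parse_version(installed) < parse_version(fixed):
                for cve in cves:
                    findings.append((pkg["name"], installed, fixed, cve))
    return sorted(findings)


if __name__ == "__main__":
    for name, installed, fixed, cve in find_vulnerabilities(parse_inventory(INVENTORY), SECDB):
        print(f"{name} {installed}: {cve} (fixed in {fixed})")
```

Run against the constructed data it reports the four unfixed CVEs (two for apk-tools, one each for busybox and libcrypto1.1) and nothing for musl, which mirrors the expected output for the image described in the post. Swapping `SECDB` for the real secdb file of the image's Alpine branch and `INVENTORY` for the package list ProGet already extracts gives a quick independent check until the matching is fixed.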


  • inedo-engineer

    Hi @kien-buit_2449 ,

    Thanks for sharing the details. I was able to confirm this is some kind of bug (data problem?) in ProGet. It appears to be in the datafile that's downloaded/imported into ProGet, though I'm not sure.

    Stay tuned, and we'll let you know once a fix is ready.

    Thanks,
    Alana


  • inedo-engineer

    Hi @kien-buit_2449,

    This is partially fixed in our vulnerability aggregator. You should see Alpine vulnerabilities showing up the next time your vulnerability update runs. I also recreated a situation where certain packages may not be removed upon update of the vulnerability. I have created ticket PG-3263 to fix that issue. That fix will be released next week in ProGet 2025.27.

    Thanks,
    Rich

