docs/guide/coverage/os/oracle.md
Trivy supports the following scanners for OS packages.
| Scanner | Supported |
|---|---|
| SBOM | ✓ |
| Vulnerability | ✓ |
| License | ✓ |
Please see here for supported versions.
The table below outlines the features offered by Trivy.
| Feature | Supported |
|---|---|
| Unfixed vulnerabilities | - |
| Dependency graph | ✓ |
| End of life awareness | ✓ |
Trivy detects packages that have been installed through package managers such as dnf and yum.
Oracle Linux offers its own security advisories, and these are utilized when scanning Oracle Linux for vulnerabilities.
See here.
Trivy takes fixed versions from Oracle security advisories.
Trivy detects the flavor for version of the found package and finds vulnerabilities only for that flavor.
| Flavor | Format | Example |
|---|---|---|
| normal | version without fips and ksplice | 3.6.16-4.el8 |
| fips | *_fips | 10:3.6.16-4.0.1.el8_fips |
| ksplice | *.ksplice*.* | 2:2.34-60.0.3.ksplice1.el9_2.7, 151.0.1.ksplice2.el8 |
For example Trivy finds CVE-2021-33560 only for the normal and fips flavors.
For the ksplice flavor, CVE-2021-33560 will be skipped.
Trivy determines vulnerability severity based on the severity metric provided in Oracle security advisories. For example, the security patch for CVE-2023-0464 is provided as ELSA-2023-2645. Its severity is rated as "MODERATE". Thus, even though it's evaluated as "HIGH" in the NVD, Trivy displays it with a severity of "MEDIUM".
The table below is the mapping of Oracle's threat to Trivy's severity levels.
| Oracle | Trivy |
|---|---|
| Low | Low |
| Moderate | Medium |
| Important | High |
| Critical | Critical |
Trivy supports the following vulnerability statuses for Oracle Linux.
| Status | Supported |
|---|---|
| Fixed | ✓ |
| Affected | ✓ |
| Under Investigation | |
| Will Not Fix | |
| Fix Deferred | |
| End of Life |
Trivy identifies licenses by examining the metadata of RPM packages.