Description
What happened:
I tried to scan the latest stable image of the OpenTelemetry Collector (Contrib), i.e. otel/opentelemetry-collector-contrib:0.144.0, using the containerized anchore/grype:latest.
The scanner could not find CPEs for any package, so it produced no results (not even a single Negligible or Low vulnerability, which is not a very likely result).
Logs:
[0000] INFO grype version: 0.105.0
[0000] DEBUG config:
log:
quiet: false
level: debug
file: ""
dev:
profile: none
output: []
file: ""
pretty: false
distro: ""
add-cpes-if-none: false
output-template-file: ""
check-for-app-update: true
only-fixed: false
only-notfixed: false
ignore-states: ""
platform: ""
search:
scope: squashed
unindexed-archives: false
indexed-archives: true
ignore: []
exclude: []
external-sources:
enable: false
maven:
search-upstream: true
base-url: https://search.maven.org/solrsearch/select
rate-limit: 300ms
match:
java:
using-cpes: false
jvm:
using-cpes: true
dotnet:
using-cpes: false
golang:
using-cpes: false
always-use-cpe-for-stdlib: true
allow-main-module-pseudo-version-comparison: false
javascript:
using-cpes: false
python:
using-cpes: false
ruby:
using-cpes: false
rust:
using-cpes: false
stock:
using-cpes: true
fail-on-severity: ""
registry:
insecure-skip-tls-verify: false
insecure-use-http: false
auth: []
ca-cert: ""
show-suppressed: false
by-cve: false
sort-by: risk
name: ""
default-image-pull-source: ""
from: []
vex-documents: []
vex-add: []
match-upstream-kernel-headers: false
fix-channel:
redhat-eus:
apply: auto
versions: '>= 8.0'
timestamp: true
db:
cache-dir: /.cache/grype/db
update-url: https://grype.anchore.io/databases
ca-cert: ""
auto-update: true
validate-by-hash-on-start: true
validate-age: true
max-allowed-built-age: 120h0m0s
require-update-check: false
update-available-timeout: 30s
update-download-timeout: 5m0s
max-update-check-frequency: 2h0m0s
exp: {}
dev:
db:
debug: false
[0000] DEBUG gathering packages
[0000] DEBUG loading DB
[0000] DEBUG checking for available database updates
[0000] INFO docker pulling image from=stereoscope image=otel/opentelemetry-collector-contrib:0.144.0
[0000] DEBUG pulling docker image="otel/opentelemetry-collector-contrib:0.144.0" from=stereoscope
[0000] DEBUG using docker config="/.docker/config.json" from=stereoscope
[0000] DEBUG using docker credentials for "index.docker.io" from=stereoscope
[0000] DEBUG no new grype application update available
[0000] DEBUG cannot find existing metadata, using update...
[0000] DEBUG database update available: DB(version=v6.1.3 built=2026-01-23T06:17:01Z)
[0000] INFO downloading new vulnerability DB
[0002] INFO docker pulled image from=stereoscope image=otel/opentelemetry-collector-contrib:0.144.0 time=2.321329894s
[0004] INFO docker saved image from=stereoscope image=otel/opentelemetry-collector-contrib:0.144.0 path=/tmp/stereoscope-3368420416/docker-daemon-image-643899980/image.tar time=2.569140718s
[0004] DEBUG got uncompressed image tarball from=stereoscope image=/tmp/stereoscope-3368420416/docker-daemon-image-643899980/image.tar time=628.897µs
[0004] DEBUG reading image digest=sha256:84f0264d9edf6286e11a63ed2073ee7a4a5ff4a21d88185d62214ca4f4237012 from=stereoscope mediaType=application/vnd.docker.distribution.manifest.v2+json tags=[otel/opentelemetry-collector-contrib:0.144.0]
[0005] INFO completed image read digest=sha256:84f0264d9edf6286e11a63ed2073ee7a4a5ff4a21d88185d62214ca4f4237012 from=stereoscope mediaType=application/vnd.docker.distribution.manifest.v2+json tags=[otel/opentelemetry-collector-contrib:0.144.0] time=434.169403ms
[0005] DEBUG selected 31 package cataloger tasks from=syft
[0005] DEBUG selected 4 file cataloger tasks from=syft
[0006] INFO task completed elapsed=82.775µs from=syft task=environment-cataloger
[0006] DEBUG discovered 0 packages cataloger=apk-db-cataloger from=syft
[0006] DEBUG discovered 0 packages cataloger=graalvm-native-image-cataloger from=syft
[0006] INFO task completed elapsed=258.153µs from=syft task=graalvm-native-image-cataloger
[0006] INFO task completed elapsed=275.887µs from=syft task=apk-db-cataloger
[0006] DEBUG discovered 0 packages cataloger=java-jvm-cataloger from=syft
[0006] INFO task completed elapsed=194.193µs from=syft task=java-jvm-cataloger
[0006] DEBUG discovered 0 packages cataloger=gguf-cataloger from=syft
[0006] DEBUG discovered 0 packages cataloger=alpm-db-cataloger from=syft
[0006] DEBUG discovered 0 packages cataloger=homebrew-cataloger from=syft
[0006] DEBUG discovered 0 packages cataloger=php-pear-serialized-cataloger from=syft
[0006] DEBUG discovered 0 packages cataloger=pe-binary-package-cataloger from=syft
[0006] DEBUG discovered 0 packages cataloger=ruby-installed-gemspec-cataloger from=syft
[0006] DEBUG discovered 0 packages cataloger=php-composer-installed-cataloger from=syft
[0006] INFO task completed elapsed=501.008µs from=syft task=php-composer-installed-cataloger
[0006] DEBUG discovered 0 packages cataloger=wordpress-plugins-cataloger from=syft
[0006] DEBUG discovered 0 packages cataloger=cargo-auditable-binary-cataloger from=syft
[0006] DEBUG discovered 0 packages cataloger=java-archive-cataloger from=syft
[0006] INFO task completed elapsed=715.048µs from=syft task=java-archive-cataloger
[0006] INFO task completed elapsed=373.68µs from=syft task=php-pear-serialized-cataloger
[0006] DEBUG discovered 0 packages cataloger=binary-classifier-cataloger from=syft
[0006] INFO task completed elapsed=695.962µs from=syft task=binary-classifier-cataloger
[0006] INFO task completed elapsed=571.67µs from=syft task=wordpress-plugins-cataloger
[0006] DEBUG discovered 0 packages cataloger=snap-cataloger from=syft
[0006] INFO task completed elapsed=804.706µs from=syft task=snap-cataloger
[0006] INFO task completed elapsed=555.349µs from=syft task=cargo-auditable-binary-cataloger
[0006] DEBUG discovered 0 packages cataloger=r-package-cataloger from=syft
[0006] INFO task completed elapsed=822.87µs from=syft task=r-package-cataloger
[0006] DEBUG discovered 0 packages cataloger=dotnet-packages-lock-cataloger from=syft
[0006] INFO task completed elapsed=833.339µs from=syft task=dotnet-packages-lock-cataloger
[0006] INFO task completed elapsed=380.722µs from=syft task=alpm-db-cataloger
[0006] DEBUG discovered 0 packages cataloger=portage-cataloger from=syft
[0006] INFO task completed elapsed=980.876µs from=syft task=portage-cataloger
[0006] INFO task completed elapsed=215.453µs from=syft task=gguf-cataloger
[0006] DEBUG discovered 0 packages cataloger=dotnet-deps-binary-cataloger from=syft
[0006] DEBUG discovered 0 packages cataloger=javascript-package-cataloger from=syft
[0006] INFO task completed elapsed=1.149261ms from=syft task=javascript-package-cataloger
[0006] INFO task completed elapsed=952.502µs from=syft task=dotnet-deps-binary-cataloger
[0006] DEBUG discovered 0 packages cataloger=conan-info-cataloger from=syft
[0006] INFO task completed elapsed=1.154942ms from=syft task=conan-info-cataloger
[0006] DEBUG discovered 0 packages cataloger=elf-binary-package-cataloger from=syft
[0006] INFO task completed elapsed=1.145234ms from=syft task=elf-binary-package-cataloger
[0006] DEBUG discovered 0 packages cataloger=bitnami-cataloger from=syft
[0006] DEBUG discovered 0 packages cataloger=rpm-db-cataloger from=syft
[0006] DEBUG discovered 0 packages cataloger=linux-kernel-cataloger from=syft
[0006] INFO task completed elapsed=1.337934ms from=syft task=linux-kernel-cataloger
[0006] DEBUG discovered 0 packages cataloger=python-installed-package-cataloger from=syft
[0006] INFO task completed elapsed=1.334888ms from=syft task=python-installed-package-cataloger
[0006] INFO task completed elapsed=1.220905ms from=syft task=bitnami-cataloger
[0006] INFO task completed elapsed=402.052µs from=syft task=pe-binary-package-cataloger
[0006] DEBUG discovered 0 packages cataloger=nix-cataloger from=syft
[0006] INFO task completed elapsed=1.456707ms from=syft task=nix-cataloger
[0006] INFO task completed elapsed=1.296156ms from=syft task=rpm-db-cataloger
[0006] DEBUG discovered 0 packages cataloger=dpkg-db-cataloger from=syft
[0006] INFO task completed elapsed=1.573835ms from=syft task=dpkg-db-cataloger
[0006] INFO task completed elapsed=436.717µs from=syft task=ruby-installed-gemspec-cataloger
[0006] INFO task completed elapsed=303.248µs from=syft task=homebrew-cataloger
[0006] DEBUG discovered 0 packages cataloger=lua-rock-cataloger from=syft
[0006] INFO task completed elapsed=1.622296ms from=syft task=lua-rock-cataloger
[0006] DEBUG discovered 0 packages cataloger=php-interpreter-cataloger from=syft
[0006] INFO task completed elapsed=1.727232ms from=syft task=php-interpreter-cataloger
[0006] DEBUG discovered 1009 packages cataloger=go-module-binary-cataloger from=syft
[0006] INFO task completed elapsed=155.593049ms from=syft task=go-module-binary-cataloger
[0006] INFO task completed elapsed=671ns from=syft task=file-content-cataloger
[0006] DEBUG executable cataloger processed 1 files from=syft
[0006] INFO task completed elapsed=17.375622ms from=syft task=file-executable-cataloger
[0006] DEBUG file metadata cataloger processed 1 files from=syft
[0006] INFO task completed elapsed=17.478715ms from=syft task=file-metadata-cataloger
[0006] DEBUG file digests cataloger processed 1 files from=syft
[0006] INFO task completed elapsed=295.58556ms from=syft task=file-digest-cataloger
[0006] INFO task completed elapsed=116.438034ms from=syft task=relationships-cataloger
[0007] INFO task completed elapsed=33.577667ms from=syft task=unknowns-labeler
[0007] INFO task completed elapsed=2.655µs from=syft task=os-feature-detection
[0007] DEBUG no CPEs for package: Pkg(name="cel.dev/expr" version="v0.25.1" type="go-module" id="0e7003e13e4c0882")
[0007] DEBUG no CPEs for package: Pkg(name="cloud.google.com/go" version="v0.123.0" type="go-module" id="99359d580547ba0f")
[0007] DEBUG no CPEs for package: Pkg(name="code.cloudfoundry.org/clock" version="v0.0.0-20180518195852-02e53af36e6c" type="go-module" id="b8c23ef129f2612c")
[0007] DEBUG no CPEs for package: Pkg(name="code.cloudfoundry.org/go-diodes" version="v0.0.0-20241007161556-ec30366c7912" type="go-module" id="969615b6843b82d0")
[0007] DEBUG no CPEs for package: Pkg(name="code.cloudfoundry.org/go-loggregator" version="v7.4.0+incompatible" type="go-module" id="65b0bccafd0de9b8")
[0007] DEBUG no CPEs for package: Pkg(name="code.cloudfoundry.org/rfc5424" version="v0.0.0-20201103192249-000122071b78" type="go-module" id="fbde12ee82cbbefd")
[0007] DEBUG no CPEs for package: Pkg(name="filippo.io/edwards25519" version="v1.1.0" type="go-module" id="6b63dd48424a72fc")
[0007] DEBUG no CPEs for package: Pkg(name="go.elastic.co/fastjson" version="v1.5.1" type="go-module" id="2b0cb5e7c6a392bc")
[0007] DEBUG no CPEs for package: Pkg(name="go.etcd.io/bbolt" version="v1.4.3" type="go-module" id="cd20f9ab3703e7a9")
[0007] DEBUG no CPEs for package: Pkg(name="go.mongodb.org/atlas" version="v0.38.0" type="go-module" id="a7ae17283c2f42c4")
[0007] DEBUG no CPEs for package: Pkg(name="go.mongodb.org/mongo-driver" version="v1.17.6" type="go-module" id="88b3e07d490399be")
[0007] DEBUG no CPEs for package: Pkg(name="go.opencensus.io" version="v0.24.0" type="go-module" id="973778afc398d499")
[0007] DEBUG no CPEs for package: Pkg(name="go.opentelemetry.io/collector" version="v0.144.0" type="go-module" id="d3836fb64622ca26")
[0007] DEBUG no CPEs for package: Pkg(name="go.opentelemetry.io/ebpf-profiler" version="v0.0.202601" type="go-module" id="0a04f253fa8d3c43")
[0007] DEBUG no CPEs for package: Pkg(name="go.opentelemetry.io/otel" version="v1.39.1-0.20260115134311-f809f7d71e2d" type="go-module" id="653425e41580874a")
[0007] DEBUG no CPEs for package: Pkg(name="go.uber.org/atomic" version="v1.11.0" type="go-module" id="fad5ca8acf3df9a9")
[0007] DEBUG no CPEs for package: Pkg(name="go.uber.org/automaxprocs" version="v1.6.0" type="go-module" id="bfc4485f718df89e")
[0007] DEBUG no CPEs for package: Pkg(name="go.uber.org/dig" version="v1.19.0" type="go-module" id="012ccc775c748075")
[0007] DEBUG no CPEs for package: Pkg(name="go.uber.org/fx" version="v1.24.0" type="go-module" id="7aaba374d734f241")
[0007] DEBUG no CPEs for package: Pkg(name="go.uber.org/goleak" version="v1.3.0" type="go-module" id="7872be85d6e8db4a")
[0007] DEBUG no CPEs for package: Pkg(name="go.uber.org/multierr" version="v1.11.0" type="go-module" id="6abfd257eb7617bd")
[0007] DEBUG no CPEs for package: Pkg(name="go.uber.org/zap" version="v1.27.1" type="go-module" id="c263fc5e8dd4eaf5")
[0007] DEBUG no CPEs for package: Pkg(name="gopkg.in/evanphx/json-patch.v4" version="v4.12.0" type="go-module" id="bb940eca1d31c562")
[0007] DEBUG no CPEs for package: Pkg(name="gopkg.in/inf.v0" version="v0.9.1" type="go-module" id="9adcc15775d90953")
[0007] DEBUG no CPEs for package: Pkg(name="gopkg.in/ini.v1" version="v1.67.0" type="go-module" id="abb871e7e7df11c8")
[0007] DEBUG no CPEs for package: Pkg(name="gopkg.in/natefinch/lumberjack.v2" version="v2.2.1" type="go-module" id="2e6302f64e8502de")
[0007] DEBUG no CPEs for package: Pkg(name="gopkg.in/yaml.v2" version="v2.4.0" type="go-module" id="4ab87c9aff6a2803")
[0007] DEBUG no CPEs for package: Pkg(name="k8s.io/api" version="v0.34.3" type="go-module" id="d6ce66ea0c817db2")
[0007] DEBUG no CPEs for package: Pkg(name="k8s.io/apimachinery" version="v0.35.0-alpha.0" type="go-module" id="e39008d85ef415d1")
[0007] DEBUG no CPEs for package: Pkg(name="k8s.io/client-go" version="v0.34.3" type="go-module" id="ff68a31067c96ae3")
[0007] DEBUG no CPEs for package: Pkg(name="k8s.io/kube-openapi" version="v0.0.0-20250710124328-f3f2b991d03b" type="go-module" id="47a2fb0259c67241")
[0007] DEBUG no CPEs for package: Pkg(name="k8s.io/kubelet" version="v0.34.3" type="go-module" id="316ff0008252f3fb")
[0007] DEBUG no CPEs for package: Pkg(name="k8s.io/utils" version="v0.0.0-20250604170112-4c0f3b243397" type="go-module" id="9b18ef5fc619f8e2")
[0007] DEBUG no CPEs for package: Pkg(name="modernc.org/libc" version="v1.67.4" type="go-module" id="9f17091dfa952e81")
[0007] DEBUG no CPEs for package: Pkg(name="modernc.org/mathutil" version="v1.7.1" type="go-module" id="93916ebf5af86aa5")
[0007] DEBUG no CPEs for package: Pkg(name="modernc.org/memory" version="v1.11.0" type="go-module" id="54af9c6fddb28977")
[0007] DEBUG no CPEs for package: Pkg(name="modernc.org/sqlite" version="v1.44.0" type="go-module" id="3968cb7bdcdfd41b")
[0007] DEBUG no CPEs for package: Pkg(name="sigs.k8s.io/controller-runtime" version="v0.22.4" type="go-module" id="8a339dcbddfe13af")
[0007] DEBUG no CPEs for package: Pkg(name="sigs.k8s.io/json" version="v0.0.0-20241014173422-cfa47c3a1cc8" type="go-module" id="0b1dc9e085bd5d48")
[0007] DEBUG no CPEs for package: Pkg(name="sigs.k8s.io/randfill" version="v1.0.0" type="go-module" id="29df6e792d7bd582")
[0007] DEBUG no CPEs for package: Pkg(name="sigs.k8s.io/yaml" version="v1.6.0" type="go-module" id="01e5a01ddd0b3f6d")
[0007] INFO gathered packages packages=1009 time=7.22332781s
[0013] INFO downloaded vulnerability DB time=13.221892177s url=https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2026-01-23T00:32:22Z_1769149021.tar.zst?checksum=sha256%3Ab0251899aa859701bc5b11f0129ab07a21c95418e2cb0d6f6c1dcf32be1ff323
[0013] DEBUG using writable DB statements path=/.cache/grype/db/grype-db-download1680502180/vulnerability.db
[0013] DEBUG applying DB migrations path=/.cache/grype/db/grype-db-download1680502180/vulnerability.db
[0031] DEBUG moved database directory to activate error=<nil> from=/.cache/grype/db/grype-db-download1680502180 to=/.cache/grype/db/6
[0031] INFO installed new vulnerability DB built=2026-01-23T06:17:01Z version=v6.1.3
[0032] INFO loaded DB status=valid time=32.266208038s
[0032] DEBUG ├── schema=v6.1.3
[0032] DEBUG ├── built=2026-01-23T06:17:01Z
[0032] DEBUG ├── from=https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.3_2026-01-23T00:32:22Z_1769149021.tar.zst?checksum=sha256%3Ab0251899aa859701bc5b11f0129ab07a21c95418e2cb0d6f6c1dcf32be1ff323
[0032] DEBUG └── path=/.cache/grype/db/6/vulnerability.db
[0032] INFO found 0 vulnerability matches across 1009 packages
[0032] DEBUG ├── fixed: 0
[0032] DEBUG ├── ignored: 0 (due to user-provided rule)
[0032] DEBUG ├── dropped: 0 (due to hard-coded correction)
[0032] DEBUG └── matched: 0
[0032] DEBUG ├── unknown: 0
[0032] DEBUG ├── negligible: 0
[0032] DEBUG ├── low: 0
[0032] DEBUG ├── medium: 0
[0032] DEBUG ├── high: 0
[0032] DEBUG └── critical: 0
[0032] INFO found vulnerability matches time=660.352398ms
No vulnerabilities found
What you expected to happen:
The scan should detect at least some Low-level vulnerabilities for these containers (even though they are built from scratch, so no OS is present, they do contain some libraries that are vulnerable, as seen from this listing: https://opentelemetry.io/docs/security/cve/).
How to reproduce it (as minimally and precisely as possible):
$ docker run --rm --name grype-test -v /var/run/docker.sock:/var/run/docker.sock anchore/grype:latest -vv otel/opentelemetry-collector-contrib:0.144.0
Link to Dockerhub, GitHub, GitLab, maven central, quay.io, etc to a public artifact we can try scanning
Environment:
- Output of grype version:
Application: grype
Version: 0.105.0
BuildDate: 2026-01-15T22:51:45Z
GitCommit: 32e7c0d3561dcca0cc4b000a850f681e5fb79a27
GitDescription: v0.105.0
Platform: linux/amd64
GoVersion: go1.25.5
Compiler: gc
Syft Version: v1.40.1
Supported DB Schema: 6
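When a scan of a non-empty image comes back with zero matches, the first triage step is to check that the empty report is consistent with what the catalogers found and with the matching configuration in effect, rather than accepting it as "no known vulnerabilities". The script below is an added example, not part of this report and not grype's own code: it parses the shape of the -vv log lines and the config dump shown above (constructed excerpts, embedded inline) and, for each package type that carries no CPE, reports the add-cpes-if-none and match.<ecosystem>.using-cpes values that govern CPE-based matching for it. The mapping from syft package types to grype match sections (go-module to golang, and so on) is an assumption in the code; the script does not decide whether the empty result is wrong, it only surfaces what to look at before re-running.

```python
import re
from collections import Counter

# Constructed excerpts for illustration; they follow the line shapes in the
# report above but are not the full log or config dump.
SAMPLE_LOG = """\
[0006] DEBUG discovered 0 packages cataloger=apk-db-cataloger from=syft
[0006] DEBUG discovered 0 packages cataloger=dpkg-db-cataloger from=syft
[0006] DEBUG discovered 1009 packages cataloger=go-module-binary-cataloger from=syft
[0007] DEBUG no CPEs for package: Pkg(name="go.etcd.io/bbolt" version="v1.4.3" type="go-module" id="cd20f9ab3703e7a9")
[0007] DEBUG no CPEs for package: Pkg(name="gopkg.in/yaml.v2" version="v2.4.0" type="go-module" id="4ab87c9aff6a2803")
[0007] INFO gathered packages packages=1009 time=7.22332781s
[0032] INFO found 0 vulnerability matches across 1009 packages
"""

SAMPLE_CONFIG = """\
add-cpes-if-none: false
match:
  golang:
    using-cpes: false
    always-use-cpe-for-stdlib: true
  stock:
    using-cpes: true
"""

DISCOVERED_RE = re.compile(r"discovered (\d+) packages cataloger=(\S+)")
NO_CPE_RE = re.compile(r'no CPEs for package: Pkg\(name="([^"]+)" version="([^"]+)" type="([^"]+)"')
MATCHES_RE = re.compile(r"found (\d+) vulnerability matches across (\d+) packages")
SECTION_RE = re.compile(r"^\s*([\w-]+):\s*$")
SETTING_RE = re.compile(r"^\s*([\w-]+):\s*(true|false)\s*$")

# Assumed mapping from syft package type to the grype "match.<section>" key.
TYPE_TO_MATCHER = {
    "go-module": "golang",
    "java-archive": "java",
    "npm": "javascript",
    "python": "python",
    "gem": "ruby",
    "rust-crate": "rust",
    "dotnet": "dotnet",
}


def parse_log(text):
    """Summarise what the catalogers discovered and what the matcher reported."""
    by_cataloger = {}
    no_cpe_by_type = Counter()
    matches = packages = None
    for line in text.splitlines():
        if m := DISCOVERED_RE.search(line):
            by_cataloger[m.group(2)] = int(m.group(1))
        elif m := NO_CPE_RE.search(line):
            no_cpe_by_type[m.group(3)] += 1
        elif m := MATCHES_RE.search(line):
            matches, packages = int(m.group(1)), int(m.group(2))
    return {
        "active_catalogers": {k: v for k, v in by_cataloger.items() if v},
        "no_cpe_by_type": dict(no_cpe_by_type),
        "matches": matches,
        "packages": packages,
    }


def parse_cpe_settings(config_text):
    """Extract add-cpes-if-none and every match.<section>.using-cpes value.

    Also works on an indentation-stripped dump: a section is simply the last
    bare 'name:' line seen before a 'using-cpes:' line."""
    add_cpes = None
    using = {}
    section = None
    for line in config_text.splitlines():
        if m := SECTION_RE.match(line):
            section = m.group(1)
        elif m := SETTING_RE.match(line):
            key, val = m.group(1), m.group(2) == "true"
            if key == "add-cpes-if-none":
                add_cpes = val
            elif key == "using-cpes" and section:
                using[section] = val
    return {"add-cpes-if-none": add_cpes, "using-cpes": using}


def triage(log_text, config_text):
    """Flag an empty result that deserves a second look and say why."""
    log = parse_log(log_text)
    cfg = parse_cpe_settings(config_text)
    notes = []
    if not log["packages"]:
        notes.append("no packages cataloged: check the image reference, platform and that the tarball was read")
    elif log["matches"] == 0:
        for ptype, count in sorted(log["no_cpe_by_type"].items()):
            matcher = TYPE_TO_MATCHER.get(ptype, "?")
            notes.append(
                f"{count} {ptype} package(s) carry no CPE; match.{matcher}.using-cpes="
                f"{cfg['using-cpes'].get(matcher)}, add-cpes-if-none={cfg['add-cpes-if-none']}"
            )
    return {"verdict": "review" if notes else "ok", "notes": notes, **log}


if __name__ == "__main__":
    for note in triage(SAMPLE_LOG, SAMPLE_CONFIG)["notes"]:
        print(note)
```

Feed it the full -vv output of a real run (the config dump and the log lines are both on stdout/stderr of the same invocation) and compare the notes against the report you are about to accept; a "review" verdict with packages cataloged but no CPEs is the situation in this issue.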