I am trying to scan the qcow2 image using Trivy, but it's failing the test ?
trivy --debug fs /home/user/fedora32_image.qcow2
2021-04-13T14:01:53.535-0700 DEBUG Severities: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
2021-04-13T14:01:53.557-0700 DEBUG cache dir: /home/user/.cache/trivy
2021-04-13T14:01:53.558-0700 DEBUG DB update was skipped because DB is the latest
2021-04-13T14:01:53.558-0700 DEBUG DB Schema: 1, Type: 1, UpdatedAt: 2021-04-13 12:07:40.493338704 +0000 UTC, NextUpdate: 2021-04-14 00:07:40.493338404 +0000 UTC, DownloadedAt: 2021-04-13 17:17:26.74233259 +0000 UTC
2021-04-13T14:01:53.558-0700 DEBUG Vulnerability type: [os library]
2021-04-13T14:01:53.624-0700 DEBUG Artifact ID: sha256:3404e98968ad338dc60ef74c0dd5bdd893478415cd2296b0c265a5650b3ae4d6
2021-04-13T14:01:53.624-0700 DEBUG Blob IDs: [sha256:3404e98968ad338dc60ef74c0dd5bdd893478415cd2296b0c265a5650b3ae4d6]
2021-04-13T14:01:53.624-0700 WARN OS is not detected and vulnerabilities in OS packages are not detected.
2021-04-13T14:01:53.624-0700 INFO Trivy skips scanning programming language libraries because no supported file was detected
Any advice on debugging?
Trivy's
fs
mode needs an actual unpacked filesystem to read. You could mount that disk image and that point Trivy at it, or run Trivy from inside the VM. The only packed image formats it understands are containers since it's mostly a container tool.