Discrepancy in CVE Detection Between Grype and Trivy for the Same SBOM #10447
Question

Hi, I need assistance regarding a discrepancy found during the comparison of vulnerability scanning results between Grype and Trivy on the same SBOM file. While Grype detects multiple CVEs, Trivy identifies only one CVE for the exact same SBOM. Could you please help us understand the possible reasons for this difference in results and advise us on how to proceed to ensure accuracy and completeness in our vulnerability assessments?

trivy sbom cyclonedx.json
2026-03-26T14:45:28+01:00 INFO [vuln] Vulnerability scanning is enabled
2026-03-26T14:45:28+01:00 INFO Detected SBOM format format="cyclonedx-json"
2026-03-26T14:45:28+01:00 INFO Number of language-specific files num=1
2026-03-26T14:45:28+01:00 INFO [conan] Detecting vulnerabilities...
Report Summary
┌────────────┬───────┬─────────────────┐
│ Target │ Type │ Vulnerabilities │
├────────────┼───────┼─────────────────┤
│ conan.lock │ conan │ 1 │
└────────────┴───────┴─────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)
conan.lock (conan)
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
┌─────────┬───────────────┬──────────┬────────┬───────────────────┬──────────────────────┬──────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├─────────┼───────────────┼──────────┼────────┼───────────────────┼──────────────────────┼──────────────────────────────────────────────────────┤
│ openssl │ CVE-2023-6129 │ MEDIUM │ fixed │ 3.2.0 │ 3.0.13, 3.1.5, 3.2.1 │ openssl: POLY1305 MAC implementation corrupts vector │
│ │ │ │ │ │ │ registers on PowerPC │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-6129 │
└─────────┴───────────────┴──────────┴────────┴───────────────────┴──────────────────────┴──────────────────────────────────────────────────────┘

Additionally, I had to use the --add-cpes-if-none option with Grype in order to obtain results.

cat cyclonedx.json | grype --add-cpes-if-none
NAME INSTALLED FIXED IN TYPE VULNERABILITY SEVERITY EPSS RISK
boost 1.71.0 1.78.0 conan CVE-2016-9840 High 13.0% (94th) 9.9
openssl 3.2.0 1.0.2zk, 1.1.1za, 3.0.15, 3.1.7, 3.2.3, ... conan CVE-2024-5535 Critical 5.2% (89th) 4.7
openssl 3.2.0 3.0.15, 3.1.7, 3.2.3, 3.3.2 conan CVE-2024-6119 High 5.7% (90th) 4.3
openssl 3.2.0 1.1.1y, 3.0.14, 3.1.6, 3.2.2 conan CVE-2024-2511 Medium 4.5% (89th) 2.4
openssl 3.2.0 3.0.13, 3.1.5, 3.2.1 conan CVE-2023-6129 Medium 2.5% (85th) 1.4
openssl 3.2.0 3.2.4, 3.3.3, 3.4.1 conan CVE-2024-12797 Medium 0.8% (73rd) 0.4
openssl 3.2.0 1.0.2zl, 1.1.1zb, 3.0.16, 3.1.8, 3.2.4, ... conan CVE-2024-9143 Medium 0.6% (70th) 0.3
openssl 3.2.0 3.0.13, 3.1.5, 3.2.1 conan CVE-2023-6237 Medium 0.5% (67th) 0.3
ffmpeg 6.1.1 7.1.2 conan CVE-2025-1594 High 0.3% (57th) 0.3
ffmpeg 6.1.1 7.1.2 conan CVE-2025-9951 High 0.3% (56th) 0.2
ffmpeg 6.1.1 6.1.2 conan CVE-2024-31578 High 0.3% (55th) 0.2
ffmpeg 6.1.1 conan CVE-2024-35366 Critical 0.2% (44th) 0.2
openssl 3.2.0 1.1.1y, 3.0.14, 3.1.6, 3.2.2, 3.3.1 conan CVE-2024-4741 High 0.3% (49th) 0.2
ffmpeg 6.1.1 conan CVE-2024-35365 High 0.2% (45th) 0.2
ffmpeg 6.1.1 conan CVE-2024-35367 Critical 0.1% (34th) 0.1
openssl 3.2.0 1.0.2zj, 1.1.1x, 3.0.13, 3.1.5 conan CVE-2024-0727 Medium 0.2% (46th) 0.1
ffmpeg 6.1.1 4.3.8, 4.4.5, 5.1.6, 6.1.2, 7.0.2 conan CVE-2024-7055 High 0.1% (32nd) < 0.1
ffmpeg 6.1.1 4.3.9, 4.4.6, 5.1.7, 6.1.3, 7.0.3, 7.1.1 conan CVE-2023-6602 Medium 0.1% (35th) < 0.1
ffmpeg 6.1.1 4.3.9, 4.4.6, 5.1.7, 6.1.3, 7.0.3, 7.1.1 conan CVE-2023-6605 High < 0.1% (26th) < 0.1
ffmpeg 6.1.1 3.4.14, 4.2.11, 4.3.9, 4.4.6, 5.1.7, 6.1.3, ... conan CVE-2025-0518 Medium 0.1% (31st) < 0.1
openssl 3.2.0 3.0.14, 3.1.6, 3.2.2, 3.3.1 conan CVE-2024-4603 Medium < 0.1% (26th) < 0.1
ffmpeg 6.1.1 4.2.11, 4.3.9, 4.4.6, 5.1.7, 6.1.3, ... conan CVE-2025-22919 Medium < 0.1% (23rd) < 0.1
ffmpeg 6.1.1 5.1.5, 6.1.2 conan CVE-2023-51795 High < 0.1% (18th) < 0.1
ffmpeg 6.1.1 4.3.9, 4.4.6, 5.1.7, 6.1.3, 7.0.3, 7.1.1 conan CVE-2023-6604 Medium < 0.1% (24th) < 0.1
ffmpeg 6.1.1 conan CVE-2024-36616 Medium < 0.1% (22nd) < 0.1
openssl 3.2.0 1.0.2zl, 1.1.1zb, 3.0.16, 3.1.8, 3.2.4, ... conan CVE-2024-13176 Medium < 0.1% (22nd) < 0.1
ffmpeg 6.1.1 6.1.3 conan CVE-2023-49501 High < 0.1% (9th) < 0.1
openssl 3.2.0 1.0.2zm, 1.1.1zd, 3.0.18, 3.2.6, 3.3.5, ... conan CVE-2025-9230 High < 0.1% (9th) < 0.1
ffmpeg 6.1.1 conan CVE-2024-35369 Medium < 0.1% (12th) < 0.1
ffmpeg 6.1.1 4.3.9, 4.4.6, 5.1.7, 6.1.3, 7.0.3, 7.1.1 conan CVE-2023-6601 Medium < 0.1% (11th) < 0.1
ffmpeg 6.1.1 conan CVE-2024-36619 Medium < 0.1% (10th) < 0.1
ffmpeg 6.1.1 conan CVE-2024-36613 Medium < 0.1% (8th) < 0.1
ffmpeg 6.1.1 conan CVE-2024-36618 Medium < 0.1% (8th) < 0.1
openssl 3.2.0 3.2.6, 3.3.5, 3.4.3, 3.5.4 conan CVE-2025-9231 Medium < 0.1% (5th) < 0.1
ffmpeg 6.1.1 8.0 conan CVE-2025-59729 Medium < 0.1% (5th) < 0.1
ffmpeg 6.1.1 8.0 conan CVE-2025-59730 Medium < 0.1% (4th) < 0.1
ffmpeg 6.1.1 3.4.14, 4.2.9, 4.3.7, 4.4.5, 5.1.5, 6.1.2, ... conan CVE-2024-36617 Medium < 0.1% (4th) < 0.1
ffmpeg 6.1.1 8.0 conan CVE-2025-10256 Medium < 0.1% (0th) < 0.1
zlib 1.3.1 1.3.2 conan CVE-2026-27171 Medium < 0.1% (0th) < 0.1
ffmpeg 6.1.1 8.1 conan CVE-2025-12343 Medium < 0.1% (0th) < 0.1

Thank you in advance for your support. Best regards,

Target: SBOM
Scanner: Vulnerability
Output Format: Table
Mode: Standalone
Operating System: WSL Ubuntu
Version: Version: 0.69.3
Vulnerability DB:
Version: 2
UpdatedAt: 2026-03-19 12:35:06.232779536 +0000 UTC
NextUpdate: 2026-03-20 12:35:06.232779285 +0000 UTC
DownloadedAt: 2026-03-26 13:25:21.319417711 +0000 UTC
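As an added example (not part of this discussion and not code from the Trivy or Grype projects), the following Python script reads a Trivy JSON report and a Grype JSON report produced from the same SBOM and lists, per package and version, which CVE IDs both scanners agree on and which only one of them reported. The field layouts it expects are the commonly used top-level shapes of `trivy sbom -f json` and `grype -o json` and are stated as assumptions in the docstring; the embedded sample reports are constructed from a few rows of the two tables above.

```python
"""Compare Trivy and Grype JSON reports for the same SBOM and list, per package,
the CVEs that only one scanner reported.

Assumed report shapes (adjust the two extractor functions if your versions differ):
  Trivy: {"Results": [{"Target", "Type",
                       "Vulnerabilities": [{"VulnerabilityID", "PkgName", "InstalledVersion", ...}]}]}
  Grype: {"matches": [{"vulnerability": {"id", "severity"},
                       "artifact": {"name", "version", "type"}}]}
"""
import json
from collections import defaultdict

# Constructed sample reports shaped like the two scans in the post (a subset of rows).
TRIVY_SAMPLE = json.dumps({
    "Results": [{
        "Target": "conan.lock", "Type": "conan",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2023-6129", "PkgName": "openssl",
             "InstalledVersion": "3.2.0", "FixedVersion": "3.0.13, 3.1.5, 3.2.1",
             "Severity": "MEDIUM"},
        ],
    }],
})

GRYPE_SAMPLE = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-2023-6129", "severity": "Medium"},
         "artifact": {"name": "openssl", "version": "3.2.0", "type": "conan"}},
        {"vulnerability": {"id": "CVE-2024-5535", "severity": "Critical"},
         "artifact": {"name": "openssl", "version": "3.2.0", "type": "conan"}},
        {"vulnerability": {"id": "CVE-2016-9840", "severity": "High"},
         "artifact": {"name": "boost", "version": "1.71.0", "type": "conan"}},
        {"vulnerability": {"id": "CVE-2024-35366", "severity": "Critical"},
         "artifact": {"name": "ffmpeg", "version": "6.1.1", "type": "conan"}},
    ],
})


def trivy_findings(report: dict) -> dict:
    """Map (package, version) -> set of vulnerability IDs from a Trivy JSON report."""
    findings = defaultdict(set)
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            key = (vuln["PkgName"].lower(), vuln["InstalledVersion"])
            findings[key].add(vuln["VulnerabilityID"])
    return findings


def grype_findings(report: dict) -> dict:
    """Map (package, version) -> set of vulnerability IDs from a Grype JSON report."""
    findings = defaultdict(set)
    for match in report.get("matches") or []:
        art = match["artifact"]
        key = (art["name"].lower(), art["version"])
        findings[key].add(match["vulnerability"]["id"])
    return findings


def diff_findings(trivy: dict, grype: dict) -> dict:
    """For every package seen by either scanner, split IDs into both / trivy_only / grype_only."""
    diff = {}
    for key in sorted(set(trivy) | set(grype)):
        t, g = trivy.get(key, set()), grype.get(key, set())
        diff[key] = {"both": t & g, "trivy_only": t - g, "grype_only": g - t}
    return diff


def summarize(diff: dict) -> list:
    """One line per package where the scanners disagree; these are the packages whose
    advisory coverage should be checked against each scanner's data source."""
    lines = []
    for (name, version), sets in diff.items():
        if sets["trivy_only"] or sets["grype_only"]:
            lines.append(f"{name} {version}: both={len(sets['both'])} "
                         f"trivy_only={sorted(sets['trivy_only'])} "
                         f"grype_only={sorted(sets['grype_only'])}")
    return lines


def compare_reports(trivy_json: str, grype_json: str) -> dict:
    """Parse both JSON documents and return the per-package diff."""
    return diff_findings(trivy_findings(json.loads(trivy_json)),
                         grype_findings(json.loads(grype_json)))


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as t, open(sys.argv[2]) as g:
            result = compare_reports(t.read(), g.read())
    else:
        result = compare_reports(TRIVY_SAMPLE, GRYPE_SAMPLE)
    print("\n".join(summarize(result)))
```

Run it as `python compare.py trivy.json grype.json` after producing the two reports with `trivy sbom -f json` and `grype -o json`; without arguments it runs on the embedded samples. Packages that appear only under `grype_only` (here openssl, boost and ffmpeg) are the ones whose advisories are missing from one scanner's database rather than a difference in what the SBOM declares, which is the question to put to that scanner's data source maintainers.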
Replies: 1 comment
Hi @carusojfr ,
It seems the GitLab advisory database (we use it specifically for Conan advisories: https://trivy.dev/docs/latest/guide/scanner/vulnerability/#langpkg-data-sources) has some problems with updating/adding advisories - https://advisories.gitlab.com/pkg/conan/openssl/
You can write to them and find out the reasons for this.
Regards, Dmitriy