Skip to content

Supported Environments#

Overview of Managed Targets#

This document lists the OS types, versions, and other targets whose vulnerabilities can be managed with FutureVuls. For network requirements and other prerequisites when using a scanner, please also refer to the 'Scanner Requirements' manual.

FutureVuls can manage the following types of targets:

  • Server Environments
    • On-premise
    • Cloud: AWS / GCP / Azure
    • Closed network (air-gapped) environments
  • Server OS
    • Linux
    • Windows
  • Application Language Libraries
  • Middleware (Apache httpd, etc.)
  • SBOM
  • Containers
  • Network devices, commercial products, and other items registered in NVD and JVN
  • WordPress core, plugins, and themes supported by wpscan.com

Local Scans#

Linux#

Supported for Linux Host Scans.

Distribution Supported Versions
Red Hat Enterprise Linux 7, 8, 9, 10
Amazon Linux 2, 2022, 2023 ※1
Debian 11, 12, 13 ※2
Ubuntu 18, 20, 22, 24, 26
Oracle Linux 8, 9, 10
Rocky Linux 8, 9, 10
AlmaLinux OS 8, 9, 10
Fedora Linux 43, 44
openSUSE tumbleweed
openSUSE Leap 16
SUSE Enterprise 15, 16

※1 Amazon Linux 2 and 2022 will reach EOL on June 30, 2026, and will no longer be supported.

※2 Debian 11 will reach EOL on June 30, 2026, and will no longer be supported.

  • Extended update support status is as follows:
    • EUS for Red Hat Enterprise Linux is currently not supported.
    • ESM for Ubuntu is supported.

Windows#

Supported for Windows Host Scans.

Distribution Supported Versions
Windows Server 2016, 2019, 2022, 2025
Windows 10, 11

Paste Scans#

Linux#

Supported for Linux Paste Scans.

Distribution Supported Versions
Red Hat Enterprise Linux 7, 8, 9, 10
Amazon Linux 2, 2022, 2023 ※1
Debian 11, 12, 13 ※2
Ubuntu 18, 20, 22, 24, 26
Oracle Linux 8, 9, 10
Rocky Linux 8, 9, 10
AlmaLinux OS 8, 9, 10
Fedora Linux 43, 44
openSUSE tumbleweed
openSUSE Leap 16
SUSE Enterprise 15, 16

※1 Amazon Linux 2 and 2022 will reach EOL on June 30, 2026, and will no longer be supported.

※2 Debian 11 will reach EOL on June 30, 2026, and will no longer be supported.

Windows#

Supported for Windows Paste Scans.

Distribution Supported Versions
Windows Server 2016, 2019, 2022, 2025
Windows 10, 11

Container Image Scans (Trivy)#

For targets supported by Docker Scans (Trivy), please refer to the Trivy documentation.

Additionally, for the standard method of installing Trivy in a local environment to perform a scan, the setup is only possible on the following OSes:

  • Red Hat Enterprise Linux
  • Amazon Linux
  • Debian
  • Ubuntu
  • Rocky Linux
  • AlmaLinux OS
  • Fedora Linux
  • openSUSE
  • openSUSE Leap
  • SUSE Enterprise
  • Oracle Linux
  • FreeBSD

Inspector Scans#

For targets supported by Inspector Scans and Vulnerability Scans of Container Images on ECR, which integrate with Amazon Inspector to import scan results into FutureVuls, please refer to the Amazon Inspector documentation.

Application Dependency Libraries#

Applications Not Present in the Data Source Are Not Detected

Applications not present in Trivy's data source will not be detected (e.g., Android OSS).

Importing Application SBOMs#

For instructions on using SBOM tools and their supported lockfiles, please refer to the documentation for each tool. For the advantages and disadvantages of each scanning method, please refer to 'Scan Method Options and Features > Scan Application Dependency Libraries'.

Lockfile Paste Scans / Scans Specifying a Lockfile with Vuls Scanner#

Supported for Lockfile Paste Scans and scans specifying a lockfile with Vuls Scanner. Both methods use the same parser internally (scanner.AnalyzeLibrary) and only analyze the contents of the lockfile. The behavior for distinguishing development dependencies is identical.

Lang Lockfile Paste Vuls Scanner Dev Distinction Dev Detection Criteria
Node.js package-lock.json Yes "dev": true field
Node.js pnpm-lock.yaml Yes devDependencies section
Node.js bun.lock Yes devDependencies section
Node.js yarn.lock No -
Python poetry.lock Yes category = "dev" or groups does not include "main"
Python uv.lock Yes dev-dependencies section
Python Pipfile.lock No Dependencies in the "develop" section are completely excluded
Python requirements.txt No -
PHP composer.lock Yes "packages-dev" section
Java gradle.lockfile Yes all classpaths start with test
Java pom.xml No Dependencies with <scope>test</scope> are completely excluded
Java JAR, WAR, EAR, PAR - No -
.NET packages.lock.json No -
Go go.mod No -
Go go.sum - No -
Go Go binary - No -
Rust Cargo.lock No -
Rust Rust binary - No Dependencies other than runtime are completely excluded
Ruby Gemfile.lock No -
Ruby .gemspec - No -
C / C++ conan.lock No -
Elixir mix.lock No -
Dart pubspec.lock No -
Swift Package.resolved No -
Swift Podfile.lock (CocoaPods) No -

Meaning of the 'Dev Distinction' Column

  • Yes: The lockfile format allows for distinguishing between development and production dependencies. By default, devDependencies are excluded from the scan results. If the 'Include devDependencies' option is enabled when adding the lockfile, they will be included in the scan results with a [DevDependency] badge.
  • No: The lockfile format does not allow for distinguishing between development and production dependencies, so all dependencies are included in the scan results.

Differences based on pnpm-lock.yaml version

For pnpm-lock.yaml, Dev detection behavior differs depending on the lockfileVersion.

  • v9 or later: Dev dependencies are identified from the devDependencies in the importers section and can be included in scan results with a [DevDependency] badge (Trivy documentation: "Trivy supports Dev field for pnpm-lock.yaml v9 or later").
  • v5 to v8: Dev dependencies are completely excluded by Trivy's parser. They are always removed from the scan results, regardless of the 'Include devDependencies' option.

Special Case for Pipfile.lock

Dependencies included in the "develop" section of Pipfile.lock are completely excluded by Trivy's parser. The parser only reads the "default" section, so packages in the "develop" section are always removed from scan results, regardless of the 'Include devDependencies' option (as of Trivy v0.69.1).

Special Case for pom.xml

Dependencies specified with <scope>test</scope> in Maven are completely excluded by Trivy. Trivy only scans import, compile, runtime, and empty scopes; the test scope is always removed from scan results (Trivy documentation).

Scans Specifying a Filesystem Path with Trivy#

For supported targets in scans specifying a filesystem path with Trivy, please refer to the 'Filesystem' column in the Trivy documentation.

Since Trivy can access the filesystem, it reads surrounding files in addition to the lockfile itself, improving the accuracy of development dependency detection. The following lockfiles enable development dependency distinction that is not possible with Paste Scans or Vuls Scanner.

Lang Lockfile Surrounding Files Dev Detection Criteria
Node.js yarn.lock package.json devDependencies section
Python poetry.lock pyproject.toml [tool.poetry.group.dev.dependencies] section
PHP composer.lock composer.json require-dev section
Rust Cargo.lock Cargo.toml Dependencies in [dev-dependencies] are completely excluded

Development dependency detection for lockfiles other than those listed above is the same as for Paste Scans / Vuls Scanner. For details, please refer to the 'Dev' column on the respective language pages in the Trivy documentation (e.g., Node.js, Python, Java).

Additionally, for the standard method of installing Trivy in a local environment to perform a scan, the setup is only possible on the following OSes:

  • Red Hat Enterprise Linux
  • Amazon Linux
  • Debian
  • Ubuntu
  • Rocky Linux
  • AlmaLinux OS
  • Fedora Linux
  • openSUSE
  • openSUSE Leap
  • SUSE Enterprise
  • Oracle Linux
  • FreeBSD

CPE Scans#

Registering CPEs on the FutureVuls UI enables detection of products registered in NVD and JVN.

WordPress Scans#

WordPress Scans target WordPress core, plugins, and themes supported by wpscan.com.

SSM Integration#

The 'SSM Integration Scan' is a feature that allows you to select EC2 instances on FutureVuls and scan them on-demand.

The 'SSM Integration Package Update' is a feature that allows you to select a task on FutureVuls and update packages on the associated EC2 instances.

Distribution SSM Integration Scan SSM Integration Package Update
Red Hat Enterprise Linux
Amazon Linux
Debian
Ubuntu
Oracle Linux -
Rocky Linux -
AlmaLinux8 -
SUSE Enterprise -