Supported Environments#
Overview of Managed Targets#
This document lists the OS types, versions, and other targets whose vulnerabilities can be managed with FutureVuls. For network requirements and other prerequisites when using a scanner, please also refer to the 'Scanner Requirements' manual.
FutureVuls can manage the following types of targets:
- Server Environments
- On-premise
- Cloud: AWS / GCP / Azure
- Closed network (air-gapped) environments
- Server OS
- Linux
- Windows
- Application Language Libraries
- Middleware (Apache httpd, etc.)
- SBOM
- Containers
- Network devices, commercial products, and other items registered in NVD and JVN
- WordPress core, plugins, and themes supported by wpscan.com
Local Scans#
Linux#
Supported for Linux Host Scans.
| Distribution | Supported Versions |
|---|---|
| Red Hat Enterprise Linux | 7, 8, 9, 10 |
| Amazon Linux | 2, 2022, 2023 ※1 |
| Debian | 11, 12, 13 ※2 |
| Ubuntu | 18, 20, 22, 24, 26 |
| Oracle Linux | 8, 9, 10 |
| Rocky Linux | 8, 9, 10 |
| AlmaLinux OS | 8, 9, 10 |
| Fedora Linux | 43, 44 |
| openSUSE | tumbleweed |
| openSUSE Leap | 16 |
| SUSE Enterprise | 15, 16 |
※1 Amazon Linux 2 and 2022 will reach EOL on June 30, 2026, and will no longer be supported.
※2 Debian 11 will reach EOL on June 30, 2026, and will no longer be supported.
- Extended update support status is as follows:
- EUS for Red Hat Enterprise Linux is currently not supported.
- ESM for Ubuntu is supported.
Windows#
Supported for Windows Host Scans.
| Distribution | Supported Versions |
|---|---|
| Windows Server | 2016, 2019, 2022, 2025 |
| Windows | 10, 11 |
Paste Scans#
Linux#
Supported for Linux Paste Scans.
| Distribution | Supported Versions |
|---|---|
| Red Hat Enterprise Linux | 7, 8, 9, 10 |
| Amazon Linux | 2, 2022, 2023 ※1 |
| Debian | 11, 12, 13 ※2 |
| Ubuntu | 18, 20, 22, 24, 26 |
| Oracle Linux | 8, 9, 10 |
| Rocky Linux | 8, 9, 10 |
| AlmaLinux OS | 8, 9, 10 |
| Fedora Linux | 43, 44 |
| openSUSE | tumbleweed |
| openSUSE Leap | 16 |
| SUSE Enterprise | 15, 16 |
※1 Amazon Linux 2 and 2022 will reach EOL on June 30, 2026, and will no longer be supported.
※2 Debian 11 will reach EOL on June 30, 2026, and will no longer be supported.
Windows#
Supported for Windows Paste Scans.
| Distribution | Supported Versions |
|---|---|
| Windows Server | 2016, 2019, 2022, 2025 |
| Windows | 10, 11 |
Container Image Scans (Trivy)#
For targets supported by Docker Scans (Trivy), please refer to the Trivy documentation.
Additionally, for the standard method of installing Trivy in a local environment to perform a scan, the setup is only possible on the following OSes:
- Red Hat Enterprise Linux
- Amazon Linux
- Debian
- Ubuntu
- Rocky Linux
- AlmaLinux OS
- Fedora Linux
- openSUSE
- openSUSE Leap
- SUSE Enterprise
- Oracle Linux
- FreeBSD
Inspector Scans#
For targets supported by Inspector Scans and Vulnerability Scans of Container Images on ECR, which integrate with Amazon Inspector to import scan results into FutureVuls, please refer to the Amazon Inspector documentation.
Application Dependency Libraries#
Applications Not Present in the Data Source Are Not Detected
Applications not present in Trivy's data source will not be detected (e.g., Android OSS).
Importing Application SBOMs#
For instructions on using SBOM tools and their supported lockfiles, please refer to the documentation for each tool. For the advantages and disadvantages of each scanning method, please refer to 'Scan Method Options and Features > Scan Application Dependency Libraries'.
- Lockfiles supported by Trivy
- Syft documentation
- SPDX from image scans does not include OS information and therefore cannot be imported.
- Vuls / FutureVuls SBOM
- Supported targets are the same as for 'Lockfile Paste Scans'.
- SBOM Tool
- Uses component-detection for software detection.
- Only SPDX v2.2 is supported.
- CycloneDX Generator (cdxgen) documentation
- Operating systems and programming languages supported by Amazon Inspector
Lockfile Paste Scans / Scans Specifying a Lockfile with Vuls Scanner#
Supported for Lockfile Paste Scans and scans specifying a lockfile with Vuls Scanner.
Both methods use the same parser internally (scanner.AnalyzeLibrary) and only analyze the contents of the lockfile. The behavior for distinguishing development dependencies is identical.
| Lang | Lockfile | Paste | Vuls Scanner | Dev Distinction | Dev Detection Criteria |
|---|---|---|---|---|---|
| Node.js | package-lock.json | ✓ | ✓ | Yes | "dev": true field |
| Node.js | pnpm-lock.yaml | ✓ | ✓ | Yes | devDependencies section |
| Node.js | bun.lock | ✓ | ✓ | Yes | devDependencies section |
| Node.js | yarn.lock | ✓ | ✓ | No | - |
| Python | poetry.lock | ✓ | ✓ | Yes | category = "dev" or groups does not include "main" |
| Python | uv.lock | ✓ | ✓ | Yes | dev-dependencies section |
| Python | Pipfile.lock | ✓ | ✓ | No | Dependencies in the "develop" section are completely excluded |
| Python | requirements.txt | ✓ | ✓ | No | - |
| PHP | composer.lock | ✓ | ✓ | Yes | "packages-dev" section |
| Java | gradle.lockfile | ✓ | ✓ | Yes | all classpaths start with test |
| Java | pom.xml | ✓ | ✓ | No | Dependencies with <scope>test</scope> are completely excluded |
| Java | JAR, WAR, EAR, PAR | - | ✓ | No | - |
| .NET | packages.lock.json | ✓ | ✓ | No | - |
| Go | go.mod | ✓ | ✓ | No | - |
| Go | go.sum | - | ✓ | No | - |
| Go | Go binary | - | ✓ | No | - |
| Rust | Cargo.lock | ✓ | ✓ | No | - |
| Rust | Rust binary | - | ✓ | No | Dependencies other than runtime are completely excluded |
| Ruby | Gemfile.lock | ✓ | ✓ | No | - |
| Ruby | .gemspec | - | ✓ | No | - |
| C / C++ | conan.lock | ✓ | ✓ | No | - |
| Elixir | mix.lock | ✓ | ✓ | No | - |
| Dart | pubspec.lock | ✓ | ✓ | No | - |
| Swift | Package.resolved | ✓ | ✓ | No | - |
| Swift | Podfile.lock (CocoaPods) | ✓ | ✓ | No | - |
Meaning of the 'Dev Distinction' Column
- Yes: The lockfile format allows for distinguishing between development and production dependencies. By default, devDependencies are excluded from the scan results. If the 'Include devDependencies' option is enabled when adding the lockfile, they will be included in the scan results with a [DevDependency] badge.
- No: The lockfile format does not allow for distinguishing between development and production dependencies, so all dependencies are included in the scan results.
Differences based on pnpm-lock.yaml version
For pnpm-lock.yaml, Dev detection behavior differs depending on the lockfileVersion.
- v9 or later: Dev dependencies are identified from the
devDependenciesin theimporterssection and can be included in scan results with a [DevDependency] badge (Trivy documentation: "Trivy supports Dev field for pnpm-lock.yaml v9 or later"). - v5 to v8: Dev dependencies are completely excluded by Trivy's parser. They are always removed from the scan results, regardless of the 'Include devDependencies' option.
Special Case for Pipfile.lock
Dependencies included in the "develop" section of Pipfile.lock are completely excluded by Trivy's parser. The parser only reads the "default" section, so packages in the "develop" section are always removed from scan results, regardless of the 'Include devDependencies' option (as of Trivy v0.69.1).
Special Case for pom.xml
Dependencies specified with <scope>test</scope> in Maven are completely excluded by Trivy. Trivy only scans import, compile, runtime, and empty scopes; the test scope is always removed from scan results (Trivy documentation).
Scans Specifying a Filesystem Path with Trivy#
For supported targets in scans specifying a filesystem path with Trivy, please refer to the 'Filesystem' column in the Trivy documentation.
Since Trivy can access the filesystem, it reads surrounding files in addition to the lockfile itself, improving the accuracy of development dependency detection. The following lockfiles enable development dependency distinction that is not possible with Paste Scans or Vuls Scanner.
| Lang | Lockfile | Surrounding Files | Dev Detection Criteria |
|---|---|---|---|
| Node.js | yarn.lock | package.json |
devDependencies section |
| Python | poetry.lock | pyproject.toml |
[tool.poetry.group.dev.dependencies] section |
| PHP | composer.lock | composer.json |
require-dev section |
| Rust | Cargo.lock | Cargo.toml |
Dependencies in [dev-dependencies] are completely excluded |
Development dependency detection for lockfiles other than those listed above is the same as for Paste Scans / Vuls Scanner. For details, please refer to the 'Dev' column on the respective language pages in the Trivy documentation (e.g., Node.js, Python, Java).
Additionally, for the standard method of installing Trivy in a local environment to perform a scan, the setup is only possible on the following OSes:
- Red Hat Enterprise Linux
- Amazon Linux
- Debian
- Ubuntu
- Rocky Linux
- AlmaLinux OS
- Fedora Linux
- openSUSE
- openSUSE Leap
- SUSE Enterprise
- Oracle Linux
- FreeBSD
CPE Scans#
Registering CPEs on the FutureVuls UI enables detection of products registered in NVD and JVN.
WordPress Scans#
WordPress Scans target WordPress core, plugins, and themes supported by wpscan.com.
SSM Integration#
The 'SSM Integration Scan' is a feature that allows you to select EC2 instances on FutureVuls and scan them on-demand.
The 'SSM Integration Package Update' is a feature that allows you to select a task on FutureVuls and update packages on the associated EC2 instances.
| Distribution | SSM Integration Scan | SSM Integration Package Update |
|---|---|---|
| Red Hat Enterprise Linux | ✓ | ✓ |
| Amazon Linux | ✓ | ✓ |
| Debian | ✓ | ✓ |
| Ubuntu | ✓ | ✓ |
| Oracle Linux | ✓ | - |
| Rocky Linux | ✓ | - |
| AlmaLinux8 | ✓ | - |
| SUSE Enterprise | ✓ | - |