Image Scans: SBOM generated by trivy does not contain license information for gobinary depedencies

[seth-priya]

Question

Ran an image scan on the mimir image using
trivy image grafana/mimir:latest -f cyclonedx > mimir.sbom.out

The SBOM /Cyclodex output has the "gobinary" dependencies of mimir listed (around 180 packages in all) listed but these don't have the license info, sample entry

    {
      "bom-ref": "pkg:golang/cloud.google.com/[email protected]",
      "type": "library",
      "name": "cloud.google.com/go",
      "version": "v0.110.0",
      "purl": "pkg:golang/cloud.google.com/[email protected]",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "gobinary"
        },
        {
          "name": "aquasecurity:trivy:LayerDiffID",
          "value": "sha256:9925587b7dc65809a8538443feea4b6059008ee688203f4f30d9ead9b9872386"
        }
      ]
    },

https://github.com/CycloneDX/cyclonedx-gomod has the capability to provide license info for gobinary dependencies

Target

Container Image

Scanner

License

Output Format

CycloneDX

Mode

Standalone

Operating System

Linux x86_64

Version

[root@x006vm56 ~]# trivy --version
Version: 0.41.0

[knqyf263]

Go binaries don't include the license information. You can see the info by "go version -m".

[knqyf263]

should it be skipping the dependencies altogether and not even listing them then?

It is up to you. If you need licenses, you should scan go.mod.

[seth-priya]

ok, so I am doing a container scan, which means (go) binaries are scanned automatically but not the modules it depends on. If I want to scan those as well, then I need to scan the go.mod separately? or is there a way to combine this into a single command? I am mostly looking at generating the full BOM info for the container for le gal compliance with all the dependencies and license for each. Currently I am getting a whole bunch of packages that are listed in the SBOM (the dependencies of the mimir gobinary in my case where I am scanning a mimir container) that don't have associated license info.

[knqyf263]

Good point.

If I want to scan those as well, then I need to scan the go.mod separately?

Unfortunately, you need to scan the go.mod separately and combine those SBOMs on your end.

[seth-priya]

Just reviving this discussion as the missing license information for go packages listed in the cyclonedx output for containers (SBOM) continues to be a bit of a problem for us.

Just trying to add more clarity here
For the case of "mimir" that I mentioned in the initial discussion, this particular package does not have a corresponding "License" field in the cyclonedx output generated by trivy on the "mimir" container that contains the "mimir" binary and below is one of the binary dependencies

{
    "bom-ref": "pkg:golang/cloud.google.com/[email protected]",
    "type": "library",
    "name": "cloud.google.com/go",
    "version": "v0.105.0",
    "purl": "pkg:golang/cloud.google.com/[email protected]",
    "properties": [
      {
        "name": "aquasecurity:trivy:PkgType",
        "value": "gobinary"
      },
      {
        "name": "aquasecurity:trivy:LayerDiffID",
        "value": "sha256:87cdafda44d7eafe8709be296429c5d1d23f99df9fb5cb786f212ddaf4be8686"
      }
    ]
  },

However, if I run the "cyclonedx-gomod" tool https://github.com/CycloneDX/cyclonedx-gomod that has the capability of generating license information for gobinary files like $HOME/go/bin/cyclonedx-gomod bin -json -output mimir.bom.json $HOME/mimir/cmd/mimir/mimir on the "mimir" binary, it gives be the same "gobinary" entries in the cyclonedx output as trivy but with license info included, sample entry (same package as above)

{
  "bom-ref": "pkg:golang/cloud.google.com/[email protected]?type=module",
  "type": "library",
  "name": "cloud.google.com/go",
  "version": "v0.105.0",
  "scope": "required",
  "purl": "pkg:golang/cloud.google.com/[email protected]?type=module\u0026goos=linux\u0026goarch=ppc64le",
  "evidence": {
    **"licenses": [
      {
        "license": {
          "id": "Apache-2.0"
        }**
      }
    ]
  }
},

I am currently not sure how the implementation of trivy differs from cyclonex-gomod in this regards, but since cyclonedx-gomod runs directly on the binary, I am not really explicitly giving it the go.mod file, maybe it's doing some online look ups or something to get to it.

[gerrith3]

@knqyf263 I'm not sure I understand why you wouldn't want trivy to be "all inclusive" here? It is already one of the better scanners available but having to stitch together outputs from multiple scanners is not a very good end user model for any of us. Sure we can write tooling, but does everyone generating SBOM, License and CVE output have to write their own tools to stitch together some random set of tools to get a good output? Or can we work to combine the best (and fastest) scanning tools into a single tool which builds a broader level of trust and confidence for all of us based on reliability, ease of use, completeness, etc.? I think what @seth-priya is pointing out is one of two or three areas where trivy is a little weak and could be strengthened a bit to make it the easy, go-to tool for quick and thorough scans. Sure there may be commercial products that are better, or more complete, but having the basics in a solid tool seems like it is a win for everyone!

[LesSyner]

@gerrith3 @seth-priya we hit the same issue as you some time ago. So I just wanted to provide you solution, which solved it for us. Since trivy developers have no intention to fix it inside trivy we went the way to enrich SBOM generated by trivy. We found great tool for this - parlay ( https://snyk.io/blog/introducing-parlay/ ). You simply run it in the pipe after trivy and you have SBOM with all licenses - very nice, simple and efficient solution.