
fix(sbom): detect OS from purl if OS component not found #7100

Open
DmitriyLewen opened this issue Jul 5, 2024 Discussed in #7073 · 3 comments · May be fixed by #7101
Assignees
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@DmitriyLewen
Contributor

Description

Detect OS from purl if OS component not found.
See #7073 for more details.


@DmitriyLewen DmitriyLewen added the kind/bug Categorizes issue or PR as related to a bug. label Jul 5, 2024
@DmitriyLewen DmitriyLewen self-assigned this Jul 5, 2024
@DmitriyLewen DmitriyLewen linked a pull request Jul 5, 2024 that will close this issue
@josephlim75

Any plan when this issue will be fixed and released? I have the same problem when running trivy version 0.54.1 on a wolfi image and get the warning "[sbom] Ignore the OS package as no OS is detected."

2024-08-31T03:46:39-04:00       INFO    [vuln] Vulnerability scanning is enabled
2024-08-31T03:46:39-04:00       INFO    [secret] Secret scanning is enabled
2024-08-31T03:46:39-04:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-31T03:46:39-04:00       INFO    [secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-31T03:46:44-04:00       WARN    [sbom] Ignore the OS package as no OS is detected.      file_path="var/lib/db/sbom/apk-tools-2.14.4-r0.spdx.json"
2024-08-31T03:46:44-04:00       WARN    [sbom] Ignore the OS package as no OS is detected.      file_path="var/lib/db/sbom/bash-5.2.32-r2.spdx.json"
2024-08-31T03:46:44-04:00       WARN    [sbom] Ignore the OS package as no OS is detected.      file_path="var/lib/db/sbom/busybox-1.36.1-r10.spdx.json"
2024-08-31T03:46:44-04:00       WARN    [sbom] Ignore the OS package as no OS is detected.      file_path="var/lib/db/sbom/docker-cli-27.2.0-r0.spdx.json"
2024-08-31T03:46:44-04:00       WARN    [sbom] Ignore the OS package as no OS is detected.      file_path="var/lib/db/sbom/ca-certificates-bundle-20240705-r0.spdx.json"
2024-08-31T03:46:44-04:00       WARN    [sbom] Ignore the OS package as no OS is detected.      file_path="var/lib/db/sbom/git-2.46.0-r2.spdx.json"
2024-08-31T03:46:44-04:00       WARN    [sbom] Ignore the OS package as no OS is detected.      file_path="var/lib/db/sbom/glibc-locale-posix-2.40-r1.spdx.json"
2024-08-31T03:46:44-04:00       WARN    [sbom] Ignore the OS package as no OS is detected.      file_path="var/lib/db/sbom/glibc-2.40-r1.spdx.json"
2024-08-31T03:46:44-04:00       WARN    [sbom] Ignore the OS package as no OS is detected.      file_path="var/lib/db/sbom/ld-linux-2.40-r1.spdx.json"
2024-08-31T03:46:44-04:00       WARN    [sbom] Ignore the OS package as no OS is detected.      file_path="var/lib/db/sbom/libbrotlicommon1-1.1.0-r4.spdx.json"
2024-08-31T03:46:44-04:00       WARN    [sbom] Ignore the OS package as no OS is detected.      file_path="var/lib/db/sbom/libbrotlidec1-1.1.0-r4.spdx.json"
2024-08-31T03:46:44-04:00       WARN    [sbom] Ignore the OS package as no OS is detected.      file_path="var/lib/db/sbom/libcrypt1-2.40-r1.spdx.json"
2024-08-31T03:46:44-04:00       WARN    [sbom] Ignore the OS package as no OS is detected.      file_path="var/lib/db/sbom/libcrypto3-3.3.1-r5.spdx.json"
2024-08-31T03:46:44-04:00       WARN    [sbom] Ignore the OS package as no OS is detected.      file_path="var/lib/db/sbom/libcurl-openssl4-8.9.1-r3.spdx.json"
2024-08-31T03:46:44-04:00       WARN    [sbom] Ignore the OS package as no OS is detected.      file_path="var/lib/db/sbom/libidn2-2.3.7-r2.spdx.json"
2024-08-31T03:46:44-04:00       WARN    [sbom] Ignore the OS package as no OS is detected.      file_path="var/lib/db/sbom/libexpat1-2.6.2-r1.spdx.json"
2024-08-31T03:46:44-04:00       WARN    [sbom] Ignore the OS package as no OS is detected.      file_path="var/lib/db/sbom/libnghttp2-14-1.63.0-r0.spdx.json"
2024-08-31T03:46:44-04:00       WARN    [sbom] Ignore the OS package as no OS is detected.      file_path="var/lib/db/sbom/libpcre2-8-0-10.44-r1.spdx.json"
2024-08-31T03:46:44-04:00       WARN    [sbom] Ignore the OS package as no OS is detected.      file_path="var/lib/db/sbom/libpsl-0.21.5-r3.spdx.json"
2024-08-31T03:46:44-04:00       WARN    [sbom] Ignore the OS package as no OS is detected.      file_path="var/lib/db/sbom/libssl3-3.3.1-r5.spdx.json"
2024-08-31T03:46:44-04:00       WARN    [sbom] Ignore the OS package as no OS is detected.      file_path="var/lib/db/sbom/libunistring-1.2-r2.spdx.json"
2024-08-31T03:46:44-04:00       WARN    [sbom] Ignore the OS package as no OS is detected.      file_path="var/lib/db/sbom/libxcrypt-4.4.36-r7.spdx.json"
2024-08-31T03:46:44-04:00       WARN    [sbom] Ignore the OS package as no OS is detected.      file_path="var/lib/db/sbom/ncurses-6.5_p20240629-r0.spdx.json"
2024-08-31T03:46:44-04:00       WARN    [sbom] Ignore the OS package as no OS is detected.      file_path="var/lib/db/sbom/ncurses-terminfo-base-6.5_p20240629-r0.spdx.json"
2024-08-31T03:46:44-04:00       WARN    [sbom] Ignore the OS package as no OS is detected.      file_path="var/lib/db/sbom/wget-1.24.5-r4.spdx.json"
2024-08-31T03:46:44-04:00       WARN    [sbom] Ignore the OS package as no OS is detected.      file_path="var/lib/db/sbom/wolfi-baselayout-20230201-r15.spdx.json"
2024-08-31T03:46:44-04:00       WARN    [sbom] Ignore the OS package as no OS is detected.      file_path="var/lib/db/sbom/zlib-1.3.1-r4.spdx.json"
2024-08-31T03:46:46-04:00       INFO    [python] License acquired from METADATA classifiers may be subject to additional terms  name="pip" version="24.2"
2024-08-31T03:46:46-04:00       INFO    [python] License acquired from METADATA classifiers may be subject to additional terms  name="autocommand" version="2.2.2"
2024-08-31T03:46:46-04:00       INFO    [python] License acquired from METADATA classifiers may be subject to additional terms  name="typeguard" version="4.3.0"
2024-08-31T03:46:46-04:00       INFO    Detected OS     family="wolfi" version="20230201"
2024-08-31T03:46:46-04:00       INFO    [wolfi] Detecting vulnerabilities...    pkg_num=27
2024-08-31T03:46:46-04:00       INFO    Number of language-specific files       num=1
2024-08-31T03:46:46-04:00       INFO    [python-pkg] Detecting vulnerabilities...

<image>-wolfi (wolfi 20230201)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

@josephlim75

Just reran trivy scan today, seems like the WARN message is no longer showing.

@DmitriyLewen
Contributor Author

Hello @josephlim75

> Just reran trivy scan today, seems like the WARN message is no longer showing.

I think you don't see warnings because Trivy takes the package list from the cache.

> Any plan when this issue will be fixed and released?

We have delay in work - #7303

But as I already wrote in #7101 (comment) - wolfi images duplicate packages - that's why Trivy doesn't pass packages.
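The fallback this issue asks for (derive the OS from the purl of an OS package when the SBOM carries no OS component), together with the duplicate-package point raised in the comment above, as an added Go example. It is not Trivy's code and not the change in #7101. Everything in it is an assumption made for the example: the purl layout in the sample data (namespace as the OS family, a `distro` qualifier holding either the version or `family-version`), the function names, and the package list, which is constructed from the package names visible in the log above rather than copied from a real wolfi SBOM.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Package is the subset of an SBOM package record this example needs; OS is what a
// scanner must know before it can match OS packages to a distro vulnerability DB.
type Package struct{ Name, Version, PURL string }
type OS struct{ Family, Version string }

// purl holds the parts of a package URL: pkg:type/namespace/name@version?qualifiers
type purl struct {
	Type, Namespace, Name, Version string
	Qualifiers                      map[string]string
}

// parsePURL is a minimal purl parser written for this example (not the package-url
// library); url.Parse handles the scheme, query and fragment of the opaque URL.
func parsePURL(s string) (purl, error) {
	u, err := url.Parse(s)
	if err != nil || u.Scheme != "pkg" || u.Opaque == "" {
		return purl{}, fmt.Errorf("%q: not a purl", s)
	}
	p := purl{Qualifiers: map[string]string{}}
	for k, v := range u.Query() {
		p.Qualifiers[strings.ToLower(k)] = v[0]
	}
	rest := strings.TrimLeft(u.Opaque, "/")
	if i := strings.LastIndexByte(rest, '@'); i >= 0 { // '@' inside names must be %-encoded
		p.Version, _ = url.PathUnescape(rest[i+1:])
		rest = rest[:i]
	}
	parts := strings.Split(rest, "/")
	if len(parts) < 2 || parts[len(parts)-1] == "" {
		return purl{}, fmt.Errorf("%q: type and name are required", s)
	}
	p.Type = strings.ToLower(parts[0])
	p.Name, _ = url.PathUnescape(parts[len(parts)-1])
	p.Namespace = strings.Join(parts[1:len(parts)-1], "/")
	return p, nil
}

// osFromPURL derives the OS from an OS-package purl. Assumed layout (this sample's
// convention, not a verified Trivy rule): namespace = OS family, "distro" = "<version>"
// or "<family>-<version>".
func osFromPURL(p purl) (OS, bool) {
	distro := p.Qualifiers["distro"]
	if (p.Type != "apk" && p.Type != "deb" && p.Type != "rpm") || distro == "" {
		return OS{}, false // language packages carry no OS; without distro there is no version
	}
	family, version := p.Namespace, distro
	if i := strings.LastIndexByte(distro, '-'); i > 0 && i+1 < len(distro) && distro[i+1] >= '0' && distro[i+1] <= '9' {
		family, version = distro[:i], distro[i+1:] // "wolfi-20230201" -> wolfi, 20230201
	}
	return OS{Family: strings.ToLower(family), Version: version}, family != ""
}

// detectOS prefers the OS component declared in the SBOM and otherwise falls back to
// the first OS-package purl that carries a distro: the fallback this issue asks for.
func detectOS(declared *OS, pkgs []Package) (OS, error) {
	if declared != nil && declared.Family != "" {
		return *declared, nil
	}
	for _, pkg := range pkgs { // a malformed purl is skipped, not fatal for the scan
		if p, err := parsePURL(pkg.PURL); err == nil {
			if detected, ok := osFromPURL(p); ok {
				return detected, nil
			}
		}
	}
	return OS{}, errors.New("no OS component and no OS-package purl with a distro qualifier")
}

// dedupePackages keeps one record per purl, in first-seen order, so per-package SBOM
// files that repeat each other's dependencies do not inflate the package list.
func dedupePackages(pkgs []Package) []Package {
	seen, out := map[string]bool{}, make([]Package, 0, len(pkgs))
	for _, p := range pkgs {
		if !seen[p.PURL] {
			seen[p.PURL], out = true, append(out, p)
		}
	}
	return out
}

// samplePackages is constructed data modelled on package names in the log above.
func samplePackages() []Package {
	bash := Package{"bash", "5.2.32-r2", "pkg:apk/wolfi/bash@5.2.32-r2?arch=x86_64&distro=wolfi-20230201"}
	return []Package{
		{"pip", "24.2", "pkg:pypi/pip@24.2"},
		{"apk-tools", "2.14.4-r0", "pkg:apk/wolfi/apk-tools@2.14.4-r0?arch=x86_64&distro=wolfi-20230201"},
		bash,
		{"wolfi-baselayout", "20230201-r15", "pkg:apk/wolfi/wolfi-baselayout@20230201-r15?arch=x86_64&distro=wolfi-20230201"},
		bash, // listed again by a second per-package SBOM file
	}
}

func main() {
	pkgs := dedupePackages(samplePackages())
	detected, err := detectOS(nil, pkgs) // nil: the SBOM declares no OS component
	fmt.Printf("os=%+v err=%v unique_packages=%d\n", detected, err, len(pkgs))
}
```

Run it with `go run`. With no declared OS the sample resolves to family wolfi, version 20230201, and the repeated bash entry collapses to one record. Note the failure mode the code keeps: an apk purl without a `distro` qualifier still yields no OS, because the family alone is not enough to pick a vulnerability database, so the caller must still handle the "no OS detected" error rather than assuming the fallback always succeeds.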
