
Unmatched Vulnerabilities.affects.ref when scanning CycloneDX sbom with duplicate Purls #7337

Open
2 tasks done
nikpivkin opened this issue Aug 13, 2024 Discussed in #7334 · 2 comments · May be fixed by #7340
Labels: kind/bug (Categorizes issue or PR as related to a bug), scan/sbom (Issues relating to SBOM)

Comments

@nikpivkin (Contributor)

Discussed in #7334

Originally posted by scott-boost August 13, 2024

Description

When scanning a CycloneDX SBOM with 2 components that have the exact same purls (but different bom-refs), the resulting vulnerability.affects.ref has a seemingly random ref.

NOTE: this bug does not occur if the format is json instead.

Desired Behavior

vulnerability.affects.ref points to a Component.bom-ref in the same sbom

Actual Behavior

vulnerability.affects.ref DOES NOT point to a Component.bom-ref in the same sbom

Reproduction Steps

1. wget https://pastebin.com/raw/iD0PiatU
2. trivy sbom --format cyclonedx --scanners vuln iD0PiatU

Target

SBOM

Scanner

Vulnerability

Output Format

CycloneDX

Mode

Standalone

Debug Output

2024-08-12T14:16:23-04:00	DEBUG	Cache dir	dir="/Users/scottluu/Library/Caches/trivy"
2024-08-12T14:16:23-04:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-08-12T14:16:23-04:00	DEBUG	Ignore statuses	statuses=[]
2024-08-12T14:16:23-04:00	DEBUG	DB update was skipped because the local DB is the latest
2024-08-12T14:16:23-04:00	DEBUG	DB info	schema=2 updated_at=2024-08-12T18:12:51.291637899Z next_update=2024-08-13T00:12:51.291637608Z downloaded_at=2024-08-12T18:15:47.484472Z
2024-08-12T14:16:23-04:00	INFO	Vulnerability scanning is enabled
2024-08-12T14:16:23-04:00	DEBUG	Vulnerability type	type=[os library]
2024-08-12T14:16:23-04:00	DEBUG	Enabling misconfiguration scanners	scanners=[]
2024-08-12T14:16:23-04:00	DEBUG	Initializing scan cache...	type="memory"
2024-08-12T14:16:23-04:00	INFO	Detected SBOM format	format="cyclonedx-json"
2024-08-12T14:16:23-04:00	DEBUG	Unmarshalling CycloneDX JSON...
2024-08-12T14:16:23-04:00	DEBUG	Skipping a component with an unsupported type	name="." version="" type=""
2024-08-12T14:16:23-04:00	DEBUG	OS is not detected.
2024-08-12T14:16:23-04:00	DEBUG	Detected OS: unknown
2024-08-12T14:16:23-04:00	INFO	Number of language-specific files	num=1
2024-08-12T14:16:23-04:00	INFO	[poetry] Detecting vulnerabilities...
2024-08-12T14:16:23-04:00	DEBUG	[poetry] Scanning packages for vulnerabilities	file_path="poetry.lock"

Operating System

macOS Sonoma 14.6.1

Version

Version: 0.54.0

Checklist
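The mismatch reported above can be checked mechanically on any CycloneDX JSON document. The following Go program is an added example written for this page; it is not Trivy code and does not use the pastebin SBOM from the report. It parses a constructed document (SampleBOM, embedded inline) in which two components share one purl but carry different bom-refs, records such duplicate purls, and flags every vulnerabilities[].affects[].ref that resolves neither to metadata.component.bom-ref nor to any components[].bom-ref. It uses only the standard library and assumes a flat components list (nested components are not walked); the vulnerability IDs and bom-ref values are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// SampleBOM is a constructed CycloneDX 1.5 JSON document, not the pastebin
// from the issue. Two components share one purl but have distinct bom-refs;
// the second vulnerability points at a ref that exists nowhere in the document.
const SampleBOM = `{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"bom-ref": "root", "type": "application", "name": "example-app"}},
  "components": [
    {"bom-ref": "pkg-a", "type": "library", "name": "examplelib", "version": "1.0.0", "purl": "pkg:pypi/examplelib@1.0.0"},
    {"bom-ref": "pkg-b", "type": "library", "name": "examplelib", "version": "1.0.0", "purl": "pkg:pypi/examplelib@1.0.0"}
  ],
  "vulnerabilities": [
    {"id": "EXAMPLE-VULN-1", "affects": [{"ref": "pkg-a"}]},
    {"id": "EXAMPLE-VULN-2", "affects": [{"ref": "pkg:pypi/examplelib@1.0.0"}]}
  ]
}`

// Minimal subset of the CycloneDX JSON schema needed for the audit; fields not
// listed here are ignored by encoding/json.
type cdxBOM struct {
	Metadata struct {
		Component *cdxComponent `json:"component"`
	} `json:"metadata"`
	Components      []cdxComponent `json:"components"`
	Vulnerabilities []struct {
		ID      string `json:"id"`
		Affects []struct {
			Ref string `json:"ref"`
		} `json:"affects"`
	} `json:"vulnerabilities"`
}

type cdxComponent struct {
	BOMRef string `json:"bom-ref"`
	PURL   string `json:"purl"`
}

// Dangling is one vulnerabilities[].affects[].ref that resolves to no bom-ref.
type Dangling struct {
	VulnID string
	Ref    string
}

// Report is the outcome of auditing one document.
type Report struct {
	DuplicatePURLs map[string][]string // purl -> sorted bom-refs, only where more than one
	Dangling       []Dangling
}

// Audit parses a CycloneDX JSON document, records purls shared by several
// components (the input condition in this issue) and flags every affects.ref
// that matches neither metadata.component.bom-ref nor any components[].bom-ref
// (the reported defect). Assumption: a flat component list; nested components
// are not walked.
func Audit(data []byte) (*Report, error) {
	var b cdxBOM
	if err := json.Unmarshal(data, &b); err != nil {
		return nil, fmt.Errorf("parse CycloneDX JSON: %w", err)
	}
	known := make(map[string]bool) // every bom-ref an affects.ref may legally point at
	if b.Metadata.Component != nil && b.Metadata.Component.BOMRef != "" {
		known[b.Metadata.Component.BOMRef] = true
	}
	byPURL := make(map[string][]string)
	for _, c := range b.Components {
		if c.BOMRef != "" {
			known[c.BOMRef] = true
		}
		if c.PURL != "" {
			byPURL[c.PURL] = append(byPURL[c.PURL], c.BOMRef)
		}
	}
	r := &Report{DuplicatePURLs: make(map[string][]string)}
	for purl, refs := range byPURL {
		if len(refs) > 1 {
			sort.Strings(refs)
			r.DuplicatePURLs[purl] = refs
		}
	}
	for _, v := range b.Vulnerabilities {
		for _, a := range v.Affects {
			if !known[a.Ref] {
				r.Dangling = append(r.Dangling, Dangling{VulnID: v.ID, Ref: a.Ref})
			}
		}
	}
	return r, nil
}

func main() {
	r, err := Audit([]byte(SampleBOM))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for purl, refs := range r.DuplicatePURLs {
		fmt.Printf("purl %s is carried by bom-refs %v\n", purl, refs)
	}
	for _, d := range r.Dangling {
		fmt.Printf("%s: affects.ref %q matches no bom-ref in this document\n", d.VulnID, d.Ref)
	}
}
```

Run against a scanner's CycloneDX output, a non-empty Dangling list means the vulnerability section cannot be joined back to the component section by bom-ref, which is the desired behaviour the report asks for; the DuplicatePURLs map tells you whether the same-purl condition that triggers this issue is present in the input.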

@nikpivkin nikpivkin added kind/bug Categorizes issue or PR as related to a bug. scan/sbom Issues relating to SBOM labels Aug 13, 2024
@nikpivkin (Contributor, Author)

@knqyf263 When converting a package to a component, should the bom-ref also be exported, since it is not empty when cyclonedx is scanned? https://github.com/aquasecurity/trivy/blob/main/pkg/sbom/io/encode.go#L379-L381

@knqyf263 (Collaborator)

> @knqyf263 When converting a package to a component, should the bom-ref also be exported, since it is not empty when cyclonedx is scanned? https://github.com/aquasecurity/trivy/blob/main/pkg/sbom/io/encode.go#L379-L381

Looks like yes
