Incorrect .NET deps parsing #257

Open
noqcks opened this issue Sep 20, 2023 · 0 comments · May be fixed by #258

noqcks commented Sep 20, 2023

I originally posted this on the trivy repo, but figured it should actually be posted here. Original post: aquasecurity/trivy#5208


### Description

Trivy doesn't generate a correct .NET dependency tree in CycloneDX. Please see this gist for the reference .deps.json file I'm using: https://gist.github.com/noqcks/49089249820126cbaabe59b70ba12ae4

See the desired and actual behaviour section

### Desired Behavior

Dependencies are listed for this package

```json
{
  "ref": "pkg:nuget/[email protected]",
  "dependsOn": [
    "pkg:nuget/[email protected]",
    "pkg:nuget/[email protected]",
    "pkg:nuget/[email protected]"
  ]
}
```

### Actual Behavior

The dependencies are empty.

```json
{
  "ref": "pkg:nuget/[email protected]",
  "dependsOn": []
},
```

### Reproduction Steps

Copy the .deps.json file from here: https://gist.github.com/noqcks/49089249820126cbaabe59b70ba12ae4

Run

```bash
trivy fs MyWebApp.deps.json --format cyclonedx
```


### Target

Filesystem

### Scanner

None

### Output Format

CycloneDX

### Mode

Standalone

### Debug Output

```bash
trivy fs MyWebApp.deps.json --format cyclonedx --debug
2023-09-18T09:13:42.744-0700	DEBUG	["cyclonedx" "spdx" "spdx-json" "github"] automatically enables '--list-all-pkgs'.
2023-09-18T09:13:42.745-0700	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-09-18T09:13:42.745-0700	DEBUG	Ignore statuses	{"statuses": null}
2023-09-18T09:13:42.746-0700	INFO	"--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.
2023-09-18T09:13:42.759-0700	DEBUG	cache dir:  /Users/noqcks/Library/Caches/trivy
2023-09-18T09:13:42.762-0700	DEBUG	Walk the file tree rooted at 'MyWebApp.deps.json' in parallel
2023-09-18T09:13:42.783-0700	DEBUG	OS is not detected.
{
  "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:6e5fc8cb-f23a-4d7d-aae9-9d8b60335e40",
  "version": 1,
  "metadata": {
    "timestamp": "2023-09-18T16:13:42+00:00",
    "tools": [
      {
        "vendor": "aquasecurity",
        "name": "trivy",
        "version": "0.45.0"
      }
    ],
    "component": {
      "bom-ref": "658f88d9-f9eb-4fdd-be0b-a1c4772fd1fe",
      "type": "application",
      "name": "MyWebApp.deps.json",
      "properties": [
        {
          "name": "aquasecurity:trivy:SchemaVersion",
          "value": "2"
        }
      ]
    }
  },
  "components": [
    {
      "bom-ref": "073fa28b-e147-4c07-8bec-046dadbc456e",
      "type": "application",
      "name": "MyWebApp.deps.json",
      "properties": [
        {
          "name": "aquasecurity:trivy:Class",
          "value": "lang-pkgs"
        },
        {
          "name": "aquasecurity:trivy:Type",
          "value": "dotnet-core"
        }
      ]
    },
    {
      "bom-ref": "pkg:nuget/Microsoft.AspNetCore.Authentication.Abstractions@2.2.0",
      "type": "library",
      "name": "Microsoft.AspNetCore.Authentication.Abstractions",
      "version": "2.2.0",
      "purl": "pkg:nuget/Microsoft.AspNetCore.Authentication.Abstractions@2.2.0",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "dotnet-core"
        }
      ]
    },
    {
      "bom-ref": "pkg:nuget/Microsoft.AspNetCore.Authentication.Core@2.2.0",
      "type": "library",
      "name": "Microsoft.AspNetCore.Authentication.Core",
      "version": "2.2.0",
      "purl": "pkg:nuget/Microsoft.AspNetCore.Authentication.Core@2.2.0",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "dotnet-core"
        }
      ]
    },
    {
      "bom-ref": "pkg:nuget/Microsoft.AspNetCore.Connections.Abstractions@2.2.0",
      "type": "library",
      "name": "Microsoft.AspNetCore.Connections.Abstractions",
      "version": "2.2.0",
      "purl": "pkg:nuget/Microsoft.AspNetCore.Connections.Abstractions@2.2.0",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "dotnet-core"
        }
      ]
    },
    {
      "bom-ref": "pkg:nuget/Microsoft.AspNetCore.Hosting.Abstractions@2.2.0",
      "type": "library",
      "name": "Microsoft.AspNetCore.Hosting.Abstractions",
      "version": "2.2.0",
      "purl": "pkg:nuget/Microsoft.AspNetCore.Hosting.Abstractions@2.2.0",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "dotnet-core"
        }
      ]
    },
    {
      "bom-ref": "pkg:nuget/Microsoft.AspNetCore.Hosting.Server.Abstractions@2.2.0",
      "type": "library",
      "name": "Microsoft.AspNetCore.Hosting.Server.Abstractions",
      "version": "2.2.0",
      "purl": "pkg:nuget/Microsoft.AspNetCore.Hosting.Server.Abstractions@2.2.0",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "dotnet-core"
        }
      ]
    },
    {
      "bom-ref": "pkg:nuget/Microsoft.AspNetCore.Http.Abstractions@2.2.0",
      "type": "library",
      "name": "Microsoft.AspNetCore.Http.Abstractions",
      "version": "2.2.0",
      "purl": "pkg:nuget/Microsoft.AspNetCore.Http.Abstractions@2.2.0",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "dotnet-core"
        }
      ]
    },
    {
      "bom-ref": "pkg:nuget/Microsoft.AspNetCore.Http.Extensions@2.2.0",
      "type": "library",
      "name": "Microsoft.AspNetCore.Http.Extensions",
      "version": "2.2.0",
      "purl": "pkg:nuget/Microsoft.AspNetCore.Http.Extensions@2.2.0",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "dotnet-core"
        }
      ]
    },
    {
      "bom-ref": "pkg:nuget/Microsoft.AspNetCore.Http.Features@2.2.0",
      "type": "library",
      "name": "Microsoft.AspNetCore.Http.Features",
      "version": "2.2.0",
      "purl": "pkg:nuget/Microsoft.AspNetCore.Http.Features@2.2.0",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "dotnet-core"
        }
      ]
    },
    {
      "bom-ref": "pkg:nuget/Microsoft.AspNetCore.Http@2.2.0",
      "type": "library",
      "name": "Microsoft.AspNetCore.Http",
      "version": "2.2.0",
      "purl": "pkg:nuget/Microsoft.AspNetCore.Http@2.2.0",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "dotnet-core"
        }
      ]
    },
    {
      "bom-ref": "pkg:nuget/Microsoft.AspNetCore.Server.IIS@2.2.6",
      "type": "library",
      "name": "Microsoft.AspNetCore.Server.IIS",
      "version": "2.2.6",
      "purl": "pkg:nuget/Microsoft.AspNetCore.Server.IIS@2.2.6",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "dotnet-core"
        }
      ]
    },
    {
      "bom-ref": "pkg:nuget/Microsoft.AspNetCore.WebUtilities@2.2.0",
      "type": "library",
      "name": "Microsoft.AspNetCore.WebUtilities",
      "version": "2.2.0",
      "purl": "pkg:nuget/Microsoft.AspNetCore.WebUtilities@2.2.0",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "dotnet-core"
        }
      ]
    },
    {
      "bom-ref": "pkg:nuget/Microsoft.Extensions.Configuration.Abstractions@2.2.0",
      "type": "library",
      "name": "Microsoft.Extensions.Configuration.Abstractions",
      "version": "2.2.0",
      "purl": "pkg:nuget/Microsoft.Extensions.Configuration.Abstractions@2.2.0",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "dotnet-core"
        }
      ]
    },
    {
      "bom-ref": "pkg:nuget/Microsoft.Extensions.DependencyInjection.Abstractions@2.2.0",
      "type": "library",
      "name": "Microsoft.Extensions.DependencyInjection.Abstractions",
      "version": "2.2.0",
      "purl": "pkg:nuget/Microsoft.Extensions.DependencyInjection.Abstractions@2.2.0",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "dotnet-core"
        }
      ]
    },
    {
      "bom-ref": "pkg:nuget/Microsoft.Extensions.FileProviders.Abstractions@2.2.0",
      "type": "library",
      "name": "Microsoft.Extensions.FileProviders.Abstractions",
      "version": "2.2.0",
      "purl": "pkg:nuget/Microsoft.Extensions.FileProviders.Abstractions@2.2.0",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "dotnet-core"
        }
      ]
    },
    {
      "bom-ref": "pkg:nuget/Microsoft.Extensions.Hosting.Abstractions@2.2.0",
      "type": "library",
      "name": "Microsoft.Extensions.Hosting.Abstractions",
      "version": "2.2.0",
      "purl": "pkg:nuget/Microsoft.Extensions.Hosting.Abstractions@2.2.0",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "dotnet-core"
        }
      ]
    },
    {
      "bom-ref": "pkg:nuget/Microsoft.Extensions.Logging.Abstractions@2.2.0",
      "type": "library",
      "name": "Microsoft.Extensions.Logging.Abstractions",
      "version": "2.2.0",
      "purl": "pkg:nuget/Microsoft.Extensions.Logging.Abstractions@2.2.0",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "dotnet-core"
        }
      ]
    },
    {
      "bom-ref": "pkg:nuget/Microsoft.Extensions.ObjectPool@2.2.0",
      "type": "library",
      "name": "Microsoft.Extensions.ObjectPool",
      "version": "2.2.0",
      "purl": "pkg:nuget/Microsoft.Extensions.ObjectPool@2.2.0",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "dotnet-core"
        }
      ]
    },
    {
      "bom-ref": "pkg:nuget/Microsoft.Extensions.Options@2.2.0",
      "type": "library",
      "name": "Microsoft.Extensions.Options",
      "version": "2.2.0",
      "purl": "pkg:nuget/Microsoft.Extensions.Options@2.2.0",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "dotnet-core"
        }
      ]
    },
    {
      "bom-ref": "pkg:nuget/Microsoft.Extensions.Primitives@2.2.0",
      "type": "library",
      "name": "Microsoft.Extensions.Primitives",
      "version": "2.2.0",
      "purl": "pkg:nuget/Microsoft.Extensions.Primitives@2.2.0",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "dotnet-core"
        }
      ]
    },
    {
      "bom-ref": "pkg:nuget/Microsoft.NETCore.Platforms@2.0.0",
      "type": "library",
      "name": "Microsoft.NETCore.Platforms",
      "version": "2.0.0",
      "purl": "pkg:nuget/Microsoft.NETCore.Platforms@2.0.0",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "dotnet-core"
        }
      ]
    },
    {
      "bom-ref": "pkg:nuget/Microsoft.Net.Http.Headers@2.2.0",
      "type": "library",
      "name": "Microsoft.Net.Http.Headers",
      "version": "2.2.0",
      "purl": "pkg:nuget/Microsoft.Net.Http.Headers@2.2.0",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "dotnet-core"
        }
      ]
    },
    {
      "bom-ref": "pkg:nuget/System.Buffers@4.5.0",
      "type": "library",
      "name": "System.Buffers",
      "version": "4.5.0",
      "purl": "pkg:nuget/System.Buffers@4.5.0",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "dotnet-core"
        }
      ]
    },
    {
      "bom-ref": "pkg:nuget/System.ComponentModel.Annotations@4.5.0",
      "type": "library",
      "name": "System.ComponentModel.Annotations",
      "version": "4.5.0",
      "purl": "pkg:nuget/System.ComponentModel.Annotations@4.5.0",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "dotnet-core"
        }
      ]
    },
    {
      "bom-ref": "pkg:nuget/System.IO.Pipelines@4.5.3",
      "type": "library",
      "name": "System.IO.Pipelines",
      "version": "4.5.3",
      "purl": "pkg:nuget/System.IO.Pipelines@4.5.3",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "dotnet-core"
        }
      ]
    },
    {
      "bom-ref": "pkg:nuget/System.Memory@4.5.1",
      "type": "library",
      "name": "System.Memory",
      "version": "4.5.1",
      "purl": "pkg:nuget/System.Memory@4.5.1",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "dotnet-core"
        }
      ]
    },
    {
      "bom-ref": "pkg:nuget/System.Runtime.CompilerServices.Unsafe@4.5.1",
      "type": "library",
      "name": "System.Runtime.CompilerServices.Unsafe",
      "version": "4.5.1",
      "purl": "pkg:nuget/System.Runtime.CompilerServices.Unsafe@4.5.1",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "dotnet-core"
        }
      ]
    },
    {
      "bom-ref": "pkg:nuget/System.Security.Principal.Windows@4.5.0",
      "type": "library",
      "name": "System.Security.Principal.Windows",
      "version": "4.5.0",
      "purl": "pkg:nuget/System.Security.Principal.Windows@4.5.0",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "dotnet-core"
        }
      ]
    },
    {
      "bom-ref": "pkg:nuget/System.Text.Encodings.Web@4.5.0",
      "type": "library",
      "name": "System.Text.Encodings.Web",
      "version": "4.5.0",
      "purl": "pkg:nuget/System.Text.Encodings.Web@4.5.0",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "dotnet-core"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "073fa28b-e147-4c07-8bec-046dadbc456e",
      "dependsOn": [
        "pkg:nuget/[email protected]",
        "pkg:nuget/[email protected]",
        "pkg:nuget/[email protected]",
        "pkg:nuget/[email protected]",
        "pkg:nuget/[email protected]",
        "pkg:nuget/[email protected]",
        "pkg:nuget/[email protected]",
        "pkg:nuget/[email protected]",
        "pkg:nuget/[email protected]",
        "pkg:nuget/[email protected]",
        "pkg:nuget/[email protected]",
        "pkg:nuget/[email protected]",
        "pkg:nuget/[email protected]",
        "pkg:nuget/[email protected]",
        "pkg:nuget/[email protected]",
        "pkg:nuget/[email protected]",
        "pkg:nuget/[email protected]",
        "pkg:nuget/[email protected]",
        "pkg:nuget/[email protected]",
        "pkg:nuget/[email protected]",
        "pkg:nuget/[email protected]",
        "pkg:nuget/[email protected]",
        "pkg:nuget/[email protected]",
        "pkg:nuget/[email protected]",
        "pkg:nuget/[email protected]",
        "pkg:nuget/[email protected]",
        "pkg:nuget/[email protected]",
        "pkg:nuget/[email protected]"
      ]
    },
    {
      "ref": "658f88d9-f9eb-4fdd-be0b-a1c4772fd1fe",
      "dependsOn": [
        "073fa28b-e147-4c07-8bec-046dadbc456e"
      ]
    },
    {
      "ref": "pkg:nuget/[email protected]",
      "dependsOn": []
    },
    {
      "ref": "pkg:nuget/[email protected]",
      "dependsOn": []
    },
    {
      "ref": "pkg:nuget/[email protected]",
      "dependsOn": []
    },
    {
      "ref": "pkg:nuget/[email protected]",
      "dependsOn": []
    },
    {
      "ref": "pkg:nuget/[email protected]",
      "dependsOn": []
    },
    {
      "ref": "pkg:nuget/[email protected]",
      "dependsOn": []
    },
    {
      "ref": "pkg:nuget/[email protected]",
      "dependsOn": []
    },
    {
      "ref": "pkg:nuget/[email protected]",
      "dependsOn": []
    },
    {
      "ref": "pkg:nuget/[email protected]",
      "dependsOn": []
    },
    {
      "ref": "pkg:nuget/[email protected]",
      "dependsOn": []
    },
    {
      "ref": "pkg:nuget/[email protected]",
      "dependsOn": []
    },
    {
      "ref": "pkg:nuget/[email protected]",
      "dependsOn": []
    },
    {
      "ref": "pkg:nuget/[email protected]",
      "dependsOn": []
    },
    {
      "ref": "pkg:nuget/[email protected]",
      "dependsOn": []
    },
    {
      "ref": "pkg:nuget/[email protected]",
      "dependsOn": []
    },
    {
      "ref": "pkg:nuget/[email protected]",
      "dependsOn": []
    },
    {
      "ref": "pkg:nuget/[email protected]",
      "dependsOn": []
    },
    {
      "ref": "pkg:nuget/[email protected]",
      "dependsOn": []
    },
    {
      "ref": "pkg:nuget/[email protected]",
      "dependsOn": []
    },
    {
      "ref": "pkg:nuget/[email protected]",
      "dependsOn": []
    },
    {
      "ref": "pkg:nuget/[email protected]",
      "dependsOn": []
    },
    {
      "ref": "pkg:nuget/[email protected]",
      "dependsOn": []
    },
    {
      "ref": "pkg:nuget/[email protected]",
      "dependsOn": []
    },
    {
      "ref": "pkg:nuget/[email protected]",
      "dependsOn": []
    },
    {
      "ref": "pkg:nuget/[email protected]",
      "dependsOn": []
    },
    {
      "ref": "pkg:nuget/[email protected]",
      "dependsOn": []
    },
    {
      "ref": "pkg:nuget/[email protected]",
      "dependsOn": []
    },
    {
      "ref": "pkg:nuget/[email protected]",
      "dependsOn": []
    }
  ],
  "vulnerabilities": []
}
```

### Operating System

macOS

### Version

Version: 0.45.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-09-18 12:17:08.645500979 +0000 UTC
  NextUpdate: 2023-09-18 18:17:08.645500079 +0000 UTC
  DownloadedAt: 2023-09-18 15:19:46.14853 +0000 UTC


### Checklist

- [X] Run `trivy image --reset`
- [X] Read [the troubleshooting](https://aquasecurity.github.io/trivy/latest/docs/references/troubleshooting/)
@noqcks noqcks linked a pull request Sep 20, 2023 that will close this issue
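
How the `targets` section of a `.deps.json` file maps to the per-package `dependsOn` edges this issue asks for, as an added example that is not go-dep-parser's or Trivy's code. The embedded file, its `Example.*` package names and the `DependsOn` function are constructed for illustration and are not taken from the linked gist.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample .deps.json (not the gist from the issue); Example.App is the project.
const sampleDeps = `{"runtimeTarget": {"name": ".NETCoreApp,Version=v6.0"},
 "targets": {".NETCoreApp,Version=v6.0": {
   "Example.App/1.0.0": {"dependencies": {"Example.Http": "2.2.0"}},
   "Example.Http/2.2.0": {"dependencies": {"Example.Features": "2.2.0", "Example.Buffers": "4.5.0"}},
   "Example.Features/2.2.0": {}, "Example.Buffers/4.5.0": {}}},
 "libraries": {
   "Example.App/1.0.0": {"type": "project"}, "Example.Http/2.2.0": {"type": "package"},
   "Example.Features/2.2.0": {"type": "package"}, "Example.Buffers/4.5.0": {"type": "package"}}}`

type depsFile struct {
	RuntimeTarget struct{ Name string } `json:"runtimeTarget"`
	Targets       map[string]map[string]struct {
		Dependencies map[string]string `json:"dependencies"`
	} `json:"targets"`
	Libraries map[string]struct{ Type string } `json:"libraries"`
}

// DependsOn returns, for every NuGet package of the runtime target,
// the sorted purls of its direct dependencies (empty slice for leaves).
func DependsOn(raw []byte) (map[string][]string, error) {
	var f depsFile
	if err := json.Unmarshal(raw, &f); err != nil {
		return nil, err
	}
	graph := map[string][]string{}
	for id, lib := range f.Targets[f.RuntimeTarget.Name] {
		if f.Libraries[id].Type == "package" { // skip the project entry itself
			ref := "pkg:nuget/" + strings.Replace(id, "/", "@", 1)
			graph[ref] = []string{}
			for name, ver := range lib.Dependencies {
				graph[ref] = append(graph[ref], "pkg:nuget/"+name+"@"+ver)
			}
			sort.Strings(graph[ref])
		}
	}
	return graph, nil
}

func main() {
	fmt.Println(DependsOn([]byte(sampleDeps)))
}
```

An SBOM whose `dependsOn` arrays are all empty, as in the output above, cannot be used to trace which direct dependency pulls in a vulnerable transitive package.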