(SBOM generate + SBOM scan) metadata differs from image scan metadata

[mhbardsley]

Description

I have noticed that some images provide different target names in their scanner output, when the image is scanned compared to when Trivy is used to generate an SBOM and then that SBOM is scanned.

The vulnerability counts provided in these cases are the same, which is why I think this differs from #3649.

I haven't been able to identify exactly what the scope of the issue is, but it is at least the case for gobinary target types. This is not reproducible for every image that contains vulnerable Go binaries.

Also I didn't run trivy clean --all as suggested when filing this issue because it doesn't appear to be a supported subcommand anymore.

Desired Behavior

The path to Go binaries should be consistent for any given image, whether an image scan is performed or whether an SBOM is generated (by Trivy) for the image, and then that SBOM is scanned.

Actual Behavior

The image scan provides a full path to the vulnerable Go binary. Generating an SBOM (with Trivy) and then scanning that SBOM provides an empty path to the vulnerable Go binary, with the vulnerability information, and the full path to the vulnerable Go binary, with no associated vulnerability information.

Reproduction Steps

$ trivy image --scanners vuln --format json traefik:v3.0.4 2> /dev/null | jq ".Results[] | select(.Type == \"gobinary\") | (.Target, (.Vulnerabilities | length))"
"usr/local/bin/traefik"
3

$ trivy image --format cyclonedx --output test.cdx traefik:v3.0.4 2> /dev/null && trivy sbom --format json test.cdx 2> /dev/null | jq ".Results[] | select(.Type == \"gobinary\") | (.Target, (.Vulnerabilities | length))"
""
3
"usr/local/bin/traefik"
0

Target

Container Image

Scanner

Vulnerability

Output Format

JSON

Mode

Standalone

Debug Output

$ trivy image --scanners vuln --format json --debug traefik:v3.0.4 | jq ".Results[] | select(.Type == \"gobinary\") | (.Target, (.Vulnerabilities | length))"
2024-07-15T15:23:39+01:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-07-15T15:23:39+01:00       DEBUG   Ignore statuses statuses=[]
2024-07-15T15:23:39+01:00       DEBUG   Cache dir       dir="/home/mbardsley/snap/trivy/276/.cache/trivy"
2024-07-15T15:23:39+01:00       DEBUG   DB update was skipped because the local DB is the latest
2024-07-15T15:23:39+01:00       DEBUG   DB info schema=2 updated_at=2024-07-15T12:12:33.568990716Z next_update=2024-07-15T18:12:33.568990335Z downloaded_at=2024-07-15T13:37:12.926706887Z
2024-07-15T15:23:39+01:00       INFO    Vulnerability scanning is enabled
2024-07-15T15:23:39+01:00       DEBUG   Vulnerability type      type=[os library]
2024-07-15T15:23:39+01:00       DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-07-15T15:23:40+01:00       DEBUG   [nuget] The nuget packages directory couldn't be found. License search disabled
2024-07-15T15:23:40+01:00       DEBUG   [image] Detected image ID       image_id="sha256:7a4ed730cae1fd3aea7db703c77c5f27cc5550748e492cd963a386f409562568"
2024-07-15T15:23:40+01:00       DEBUG   [image] Detected diff ID        diff_ids=[sha256:94e5f06ff8e3d4441dc3cd8b090ff38dc911bfa8ebdb0dc28395bc98f82f983f sha256:6e2310d517910ccc3ceb9ca99c621ba63e05e0301dad7c508cac33d6b8ec5d73 sha256:d9055b10d766a8feec8df32ad9f3e243fe986edb22bd09e6417526901752d90e sha256:64d7de16d92ebe5b3575aca2e429662c45aafde5567d3709916ec789d1e58010]
2024-07-15T15:23:40+01:00       DEBUG   [image] Detected base layers    diff_ids=[sha256:94e5f06ff8e3d4441dc3cd8b090ff38dc911bfa8ebdb0dc28395bc98f82f983f]
2024-07-15T15:23:40+01:00       INFO    Detected OS     family="alpine" version="3.20.1"
2024-07-15T15:23:40+01:00       INFO    [alpine] Detecting vulnerabilities...   os_version="3.20" repository="3.20" pkg_num=16
2024-07-15T15:23:40+01:00       INFO    Number of language-specific files       num=1
2024-07-15T15:23:40+01:00       INFO    [gobinary] Detecting vulnerabilities...
2024-07-15T15:23:40+01:00       DEBUG   [gobinary] Scanning packages for vulnerabilities        file_path="usr/local/bin/traefik"
2024-07-15T15:23:40+01:00       DEBUG   [gobinary] Skipping vulnerability scan as no version is detected for the package        name="github.com/traefik/traefik/v3"
"usr/local/bin/traefik"
3

$ trivy image --format cyclonedx --output test.cdx --debug traefik:v3.0.4 && trivy sbom --format json --debug test.cdx | jq ".Results[] | select(.Type == \"gobinary\") | (.Target, (.Vulnerabilities | length))"
2024-07-15T15:24:45+01:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-07-15T15:24:45+01:00       DEBUG   Ignore statuses statuses=[]
2024-07-15T15:24:45+01:00       INFO    "--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.
2024-07-15T15:24:45+01:00       DEBUG   Cache dir       dir="/home/mbardsley/snap/trivy/276/.cache/trivy"
2024-07-15T15:24:45+01:00       DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-07-15T15:24:46+01:00       DEBUG   [nuget] The nuget packages directory couldn't be found. License search disabled
2024-07-15T15:24:46+01:00       DEBUG   [image] Detected image ID       image_id="sha256:7a4ed730cae1fd3aea7db703c77c5f27cc5550748e492cd963a386f409562568"
2024-07-15T15:24:46+01:00       DEBUG   [image] Detected diff ID        diff_ids=[sha256:94e5f06ff8e3d4441dc3cd8b090ff38dc911bfa8ebdb0dc28395bc98f82f983f sha256:6e2310d517910ccc3ceb9ca99c621ba63e05e0301dad7c508cac33d6b8ec5d73 sha256:d9055b10d766a8feec8df32ad9f3e243fe986edb22bd09e6417526901752d90e sha256:64d7de16d92ebe5b3575aca2e429662c45aafde5567d3709916ec789d1e58010]
2024-07-15T15:24:46+01:00       DEBUG   [image] Detected base layers    diff_ids=[sha256:94e5f06ff8e3d4441dc3cd8b090ff38dc911bfa8ebdb0dc28395bc98f82f983f]
2024-07-15T15:24:46+01:00       INFO    Detected OS     family="alpine" version="3.20.1"
2024-07-15T15:24:46+01:00       INFO    Number of language-specific files       num=1
2024-07-15T15:24:46+01:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-07-15T15:24:46+01:00       DEBUG   Ignore statuses statuses=[]
2024-07-15T15:24:46+01:00       DEBUG   Cache dir       dir="/home/mbardsley/snap/trivy/276/.cache/trivy"
2024-07-15T15:24:46+01:00       DEBUG   DB update was skipped because the local DB is the latest
2024-07-15T15:24:46+01:00       DEBUG   DB info schema=2 updated_at=2024-07-15T12:12:33.568990716Z next_update=2024-07-15T18:12:33.568990335Z downloaded_at=2024-07-15T13:37:12.926706887Z
2024-07-15T15:24:46+01:00       INFO    Vulnerability scanning is enabled
2024-07-15T15:24:46+01:00       DEBUG   Vulnerability type      type=[os library]
2024-07-15T15:24:46+01:00       DEBUG   Enabling misconfiguration scanners      scanners=[]
2024-07-15T15:24:46+01:00       INFO    Detected SBOM format    format="cyclonedx-json"
2024-07-15T15:24:46+01:00       DEBUG   Unmarshalling CycloneDX JSON...
2024-07-15T15:24:46+01:00       DEBUG   Skipping a component with an unsupported type   name="traefik:v3.0.4" version="" type="oci"
2024-07-15T15:24:46+01:00       INFO    Detected OS     family="alpine" version="3.20.1"
2024-07-15T15:24:46+01:00       INFO    [alpine] Detecting vulnerabilities...   os_version="3.20" repository="" pkg_num=16
2024-07-15T15:24:46+01:00       INFO    Number of language-specific files       num=2
2024-07-15T15:24:46+01:00       INFO    [gobinary] Detecting vulnerabilities...
2024-07-15T15:24:46+01:00       DEBUG   [gobinary] Scanning packages for vulnerabilities        file_path=""
2024-07-15T15:24:46+01:00       DEBUG   [gobinary] Scanning packages for vulnerabilities        file_path="usr/local/bin/traefik"
2024-07-15T15:24:46+01:00       DEBUG   [gobinary] Skipping vulnerability scan as no version is detected for the package        name="github.com/traefik/traefik/v3"
""
3
"usr/local/bin/traefik"
0

Operating System

Ubuntu 22.04.4 LTS

Version

$ trivy --version
Version: 0.52.2
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-07-15 12:12:33.568990716 +0000 UTC
  NextUpdate: 2024-07-15 18:12:33.568990335 +0000 UTC
  DownloadedAt: 2024-07-15 13:37:12.926706887 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-01-02 00:43:14.511892663 +0000 UTC
  NextUpdate: 2024-01-05 00:43:14.511892483 +0000 UTC
  DownloadedAt: 2024-01-02 12:23:03.670503561 +0000 UTC

Checklist

• Run trivy clean --all
• Read the troubleshooting

[mspraggs]

I've spent a bit of time looking at this, I think I have an understanding of where the problem might be. Essentially I suspect that in the process of parsing and loading the SBOM, transitive dependencies are not being identified and attached to their parent component correctly (c.f. dependency resolution defined here). The result is that some of these transitive dependencies are not picked up and end getting added later as orphaned packages. I think the implementation could be fixed using Kahn’s algorithm, either when resolving dependencies in addLangPkgs or when resolving dependencies initially.

However, I'm not familiar enough with the intentions behind this code to know whether this approach is sensible or not. Happy to have a crack at fixing this if project owners agree this is the right way forward.

[mspraggs]

Also, surely this discussion should be promoted to an issue? Seems like a genuine bug to me.

[DmitriyLewen]

Hello @mspraggs
Thanks for your report!

We are working in #8104
It should help in your case.

[mspraggs]

Thanks, this is great to hear!

[mspraggs]

@DmitriyLewen not sure if the PR you link is complete or not, so forgive me if I'm jumping ahead, but it looks like it doesn't fix the problem stated here. The steps above gives me:

$ ./trivy image --scanners vuln --format json traefik:v3.0.4 2> /dev/null | jq ".Results[] | select(.Type == \"gobinary\") | (.Target, (.Vulnerabilities | length))"
"usr/local/bin/traefik"
11

and

$ ./trivy image --format cyclonedx --output test.cdx traefik:v3.0.4 2> /dev/null && ./trivy sbom --format json test.cdx 2> /dev/null | jq ".Results[] | select(.Type == \"gobinary\") | (.Target, (.Vulnerabilities | length))"
""
11
"usr/local/bin/traefik"
0

[DmitriyLewen]

Yes, I know about it and I'm already thinking about how to link the root package and dependencies.

[mspraggs]

Amazing, thanks!

[DmitriyLewen]

Created #8143 for this Task

[mspraggs]

Awesome, thanks!