(SBOM generate SBOM scan) metadata differs from image scan metadata #7169

mhbardsley · 2024-07-15T14:28:24Z

mhbardsley
Jul 15, 2024

Description

I have noticed that some images provide different target names in their scanner output, when the image is scanned compared to when Trivy is used to generate an SBOM and then that SBOM is scanned.

The vulnerability counts provided in these cases are the same, which is why I think this differs from #3649.

I haven't been able to identify exactly what the scope of the issue is, but it is at least the case for gobinary target types. This is not reproducible for every image that contains vulnerable Go binaries.

Also I didn't run trivy clean --all as suggested when filing this issue because it doesn't appear to be a supported subcommand anymore.

Desired Behavior

The path to Go binaries should be consistent for any given image, whether an image scan is performed or whether an SBOM is generated (by Trivy) for the image, and then that SBOM is scanned.

Actual Behavior

The image scan provides a full path to the vulnerable Go binary. Generating an SBOM (with Trivy) and then scanning that SBOM provides an empty path to the vulnerable Go binary, with the vulnerability information, and the full path to the vulnerable Go binary, with no associated vulnerability information.

Reproduction Steps

$ trivy image --scanners vuln --format json traefik:v3.0.4 2> /dev/null | jq ".Results[] | select(.Type == \"gobinary\") | (.Target, (.Vulnerabilities | length))"
"usr/local/bin/traefik"
3

$ trivy image --format cyclonedx --output test.cdx traefik:v3.0.4 2> /dev/null && trivy sbom --format json test.cdx 2> /dev/null | jq ".Results[] | select(.Type == \"gobinary\") | (.Target, (.Vulnerabilities | length))"
""
3
"usr/local/bin/traefik"
0

Target

Container Image

Scanner

Vulnerability

Output Format

JSON

Mode

Standalone

Debug Output

$ trivy image --scanners vuln --format json --debug traefik:v3.0.4 | jq ".Results[] | select(.Type == \"gobinary\") | (.Target, (.Vulnerabilities | length))"
2024-07-15T15:23:39 01:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-07-15T15:23:39 01:00       DEBUG   Ignore statuses statuses=[]
2024-07-15T15:23:39 01:00       DEBUG   Cache dir       dir="/home/mbardsley/snap/trivy/276/.cache/trivy"
2024-07-15T15:23:39 01:00       DEBUG   DB update was skipped because the local DB is the latest
2024-07-15T15:23:39 01:00       DEBUG   DB info schema=2 updated_at=2024-07-15T12:12:33.568990716Z next_update=2024-07-15T18:12:33.568990335Z downloaded_at=2024-07-15T13:37:12.926706887Z
2024-07-15T15:23:39 01:00       INFO    Vulnerability scanning is enabled
2024-07-15T15:23:39 01:00       DEBUG   Vulnerability type      type=[os library]
2024-07-15T15:23:39 01:00       DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-07-15T15:23:40 01:00       DEBUG   [nuget] The nuget packages directory couldn't be found. License search disabled
2024-07-15T15:23:40 01:00       DEBUG   [image] Detected image ID       image_id="sha256:7a4ed730cae1fd3aea7db703c77c5f27cc5550748e492cd963a386f409562568"
2024-07-15T15:23:40 01:00       DEBUG   [image] Detected diff ID        diff_ids=[sha256:94e5f06ff8e3d4441dc3cd8b090ff38dc911bfa8ebdb0dc28395bc98f82f983f sha256:6e2310d517910ccc3ceb9ca99c621ba63e05e0301dad7c508cac33d6b8ec5d73 sha256:d9055b10d766a8feec8df32ad9f3e243fe986edb22bd09e6417526901752d90e sha256:64d7de16d92ebe5b3575aca2e429662c45aafde5567d3709916ec789d1e58010]
2024-07-15T15:23:40 01:00       DEBUG   [image] Detected base layers    diff_ids=[sha256:94e5f06ff8e3d4441dc3cd8b090ff38dc911bfa8ebdb0dc28395bc98f82f983f]
2024-07-15T15:23:40 01:00       INFO    Detected OS     family="alpine" version="3.20.1"
2024-07-15T15:23:40 01:00       INFO    [alpine] Detecting vulnerabilities...   os_version="3.20" repository="3.20" pkg_num=16
2024-07-15T15:23:40 01:00       INFO    Number of language-specific files       num=1
2024-07-15T15:23:40 01:00       INFO    [gobinary] Detecting vulnerabilities...
2024-07-15T15:23:40 01:00       DEBUG   [gobinary] Scanning packages for vulnerabilities        file_path="usr/local/bin/traefik"
2024-07-15T15:23:40 01:00       DEBUG   [gobinary] Skipping vulnerability scan as no version is detected for the package        name="github.com/traefik/traefik/v3"
"usr/local/bin/traefik"
3

$ trivy image --format cyclonedx --output test.cdx --debug traefik:v3.0.4 && trivy sbom --format json --debug test.cdx | jq ".Results[] | select(.Type == \"gobinary\") | (.Target, (.Vulnerabilities | length))"
2024-07-15T15:24:45 01:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-07-15T15:24:45 01:00       DEBUG   Ignore statuses statuses=[]
2024-07-15T15:24:45 01:00       INFO    "--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.
2024-07-15T15:24:45 01:00       DEBUG   Cache dir       dir="/home/mbardsley/snap/trivy/276/.cache/trivy"
2024-07-15T15:24:45 01:00       DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-07-15T15:24:46 01:00       DEBUG   [nuget] The nuget packages directory couldn't be found. License search disabled
2024-07-15T15:24:46 01:00       DEBUG   [image] Detected image ID       image_id="sha256:7a4ed730cae1fd3aea7db703c77c5f27cc5550748e492cd963a386f409562568"
2024-07-15T15:24:46 01:00       DEBUG   [image] Detected diff ID        diff_ids=[sha256:94e5f06ff8e3d4441dc3cd8b090ff38dc911bfa8ebdb0dc28395bc98f82f983f sha256:6e2310d517910ccc3ceb9ca99c621ba63e05e0301dad7c508cac33d6b8ec5d73 sha256:d9055b10d766a8feec8df32ad9f3e243fe986edb22bd09e6417526901752d90e sha256:64d7de16d92ebe5b3575aca2e429662c45aafde5567d3709916ec789d1e58010]
2024-07-15T15:24:46 01:00       DEBUG   [image] Detected base layers    diff_ids=[sha256:94e5f06ff8e3d4441dc3cd8b090ff38dc911bfa8ebdb0dc28395bc98f82f983f]
2024-07-15T15:24:46 01:00       INFO    Detected OS     family="alpine" version="3.20.1"
2024-07-15T15:24:46 01:00       INFO    Number of language-specific files       num=1
2024-07-15T15:24:46 01:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-07-15T15:24:46 01:00       DEBUG   Ignore statuses statuses=[]
2024-07-15T15:24:46 01:00       DEBUG   Cache dir       dir="/home/mbardsley/snap/trivy/276/.cache/trivy"
2024-07-15T15:24:46 01:00       DEBUG   DB update was skipped because the local DB is the latest
2024-07-15T15:24:46 01:00       DEBUG   DB info schema=2 updated_at=2024-07-15T12:12:33.568990716Z next_update=2024-07-15T18:12:33.568990335Z downloaded_at=2024-07-15T13:37:12.926706887Z
2024-07-15T15:24:46 01:00       INFO    Vulnerability scanning is enabled
2024-07-15T15:24:46 01:00       DEBUG   Vulnerability type      type=[os library]
2024-07-15T15:24:46 01:00       DEBUG   Enabling misconfiguration scanners      scanners=[]
2024-07-15T15:24:46 01:00       INFO    Detected SBOM format    format="cyclonedx-json"
2024-07-15T15:24:46 01:00       DEBUG   Unmarshalling CycloneDX JSON...
2024-07-15T15:24:46 01:00       DEBUG   Skipping a component with an unsupported type   name="traefik:v3.0.4" version="" type="oci"
2024-07-15T15:24:46 01:00       INFO    Detected OS     family="alpine" version="3.20.1"
2024-07-15T15:24:46 01:00       INFO    [alpine] Detecting vulnerabilities...   os_version="3.20" repository="" pkg_num=16
2024-07-15T15:24:46 01:00       INFO    Number of language-specific files       num=2
2024-07-15T15:24:46 01:00       INFO    [gobinary] Detecting vulnerabilities...
2024-07-15T15:24:46 01:00       DEBUG   [gobinary] Scanning packages for vulnerabilities        file_path=""
2024-07-15T15:24:46 01:00       DEBUG   [gobinary] Scanning packages for vulnerabilities        file_path="usr/local/bin/traefik"
2024-07-15T15:24:46 01:00       DEBUG   [gobinary] Skipping vulnerability scan as no version is detected for the package        name="github.com/traefik/traefik/v3"
""
3
"usr/local/bin/traefik"
0

Operating System

Ubuntu 22.04.4 LTS

Version

$ trivy --version
Version: 0.52.2
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-07-15 12:12:33.568990716  0000 UTC
  NextUpdate: 2024-07-15 18:12:33.568990335  0000 UTC
  DownloadedAt: 2024-07-15 13:37:12.926706887  0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-01-02 00:43:14.511892663  0000 UTC
  NextUpdate: 2024-01-05 00:43:14.511892483  0000 UTC
  DownloadedAt: 2024-01-02 12:23:03.670503561  0000 UTC

Checklist

Run trivy clean --all
Read the troubleshooting

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

(SBOM generate SBOM scan) metadata differs from image scan metadata #7169

{{title}}

Replies: 0 comments

Select a reply

(SBOM generate SBOM scan) metadata differs from image scan metadata #7169

mhbardsley Jul 15, 2024

Description

Desired Behavior

Actual Behavior

Reproduction Steps

Target

Scanner

Output Format

Mode

Debug Output

Operating System

Version

Checklist

Replies: 0 comments

mhbardsley
Jul 15, 2024