
Unmatched Vulnerabilities.affects.ref when scanning CycloneDX sbom with duplicate Purls #7360

Closed
2 tasks done
DmitriyLewen opened this issue Aug 20, 2024 Discussed in #7334 · 1 comment
Assignees
Labels
kind/bug Categorizes issue or PR as related to a bug. scan/sbom Issues relating to SBOM scan/vulnerability Issues relating to vulnerability scanning

Comments

@DmitriyLewen
Contributor

Discussed in #7334

Originally posted by scott-boost August 13, 2024

Description

When scanning a CycloneDX SBOM with 2 components that have the exact same purls (but different bom-refs), the resulting vulnerability.affects.ref has a seemingly random ref.

NOTE: this bug does not occur if the format is JSON instead.

Desired Behavior

vulnerability.affects.ref points to a Component.bom-ref in the same sbom

Actual Behavior

vulnerability.affects.ref DOES NOT point to a Component.bom-ref in the same sbom

Reproduction Steps

1. wget https://pastebin.com/raw/iD0PiatU
2. trivy sbom --format cyclonedx --scanners vuln iD0PiatU

Target

SBOM

Scanner

Vulnerability

Output Format

CycloneDX

Mode

Standalone

Debug Output

2024-08-12T14:16:23-04:00	DEBUG	Cache dir	dir="/Users/scottluu/Library/Caches/trivy"
2024-08-12T14:16:23-04:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-08-12T14:16:23-04:00	DEBUG	Ignore statuses	statuses=[]
2024-08-12T14:16:23-04:00	DEBUG	DB update was skipped because the local DB is the latest
2024-08-12T14:16:23-04:00	DEBUG	DB info	schema=2 updated_at=2024-08-12T18:12:51.291637899Z next_update=2024-08-13T00:12:51.291637608Z downloaded_at=2024-08-12T18:15:47.484472Z
2024-08-12T14:16:23-04:00	INFO	Vulnerability scanning is enabled
2024-08-12T14:16:23-04:00	DEBUG	Vulnerability type	type=[os library]
2024-08-12T14:16:23-04:00	DEBUG	Enabling misconfiguration scanners	scanners=[]
2024-08-12T14:16:23-04:00	DEBUG	Initializing scan cache...	type="memory"
2024-08-12T14:16:23-04:00	INFO	Detected SBOM format	format="cyclonedx-json"
2024-08-12T14:16:23-04:00	DEBUG	Unmarshalling CycloneDX JSON...
2024-08-12T14:16:23-04:00	DEBUG	Skipping a component with an unsupported type	name="." version="" type=""
2024-08-12T14:16:23-04:00	DEBUG	OS is not detected.
2024-08-12T14:16:23-04:00	DEBUG	Detected OS: unknown
2024-08-12T14:16:23-04:00	INFO	Number of language-specific files	num=1
2024-08-12T14:16:23-04:00	INFO	[poetry] Detecting vulnerabilities...
2024-08-12T14:16:23-04:00	DEBUG	[poetry] Scanning packages for vulnerabilities	file_path="poetry.lock"

Operating System

macOS Sonoma 14.6.1

Version

Version: 0.54.0

Checklist
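An added check (not part of the original report or of Trivy's own code) for the desired behaviour stated above: every vulnerabilities[].affects[].ref in a CycloneDX JSON document must resolve to a component bom-ref in the same document. The embedded SBOM is constructed to reproduce the duplicate-purl case, with affects.ref carrying the bare purl instead of a bom-ref; field names follow the CycloneDX JSON schema, the vulnerability id is a placeholder.

```python
import json

# Constructed sample CycloneDX JSON: two components share one purl but carry
# different bom-refs, and the vulnerability's affects.ref holds the bare purl,
# which is not the bom-ref of either component (the dangling-ref case).
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"bom-ref": "pkg-a", "type": "library", "name": "requests",
         "version": "2.25.0", "purl": "pkg:pypi/requests@2.25.0"},
        {"bom-ref": "pkg-b", "type": "library", "name": "requests",
         "version": "2.25.0", "purl": "pkg:pypi/requests@2.25.0"},
    ],
    "vulnerabilities": [
        {"id": "EXAMPLE-VULN-1", "affects": [{"ref": "pkg:pypi/requests@2.25.0"}]},
    ],
})

def iter_components(sbom):
    """Yield every component, including metadata.component and nested ones."""
    stack = list(sbom.get("components", []))
    if sbom.get("metadata", {}).get("component"):
        stack.append(sbom["metadata"]["component"])
    while stack:
        comp = stack.pop()
        yield comp
        stack.extend(comp.get("components", []))

def duplicate_purls(sbom):
    """Map each purl found on more than one component to its bom-refs."""
    by_purl = {}
    for comp in iter_components(sbom):
        if "purl" in comp:
            by_purl.setdefault(comp["purl"], []).append(comp.get("bom-ref", ""))
    return {p: sorted(r) for p, r in by_purl.items() if len(r) > 1}

def dangling_affects_refs(sbom):
    """Return (vulnerability id, ref) pairs whose ref matches no bom-ref."""
    bom_refs = {c["bom-ref"] for c in iter_components(sbom) if "bom-ref" in c}
    return [(v.get("id"), a.get("ref"))
            for v in sbom.get("vulnerabilities", [])
            for a in v.get("affects", [])
            if a.get("ref") not in bom_refs]

def check_sbom_json(text):
    """Parse CycloneDX JSON and report duplicate purls and dangling refs."""
    sbom = json.loads(text)
    return duplicate_purls(sbom), dangling_affects_refs(sbom)
```

Run check_sbom_json over Trivy's CycloneDX output: an empty dangling list means every affects.ref resolves, and a non-empty duplicate-purl map shows where the reported bug can surface.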

@DmitriyLewen DmitriyLewen added kind/bug Categorizes issue or PR as related to a bug. scan/vulnerability Issues relating to vulnerability scanning scan/sbom Issues relating to SBOM labels Aug 20, 2024
@DmitriyLewen DmitriyLewen self-assigned this Aug 20, 2024
@DmitriyLewen
Contributor Author

duplicate of #7337

@DmitriyLewen DmitriyLewen closed this as not planned Aug 20, 2024