0.50.0 (cyclonedx 1.4 json sbom) regression

[obormot]

Description

A CycloneDX 1.4 spec JSON SBOM file generated outside of Trivy, worked well with 0.49.1 and prior, and is now broken staring with 0.50.0 (zero vulnerabilities returned). Debug output shows sbom parsing errors Skipping a component with an unsupported type {"name": "/usr/share/python/xyz", "version": "", "type": ""} while the type is actually set to library.

Desired Behavior

Behavior should be consistent with trivy 0.49.1 shown below.

trivy -v
Version: 0.49.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-04-05 18:11:04.749039122 +0000 UTC
  NextUpdate: 2024-04-06 00:11:04.749038371 +0000 UTC
  DownloadedAt: 2024-04-05 19:13:22.879828992 +0000 UTC

$ trivy sbom python-sbom-poc.json -d
2024-04-05T19:18:00.031Z	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-04-05T19:18:00.032Z	DEBUG	Ignore statuses	{"statuses": null}
2024-04-05T19:18:00.055Z	DEBUG	cache dir:  /home/admin/.cache/trivy
2024-04-05T19:18:00.057Z	DEBUG	DB update was skipped because the local DB is the latest
2024-04-05T19:18:00.057Z	DEBUG	DB Schema: 2, UpdatedAt: 2024-04-05 18:11:04.749039122 +0000 UTC, NextUpdate: 2024-04-06 00:11:04.749038371 +0000 UTC, DownloadedAt: 2024-04-05 19:13:22.879828992 +0000 UTC
2024-04-05T19:18:00.058Z	INFO	Vulnerability scanning is enabled
2024-04-05T19:18:00.058Z	DEBUG	Vulnerability type:  [os library]
2024-04-05T19:18:00.058Z	DEBUG	Enabling misconfiguration scanners: []
2024-04-05T19:18:00.059Z	INFO	Detected SBOM format: cyclonedx-json
2024-04-05T19:18:00.059Z	DEBUG	Unmarshaling CycloneDX JSON...
2024-04-05T19:18:00.063Z	WARN	Third-party SBOM may lead to inaccurate vulnerability detection
2024-04-05T19:18:00.063Z	WARN	Recommend using Trivy to generate SBOMs
2024-04-05T19:18:00.063Z	WARN	Ignore the OS package as no OS information is found.
2024-04-05T19:18:00.095Z	DEBUG	OS is not detected.
2024-04-05T19:18:00.095Z	DEBUG	Detected OS: unknown
2024-04-05T19:18:00.095Z	INFO	Number of language-specific files: 1
2024-04-05T19:18:00.095Z	INFO	Detecting python-pkg vulnerabilities...
2024-04-05T19:18:00.095Z	DEBUG	Detecting library vulnerabilities, type: python-pkg, path:

Python (python-pkg)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────┐
│  Library   │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                         Title                         │
├────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────┤
│ setuptools │ CVE-2022-40897 │ HIGH     │ fixed  │ 58.4.0            │ 65.5.1        │ pypa-setuptools: Regular Expression Denial of Service │
│            │                │          │        │                   │               │ (ReDoS) in package_index.py                           │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2022-40897            │
└────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────┘

Actual Behavior

Parsing errors resulting in zero vulnerabilities reported against a SBOM.

Reproduction Steps

python-sbom-poc.json:

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:5513ff22-229d-4009-a3d6-d91b93cb58b6",
  "version": 1,
  "metadata": {
    "timestamp": "2023-12-15T16:50:45.593021000Z",
    "component": {
      "bom-ref": "214539e6-ab03-4893-907d-10283bf2da55",
      "type": "application",
      "name": "Python packages"
    }
  },
  "components": [
    {
      "name": "setuptools",
      "type": "library",
      "version": "58.4.0",
      "purl": "pkg:pypi/setuptools@58.4.0",
      "bom-ref": "setuptools@/usr/share/python/xyz",
      "group": "/usr/share/python/xyz",
      "externalReferences": [
        {
          "url": "https://github.com/pypa/setuptools",
          "type": "website"
        }
      ] 
    },
    {
      "bom-ref": "ef6ac325-3958-4984-8158-c1f861cd88a4",
      "type": "application",
      "name": "/usr/share/python/xyz"
    }
  ],
  "dependencies": [
    {
      "ref": "ef6ac325-3958-4984-8158-c1f861cd88a4",
      "dependsOn": [
        "setuptools@/usr/share/python/xyz"
      ]
    },
   {
      "ref": "214539e6-ab03-4893-907d-10283bf2da55",
      "dependsOn": [
        "ef6ac325-3958-4984-8158-c1f861cd88a4"
      ]
    }
  ]
}

Target

SBOM

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Debug Output

$ trivy sbom python-sbom-poc.json -d
2024-04-05T19:18:32.549Z	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-04-05T19:18:32.549Z	DEBUG	Ignore statuses	{"statuses": null}
2024-04-05T19:18:32.578Z	DEBUG	cache dir:  /home/admin/.cache/trivy
2024-04-05T19:18:32.579Z	DEBUG	DB update was skipped because the local DB is the latest
2024-04-05T19:18:32.579Z	DEBUG	DB Schema: 2, UpdatedAt: 2024-04-05 18:11:04.749039122 +0000 UTC, NextUpdate: 2024-04-06 00:11:04.749038371 +0000 UTC, DownloadedAt: 2024-04-05 19:13:22.879828992 +0000 UTC
2024-04-05T19:18:32.580Z	INFO	Vulnerability scanning is enabled
2024-04-05T19:18:32.581Z	DEBUG	Vulnerability type:  [os library]
2024-04-05T19:18:32.581Z	DEBUG	Enabling misconfiguration scanners: []
2024-04-05T19:18:32.583Z	INFO	Detected SBOM format: cyclonedx-json
2024-04-05T19:18:32.584Z	DEBUG	Unmarshalling CycloneDX JSON...
2024-04-05T19:18:32.585Z	WARN	Third-party SBOM may lead to inaccurate vulnerability detection
2024-04-05T19:18:32.585Z	WARN	Recommend using Trivy to generate SBOMs
2024-04-05T19:18:32.585Z	DEBUG	Skipping a component with an unsupported type	{"name": "/usr/share/python/xyz", "version": "", "type": ""}
2024-04-05T19:18:32.585Z	DEBUG	Skipping a component with an unsupported type	{"name": "Python packages", "version": "", "type": ""}
2024-04-05T19:18:32.636Z	DEBUG	OS is not detected.
2024-04-05T19:18:32.637Z	DEBUG	Detected OS: unknown
2024-04-05T19:18:32.637Z	INFO	Number of language-specific files: 1
2024-04-05T19:18:32.637Z	INFO	Detecting python-pkg vulnerabilities...
2024-04-05T19:18:32.637Z	DEBUG	Detecting library vulnerabilities, type: python-pkg, path:

Operating System

Ubuntu focal

Version

$ trivy -v
Version: 0.50.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-04-05 18:11:04.749039122 +0000 UTC
  NextUpdate: 2024-04-06 00:11:04.749038371 +0000 UTC
  DownloadedAt: 2024-04-05 19:13:22.879828992 +0000 UTC

Checklist

• Run trivy image --reset
• Read the troubleshooting

[knqyf263]

@DmitriyLewen Could you take a look when you have time?

[DmitriyLewen]

Hello @obormot
Thanks for your report!

 "group": "/usr/share/python/xyz",

This is a bit of an odd use of group field.
Maven plugin uses group for GroupID.
Npm uses group for scopes.

But i didn't see that group containing filepath.
Do you have some info about this?

Regards, Dmitriy

[obormot]

We use the group field to point at Python virtualenvs (same package may appear in multiple venvs). I don't think this affects the issue in question.

[DmitriyLewen]

CycloneDX docs say: The grouping name or identifier. This will often be a shortened, single name of the company or project that produced the component, or the source package or domain name. Whitespace and special characters should be avoided. Examples include: apache, org.apache.commons, and apache.org.

Usually group is part of package name.
take a look example of npm - https://github.com/CycloneDX/cyclonedx-node-npm/blob/1b0f30c1523befcdac3cd8bf9ae041c1f2a3cb2c/demo/juice-shop/example-results/bare/bom.1.5.json#L102-L117

I'm not sure if your logic is using group field correctly.

I don't think this affects the issue in question.

We merge group to package name:

trivy/pkg/sbom/io/decode.go

Lines 250 to 255 in 13e72ec

	if c.Group != "" {
	if p.Type == packageurl.TypeMaven || p.Type == packageurl.TypeGradle {
	return c.Group + ":" + c.Name
	}
	return c.Group + "/" + c.Name
	}

In your case:

➜  6461 trivy -q sbom ./test.cdx.json -f json --list-all-pkgs | grep '"Name"'
          "Name": "/usr/share/python/xyz/setuptools",

I also checked CycloneDX Python repo and didn't find group field usage.

[obormot]

Experimented with this a bit. Basically having any group name (with forward slash characters or without) breaks things in Trivy 0.50.0.
Taking the sample file above and removing the group field entirely gets the vulnerability reported correctly (despite having warnings and skipping components in the debug output).
In other words, if I remove this line "group": "/usr/share/python/xyz",, Trivy 0.50.0 works well. If I replace it with "group": "foo", - doesn't work. Trivy 0.49.1 works well in all cases.
My understanding of the group field is to group dependencies, which python virtualenvs are a good case for. When uploading such SBOM to DependencyTrack for example, it will display a nice dependency graph with python packages expandable under their respective virtualenvs.

[DmitriyLewen]

My understanding of the group field is to group dependencies, which python virtualenvs are a good case for

The grouping name or identifier. This will often be a shortened, single name of the company or project that produced the component, or the source package or domain name.

I think CycloneDX doesn't mean dependencies grouping.
component can be not only dependency - https://cyclonedx.org/docs/1.5/json/#components_items_type
Therefore, your logic will not work very well with other types.

I think in this case they mean the equivalent of GroupID for maven.

---

In any case, let's wait for users feedback. If many people use similar logic - we will exclude Python from decoding the group field.