I'm using the Trivy Operator which generates an SBOM for the Kubernetes cluster. The SBOM contains multiple components of type "operating-system", one per node of the cluster.
Trivy is not able to scan the SBOM due to the multiple operating-system components.
Desired Behavior
The SBOM generated by the Trivy Operator seems correct to me and Trivy should not fail because of the multiple components of type operating-system. Having multiple such components, one per node, seems correct to me.
Actual Behavior
I get the following error:
$ trivy sbom /tmp/sbom-k8s-cluster.json
2024-04-10T17:55:52.400+0200 INFO Vulnerability scanning is enabled
2024-04-10T17:55:52.401+0200 INFO Detected SBOM format: cyclonedx-json
2024-04-10T17:55:52.402+0200 FATAL sbom scan error: scan error: scan failed: failed analysis: SBOM decode error: failed to decode: failed to decode components: multiple OS components are not supported
Reproduction Steps
1. Run the command `trivy sbom /tmp/sbom-k8s-cluster.json` with the attached SBOM.
Target
SBOM
Scanner
Vulnerability
Output Format
None
Mode
None
Debug Output
$ trivy sbom /tmp/sbom-k8s-cluster.json --debug
2024-04-10T18:00:53.568+0200 DEBUG Severities: ["UNKNOWN""LOW""MEDIUM""HIGH""CRITICAL"]
2024-04-10T18:00:53.568+0200 DEBUG Ignore statuses {"statuses": null}
2024-04-10T18:00:53.579+0200 DEBUG cache dir: /Users/omallo/Library/Caches/trivy
2024-04-10T18:00:53.579+0200 DEBUG DB update was skipped because the local DB is the latest
2024-04-10T18:00:53.579+0200 DEBUG DB Schema: 2, UpdatedAt: 2024-04-10 12:11:18.716332374 +0000 UTC, NextUpdate: 2024-04-10 18:11:18.716332083 +0000 UTC, DownloadedAt: 2024-04-10 15:45:56.880723 +0000 UTC
2024-04-10T18:00:53.580+0200 INFO Vulnerability scanning is enabled
2024-04-10T18:00:53.580+0200 DEBUG Vulnerability type: [os library]
2024-04-10T18:00:53.580+0200 DEBUG Enabling misconfiguration scanners: []
2024-04-10T18:00:53.580+0200 INFO Detected SBOM format: cyclonedx-json
2024-04-10T18:00:53.580+0200 DEBUG Unmarshalling CycloneDX JSON...
2024-04-10T18:00:53.581+0200 DEBUG Skipping a component with an unsupported type {"name": "node-core-components", "version": "", "type": ""}
2024-04-10T18:00:53.581+0200 DEBUG Skipping a component with an unsupported type {"name": "node-core-components", "version": "", "type": ""}
2024-04-10T18:00:53.584+0200 FATAL sbom scan error:
github.com/aquasecurity/trivy/pkg/commands/artifact.Run
github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:441
- scan error:
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact
github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:269
- scan failed:
github.com/aquasecurity/trivy/pkg/commands/artifact.scan
github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:710
- failed analysis:
github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact
github.com/aquasecurity/trivy/pkg/scanner/scan.go:148
- SBOM decode error:
github.com/aquasecurity/trivy/pkg/fanal/artifact/sbom.Artifact.Inspect
github.com/aquasecurity/trivy/pkg/fanal/artifact/sbom/sbom.go:56
- failed to decode:
github.com/aquasecurity/trivy/pkg/sbom.Decode
github.com/aquasecurity/trivy/pkg/sbom/sbom.go:231
- failed to decode components:
github.com/aquasecurity/trivy/pkg/sbom/io.(*Decoder).Decode
github.com/aquasecurity/trivy/pkg/sbom/io/decode.go:54
- multiple OS components are not supported:
github.com/aquasecurity/trivy/pkg/sbom/io.(*Decoder).decodeComponents
github.com/aquasecurity/trivy/pkg/sbom/io/decode.go:114
Operating System
Linux
Version
$ trivy --version
Version: 0.50.1
Vulnerability DB:
Version: 2
UpdatedAt: 2024-04-10 12:11:18.716332374 +0000 UTC
NextUpdate: 2024-04-10 18:11:18.716332083 +0000 UTC
DownloadedAt: 2024-04-10 15:45:56.880723 +0000 UTC
Java DB:
Version: 1
UpdatedAt: 2024-04-08 00:49:12.317761931 +0000 UTC
NextUpdate: 2024-04-11 00:49:12.317761761 +0000 UTC
DownloadedAt: 2024-04-08 22:56:58.568085 +0000 UTC
Discussed in #6481
Originally posted by omallo April 10, 2024
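As an added example, not the reporter's code and not part of the Trivy project: a small Python pre-check that counts the `operating-system` components in a parsed CycloneDX JSON SBOM (the condition behind the FATAL above), plus a workaround that splits such a cluster SBOM into one single-OS SBOM per node so each can be passed to `trivy sbom` on its own. It assumes the OS components and their packages are top-level components linked by `bom-ref` through the `dependencies` graph; the sample SBOM is constructed.

```python
# Constructed sample (not the reporter's SBOM), as json.load would return it: two nodes, each an OS plus one attached package.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"bom-ref": "os-node-1", "type": "operating-system", "name": "ubuntu", "version": "22.04"},
        {"bom-ref": "os-node-2", "type": "operating-system", "name": "ubuntu", "version": "20.04"},
        {"bom-ref": "pkg:deb/ubuntu/openssl@3.0.2", "type": "library", "name": "openssl", "version": "3.0.2"},
        {"bom-ref": "pkg:deb/ubuntu/openssl@1.1.1f", "type": "library", "name": "openssl", "version": "1.1.1f"},
        {"bom-ref": "kubelet", "type": "application", "name": "kubelet", "version": "1.29.0"},
    ],
    "dependencies": [
        {"ref": "os-node-1", "dependsOn": ["pkg:deb/ubuntu/openssl@3.0.2"]},
        {"ref": "os-node-2", "dependsOn": ["pkg:deb/ubuntu/openssl@1.1.1f"]},
    ],
}

def os_components(bom):
    """Return every 'operating-system' component, nested ones included; more than one makes trivy 0.50.1 refuse the SBOM."""
    found, stack = [], list(bom.get("components", []))
    while stack:
        comp = stack.pop()
        if comp.get("type") == "operating-system":
            found.append(comp)
        stack.extend(comp.get("components", []))  # CycloneDX allows nested components
    return found

def reachable(deps, start):
    """Transitive closure of 'dependsOn' starting at one bom-ref (cycle-safe)."""
    seen, todo = set(), [start]
    while todo:
        ref = todo.pop()
        seen.add(ref)
        todo.extend(d for d in deps.get(ref, []) if d not in seen)
    return seen

def split_by_os(bom):
    """One single-OS BOM per OS component: that OS, everything it reaches, and any component no OS claims."""
    deps = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    closures = {c["bom-ref"]: reachable(deps, c["bom-ref"]) for c in os_components(bom)}
    claimed = set().union(*closures.values())  # refs attached to at least one OS
    meta = {k: v for k, v in bom.items() if k not in ("components", "dependencies")}
    result = {}
    for os_ref, keep in closures.items():
        comps = [c for c in bom.get("components", []) if c.get("bom-ref") in keep or c.get("bom-ref") not in claimed]
        kept = {c.get("bom-ref") for c in comps}
        result[os_ref] = {**meta, "components": comps, "dependencies": [
            {"ref": r, "dependsOn": [d for d in ds if d in kept]} for r, ds in deps.items() if r in kept]}
    return result
```

Each value returned by `split_by_os` can be written out with `json.dump` and scanned separately; cluster-level components that no OS depends on are kept in every split rather than dropped.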