
Multiple OS components in SBOM are not supported properly #6482

Closed
2 tasks done
omallo opened this issue Apr 10, 2024 Discussed in #6481 · 2 comments


omallo commented Apr 10, 2024

Discussed in #6481

Originally posted by omallo April 10, 2024

Description

I'm using the Trivy Operator which generates an SBOM for the Kubernetes cluster. The SBOM contains multiple components of type "operating-system", one per node of the cluster.

Trivy is not able to scan the SBOM due to the multiple operating-system components.

Desired Behavior

The SBOM generated by the Trivy Operator seems correct to me and Trivy should not fail because of the multiple components of type operating-system. Having multiple such components, one per node, seems correct to me.

Actual Behavior

I get the following error:

$ trivy sbom /tmp/sbom-k8s-cluster.json
2024-04-10T17:55:52.400+0200    INFO    Vulnerability scanning is enabled
2024-04-10T17:55:52.401+0200    INFO    Detected SBOM format: cyclonedx-json
2024-04-10T17:55:52.402+0200    FATAL   sbom scan error: scan error: scan failed: failed analysis: SBOM decode error: failed to decode: failed to decode components: multiple OS components are not supported

Reproduction Steps

1. Run the command `trivy sbom /tmp/sbom-k8s-cluster.json` with the attached SBOM.

Target

SBOM

Scanner

Vulnerability

Output Format

None

Mode

None

Debug Output

$ trivy sbom /tmp/sbom-k8s-cluster.json --debug
2024-04-10T18:00:53.568+0200    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-04-10T18:00:53.568+0200    DEBUG   Ignore statuses {"statuses": null}
2024-04-10T18:00:53.579+0200    DEBUG   cache dir:  /Users/omallo/Library/Caches/trivy
2024-04-10T18:00:53.579+0200    DEBUG   DB update was skipped because the local DB is the latest
2024-04-10T18:00:53.579+0200    DEBUG   DB Schema: 2, UpdatedAt: 2024-04-10 12:11:18.716332374 +0000 UTC, NextUpdate: 2024-04-10 18:11:18.716332083 +0000 UTC, DownloadedAt: 2024-04-10 15:45:56.880723 +0000 UTC
2024-04-10T18:00:53.580+0200    INFO    Vulnerability scanning is enabled
2024-04-10T18:00:53.580+0200    DEBUG   Vulnerability type:  [os library]
2024-04-10T18:00:53.580+0200    DEBUG   Enabling misconfiguration scanners: []
2024-04-10T18:00:53.580+0200    INFO    Detected SBOM format: cyclonedx-json
2024-04-10T18:00:53.580+0200    DEBUG   Unmarshalling CycloneDX JSON...
2024-04-10T18:00:53.581+0200    DEBUG   Skipping a component with an unsupported type   {"name": "node-core-components", "version": "", "type": ""}
2024-04-10T18:00:53.581+0200    DEBUG   Skipping a component with an unsupported type   {"name": "node-core-components", "version": "", "type": ""}
2024-04-10T18:00:53.584+0200    FATAL   sbom scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.Run
        github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:441
  - scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact
        github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:269
  - scan failed:
    github.com/aquasecurity/trivy/pkg/commands/artifact.scan
        github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:710
  - failed analysis:
    github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact
        github.com/aquasecurity/trivy/pkg/scanner/scan.go:148
  - SBOM decode error:
    github.com/aquasecurity/trivy/pkg/fanal/artifact/sbom.Artifact.Inspect
        github.com/aquasecurity/trivy/pkg/fanal/artifact/sbom/sbom.go:56
  - failed to decode:
    github.com/aquasecurity/trivy/pkg/sbom.Decode
        github.com/aquasecurity/trivy/pkg/sbom/sbom.go:231
  - failed to decode components:
    github.com/aquasecurity/trivy/pkg/sbom/io.(*Decoder).Decode
        github.com/aquasecurity/trivy/pkg/sbom/io/decode.go:54
  - multiple OS components are not supported:
    github.com/aquasecurity/trivy/pkg/sbom/io.(*Decoder).decodeComponents
        github.com/aquasecurity/trivy/pkg/sbom/io/decode.go:114

Operating System

Linux

Version

$ trivy --version
Version: 0.50.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-04-10 12:11:18.716332374 +0000 UTC
  NextUpdate: 2024-04-10 18:11:18.716332083 +0000 UTC
  DownloadedAt: 2024-04-10 15:45:56.880723 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-04-08 00:49:12.317761931 +0000 UTC
  NextUpdate: 2024-04-11 00:49:12.317761761 +0000 UTC
  DownloadedAt: 2024-04-08 22:56:58.568085 +0000 UTC


github-actions bot closed this as not planned Apr 10, 2024

omallo commented Apr 10, 2024

The SBOM generated by the Trivy Operator which produces the error: sbom-k8s-cluster.json
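A pre-check and workaround for the decode error reported above, added here as an example. It is not Trivy's code, not the Trivy Operator's, and not the reporter's attachment (which is not on this page). It reproduces the condition the decoder rejects at decode.go:114, more than one component of type "operating-system" anywhere in the component tree (nested components included), and then splits such a CycloneDX JSON file into one single-OS SBOM per node so each can be fed to `trivy sbom` separately. Assumptions: the sample cluster SBOM is constructed for the example; the split follows the `dependencies` graph from each OS component's `bom-ref`, on the assumption that the OS packages hang off the OS component via `dependsOn` (whether the Operator's cluster SBOM is arranged that way is not shown on the page); `metadata` is not carried into the split files; and the names `OSComponents`, `SplitByOS` and `sampleClusterSBOM` are the example's own.

```go
package main

import "encoding/json"
import "fmt"

type Component struct { // only the CycloneDX fields this check needs; the rest is ignored on decode
	BOMRef     string      `json:"bom-ref,omitempty"`
	Type       string      `json:"type"`
	Name       string      `json:"name"`
	Version    string      `json:"version,omitempty"`
	Components []Component `json:"components,omitempty"` // CycloneDX allows nesting
}
type Dependency struct {
	Ref       string   `json:"ref"`
	DependsOn []string `json:"dependsOn,omitempty"`
}
type BOM struct {
	BOMFormat    string       `json:"bomFormat"`
	SpecVersion  string       `json:"specVersion"`
	Components   []Component  `json:"components"`
	Dependencies []Dependency `json:"dependencies,omitempty"`
}

// Constructed sample shaped like a two-node cluster SBOM; not the reporter's attached file.
const sampleClusterSBOM = `{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  {"bom-ref": "node-a", "type": "device", "name": "node-a", "components": [
    {"bom-ref": "os-a", "type": "operating-system", "name": "ubuntu", "version": "22.04"}]},
  {"bom-ref": "node-b", "type": "device", "name": "node-b", "components": [
    {"bom-ref": "os-b", "type": "operating-system", "name": "ubuntu", "version": "20.04"}]},
  {"bom-ref": "pkg:deb/ubuntu/openssl@3.0.2", "type": "library", "name": "openssl", "version": "3.0.2"},
  {"bom-ref": "pkg:deb/ubuntu/openssl@1.1.1f", "type": "library", "name": "openssl", "version": "1.1.1f"}],
 "dependencies": [{"ref": "node-a", "dependsOn": ["os-a"]}, {"ref": "node-b", "dependsOn": ["os-b"]},
  {"ref": "os-a", "dependsOn": ["pkg:deb/ubuntu/openssl@3.0.2"]},
  {"ref": "os-b", "dependsOn": ["pkg:deb/ubuntu/openssl@1.1.1f"]}]}`

// flatten lists every component depth-first so OS components nested under a node are seen too.
func flatten(comps []Component) (out []Component) {
	for _, c := range comps {
		children := c.Components
		c.Components = nil
		out = append(out, c)
		out = append(out, flatten(children)...)
	}
	return out
}

// OSComponents returns the "operating-system" components; two or more of them is the
// condition behind Trivy's "multiple OS components are not supported" decode error.
func OSComponents(bom BOM) (oses []Component) {
	for _, c := range flatten(bom.Components) {
		if c.Type == "operating-system" {
			oses = append(oses, c)
		}
	}
	return oses
}

// SplitByOS emits one single-OS BOM per operating-system component: that component, everything
// reachable from its bom-ref via dependsOn, and the dependency entries for that set (assumed layout).
func SplitByOS(bom BOM) (out []BOM) {
	all := flatten(bom.Components)
	deps := map[string][]string{}
	for _, d := range bom.Dependencies {
		deps[d.Ref] = append(deps[d.Ref], d.DependsOn...)
	}
	for _, osc := range OSComponents(bom) {
		keep := map[string]bool{} // transitive closure over dependsOn, seeded with the OS ref
		for queue := []string{osc.BOMRef}; len(queue) > 0; queue = queue[1:] {
			if ref := queue[0]; ref != "" && !keep[ref] {
				keep[ref] = true
				queue = append(queue, deps[ref]...)
			}
		}
		sub := BOM{BOMFormat: bom.BOMFormat, SpecVersion: bom.SpecVersion, Components: []Component{osc}}
		for _, c := range all { // the OS component itself stays even when it has no bom-ref
			if c.BOMRef != "" && c.BOMRef != osc.BOMRef && keep[c.BOMRef] {
				sub.Components = append(sub.Components, c)
			}
		}
		for _, d := range bom.Dependencies {
			if keep[d.Ref] { // every dependsOn target of a kept ref is in keep by construction
				sub.Dependencies = append(sub.Dependencies, d)
			}
		}
		out = append(out, sub)
	}
	return out
}

func main() {
	var bom BOM
	if err := json.Unmarshal([]byte(sampleClusterSBOM), &bom); err != nil {
		panic(err)
	}
	for i, sub := range SplitByOS(bom) { // save each one to its own file and run `trivy sbom` on it
		b, _ := json.MarshalIndent(sub, "", " ")
		fmt.Printf("--- sbom-%d.json ---\n%s\n", i, b)
	}
}
```

Running `OSComponents` on the cluster file before calling `trivy sbom` gives the same verdict as the FATAL above, but as a count and a list of the offending components instead of a stack trace. The split is a stopgap, not a fix: it loses the cross-node view the single file gave, drops any component the closure does not reach from an OS component (for example application libraries hung off a node rather than off its OS), and carries no `metadata` root into the per-node files. The behaviour the issue asks for, the decoder accepting several OS components, can only come from Trivy itself.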
