[Trivy] Support for properties

[fnxpt]

Current Behavior

Currently when scanning with trivy analyser we are not able to pass properties from sbom since they are not stored

Proposed Behavior

As soon as #2560 is fixed we can use these properties in #3251

Checklist

• I have read and understand the contributing guidelines
• I have checked the existing issues for whether this enhancement was already requested

[nscuro]

@fnxpt Did you do some testing by chance as per what properties specifically need to be provided?

I added an integration test here that documents the current state of things:

dependency-track/src/test/java/org/dependencytrack/tasks/scanners/TrivyAnalysisTaskIntegrationTest.java

Lines 128 to 193 in 91afc7d

	/**
	* This test documents the case where Trivy is unable to correlate a package with vulnerabilities
	* in its database, unless additional properties are provided. When including libc6 in an SBOM,
	* Trivy adds metadata to the component, which among other things includes alternative package names.
	* <p>
	* Here's an excerpt of the properties included:
	* <pre>
	* "properties": [
	* {
	* "name": "aquasecurity:trivy:LayerDiffID",
	* "value": "sha256:256d88da41857db513b95b50ba9a9b28491b58c954e25477d5dad8abb465430b"
	* },
	* {
	* "name": "aquasecurity:trivy:LayerDigest",
	* "value": "sha256:43f89b94cd7df92a2f7e565b8fb1b7f502eff2cd225508cbd7ea2d36a9a3a601"
	* },
	* {
	* "name": "aquasecurity:trivy:PkgID",
	* "value": "[email protected]"
	* },
	* {
	* "name": "aquasecurity:trivy:PkgType",
	* "value": "ubuntu"
	* },
	* {
	* "name": "aquasecurity:trivy:SrcName",
	* "value": "glibc"
	* },
	* {
	* "name": "aquasecurity:trivy:SrcRelease",
	* "value": "0ubuntu3.4"
	* },
	* {
	* "name": "aquasecurity:trivy:SrcVersion",
	* "value": "2.35"
	* }
	* ]
	* </pre>
	* <p>
	* To reproduce, run:
	* <pre>
	* docker run -it --rm aquasec/trivy image --format cyclonedx registry.hub.knime.com/knime/knime-full:r-5.1.2-433
	* </pre>
	*
	* @see <a href="https://github.com/DependencyTrack/dependency-track/issues/2560">Add support for CycloneDX component properties</a>
	* @see <a href="https://github.com/DependencyTrack/dependency-track/issues/3369">Support component properties with Trivy</a>
	*/
	@Test
	public void testWithUnrecognizedPackageName() {
	final var project = new Project();
	project.setName("acme-app");
	qm.persist(project);
	final var componentA = new Component();
	componentA.setProject(project);
	componentA.setName("libc6");
	componentA.setVersion("2.35-0ubuntu3.4");
	componentA.setClassifier(Classifier.LIBRARY);
	componentA.setPurl("pkg:deb/ubuntu/[email protected]?arch=amd64&distro=ubuntu-22.04");
	qm.persist(componentA);
	final var analysisEvent = new TrivyAnalysisEvent(List.of(componentA));
	new TrivyAnalysisTask().inform(analysisEvent);
	assertThat(qm.getAllVulnerabilities(componentA)).isEmpty();
	}

I played around with sending the listed properties to Trivy, but even when I send them all, I don't get any vulnerabilities.

[fnxpt]

Im not passing the properties yet... the test I did was simple sending it manually to trivy

[nscuro]

Yes I meant manual testing.

When I tested yesterday I modified the code accordingly.

[fnxpt]

I need to double check it... not sure if I will be able to do it today, but for sure tomorrow

[nscuro]

Thanks, but no need to sweat it.

I was hoping to close this gap before the 4.11 release. Adding support for component properties isn't that much work. There is a pending PR from a contributor that brings us 80% there. So if we can proof that forwarding properties works as expected, I can add this capability.

[github-actions]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.