--vuln-type not respected when using --format cyclonedx

[marcrohlfs]

Description

The vulnerability types option is not respected when generating a report in the CycloneDX format. I'd expect equal behavior regardless the selected output format. Interesting enough, the skip files is respected with CycloneDX format.

After putting all information together I noticed the information ["cyclonedx" "spdx" "spdx-json" "github"] automatically enables '--list-all-pkgs' in the debug output. This explains it. However, I still consider it rather a bug than a feature enhancement request, because the behavior of --skip-files and --skip-dirs is inconsistent to the behavior when reducing the scope with --vuln-type - and IMHO there're good reasons to omit especially OS parts in an SBOM.

Desired Behavior

With --vuln-type library --format cyclonedx, the resulting SBOM should not contain OS packages.

Actual Behavior

With --vuln-type library --format cyclonedx, the resulting SBOM contains OS packages.

Reproduction Steps

Execute the following commands:


trivy image --format json \
            solr:8.11.2 > solr_all.json
trivy image --format json \
            --vuln-type library \
            solr:8.11.2 > solr_no-os.json
trivy image --format json \
            --vuln-type library \
            --skip-dirs 'opt/solr-8.11.2/contrib' \
            solr:8.11.2 > solr_no-os_no-contrib.json

trivy image --format cyclonedx \
            solr:8.11.2 > solr_all.cdx
trivy image --format cyclonedx \
            --vuln-type library \
            solr:8.11.2 > solr_no-os.cdx
trivy image --format cyclonedx \
            --vuln-type library \
            --skip-dirs 'opt/solr-8.11.2/contrib' \
            solr:8.11.2 > solr_no-os_no-contrib.cdx


The result files contain the following information:
* `solr_all.json`: the reported CVEs for all OS and library packages
* `solr_no-os.json`: the reported CVEs for library packages
* `solr_no-os_no-contrib.json`: the reported CVEs for non-contrib library packages
* `solr_all.cdx`: all OS and library packages
* `solr_no-os.cdx`: all OS and library packages (OS packages should be missing)
* `solr_no-os_no-contrib.cdx`: all OS and non-contrib library packages (OS packages should be missing)

Target

Container Image

Scanner

None

Output Format

None

Mode

Standalone

Debug Output

# I'm actually useing Docker to call Trivy
docker run --rm --pull always \
    --volume /var/run/docker.sock:/var/run/docker.sock \
    --volume ${HOME}/.cache:/root/.cache \
    aquasec/trivy:latest image --debug \
        --format cyclonedx \
        --vuln-type library \
        --skip-dirs 'opt/solr-8.11.2/contrib' \
        solr:8.11.2 > ~/Downloads/solr_no-os_no-contrib.cdx
latest: Pulling from aquasec/trivy
Digest: sha256:91494b87ddc64f62860d52997532643956c24eeee0d0dda317d563c28c8581bc
Status: Image is up to date for aquasec/trivy:latest
2024-02-28T14:46:29.501Z	DEBUG	["cyclonedx" "spdx" "spdx-json" "github"] automatically enables '--list-all-pkgs'.
2024-02-28T14:46:29.501Z	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-02-28T14:46:29.501Z	DEBUG	Ignore statuses	{"statuses": null}
2024-02-28T14:46:29.502Z	INFO	"--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.
2024-02-28T14:46:29.525Z	DEBUG	cache dir:  /root/.cache/trivy
2024-02-28T14:46:29.525Z	DEBUG	Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan]
2024-02-28T14:46:34.605Z	DEBUG	The nuget packages directory couldn't be found. License search disabled
2024-02-28T14:46:36.885Z	DEBUG	Image ID: sha256:a1ad3bf411d11c487bfb2be3dc2fdf34902a9ed3c6f06c7d09a8b66151e6d7e2
2024-02-28T14:46:36.885Z	DEBUG	Diff IDs: [sha256:28da0445c4497f3ecb56288bd74d91ed1ff6f86578d1d0f6f9cb2781915163b1 sha256:280a35f8a8e51d852025d3abcbe2f4c114cdac749182d5fef3fa1a4090c9651c sha256:b03e66cb04daa54c8c9417728b78d19e535d677074e144583b418ab55986f887 sha256:5a552a1e1b0bb876b3cc62630170f4bebef8e869f0da26c4292275cea3ccd850 sha256:278b866edee309e22d1334df12d2d5665adf6293a896760af43eae218316d012 sha256:7cec6af2699592dbcbefc8ff74c19f07a453db55199f2cccd5e0b09c6544e6c3 sha256:33d72560c37bb26cb0765c07923dc2719dcc5893ef7ec5d449499bf86e7578bb sha256:368c960c196d99f6858c3bd45a648498e6adf16fbbcdf5f5128b0db0903432a8 sha256:1bac6302a39a1cc5dc212724616a120f18b552e5ec909608e9a91a79e9b73fe2 sha256:b43be59c69b1ff2a562e7d7c862147c8baaad5575ad84a1cbec6d2348681a2f8 sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef]
2024-02-28T14:46:36.885Z	DEBUG	Base Layers: [sha256:28da0445c4497f3ecb56288bd74d91ed1ff6f86578d1d0f6f9cb2781915163b1]

Operating System

masOS Sonoma 14.3

Version

docker run --rm --pull always \
    --volume /var/run/docker.sock:/var/run/docker.sock \
    --volume ${HOME}/.cache:/root/.cache \
    aquasec/trivy:latest --version
latest: Pulling from aquasec/trivy
Digest: sha256:91494b87ddc64f62860d52997532643956c24eeee0d0dda317d563c28c8581bc
Status: Image is up to date for aquasec/trivy:latest
Version: 0.49.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-02-28 12:12:32.936085885 +0000 UTC
  NextUpdate: 2024-02-28 18:12:32.936085544 +0000 UTC
  DownloadedAt: 2024-02-28 13:47:51.520458 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-02-28 00:44:04.306870032 +0000 UTC
  NextUpdate: 2024-03-02 00:44:04.306869842 +0000 UTC
  DownloadedAt: 2024-02-28 14:04:08.920175 +0000 UTC

Checklist

• Run trivy image --reset
• Read the troubleshooting

[DmitriyLewen]

Hello @marcrohlfs
Thanks for your report!

--vuln-type only works for Vulnerabilities and has no effect on Packages.
This is why this flag doesn't work on all formats that use "Packets".
But you are right. Perhaps we need think about expanding scope of this flag (possibly renaming it to avoid confusion).
@knqyf263 wdyt?

[knqyf263]

It's a good point. The flag was added in v0.0.1 even before SBOM. It makes sense to add support for packages.

[DmitriyLewen]

Created #6269 for this task.