Not picking up async vulnerability

[emcfins]

Description

We are scanning SBOMs with trivy. When we run trivy against an sbom containing "bom-ref": "pkg:npm/[email protected]", it's not picking up the vulnerability https://avd.aquasec.com/nvd/2021/cve-2021-43138/

Desired Behavior

That trivy would report the cve-2021-43138 vulnerability

Actual Behavior

No vulnerability found:

{
  "SchemaVersion": 2,
  "CreatedAt": "2024-10-10T16:39:25.165081-04:00",
  "ArtifactName": "sbom.json",
  "ArtifactType": "cyclonedx",
  "Metadata": {
    "ImageConfig": {
      "architecture": "",
      "created": "0001-01-01T00:00:00Z",
      "os": "",
      "rootfs": {
        "type": "",
        "diff_ids": null
      },
      "config": {}
    }
  },
  "Results": [
    {
      "Target": "Node.js",
      "Class": "lang-pkgs",
      "Type": "node-pkg"
    }
  ]
}

Reproduction Steps

1. Create an SBOM continaing only npm package [email protected]

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:1439b3de-d893-4176-b0b8-8b8685f306c0",
  "version": 1,
  "metadata": {
    "timestamp": "2024-10-03T19:58:16.351Z",
    "tools": [
      {
        "vendor": "cyclonedx",
        "name": "cdxgen",
        "version": "10.2.6"
      }
    ],
    "authors": [
      {
        "name": "OWASP Foundation"
      }
    ],
    "component": {}
  },
  "components": [
    {
      "group": "",
      "name": "async",
      "version": "1.5.2",
      "description": "Higher-order functions and common patterns for asynchronous code",
      "scope": "optional",
      "hashes": [
        {
          "alg": "SHA-512",
          "content": "9d2560a1b938aefeb547d3d4483b58b7b98f541da8971351e51589700b07ebbebf79fd756d4670beeefe44662b61ab957433dc3b9d7dbfaf304615d0b71b15f7"
        }
      ],
      "licenses": [
        {
          "license": {
            "id": "MIT",
            "url": "https://opensource.org/licenses/MIT"
          }
        }
      ],
      "purl": "pkg:npm/[email protected]",
      "externalReferences": [
        {
          "type": "vcs",
          "url": "https://caolan.github.io/async/"
        },
        {
          "type": "vcs",
          "url": "git+https://github.com/caolan/async.git"
        }
      ],
      "type": "library",
      "bom-ref": "pkg:npm/[email protected]",
      "properties": [
        {
          "name": "SrcFile",
          "value": "/codebuild/output/src1383479295/src/source/lambda/es-proxy-layer/package-lock.json"
        },
        {
          "name": "ResolvedUrl",
          "value": "https://registry.npmjs.org/async/-/async-1.5.2.tgz"
        }
      ]
    }
  ]
}

2. Run trivy
   trivy sbom -d -f json --output trivy.json sbom.json
3. View trivy.json output
   ...

### Target

SBOM

### Scanner

Vulnerability

### Output Format

JSON

### Mode

Standalone

### Debug Output

```bash
2024-10-10T16:39:25-04:00	DEBUG	Cache dir	dir="/Users/erinmc/Library/Caches/trivy"
2024-10-10T16:39:25-04:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-10-10T16:39:25-04:00	DEBUG	Ignore statuses	statuses=[]
2024-10-10T16:39:25-04:00	DEBUG	DB update was skipped because the local DB is the latest
2024-10-10T16:39:25-04:00	DEBUG	DB info	schema=2 updated_at=2024-10-10T18:15:53.971115871Z next_update=2024-10-11T18:15:53.97111559Z downloaded_at=2024-10-10T20:28:34.669996Z
2024-10-10T16:39:25-04:00	INFO	Vulnerability scanning is enabled
2024-10-10T16:39:25-04:00	DEBUG	Vulnerability type	type=[os library]
2024-10-10T16:39:25-04:00	DEBUG	Enabling misconfiguration scanners	scanners=[]
2024-10-10T16:39:25-04:00	DEBUG	Initializing scan cache...	type="memory"
2024-10-10T16:39:25-04:00	INFO	Detected SBOM format	format="cyclonedx-json"
2024-10-10T16:39:25-04:00	DEBUG	Unmarshalling CycloneDX JSON...
2024-10-10T16:39:25-04:00	WARN	Third-party SBOM may lead to inaccurate vulnerability detection
2024-10-10T16:39:25-04:00	WARN	Recommend using Trivy to generate SBOMs
2024-10-10T16:39:25-04:00	WARN	Unsupported hash algorithm	algorithm="SHA-512"
2024-10-10T16:39:25-04:00	DEBUG	OS is not detected.
2024-10-10T16:39:25-04:00	DEBUG	Detected OS: unknown
2024-10-10T16:39:25-04:00	INFO	Number of language-specific files	num=1
2024-10-10T16:39:25-04:00	INFO	[node-pkg] Detecting vulnerabilities...
2024-10-10T16:39:25-04:00	DEBUG	[node-pkg] Scanning packages for vulnerabilities	file_path=""

Operating System

macOS

Version

Version: 0.53.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-10-10 18:15:53.971115871 +0000 UTC
  NextUpdate: 2024-10-11 18:15:53.97111559 +0000 UTC
  DownloadedAt: 2024-10-10 20:28:34.669996 +0000 UTC

Checklist

• Run trivy clean --all
• Read the troubleshooting

[knqyf263]

v1.5.2 is not affected. If you think the advisory is wrong, please ask GitHub to fix it.
GHSA-fwr7-v2mv-hh25

[abhirpat]

Posted https://github.com/orgs/community/discussions/141203