trivy sbom supporting hierarchical sboms

[dpkano]

Question

I'm trying to merge multiple trivy generated SBOMs with cyclonedx clis by running:

cyclonedx-linux-x64 merge --input-files gomod.trivy.sbom.json container.trivy_image.sbom.json --input-format json --output-format json --output-version=v1_6 --output-file the-component.merged.json --hierarchical --name the-component-name --version 1.2 --group the-component-group

This command generates something like this:

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:d4830479...",
  "version": 1,
  "metadata": {
    "tools": {
      "components": [
        {
          "type": "application",
          "group": "aquasecurity",
          "name": "trivy",
          "version": "0.51.1"
        }
      ]
    },
    "component": {
      "type": "application",
      "bom-ref": "[email protected]",
      "group": "the-component-group",
      "name": "the-component-name",
      "version": "1.2"
    }
  },
  "components": [
    {
      "type": "application",
      "bom-ref": "go.mod@:204b3d0c-...",
      "name": "go.mod",
      "properties": [
        {
          "name": "aquasecurity:trivy:SchemaVersion",
          "value": "2"
        }
      ],
      "components": [
	  ... The go.mod components
	  ]
	},
    {
      "type": "container",
      "bom-ref": "[the container image ref]",
      "name": "[the container image name]",
      "properties": [
	    ...
		the container image layers
		...
      ],
      "components": [
	  ... The container image components
	  ]
	}
  ],
  ...

There's a component list within a component. With this configuration, trivy can't identify the components by running:

 $ trivy sbom the-component.merged.json
2024-10-14T11:20:00+01:00       INFO    [vuln] Vulnerability scanning is enabled
2024-10-14T11:20:00+01:00       INFO    Detected SBOM format    format="cyclonedx-json"
2024-10-14T11:20:00+01:00       INFO    Number of language-specific files       num=0

Is this a bug or a known limitation?

Target

SBOM

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Operating System

Linux / Ubuntu 22.04.5 LTS

Version

Version: 0.56.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-10-14 00:19:40.198722045 +0000 UTC
  NextUpdate: 2024-10-15 00:19:40.198721795 +0000 UTC
  DownloadedAt: 2024-10-14 10:16:17.637913275 +0000 UTC
Check Bundle:
  Digest: sha256:ae151c4eecf35c507d8f866121ddfbf46540b041bc7bca7cdd8d9f70ceb6f12c
  DownloadedAt: 2024-10-08 18:08:15.709839562 +0000 UTC

[DmitriyLewen]

Hello @dpkano

Trivy doesn't currently support nested components.

[dpkano]

Hi @DmitriyLewen, thank you for your reply.
Does trivy have any plans to support it?

[DmitriyLewen]

You are the first to ask about this.
There are currently no plans to add this option, and I am also not sure it will be easy to implement for the current Trivy structure.

[dpkano]

oh. that's fine. I was evaluating ways to organize my SBOMs and the nested way seemed a better way to merge SBOMs and keep each part isolated from each other. But the flat version seems to work for what I need too.