Trivy to recognize system packages listed on multiple SBOMs #8314
juan131
started this conversation in
Development
Replies: 2 comments
-
|
I did some investigation and adding the debug log below... diff --git a/pkg/fanal/analyzer/sbom/sbom.go b/pkg/fanal/analyzer/sbom/sbom.go
index 20a069d5..3415e14d 100644
--- a/pkg/fanal/analyzer/sbom/sbom.go
+++ b/pkg/fanal/analyzer/sbom/sbom.go
@@ -60,6 +60,17 @@ func (a sbomAnalyzer) Analyze(ctx context.Context, input analyzer.AnalysisInput)
}
}
+ log.Debugf("There are %d OS packages in the %s SBOM", len(bom.Packages), input.FilePath)
+ for i, osPkg := range bom.Packages {
+ for j, pkg := range osPkg.Packages {
+ log.DebugContext(ctx, "OS package contains package",
+ log.String("pkg_name", pkg.Name),
+ log.String("pkg_version", pkg.Version),
+ log.String("pkg_path", pkg.FilePath))
+ bom.Packages[i].Packages[j].FilePath = input.FilePath
+ }
+ }
+
return &analyzer.AnalysisResult{
PackageInfos: bom.Packages,
Applications: bom.Applications,... we can see that Trivy is detecting every SBOM file: $ trivy --debug image docker.io/juanariza131/static:multispdx
(...)
DEBUG There are 1 OS packages in the opt/bitnami/debian/.spdx-ca-certificates.spdx SBOM
DEBUG OS package contains package file_path="opt/bitnami/debian/.spdx-ca-certificates.spdx" pkg_name="ca-certificates" pkg_version="20230311" pkg_path=""
DEBUG There are 1 OS packages in the opt/bitnami/debian/.spdx-tzdata.spdx SBOM
DEBUG OS package contains package file_path="opt/bitnami/debian/.spdx-tzdata.spdx" pkg_name="tzdata" pkg_version="2024b-0+deb12u1" pkg_path=""
DEBUG There are 1 OS packages in the opt/bitnami/debian/.spdx-netbase.spdx SBOM
DEBUG OS package contains package file_path="opt/bitnami/debian/.spdx-netbase.spdx" pkg_name="netbase" pkg_version="6.4" pkg_path=""
(...)But it seems that later on the duplicate filter or sth like that is discarding all but one of them. |
Beta Was this translation helpful? Give feedback.
0 replies
-
|
cc @knqyf263 |
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
At Bitnami we're working on new "minimal containers" (similar to distroless concept) that can be serve as base images for developer that wants minimal runtime dependencies. As we do for the rest of Bitnami images, we're including SBOM on the images that we generate at build time. Here you have a simplified version of how we build
bitnami/static(an image designed to be used as base image for statically compiled applications):install-trivy.shinstalls latest trivy version.prepare-rootfs.shcopies to/rootfsthe directories & files that will be part of the final image. Some examples are:/etc/debian_version,/etc/localtime,/etc/ssl/certs/ca-certificates.crt,/usr/share/zoneinfo, etc.generate-spdx.shgenerates the/opt/bitnami/debian/.spdx-debian.spdxfile below:{ "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "host", "documentNamespace": "http://aquasecurity.github.io/trivy/filesystem/host-3e5964b1-bba8-428c-9736-52d28efe2b84", "creationInfo": { "creators": [ "Organization: aquasecurity", "Tool: trivy-0.58.1" ], "created": "2025-01-30T10:58:46Z" }, "packages": [ { "name": "ca-certificates", "SPDXID": "SPDXRef-Package-c1d4029824045f75", "versionInfo": "20230311", "supplier": "Organization: Julien Cristau <[email protected]>", "downloadLocation": "NONE", "filesAnalyzed": false, "sourceInfo": "built package from: ca-certificates 20230311", "licenseConcluded": "GPL-2.0-or-later AND GPL-2.0-only AND MPL-2.0", "licenseDeclared": "GPL-2.0-or-later AND GPL-2.0-only AND MPL-2.0", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:deb/debian/ca-certificates@20230311?arch=all&distro=debian-12.9" } ], "primaryPackagePurpose": "LIBRARY" }, { "name": "netbase", "SPDXID": "SPDXRef-Package-36377cefe0d2b8a9", "versionInfo": "6.4", "supplier": "Organization: Marco d'Itri <[email protected]>", "downloadLocation": "NONE", "filesAnalyzed": false, "sourceInfo": "built package from: netbase 6.4", "licenseConcluded": "GPL-2.0-only", "licenseDeclared": "GPL-2.0-only", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:deb/debian/[email protected]?arch=all&distro=debian-12.9" } ], "primaryPackagePurpose": "LIBRARY" }, { "name": "tzdata", "SPDXID": "SPDXRef-Package-c55bc333f2f4b230", "versionInfo": "2024b-0+deb12u1", "supplier": "Organization: GNU Libc Maintainers <[email protected]>", "downloadLocation": "NONE", "filesAnalyzed": false, "checksums": [ { "algorithm": "SHA256", "checksumValue": "9426e641cdcea0b890fa270930e2577c71ce2085c445e058b08870b2adee554d" } ], "sourceInfo": "built package from: tzdata 2024b-0+deb12u1", "licenseConcluded": "public-domain", "licenseDeclared": "public-domain", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:deb/debian/tzdata@2024b-0%2Bdeb12u1?arch=all&distro=debian-12.9" } ], "primaryPackagePurpose": "LIBRARY" }, { "name": "debian", "SPDXID": "SPDXRef-OperatingSystem-23c1e7dfb45d904f", "versionInfo": "12.9", "downloadLocation": "NONE", "filesAnalyzed": false, "primaryPackagePurpose": "OPERATING-SYSTEM" } ], "relationships": [ { "spdxElementId": "SPDXRef-OperatingSystem-23c1e7dfb45d904f", "relatedSpdxElement": "SPDXRef-Package-c1d4029824045f75", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-OperatingSystem-23c1e7dfb45d904f", "relatedSpdxElement": "SPDXRef-Package-36377cefe0d2b8a9", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-OperatingSystem-23c1e7dfb45d904f", "relatedSpdxElement": "SPDXRef-Package-c55bc333f2f4b230", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-OperatingSystem-23c1e7dfb45d904f", "relationshipType": "DESCRIBES" } ] }I also published the image in my local DockerHub in case you want to try it:
docker.io/juanariza131/static:latest. You can run the command below to see that everything works as expected:Our issue comes when we generate N SPDX files (N>1) because we split the build process on several steps. I published another image (
docker.io/juanariza131/static:multispdx) that has 3 SPDX files under/opt/bitnami/debian:.spdx-ca-certificates.spdx:{ "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "host", "documentNamespace": "http://aquasecurity.github.io/trivy/filesystem/host-1022538e-83fe-4aa7-8718-a78839114c83", "creationInfo": { "creators": [ "Organization: aquasecurity", "Tool: trivy-0.58.1" ], "created": "2025-01-30T11:30:05Z" }, "packages": [ { "name": "ca-certificates", "SPDXID": "SPDXRef-Package-c1d4029824045f75", "versionInfo": "20230311", "supplier": "Organization: Julien Cristau <[email protected]>", "downloadLocation": "NONE", "filesAnalyzed": false, "sourceInfo": "built package from: ca-certificates 20230311", "licenseConcluded": "GPL-2.0-or-later AND GPL-2.0-only AND MPL-2.0", "licenseDeclared": "GPL-2.0-or-later AND GPL-2.0-only AND MPL-2.0", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:deb/debian/ca-certificates@20230311?arch=all&distro=debian-12.9" } ], "primaryPackagePurpose": "LIBRARY" }, { "name": "debian", "SPDXID": "SPDXRef-OperatingSystem-23c1e7dfb45d904f", "versionInfo": "12.9", "downloadLocation": "NONE", "filesAnalyzed": false, "primaryPackagePurpose": "OPERATING-SYSTEM" } ], "relationships": [ { "spdxElementId": "SPDXRef-OperatingSystem-23c1e7dfb45d904f", "relatedSpdxElement": "SPDXRef-Package-c1d4029824045f75", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-OperatingSystem-23c1e7dfb45d904f", "relationshipType": "DESCRIBES" } ] }.spdx-netbase.spdx:{ "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "host", "documentNamespace": "http://aquasecurity.github.io/trivy/filesystem/host-b414da56-5725-43ac-afe3-b72cc5346b6b", "creationInfo": { "creators": [ "Organization: aquasecurity", "Tool: trivy-0.58.1" ], "created": "2025-01-30T11:30:06Z" }, "packages": [ { "name": "netbase", "SPDXID": "SPDXRef-Package-36377cefe0d2b8a9", "versionInfo": "6.4", "supplier": "Organization: Marco d'Itri <[email protected]>", "downloadLocation": "NONE", "filesAnalyzed": false, "sourceInfo": "built package from: netbase 6.4", "licenseConcluded": "GPL-2.0-only", "licenseDeclared": "GPL-2.0-only", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:deb/debian/[email protected]?arch=all&distro=debian-12.9" } ], "primaryPackagePurpose": "LIBRARY" }, { "name": "debian", "SPDXID": "SPDXRef-OperatingSystem-23c1e7dfb45d904f", "versionInfo": "12.9", "downloadLocation": "NONE", "filesAnalyzed": false, "primaryPackagePurpose": "OPERATING-SYSTEM" } ], "relationships": [ { "spdxElementId": "SPDXRef-OperatingSystem-23c1e7dfb45d904f", "relatedSpdxElement": "SPDXRef-Package-36377cefe0d2b8a9", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-OperatingSystem-23c1e7dfb45d904f", "relationshipType": "DESCRIBES" } ] }.spdx-tzdata.spdx:{ "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "host", "documentNamespace": "http://aquasecurity.github.io/trivy/filesystem/host-d4948e50-9c96-41c6-9d35-21904d86f818", "creationInfo": { "creators": [ "Organization: aquasecurity", "Tool: trivy-0.58.1" ], "created": "2025-01-30T11:30:06Z" }, "packages": [ { "name": "tzdata", "SPDXID": "SPDXRef-Package-c55bc333f2f4b230", "versionInfo": "2024b-0+deb12u1", "supplier": "Organization: GNU Libc Maintainers <[email protected]>", "downloadLocation": "NONE", "filesAnalyzed": false, "checksums": [ { "algorithm": "SHA256", "checksumValue": "9426e641cdcea0b890fa270930e2577c71ce2085c445e058b08870b2adee554d" } ], "sourceInfo": "built package from: tzdata 2024b-0+deb12u1", "licenseConcluded": "public-domain", "licenseDeclared": "public-domain", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:deb/debian/tzdata@2024b-0%2Bdeb12u1?arch=all&distro=debian-12.9" } ], "primaryPackagePurpose": "LIBRARY" }, { "name": "debian", "SPDXID": "SPDXRef-OperatingSystem-23c1e7dfb45d904f", "versionInfo": "12.9", "downloadLocation": "NONE", "filesAnalyzed": false, "primaryPackagePurpose": "OPERATING-SYSTEM" } ], "relationships": [ { "spdxElementId": "SPDXRef-OperatingSystem-23c1e7dfb45d904f", "relatedSpdxElement": "SPDXRef-Package-c55bc333f2f4b230", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-OperatingSystem-23c1e7dfb45d904f", "relationshipType": "DESCRIBES" } ] }If we run the same command:
You'll find out that only the
tzdatapackage is listed (netbaseandca-certificatesare filtered out)Beta Was this translation helpful? Give feedback.
All reactions