bug(cyclonedx): Trivy image scan reports and counts the same CVE for the same package multiple times

[DmitriyLewen]

Discussed in #5788

^{Originally posted by LesSyner December 15, 2023}

Description

Trivy sometimes reports the same CVE for te same package multiple times (in single scan) resulting in incorrect number of CVEs for image.

Desired Behavior

trivy should report the same CVE for the same package only once

Actual Behavior

trivy reports multiple CVEs when in fact it's single occurance. Here is an example:

{
  "id": "CVE-2023-44981",
  "source": {
    "name": "ghsa",
    "url": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
  },
  "ratings": [
    {
      "source": {
        "name": "bitnami"
      },
      "score": 9.1,
      "severity": "critical",
      "method": "CVSSv31",
      "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
    },
    {
      "source": {
        "name": "ghsa"
      },
      "score": 9.1,
      "severity": "critical",
      "method": "CVSSv31",
      "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
    },
    {
      "source": {
        "name": "nvd"
      },
      "score": 9.1,
      "severity": "critical",
      "method": "CVSSv31",
      "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
    },
    {
      "source": {
        "name": "redhat"
      },
      "score": 9.1,
      "severity": "critical",
      "method": "CVSSv31",
      "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
    }
  ],
  "cwes": [
    639
  ],
  "description": "Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper. If SASL Quorum Peer authentication is enabled in ZooKeeper (quorum.auth.enableSasl=true), the authorization is done by verifying that the instance part in SASL authentication ID is listed in zoo.cfg server list. The instance part in SASL auth ID is optional and if it's missing, like '[email protected]', the authorization check will be skipped. As a result an arbitrary endpoint could join the cluster and begin propagating counterfeit changes to the leader, essentially giving it complete read-write access to the data tree. Quorum Peer authentication is not enabled by default.\n\nUsers are recommended to upgrade to version 3.9.1, 3.8.3, 3.7.2, which fixes the issue.\n\nAlternately ensure the ensemble election/quorum communication is protected by a firewall as this will mitigate the issue.\n\nSee the documentation for more details on correct cluster administration.\n",
  "recommendation": "Upgrade org.apache.zookeeper:zookeeper to version 3.7.2, 3.8.3, 3.9.1",
  "advisories": [
    {
      "url": "https://avd.aquasec.com/nvd/cve-2023-44981"
    },
    {
      "url": "http://www.openwall.com/lists/oss-security/2023/10/11/4"
    },
    {
      "url": "https://access.redhat.com/security/cve/CVE-2023-44981"
    },
    {
      "url": "https://github.com/apache/zookeeper"
    },
    {
      "url": "https://lists.apache.org/thread/wf0yrk84dg1942z1o74kd8nycg6pgm5b"
    },
    {
      "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00029.html"
    },
    {
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44981"
    },
    {
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-44981"
    },
    {
      "url": "https://www.debian.org/security/2023/dsa-5544"
    }
  ],
  "published": "2023-10-11T12:15:00+00:00",
  "updated": "2023-11-01T07:15:00+00:00",
  "affects": [
    {
      "ref": "pkg:maven/org.apache.zookeeper/[email protected]?file_path=usr%2Fshare%2Fjava%2Fconfluent-control-center%2Fzookeeper-3.6.3.jar",
      "versions": [
        {
          "version": "3.6.3",
          "status": "affected"
        }
      ]
    },
    {
      "ref": "pkg:maven/org.apache.zookeeper/[email protected]?file_path=usr%2Fshare%2Fjava%2Fconfluent-control-center%2Fzookeeper-3.6.3.jar",
      "versions": [
        {
          "version": "3.6.3",
          "status": "affected"
        }
      ]
    },
    {
      "ref": "pkg:maven/org.apache.zookeeper/[email protected]?file_path=usr%2Fshare%2Fjava%2Fconfluent-control-center%2Fzookeeper-3.6.3.jar",
      "versions": [
        {
          "version": "3.6.3",
          "status": "affected"
        }
      ]
    },
    {
      "ref": "pkg:maven/org.apache.zookeeper/[email protected]?file_path=usr%2Fshare%2Fjava%2Fconfluent-control-center%2Fzookeeper-3.6.3.jar",
      "versions": [
        {
          "version": "3.6.3",
          "status": "affected"
        }
      ]
    },
    {
      "ref": "pkg:maven/org.apache.zookeeper/[email protected]?file_path=usr%2Fshare%2Fjava%2Fconfluent-control-center%2Fzookeeper-3.6.3.jar",
      "versions": [
        {
          "version": "3.6.3",
          "status": "affected"
        }
      ]
    }
  ]
},

Reproduction Steps

1. trivy image --ignore-unfixed confluentinc/cp-schema-registry:7.5.2 --scanners vuln --severity CRITICAL -f cyclonedx

Target

Container Image

Scanner

Vulnerability

Output Format

CycloneDX

Mode

Standalone

Debug Output

2023-12-15T10:36:47.504+0100	DEBUG	["cyclonedx" "spdx" "spdx-json" "github"] automatically enables '--list-all-pkgs'.
2023-12-15T10:36:47.505+0100	DEBUG	Severities: ["CRITICAL"]
2023-12-15T10:36:47.506+0100	DEBUG	Ignore statuses	{"statuses": ["unknown","not_affected","affected","under_investigation","will_not_fix","fix_deferred","end_of_life"]}
2023-12-15T10:36:47.523+0100	DEBUG	cache dir:  /Users/test/Library/Caches/trivy
2023-12-15T10:36:47.523+0100	DEBUG	DB update was skipped because the local DB is the latest
2023-12-15T10:36:47.523+0100	DEBUG	DB Schema: 2, UpdatedAt: 2023-12-15 06:10:50.163004975 +0000 UTC, NextUpdate: 2023-12-15 12:10:50.163004594 +0000 UTC, DownloadedAt: 2023-12-15 09:18:37.448303 +0000 UTC
2023-12-15T10:36:47.524+0100	INFO	Vulnerability scanning is enabled
2023-12-15T10:36:47.524+0100	DEBUG	Vulnerability type:  [os library]
2023-12-15T10:36:47.524+0100	DEBUG	Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan]
2023-12-15T10:36:49.274+0100	DEBUG	The nuget packages directory couldn't be found. License search disabled
2023-12-15T10:36:49.454+0100	DEBUG	Image ID: sha256:9c75bce947731d3ed3fba8e9f3d4646b2d15c3036f6d9062c5c4dd275a5045cc
2023-12-15T10:36:49.454+0100	DEBUG	Diff IDs: [sha256:1053d00b8e292c8a36bef630a0f4977b29da4e2fd60ac9425e0fcd1f7c1108d5 sha256:2784298e924345d0daf7eed5793662efbeb830bd3f83bc1bdf58dacf7a266477 sha256:e6074c53f57ac4a6c1163951950677943cf3608a3e79b400961eac20e44631d3 sha256:cf101d0177010a1169bd2c88481fa1086ee4eaf8f2433ccb431c657c3aa645e9 sha256:04394050f85b15adb4e989d29cbeaa2823aeec2928e1f17619a7fe83880ffcb7 sha256:f2f1f826c954809927a3684e569272533a951c885163b65efa2d021fb0d60759 sha256:9ab333f76a764635010e0f6872a40a21ce4f678a189689f2d6ec197d0880482f sha256:905c75c815e0a8cda612ef911e8a58eb3b34ed202f743cf847ced2850cd9bee7 sha256:d43f08d70ed9b8566f13578e2ab55a2697b7292dd1fccf107b28b007e877ca5a sha256:2b5c9ac251e65f3863a1c284b0b33bfc09deaf038f7d2a52997149b17daaf16e sha256:55d28c8a35a4f7d553aed857bba92f60f53bd38271d486166e6eb57e068e1871]
2023-12-15T10:36:49.454+0100	DEBUG	Base Layers: []
2023-12-15T10:36:49.575+0100	INFO	Detected OS: redhat
2023-12-15T10:36:49.575+0100	INFO	Detecting RHEL/CentOS vulnerabilities...
2023-12-15T10:36:49.575+0100	DEBUG	Red Hat: os version: 8
2023-12-15T10:36:49.575+0100	DEBUG	Red Hat: the number of packages: 188
2023-12-15T10:36:49.632+0100	INFO	Number of language-specific files: 2
2023-12-15T10:36:49.632+0100	INFO	Detecting python-pkg vulnerabilities...
2023-12-15T10:36:49.632+0100	DEBUG	Detecting library vulnerabilities, type: python-pkg, path: 
2023-12-15T10:36:49.635+0100	INFO	Detecting jar vulnerabilities...
2023-12-15T10:36:49.635+0100	DEBUG	Detecting library vulnerabilities, type: jar, path: 
2023-12-15T10:36:49.691+0100	DEBUG	Found an ignore file: .trivyignore

Operating System

macOS Sonoma 14.2

Version

Version: 0.48.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-12-15 06:10:50.163004975 +0000 UTC
  NextUpdate: 2023-12-15 12:10:50.163004594 +0000 UTC
  DownloadedAt: 2023-12-15 09:18:37.448303 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-12-15 00:45:03.307690097 +0000 UTC
  NextUpdate: 2023-12-18 00:45:03.307689947 +0000 UTC
  DownloadedAt: 2023-12-15 09:19:43.769488 +0000 UTC

Checklist

• Run trivy image --reset
• Read the troubleshooting

[DmitriyLewen]

Also there is problem with same jars in different folders.
We create only 1 component:
json report:

      "Packages": [
        {
          "Name": "com.fasterxml.jackson.core:jackson-databind",
          "Version": "2.13.4",
          "Layer": {},
          "FilePath": "1/jackson-databind-2.13.4.jar"
        },
        {
          "Name": "com.fasterxml.jackson.core:jackson-databind",
          "Version": "2.13.4",
          "Layer": {},
          "FilePath": "2/jackson-databind-2.13.4.jar"
        }
      ],

cyclonedx report:

  "components": [
    {
      "bom-ref": "pkg:maven/com.fasterxml.jackson.core/[email protected]?file_path=2%2Fjackson-databind-2.13.4.jar",
      "type": "library",
      "group": "com.fasterxml.jackson.core",
      "name": "jackson-databind",
      "version": "2.13.4",
      "purl": "pkg:maven/com.fasterxml.jackson.core/[email protected]",
      "properties": [
        {
          "name": "aquasecurity:trivy:FilePath",
          "value": "2/jackson-databind-2.13.4.jar"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "jar"
        }
      ]
    }
  ],

[LesSyner]

Things look a bit different after further investigation:

1. trivy with standard table output ( trivy image --ignore-unfixed confluentinc/cp-schema-registry:7.5.2 --scanners vuln --severity CRITICAL ) reports the same CVE (CVE-2023-44981) and with count 5 but now for 2 jars: org.apache.zookeeper:zookeeper (acl-7.5.2.jar) and org.apache.zookeeper:zookeeper (zookeeper-3.6.3.jar).
2. I've extracted both jars from the image, unpacked them fully and checked that table report shows properly that there is zookeeper-3.6.3 also inside acl. So your remark @DmitriyLewen about ticket fix(cyclonedx): fix work when there are same pkgs from different dirs #5798 may be good direction. It's already somehow shown in tabe format but not in cyclonedx format.
3. I've ran "trivy fs" with dir containing both jars unpacked, each in separate subdir, and it shows different results:

• acl/META-INF/maven/org.apache.zookeeper/zookeeper with 1 critical CVE coming from org.apache.zookeeper:zookeeper 3.6.3 (the same CVE ID as reported in cyclonedx format)
• zookeeper/META-INF/maven/org.apache.zookeeper/zookeeper with 1 critical CVE coming from org.apache.zookeeper:zookeeper 3.6.3 (the same CVE ID as reported in cyclonedx format)
• acl/META-INF/maven/com.hubspot.jackson/jackson-datatype-protobuf with 12 critical CVEs coming from com.fasterxml.jackson.core:jackson-databind 2.9.9.

Now I'm confused - cyclonedx format reporting issues, table format partially ok (showing 2 separate files with this CVE), both formats don't show additional 12 critical CVEs (total 62 CVEs, both numbers with --ignore-unfixed switch).

[DmitriyLewen]

Hello @LesSyner
Thanks for your investigation.

both formats don't show additional 12 critical CVEs

I am focusing on fixing CycloneDX logic. After that i will check this case.

[DmitriyLewen]

I checked acl-7.5.2.jar:
When you scan in fs more - Trivy checks pom.xml files
But when you scan in image (or rootfs) mode Trivy checks jar files (Trivy checks pom.properties, MANIFEST.MF and nested jars inside found jar) - https://aquasecurity.github.io/trivy/v0.48/docs/coverage/language/java/#jarwarparear

More about fs/image mode - https://aquasecurity.github.io/trivy/v0.48/docs/coverage/language/#supported-languages

For your case:

• fs mode - Trivy finds ./acl/META-INF/maven/com.hubspot.jackson/jackson-datatype-protobuf/pom.xml file:

<groupId>com.hubspot.jackson</groupId>
  <artifactId>jackson-datatype-protobuf</artifactId>
  <version>0.9.11-jackson2.9</version>
  <description>Jackson Module that adds support for reading/writing protobufs</description>

  <properties>
    <basepom.check.skip-dependency-versions-check>true</basepom.check.skip-dependency-versions-check>

    <dep.jackson.version>2.9.9</dep.jackson.version>
    <dep.jackson-databind.version>2.9.9</dep.jackson-databind.version>
    <dep.protobuf-java.version>3.8.0</dep.protobuf-java.version>
  </properties>

  <dependencies>
 ...
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
    </dependency>
    <dependency>

And detects jackson-databind 2.9.9, just like mvn does:

[INFO] com.hubspot.jackson:jackson-datatype-protobuf:jar:0.9.11-jackson2.9
[INFO] +- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.9:compile
[INFO] +- com.fasterxml.jackson.core:jackson-core:jar:2.9.9:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.9:compile

• image mode: Trivy finds ./acl/META-INF/maven/com.hubspot.jackson/jackson-datatype-protobuf/pom.properties file:

#Created by Apache Maven 3.6.1
version=0.9.11-jackson2.9
groupId=com.hubspot.jackson
artifactId=jackson-datatype-protobuf

This file doesn't have info about jackson-databind.
But acl-7.5.2.jar have ./acl/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties file:

version=2.14.2
groupId=com.fasterxml.jackson.core
artifactId=jackson-databind

That is why Trivy finds vulnerabilities only for com.fasterxml.jackson.core:[email protected].

[LesSyner]

I digged deeper since so far there was no justification for 5 critical CVEs. And I've found them in report in json format. So in fact summary in all formats is ok (regarding 5 instances of CVE-2023-44981), only proper details are missing in table and cyclonedx format.

      "VulnerabilityID": "CVE-2023-44981",
      "PkgName": "org.apache.zookeeper:zookeeper",
      "PkgPath": "usr/share/java/acl/acl-7.5.2.jar",
      "InstalledVersion": "3.6.3",

      "VulnerabilityID": "CVE-2023-44981",
      "PkgName": "org.apache.zookeeper:zookeeper",
      "PkgPath": "usr/share/java/confluent-control-center/zookeeper-3.6.3.jar",
      "InstalledVersion": "3.6.3",

      "VulnerabilityID": "CVE-2023-44981",
      "PkgName": "org.apache.zookeeper:zookeeper",
      "PkgPath": "usr/share/java/confluent-security/connect/zookeeper-3.6.3.jar",
      "InstalledVersion": "3.6.3",

      "VulnerabilityID": "CVE-2023-44981",
      "PkgName": "org.apache.zookeeper:zookeeper",
      "PkgPath": "usr/share/java/cp-base-new/zookeeper-3.6.3.jar",
      "InstalledVersion": "3.6.3",

      "VulnerabilityID": "CVE-2023-44981",
      "PkgName": "org.apache.zookeeper:zookeeper",
      "PkgPath": "usr/share/java/schema-registry/zookeeper-3.6.3.jar",
      "InstalledVersion": "3.6.3",

[DmitriyLewen]

this problem is related with Applications aggregation.
there is #4249 about table format.

[topiga]

I have the same problem. I made a very simple script that you can use to temporarily fix this issue. Here is the up-to-date gist : https://gist.github.com/topiga/4d459e6a922c2f08fec5a211975316fb
Here is the code as of today, 25th April 2024

import json
import argparse

def remove_duplicates(json_data):
    for vulnerability in json_data['vulnerabilities']:
        affects = vulnerability['affects']
        unique_affects = []
        seen_refs = set()

        for affect in affects:
            ref = affect['ref']
            if ref not in seen_refs:
                seen_refs.add(ref)
                unique_affects.append(affect)

        vulnerability['affects'] = unique_affects

    return json_data

def main():
    parser = argparse.ArgumentParser(description='Fix CycloneDX file by removing duplicate items in the "affects" array.')
    parser.add_argument('--input', dest='input_file', required=True, help='Path to the input CycloneDX file')
    parser.add_argument('--output', dest='output_file', required=True, help='Path to the output fixed CycloneDX file')

    args = parser.parse_args()

    try:
        with open(args.input_file, 'r') as file:
            cyclonedx_data = json.load(file)
    except FileNotFoundError:
        print(f'Error: input file "{args.input_file}" not found')
        return
    except json.JSONDecodeError as e:
        print(f'Error: invalid JSON format in input file "{args.input_file}"')
        print(f'JSON error: {str(e)}')
        return

    updated_data = remove_duplicates(cyclonedx_data)

    try:
        with open(args.output_file, 'w') as file:
            json.dump(updated_data, file, indent=2)
    except IOError as e:
        print(f'Error: failed to write output file "{args.output_file}"')
        print(f'IO error: {str(e)}')
        return

    print(f'Fixed CycloneDX data written to "{args.output_file}"')

if __name__ == '__main__':
    main()

[DmitriyLewen]

Hello @topiga

Can you check this issue with latest Trivy?
I think #6240 should fix this problem.
e.g.:

Last login: Fri Apr 26 07:35:23 on ttys001
➜ tree ./dir 
./dir
├── dir1
│   └── jackson-databind-2.13.4.jar
└── dir2
    └── jackson-databind-2.13.4.jar

3 directories, 2 files
➜ trivy -q rootfs -f cyclonedx ./dir
{
  "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:45d8a637-d34b-4700-949d-911410f35c5a",
  "version": 1,
  "metadata": {
    "timestamp": "2024-04-26T01:45:03+00:00",
    "tools": {
      "components": [
        {
          "type": "application",
          "group": "aquasecurity",
          "name": "trivy",
          "version": "0.50.4"
        }
      ]
    },
    "component": {
      "bom-ref": "138052f2-ad09-4e00-824f-575c21306aaf",
      "type": "application",
      "name": "dir",
      "properties": [
        {
          "name": "aquasecurity:trivy:SchemaVersion",
          "value": "2"
        }
      ]
    }
  },
  "components": [
    {
      "bom-ref": "08210638-25c1-4d60-b4e6-2c59ed622f01",
      "type": "library",
      "group": "com.fasterxml.jackson.core",
      "name": "jackson-databind",
      "version": "2.13.4",
      "purl": "pkg:maven/com.fasterxml.jackson.core/[email protected]",
      "properties": [
        {
          "name": "aquasecurity:trivy:FilePath",
          "value": "dir2/jackson-databind-2.13.4.jar"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "jar"
        }
      ]
    },
    {
      "bom-ref": "5fb0bb40-d596-4e92-8597-5a1ccb4fa503",
      "type": "library",
      "group": "com.fasterxml.jackson.core",
      "name": "jackson-databind",
      "version": "2.13.4",
      "purl": "pkg:maven/com.fasterxml.jackson.core/[email protected]",
      "properties": [
        {
          "name": "aquasecurity:trivy:FilePath",
          "value": "dir1/jackson-databind-2.13.4.jar"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "jar"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "08210638-25c1-4d60-b4e6-2c59ed622f01",
      "dependsOn": []
    },
    {
      "ref": "138052f2-ad09-4e00-824f-575c21306aaf",
      "dependsOn": [
        "08210638-25c1-4d60-b4e6-2c59ed622f01",
        "5fb0bb40-d596-4e92-8597-5a1ccb4fa503"
      ]
    },
    {
      "ref": "5fb0bb40-d596-4e92-8597-5a1ccb4fa503",
      "dependsOn": []
    }
  ],
  "vulnerabilities": []
}

[sithmein]

The problem still persists, also with the latest trivy version (0.52.2). In fact the CycloneDX file generated violates the schema (because of non-unique $.vulnerabilities[x].affects[*] which means that tools such as Dependency Track will reject the SBOM when being uploaded.
To reproduce run trivy image -f cyclonedx -o ap.cdx.json --scanners license,vuln registry.hub.knime.com/knime/knime-full:r-5.2.0-271 and look for CVE-2014-125087.

[DmitriyLewen]

Hello @sithmein
Thanks for information!

Created #7023 for your issue.

Regards, Dmitriy