
CycloneDX SBOM files generated by trivy contain duplicated entries with different versions for the same jersey artifact #7086

Closed
2 tasks done
DmitriyLewen opened this issue Jul 3, 2024 Discussed in #7013 · 0 comments · Fixed by #7088
Assignees
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@DmitriyLewen (Contributor)

Discussed in #7013

Originally posted by schmiel June 25, 2024

Description

Running trivy against the pulsar image produces the following output:

    ...
    {
      "bom-ref": "pkg:maven/org.glassfish.jersey.containers/jersey-container-servlet-core@2.41",
      "type": "library",
      "group": "org.glassfish.jersey.containers",
      "name": "jersey-container-servlet-core",
      "version": "2.41",
      "purl": "pkg:maven/org.glassfish.jersey.containers/jersey-container-servlet-core@2.41",
      "properties": [
        {
          "name": "aquasecurity:trivy:FilePath",
          "value": "pulsar/lib/org.glassfish.jersey.containers-jersey-container-servlet-core-2.41.jar"
        },
        {
          "name": "aquasecurity:trivy:LayerDiffID",
          "value": "sha256:f56c34161ed13ae336a78c5ac6902265890265db8431c0534aa2715f4d679129"
        },
        {
          "name": "aquasecurity:trivy:LayerDigest",
          "value": "sha256:de88e9845ffb8d679749bcc839a302b86b2ff2f6394f9731653cc5b21efa6bd7"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "jar"
        }
      ]
    },
    {
      "bom-ref": "pkg:maven/org.glassfish.jersey.containers/jersey-container-servlet-core@2.41.0",
      "type": "library",
      "group": "org.glassfish.jersey.containers",
      "name": "jersey-container-servlet-core",
      "version": "2.41.0",
      "purl": "pkg:maven/org.glassfish.jersey.containers/jersey-container-servlet-core@2.41.0",
      "properties": [
        {
          "name": "aquasecurity:trivy:FilePath",
          "value": "pulsar/lib/org.glassfish.jersey.containers-jersey-container-servlet-core-2.41.jar"
        },
        {
          "name": "aquasecurity:trivy:LayerDiffID",
          "value": "sha256:f56c34161ed13ae336a78c5ac6902265890265db8431c0534aa2715f4d679129"
        },
        {
          "name": "aquasecurity:trivy:LayerDigest",
          "value": "sha256:de88e9845ffb8d679749bcc839a302b86b2ff2f6394f9731653cc5b21efa6bd7"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "jar"
        }
      ]
    },
    ...

For the same file with exactly the same SHA, two entries are generated.

Desired Behavior

Only the entry with version 2.41 is generated.

Actual Behavior

Two entries for the same artifact are generated: the correct one with version 2.41 and the wrong one with version 2.41.0.

Reproduction Steps

1. Run trivy against the pulsar docker image: `trivy image apachepulsar/pulsar:3.3.0 --format cyclonedx`
2. Check the result: duplicated entries are visible for a few jersey artifacts, namely jersey-container-servlet-core, jersey-container-servlet, jersey-media-json-jackson and jersey-media-multipart

Target

Container Image

Scanner

None

Output Format

CycloneDX

Mode

Standalone

Debug Output

    trivy image apachepulsar/pulsar:3.3.0 --format cyclonedx --debug

Operating System

Ubuntu 20.04

Version

    ./trivy version
    Version: 0.52.2
    Vulnerability DB:
      Version: 2
      UpdatedAt: 2024-06-25 12:11:52.331411989 +0000 UTC
      NextUpdate: 2024-06-25 18:11:52.331411718 +0000 UTC
      DownloadedAt: 2024-06-25 14:13:57.518535772 +0000 UTC
    Java DB:
      Version: 1
      UpdatedAt: 2024-06-25 01:09:07.930189823 +0000 UTC
      NextUpdate: 2024-06-28 01:09:07.930189662 +0000 UTC
      DownloadedAt: 2024-06-25 09:18:40.719903085 +0000 UTC

Checklist
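An added check, not trivy's code and not part of the issue, that a consumer of such an SBOM can run before ingesting it: components are grouped by trivy's FilePath and LayerDigest properties, and groups whose versions differ only by trailing `.0` segments are flagged as formatting variants of one release rather than a genuine version conflict. The SBOM below is constructed from the two components quoted above (JAR_PATH and LAYER copied from them); the jersey-common entry is a made-up control.

```python
import re
from collections import defaultdict

JAR_PATH = "pulsar/lib/org.glassfish.jersey.containers-jersey-container-servlet-core-2.41.jar"
LAYER = "sha256:de88e9845ffb8d679749bcc839a302b86b2ff2f6394f9731653cc5b21efa6bd7"

def component(group, name, version, file_path, layer_digest):
    """Build a trivy-style CycloneDX component dict (constructed test data)."""
    return {
        "bom-ref": f"pkg:maven/{group}/{name}@{version}", "type": "library",
        "group": group, "name": name, "version": version,
        "properties": [
            {"name": "aquasecurity:trivy:FilePath", "value": file_path},
            {"name": "aquasecurity:trivy:LayerDigest", "value": layer_digest},
        ],
    }

# Constructed SBOM modelled on the issue: one jar in one layer listed as 2.41 and 2.41.0.
SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    component("org.glassfish.jersey.containers", "jersey-container-servlet-core", "2.41", JAR_PATH, LAYER),
    component("org.glassfish.jersey.containers", "jersey-container-servlet-core", "2.41.0", JAR_PATH, LAYER),
    component("org.glassfish.jersey.core", "jersey-common", "2.41",
              "pulsar/lib/org.glassfish.jersey.core-jersey-common-2.41.jar", LAYER),  # control entry
]}

def trivy_prop(comp, key):
    """Return the aquasecurity:trivy:<key> property value, or None if absent."""
    return next((p["value"] for p in comp.get("properties", [])
                 if p.get("name") == f"aquasecurity:trivy:{key}"), None)

def normalize_version(v):
    """Drop trailing '.0' segments so '2.41.0' compares equal to '2.41'."""
    return re.sub(r"(\.0)+$", "", v)

def find_duplicate_components(sbom):
    """One jar in one layer should yield one component. For each (FilePath, LayerDigest)
    seen with more than one version, return the versions and whether they are one release."""
    groups = defaultdict(set)
    for comp in sbom.get("components", []):
        key = (trivy_prop(comp, "FilePath"), trivy_prop(comp, "LayerDigest"))
        if key[0] is not None:  # skip components not backed by a scanned file
            groups[key].add(comp["version"])
    return {key: {"versions": sorted(vs),
                  "same_release": len({normalize_version(v) for v in vs}) == 1}
            for key, vs in groups.items() if len(vs) > 1}

if __name__ == "__main__":
    for (path, layer), info in find_duplicate_components(SBOM).items():
        print(f"{path} ({layer[:19]}...): {info['versions']} -> "
              f"{'formatting variants of one release' if info['same_release'] else 'conflicting versions'}")
```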

@DmitriyLewen DmitriyLewen added the kind/bug Categorizes issue or PR as related to a bug. label Jul 3, 2024
@DmitriyLewen DmitriyLewen self-assigned this Jul 3, 2024