
fix(sbom): exclude duplicate vulnerabilities #7023

Conversation

DmitriyLewen (Contributor) commented Jun 26, 2024

Description

We aggregated pip/gem/npm/jar/conda packages.
Therefore, there are cases when Result contains the same vulnerabilities for the same packages but with different file paths.
We show duplicates in vulnerabilities[].affects[] for these cases.
But vulnerabilities[].affects[] should be unique.
To avoid this, we don't need to include vulns with the same CVE for the same pkgID.

Example:

➜  tree

.
├── bar
│   └── jackson-databind-2.13.4.jar
├── foo
│   ├── bar
│   └── jackson-databind-2.13.4.jar

Before:

➜  trivy -q rootfs -f cyclonedx --scanners vuln . | jq '.vulnerabilities[0].affects'
[
  {
    "ref": "7d55fb4f-cd6d-426a-9103-9e3b0e784f16",
    "versions": [
      {
        "version": "2.13.4",
        "status": "affected"
      }
    ]
  },
  {
    "ref": "7d55fb4f-cd6d-426a-9103-9e3b0e784f16",
    "versions": [
      {
        "version": "2.13.4",
        "status": "affected"
      }
    ]
  },
  {
    "ref": "b8a8670f-c668-46cb-b8a4-2160040f77dd",
    "versions": [
      {
        "version": "2.13.4",
        "status": "affected"
      }
    ]
  },
  {
    "ref": "b8a8670f-c668-46cb-b8a4-2160040f77dd",
    "versions": [
      {
        "version": "2.13.4",
        "status": "affected"
      }
    ]
  }
]

After:

➜  ./trivy -q rootfs -f cyclonedx --scanners vuln . | jq '.vulnerabilities[0].affects'
[
  {
    "ref": "5ced2014-adb3-4bae-a81d-64a767c5de81",
    "versions": [
      {
        "version": "2.13.4",
        "status": "affected"
      }
    ]
  },
  {
    "ref": "6ca42da4-583f-42a3-b689-18a5b54dcfc3",
    "versions": [
      {
        "version": "2.13.4",
        "status": "affected"
      }
    ]
  }
]

Related issues

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).
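The deduplication rule the description proposes (keep one affects[] entry per vulnerability and component ref), as an added example that is not part of this PR or of Trivy's code base. The CycloneDX structs are an assumed minimal subset of the schema, the input is a constructed BOM that reproduces the "before" output above with "CVE-0000-00000" as a placeholder vulnerability ID, and DuplicateAffects is the check a consumer of the SBOM can run to detect the double counting reported in the linked issue.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal subset of the CycloneDX vulnerability schema used here (assumed, not Trivy's types).
type AffectedVersion struct {
	Version string `json:"version"`
	Status  string `json:"status"`
}

type Affect struct {
	Ref      string            `json:"ref"`
	Versions []AffectedVersion `json:"versions"`
}

type Vulnerability struct {
	ID      string   `json:"id"`
	Affects []Affect `json:"affects"`
}

type BOM struct {
	Vulnerabilities []Vulnerability `json:"vulnerabilities"`
}

// beforeBOM is a constructed input mirroring the "before" output in the PR description:
// the same two component refs appear twice because the same jar was found at two paths.
// "CVE-0000-00000" is a placeholder ID, not a real advisory.
const beforeBOM = `{
  "vulnerabilities": [
    {
      "id": "CVE-0000-00000",
      "affects": [
        {"ref": "7d55fb4f-cd6d-426a-9103-9e3b0e784f16", "versions": [{"version": "2.13.4", "status": "affected"}]},
        {"ref": "7d55fb4f-cd6d-426a-9103-9e3b0e784f16", "versions": [{"version": "2.13.4", "status": "affected"}]},
        {"ref": "b8a8670f-c668-46cb-b8a4-2160040f77dd", "versions": [{"version": "2.13.4", "status": "affected"}]},
        {"ref": "b8a8670f-c668-46cb-b8a4-2160040f77dd", "versions": [{"version": "2.13.4", "status": "affected"}]}
      ]
    }
  ]
}`

// LoadBOM parses a CycloneDX JSON document into the subset of fields defined above.
func LoadBOM(data []byte) (BOM, error) {
	var bom BOM
	err := json.Unmarshal(data, &bom)
	return bom, err
}

// DuplicateAffects reports, keyed by vulnerability ID, every ref that occurs more than
// once in that vulnerability's affects[] (each ref listed once, in first-seen order).
// Running it over a BOM is the check for the double counting described in the issue.
func DuplicateAffects(vulns []Vulnerability) map[string][]string {
	dups := map[string][]string{}
	for _, v := range vulns {
		count := map[string]int{}
		for _, a := range v.Affects {
			count[a.Ref]++
		}
		for _, a := range v.Affects {
			if count[a.Ref] > 1 {
				dups[v.ID] = append(dups[v.ID], a.Ref)
				count[a.Ref] = 0 // already reported, skip later occurrences
			}
		}
	}
	return dups
}

// DedupAffects keeps the first affects[] entry per (vulnerability ID, ref) pair and drops
// the rest, which is the rule the description proposes. The caller's slice is not modified.
func DedupAffects(vulns []Vulnerability) []Vulnerability {
	out := make([]Vulnerability, 0, len(vulns))
	for _, v := range vulns {
		seen := make(map[string]bool, len(v.Affects))
		kept := make([]Affect, 0, len(v.Affects))
		for _, a := range v.Affects {
			if seen[a.Ref] {
				continue
			}
			seen[a.Ref] = true
			kept = append(kept, a)
		}
		v.Affects = kept // v is a copy of the element, so the input stays intact
		out = append(out, v)
	}
	return out
}

func main() {
	bom, err := LoadBOM([]byte(beforeBOM))
	if err != nil {
		panic(err)
	}
	fmt.Println("duplicates before:", DuplicateAffects(bom.Vulnerabilities))
	after := DedupAffects(bom.Vulnerabilities)
	fmt.Println("duplicates after:", DuplicateAffects(after))
	enc, _ := json.MarshalIndent(after[0].Affects, "", "  ")
	fmt.Println(string(enc))
}
```

Keying on the ref is enough for a BOM that already has one bom-ref per package, as in the "before" output where each of the two refs is simply repeated; it would not merge two distinct refs that point at the same package, which is the case the approach in #7042 addresses by giving components a stable UID.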

knqyf263 (Collaborator) commented Jun 27, 2024

@DmitriyLewen I had an idea to use UID but I was lazy and didn't implement it 😄 I've finally created #7042, can you please see if this can fix the bug?

DmitriyLewen (Contributor, Author) commented:

> can you please see if this can fix the bug?

I can confirm that your PR is fixing this bug 👍

DmitriyLewen (Contributor, Author) commented:

Closed in favor of #7042

@DmitriyLewen DmitriyLewen deleted the fix-bom/duplicates-vulns-for-same-pkgs-different-paths branch June 28, 2024 03:38
Successfully merging this pull request may close these issues.

bug(cyclonedx): Trivy image scan reports and counts the same CVE for the same package multiple times