Comments (12)
Ok, I confirm it's not working as expected. I will try to debug it later today.
cc @fnxpt
@sec-p24 Can you please share the version of Trivy you're using? Also sharing the exact SBOM you're uploading could help in reproducing this.
My current production setup uses Trivy v0.49.1 to generate SBOMs and Trivy v0.51.1 in server mode.
However, I tested the same locally with Trivy v0.51.1 on both sides and the issue remains the same. I am attaching 2 SBOMs: one straight after it was generated with Trivy and the other one downloaded from the Dependency-Track UI (Download BOM -> Inventory).
After performing a few additional tests I have noticed that when I access the Trivy server directly (through the Trivy SBOM command, omitting dtrack) then sometimes it parses the dtrack-processed SBOM file correctly, while other times it does not (like 50/50). When I upload the same file through Dependency-Track, then it always fails its assessment.
dt-processed-sbom.json
raw-trivy-sbom.json
When I try to run the SBOM locally on Trivy I get this.
(Screenshot 2024-05-16 at 16 22 50; image attachment not reproduced.)
Trivy client logs:
$ trivy sbom --server http://localhost:7070 raw-trivy-sbom.json
2024-05-16T16:25:12.145+0200 INFO Vulnerability scanning is enabled
2024-05-16T16:25:12.147+0200 INFO Detected SBOM format: cyclonedx-json
2024-05-16T16:25:12.203+0200 WARN This OS version is no longer supported by the distribution: alpine 3.12.0
2024-05-16T16:25:12.203+0200 WARN The vulnerability detection may be insufficient because security updates are not provided
Trivy server logs:
$ docker run -p 7070:7070 aquasec/trivy:0.51.1 server --listen 0.0.0.0:7070
2024-05-16T14:25:01Z INFO Need to update DB
2024-05-16T14:25:01Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-05-16T14:25:08Z INFO Listening 0.0.0.0:7070...
2024-05-16T14:25:12Z INFO Detected OS family="alpine" version="3.12.0"
2024-05-16T14:25:12Z INFO [alpine] Detecting vulnerabilities... os_version="3.12" repository="" pkg_num=31
2024-05-16T14:25:12Z INFO Number of language-specific files num=0
Generated a new SBOM for that image using Trivy and it worked.
(Screenshot 2024-05-16 at 16 41 55; image attachment not reproduced.)
When I generated the SBOM for the same image as you did, uploading the file directly to Trivy server yielded different results than when it was uploaded to Dependency Track.
Do you see the requests from DT arriving at Trivy?
With the image you mentioned yesterday I was able to get some results... not all of them (I will check why)... but I'm getting results.
(Screenshot 2024-05-17 at 12 07 34; image attachment not reproduced.)
A few things to clarify.
1. In my initial comment I generated the SBOM for the php:7.4.10-fpm-alpine docker image, not the Trivy image itself.
2. The logs from Trivy (see the last screenshot from my previous message) suggest the SBOM arrives correctly there. The same goes for the Dependency-Track API logs, which suggest a successful analysis:
2024-05-17 10:08:15,600 INFO [TrivyAnalysisTask] Starting Trivy vulnerability analysis task
2024-05-17 10:08:15,813 INFO [TrivyAnalysisTask] Trivy vulnerability analysis complete
If there is a better way to confirm the arrival, please let me know.
3. Anyway, notice that you are getting results from language-based components only, but not OS-related packages. Looks like the issue might be with OS detection on the Trivy side when the SBOM is passed from DT.
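One way to narrow down where the OS packages get lost, as an added example that is not part of this thread or of either project's code: a small Python script that diffs the raw Trivy SBOM against the one exported by Dependency-Track and reports every component and every Trivy-namespaced property (prefix `aquasecurity:trivy:`, which is how Trivy's CycloneDX output carries its scan hints) that did not survive the round trip. The two sample SBOMs embedded below are constructed; their layout (an `operating-system` component plus `aquasecurity:trivy:*` properties on each component) is an assumption about Trivy's output, not taken from the attached files, and the helper names are my own.

```python
import json
import sys

# Trivy records its scan hints as CycloneDX "properties" under this prefix.
TRIVY_PREFIX = "aquasecurity:trivy:"

# Constructed sample (not the files attached to the issue). The layout, an
# "operating-system" component plus "aquasecurity:trivy:*" properties, is
# assumed to mirror Trivy's CycloneDX output; values are illustrative.
RAW_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "image-1", "type": "container",
                               "name": "php:7.4.10-fpm-alpine"}},
    "components": [
        {"bom-ref": "os-1", "type": "operating-system", "name": "alpine",
         "version": "3.12.0",
         "properties": [{"name": "aquasecurity:trivy:Type", "value": "alpine"},
                        {"name": "aquasecurity:trivy:Class", "value": "os-pkgs"}]},
        {"bom-ref": "pkg:apk/alpine/musl@1.1.24-r10", "type": "library",
         "name": "musl", "version": "1.1.24-r10",
         "purl": "pkg:apk/alpine/musl@1.1.24-r10",
         "properties": [{"name": "aquasecurity:trivy:PkgType", "value": "alpine"}]},
        {"bom-ref": "pkg:apk/alpine/zlib@1.2.11-r3", "type": "library",
         "name": "zlib", "version": "1.2.11-r3",
         "purl": "pkg:apk/alpine/zlib@1.2.11-r3",
         "properties": [{"name": "aquasecurity:trivy:PkgType", "value": "alpine"}]},
    ],
}

# Constructed simulation of a lossy round trip through another tool: the OS
# component survived but lost its Trivy properties, musl lost its PkgType hint,
# and zlib was dropped entirely.
PROCESSED_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "image-1", "type": "container",
                               "name": "php:7.4.10-fpm-alpine"}},
    "components": [
        {"bom-ref": "os-1", "type": "operating-system", "name": "alpine",
         "version": "3.12.0"},
        {"bom-ref": "pkg:apk/alpine/musl@1.1.24-r10", "type": "library",
         "name": "musl", "version": "1.1.24-r10",
         "purl": "pkg:apk/alpine/musl@1.1.24-r10"},
    ],
}


def trivy_properties(component):
    """Return {name: value} for the Trivy-namespaced properties of a component."""
    return {p["name"]: p.get("value")
            for p in component.get("properties", [])
            if str(p.get("name", "")).startswith(TRIVY_PREFIX)}


def os_components(bom):
    """(name, version) of every operating-system component in the BOM."""
    return [(c.get("name"), c.get("version"))
            for c in bom.get("components", [])
            if c.get("type") == "operating-system"]


def _index(bom):
    """Map each component to a stable key: bom-ref, else purl, else name@version."""
    out = {}
    for c in bom.get("components", []):
        key = c.get("bom-ref") or c.get("purl") or f"{c.get('name')}@{c.get('version')}"
        out[key] = c
    return out


def compare_sboms(raw, processed):
    """Report what the processed BOM lost relative to the raw Trivy BOM."""
    raw_idx, proc_idx = _index(raw), _index(processed)
    report = {
        "os_components_raw": os_components(raw),
        "os_components_processed": os_components(processed),
        "missing_components": sorted(k for k in raw_idx if k not in proc_idx),
        "lost_properties": {},
    }
    for key, comp in raw_idx.items():
        if key not in proc_idx:
            continue
        lost = sorted(set(trivy_properties(comp)) - set(trivy_properties(proc_idx[key])))
        if lost:
            report["lost_properties"][key] = lost
    return report


def os_detection_inputs_intact(report):
    """True when every OS component and every Trivy property survived the round trip."""
    return (report["os_components_raw"] == report["os_components_processed"]
            and not report["missing_components"]
            and not report["lost_properties"])


def main(argv):
    # With two file paths, diff real BOMs; otherwise run on the constructed samples.
    if len(argv) == 3:
        with open(argv[1]) as f_raw, open(argv[2]) as f_proc:
            raw, processed = json.load(f_raw), json.load(f_proc)
    else:
        raw, processed = RAW_SBOM, PROCESSED_SBOM
    report = compare_sboms(raw, processed)
    print(json.dumps(report, indent=2))
    return 0 if os_detection_inputs_intact(report) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Saved as, say, `sbom_diff.py`, it can be run against the two attached files with `python sbom_diff.py raw-trivy-sbom.json dt-processed-sbom.json`; a non-zero exit code means a component or a Trivy property that the server may rely on for OS detection was dropped, and the printed report names which ones.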
I think I found the issue, just need to do some testing...
@sec-p24 Issue fixed, PR is failing due to issues with dependencies.
@nscuro any idea what could be the issue? I saw in the logs that there were a few changes on the dependencies 2 days ago.
@fnxpt The build failures are related to #3726 and the corresponding changes in Alpine. I'll get that PR merged, then your build should pass.