
bug(sbom): Trivy overwrites Applications when multiple sbom files contain aggregated language type #7851

Closed
DmitriyLewen opened this issue Nov 1, 2024 Discussed in #7846 · 3 comments · Fixed by #8052
Labels
kind/bug Categorizes issue or PR as related to a bug.
Milestone

Comments

@DmitriyLewen
Contributor

Description

We already had a similar case: a single SBOM file containing multiple Applications for the same aggregated language type (see #5812).
This problem has been fixed.

But we have similar behavior when an image contains multiple SBOM files for the same aggregated type (e.g. Java, Python, etc.).

The FilePath for these Applications is empty:

trivy/pkg/sbom/io/decode.go

Lines 179 to 183 in 88ba460

// Aggregation Types use the name of the language (e.g. `Java`, `Python`, etc.) as the component name.
// Other language files use the file path as their name.
if !slices.Contains(ftypes.AggregatingTypes, app.Type) {
app.FilePath = c.Name
}

So when we fill nestedMap in the ApplyLayers function, we overwrite Applications:

// Apply language-specific packages
for _, app := range layer.Applications {
key := fmt.Sprintf("%s/type:%s", app.FilePath, app.Type)
nestedMap.SetByString(key, sep, app)
}

Example:

➜ tree
.
├── Dockerfile
├── api
│   └── log4j-api-2.24.1.jar
└── core
    └── log4j-core-2.24.1.jar

3 directories, 3 files
➜ trivy -q rootfs ./api -f spdx-json -o report-api.spdx.json    
➜ trivy -q rootfs ./core -f spdx-json -o report-core.spdx.json

➜ cat Dockerfile 
FROM alpine

COPY ./report-api.spdx.json /api/report-api.spdx.json

COPY ./report-core.spdx.json /core/report-core.spdx.json
➜ docker build -t test:7846 .
[+] Building 0.1s (8/8) FINISHED                           docker:desktop-linux
...

➜  example trivy -q image test:7846 -f json --list-all-pkgs --pkg-types library
{
...
  "Results": [
    {
      "Target": "Java",
      "Class": "lang-pkgs",
      "Type": "jar",
      "Packages": [
        {
          "ID": "org.apache.logging.log4j:log4j-core:2.24.1",
          "Name": "org.apache.logging.log4j:log4j-core",
          "Identifier": {
            "PURL": "pkg:maven/org.apache.logging.log4j/[email protected]",
            "UID": "ea631ef0af9d09d6"
          },
          "Version": "2.24.1",
          "Licenses": [
            "NOASSERTION"
          ],
          "Layer": {
            "DiffID": "sha256:efe02b781f0ce0882531fe6ae24f5e369dcd59a33cefac6d9c184e1937298507"
          },
          "FilePath": "log4j-core-2.24.1.jar"
        }
      ]
    }
  ]
}

Discussed in #7846
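The collision described in this report can be reproduced in isolation. The following is an added example, not Trivy's code and not the fix from #8052: it uses reduced stand-ins for Trivy's Application and Package types, the exact key format quoted above (`%s/type:%s`), and the two log4j SBOMs from the Dockerfile scenario as constructed input. `mergeOverwrite` shows the reported behaviour (the second aggregated Java application replaces the first), while `mergeAppend` shows one possible hardening, assumed here for illustration, that appends packages for aggregating types instead of overwriting the map entry.

```go
package main

import (
	"fmt"
	"slices"
	"sort"
)

// Package and Application are reduced stand-ins for Trivy's types.Package /
// types.Application (constructed for this example, not Trivy's real structs).
type Package struct {
	Name    string
	Version string
}

type Application struct {
	Type     string    // e.g. "jar"
	FilePath string    // empty for aggregating types, as described in the issue
	Packages []Package // packages decoded from one SBOM file
}

// aggregatingTypes stands in for ftypes.AggregatingTypes: language-level
// results whose component name is the language, not a file path.
var aggregatingTypes = []string{"jar", "python-pkg", "node-pkg"}

// appKey is the key format quoted in the issue. With an empty FilePath every
// aggregated application of one type collapses to the same key, "/type:jar".
func appKey(app Application) string {
	return fmt.Sprintf("%s/type:%s", app.FilePath, app.Type)
}

// mergeOverwrite reproduces the reported behaviour: a plain map set, so the
// last application seen for a key silently replaces the earlier one.
func mergeOverwrite(apps []Application) map[string]Application {
	out := map[string]Application{}
	for _, app := range apps {
		out[appKey(app)] = app
	}
	return out
}

// mergeAppend is one possible hardening (an assumption here, not Trivy's fix):
// for aggregating types, append packages to the existing application instead
// of replacing it, skipping packages that are already present.
func mergeAppend(apps []Application) map[string]Application {
	out := map[string]Application{}
	for _, app := range apps {
		k := appKey(app)
		existing, ok := out[k]
		if !ok || !slices.Contains(aggregatingTypes, app.Type) {
			out[k] = app
			continue
		}
		for _, p := range app.Packages {
			if !slices.Contains(existing.Packages, p) {
				existing.Packages = append(existing.Packages, p)
			}
		}
		out[k] = existing
	}
	return out
}

// packageNames returns the sorted package names recorded under the "jar" key.
func packageNames(m map[string]Application) []string {
	var names []string
	for _, p := range m["/type:jar"].Packages {
		names = append(names, p.Name)
	}
	sort.Strings(names)
	return names
}

// sampleApps is the scenario from the issue: two SBOM files in one image,
// each carrying one Java package (constructed sample data).
func sampleApps() []Application {
	return []Application{
		{Type: "jar", Packages: []Package{{"org.apache.logging.log4j:log4j-api", "2.24.1"}}},
		{Type: "jar", Packages: []Package{{"org.apache.logging.log4j:log4j-core", "2.24.1"}}},
	}
}

func main() {
	fmt.Println("overwrite:", packageNames(mergeOverwrite(sampleApps())))
	fmt.Println("append:   ", packageNames(mergeAppend(sampleApps())))
}
```

Running it prints only log4j-core for the overwrite variant, matching the report above where log4j-api disappears from the results, and both packages for the append variant. The security-relevant point is that a lost Application means lost vulnerability findings: any check that compares the number of packages across the input SBOMs with the number in the scan result would catch this class of regression.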

@DmitriyLewen DmitriyLewen added the kind/bug Categorizes issue or PR as related to a bug. label Nov 1, 2024
@javierfreire
Contributor

Hi, is there any update on this issue? It's currently blocking us from updating Trivy. Thanks for your help!

@DmitriyLewen
Contributor Author

Hello @javierfreire
#8052 should fix this issue.

@javierfreire
Contributor

Thank you!!

@knqyf263 knqyf263 added this to the v0.59.0 milestone Dec 5, 2024
@DmitriyLewen DmitriyLewen modified the milestones: v0.59.0, v0.58.1 Dec 18, 2024