Inconsistencies on SBOM vulnerabilities scanning

[juan131]

Description

SBOM scanning with more than one Python applications result on inconsistent reported vulns.

Note: it also affected Node pkgs, Conda pkgs, Ruby gems & JARs.

Given a SPDX file with two Python apps (such as the one shown below) each of them containing dozens of packages, Trivy reports a different number of vulnerabilities on consecutive executions.

"packages": [{
  {
    "SPDXID": "SPDXRef-Application-gnrtd7",
    "downloadLocation": "NONE",
    "filesAnalyzed": false,
    "licenseConcluded": "NOASSERTION",
    "licenseDeclared": "NOASSERTION",
    "name": "python-pkg",
    "primaryPackagePurpose": "APPLICATION",
    "sourceInfo": "Python"
  }, {
    "SPDXID": "SPDXRef-Application-gnrtd8",
    "downloadLocation": "NONE",
    "filesAnalyzed": false,
    "licenseConcluded": "NOASSERTION",
    "licenseDeclared": "NOASSERTION",
    "name": "python-pkg",
    "primaryPackagePurpose": "APPLICATION",
    "sourceInfo": "Python"
  }

The problem seems be related with setting the application file path with an empty string for these apps:

• /~https://github.com/aquasecurity/trivy/blob/main/pkg/sbom/spdx/unmarshal.go#L230-L240

When the nested map below is populated at ApplyLayers, given both apps don't have a file path, the resulting "key" used in the map is the same /type:python-pkg, therefore the last app extracted from the layer overwrites the previous one:

• /~https://github.com/aquasecurity/trivy/blob/main/pkg/fanal/applier/docker.go#L116-L120

As a consequence, the info about the packages included on that application gets lost.

Desired Behavior

Consistency on reported vulnerabilities.

Actual Behavior

Number of reported vulnerabilities differs between executions.

Reproduction Steps

Run the Trivy scanner several times to receive different amount of reported vulnerabilities:

$ trivy sbom airflow-spdx.json --quiet --format json | grep VulnerabilityID | wc -l
     385
$ trivy sbom airflow-spdx.json --quiet --format json | grep VulnerabilityID | wc -l
     380
$ trivy sbom airflow-spdx.json --quiet --format json | grep VulnerabilityID | wc -l
     385

Target

SBOM

Scanner

Vulnerability

Output Format

JSON

Mode

Standalone

Debug Output

Irrelevant

Operating System

macOS sonoma

Version

Version: 0.48.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-12-15 12:12:09.918117448 +0000 UTC
  NextUpdate: 2023-12-15 18:12:09.918116827 +0000 UTC
  DownloadedAt: 2023-12-15 15:57:47.294271 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-12-12 00:46:36.610548653 +0000 UTC
  NextUpdate: 2023-12-15 00:46:36.610548473 +0000 UTC
  DownloadedAt: 2023-12-12 12:29:27.481363 +0000 UTC

Checklist

• Run trivy image --reset
• Read the troubleshooting

[juan131]

Here you can find a airflow-spdx.json to test it that's generated by merging the SPDX included on Bitnami Airflow image:
airflow.json

[DmitriyLewen]

Hello @juan131
Thanks for your report and investigation!

Created #5812 for this task.

Regards, Dmitriy

[juan131]

Awesome! Thanks Dmitriy