
bug(sbom): Trivy overwrites Applications when multiple sbom files contain aggregated language type #7851

Open
DmitriyLewen opened this issue Nov 1, 2024 Discussed in #7846 · 0 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@DmitriyLewen (Contributor)

Description

We already had a similar case: a single SBOM file contained multiple Applications for the same aggregated language type (see #5812).
This problem has been fixed.

But we have similar behavior when an image contains multiple SBOM files for the same aggregated type (e.g. Java, Python, etc.).

FilePath for these Applications is empty:

trivy/pkg/sbom/io/decode.go, lines 179 to 183 in 88ba460:

```go
// Aggregation Types use the name of the language (e.g. `Java`, `Python`, etc.) as the component name.
// Other language files use the file path as their name.
if !slices.Contains(ftypes.AggregatingTypes, app.Type) {
	app.FilePath = c.Name
}
```

So when we fill nestedMap in the ApplyLayers function, we overwrite Applications:

```go
// Apply language-specific packages
for _, app := range layer.Applications {
	key := fmt.Sprintf("%s/type:%s", app.FilePath, app.Type)
	nestedMap.SetByString(key, sep, app)
}
```

Example:

```console
➜ tree
.
├── Dockerfile
├── api
│   └── log4j-api-2.24.1.jar
└── core
    └── log4j-core-2.24.1.jar

3 directories, 3 files
➜ trivy -q rootfs ./api -f spdx-json -o report-api.spdx.json
➜ trivy -q rootfs ./core -f spdx-json -o report-core.spdx.json

➜ cat Dockerfile
FROM alpine

COPY ./report-api.spdx.json /api/report-api.spdx.json

COPY ./report-core.spdx.json /core/report-core.spdx.json

➜ docker build -t test:7846 .
[+] Building 0.1s (8/8) FINISHED                           docker:desktop-linux
...

➜  example trivy -q image test:7846 -f json --list-all-pkgs --pkg-types library
```

```json
{
...
  "Results": [
    {
      "Target": "Java",
      "Class": "lang-pkgs",
      "Type": "jar",
      "Packages": [
        {
          "ID": "org.apache.logging.log4j:log4j-core:2.24.1",
          "Name": "org.apache.logging.log4j:log4j-core",
          "Identifier": {
            "PURL": "pkg:maven/org.apache.logging.log4j/[email protected]",
            "UID": "ea631ef0af9d09d6"
          },
          "Version": "2.24.1",
          "Licenses": [
            "NOASSERTION"
          ],
          "Layer": {
            "DiffID": "sha256:efe02b781f0ce0882531fe6ae24f5e369dcd59a33cefac6d9c184e1937298507"
          },
          "FilePath": "log4j-core-2.24.1.jar"
        }
      ]
    }
  ]
}
```

Discussed in #7846
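The key collision described in the issue body, reproduced as an added example that is not Trivy's code. It models the `"%s/type:%s"` key from the ApplyLayers loop with a plain Go map instead of `nestedMap.SetByString`, feeds it two constructed "jar" applications with an empty `FilePath` (one per SBOM file, as in the Dockerfile above), and shows that the second entry replaces the first. The `Source` field, the `sourceKey` function and the `countPackages` check are hypothetical additions used only to show how a key that stays unique per SBOM file keeps both entries; they are not a proposed patch.

```go
package main

import (
	"fmt"
	"sort"
)

// Application is a reduced model of the per-application record Trivy keeps
// (constructed for this example; only the fields the issue mentions, plus a
// hypothetical Source field recording which SBOM file the entry came from).
type Application struct {
	Type     string   // aggregated language type, e.g. "jar"
	FilePath string   // left empty for aggregating types, as decode.go does
	Source   string   // hypothetical: path of the originating SBOM file
	Packages []string // package IDs found in that SBOM
}

// legacyKey builds the key exactly as the ApplyLayers loop does:
// "%s/type:%s" from FilePath and Type. With an empty FilePath, every
// aggregated application of one type collapses onto the same key.
func legacyKey(app Application) string {
	return fmt.Sprintf("%s/type:%s", app.FilePath, app.Type)
}

// sourceKey is a hypothetical alternative (not Trivy's code): when FilePath is
// empty it substitutes the SBOM file path, so entries from different SBOM
// files stay distinct.
func sourceKey(app Application) string {
	path := app.FilePath
	if path == "" {
		path = app.Source
	}
	return fmt.Sprintf("%s/type:%s", path, app.Type)
}

// merge models nestedMap.SetByString with a plain map: a later entry with the
// same key silently replaces the earlier one, which is the overwrite the
// issue describes.
func merge(apps []Application, key func(Application) string) map[string]Application {
	out := make(map[string]Application)
	for _, app := range apps {
		out[key(app)] = app
	}
	return out
}

// countPackages sums the packages that survive the merge; comparing it with
// the number fed in is a cheap check that nothing was dropped.
func countPackages(m map[string]Application) int {
	n := 0
	for _, app := range m {
		n += len(app.Packages)
	}
	return n
}

// sampleApps mirrors the issue's scenario: two SBOM files in one image, each
// decoded into a "jar" application with no FilePath (constructed sample data).
func sampleApps() []Application {
	return []Application{
		{Type: "jar", Source: "/api/report-api.spdx.json",
			Packages: []string{"org.apache.logging.log4j:log4j-api:2.24.1"}},
		{Type: "jar", Source: "/core/report-core.spdx.json",
			Packages: []string{"org.apache.logging.log4j:log4j-core:2.24.1"}},
	}
}

func main() {
	apps := sampleApps()
	for _, kf := range []struct {
		name string
		fn   func(Application) string
	}{{"legacy", legacyKey}, {"source", sourceKey}} {
		m := merge(apps, kf.fn)
		keys := make([]string, 0, len(m))
		for k := range m {
			keys = append(keys, k)
		}
		sort.Strings(keys)
		fmt.Printf("%s key: %d application(s), %d of %d packages kept, keys=%v\n",
			kf.name, len(m), countPackages(m), len(apps), keys)
	}
}
```

With the legacy key both applications land on `/type:jar`, only the last one written (log4j-core) survives, and the package count drops from 2 to 1, matching the report above where log4j-api is missing; the package-count comparison is the kind of check that would flag such a silent overwrite before it reaches a vulnerability report.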

@DmitriyLewen DmitriyLewen added the kind/bug Categorizes issue or PR as related to a bug. label Nov 1, 2024