Problem with support BOM from trivy 0.50.0 (also 0.50.1)
pawelrosada opened this issue
Current Behavior
We are creating a BOM scan, using the command:
trivy image --format cyclonedx --output bom.txt IMAGE
With Trivy version 0.49.1, the dependencies list in the generated file appears correctly.
However, after upgrading to Trivy version 0.50.1, the format of the dependencies list in the BOM file changes adversely.
The primary issue seems to stem from the software version numbering in the BOM generated by Trivy 0.50.1, which now includes a prefix "1:" before the version numbers. This change correlates with Trivy's update to incorporate an "intermediate representation for BOM," as detailed in their commit: aquasecurity/trivy@8fcef35.
This adjustment appears to disrupt how DependencyTrack interprets and displays software versions, impacting the usability and clarity of the scan results.
I believe this issue arises from Trivy's modification to its BOM generation process, specifically the introduction of an intermediate representation that alters the version numbering format. This new format might be incompatible with DependencyTrack's current parsing logic, leading to the problematic display of software versions.
Steps to Reproduce
- trivy image --format cyclonedx --output bom.txt IMAGE
- Configure trivy scanner add-on (Enable Trivy analyzer)
- curl -v -X "POST" "https://domain/api/v1/bom" -H 'Content-Type: multipart/form-data' -H "X-Api-Key: KEY" -F "autoCreate=true" -F "projectName=test" -F "projectVersion=test" -F "bom=@bom.txt"
- Go to the dashboard and check the result - you can see issues from a different software version than the one that is installed (the oldest)
Expected Behavior
Getting the same result as from trivy 0.49.1
Dependency-Track Version
4.11.0-SNAPSHOT
Dependency-Track Distribution
Container Image
Database Server
H2
Database Server Version
No response
Browser
Apple Safari
Checklist
- I have read and understand the contributing guidelines
- I have checked the existing issues for whether this defect was already reported
Although it may appear similar to the issue described in #3602, I believe that issue addresses some other problem
The prefix of those versions looks more like the epoch to me: https://manpages.debian.org/stretch/dpkg-dev/deb-version.5.en.html
So in a sense, if the BOMs previously generated by Trivy were missing those, that was technically a defect they now resolved.
Not sure what all the file components are about though, that looks odd.
This appears to be a change in what Trivy includes in the SBOM. However, it's not something we can deal with on our end.