DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.

Home Page:https://dependencytrack.org/


Problem with support for BOM from trivy 0.50.0 (also 0.50.1)

pawelrosada opened this issue · comments

Current Behavior

We are creating a BOM scan, using the command:
trivy image --format cyclonedx --output bom.txt IMAGE

With Trivy version 0.49.1, the dependencies list in the generated file appears correctly.
[Screenshot 2024-04-05 at 17:46:34]

However, after upgrading to Trivy version 0.50.1, the format of the dependencies list in the BOM file changes adversely.
[Screenshot 2024-04-05 at 17:46:21]

The primary issue seems to stem from the software version numbering in the BOM generated by Trivy 0.50.1, which now includes a prefix "1:" before the version numbers. This change correlates with Trivy's update to incorporate an "intermediate representation for BOM," as detailed in their commit: aquasecurity/trivy@8fcef35.

This adjustment appears to disrupt how DependencyTrack interprets and displays software versions, impacting the usability and clarity of the scan results.

I believe this issue arises from Trivy's modification to its BOM generation process, specifically the introduction of an intermediate representation that alters the version numbering format. This new format might be incompatible with DependencyTrack's current parsing logic, leading to the problematic display of software versions.

Steps to Reproduce

  1. trivy image --format cyclonedx --output bom.txt IMAGE
  2. Configure the trivy scanner add-on (Enable Trivy analyzer)
  3. curl -v -X "POST" "https://domain/api/v1/bom" -H 'Content-Type: multipart/form-data' -H "X-Api-Key: KEY" -F "autoCreate=true" -F "projectName=test" -F "projectVersion=test" -F "bom=@bom.txt"
  4. Go to the dashboard and check the result - you can see issues from a different software version than the one that is installed (the oldest)

Expected Behavior

Getting the same result as from trivy 0.49.1

Dependency-Track Version

4.11.0-SNAPSHOT

Dependency-Track Distribution

Container Image

Database Server

H2

Database Server Version

No response

Browser

Apple Safari

Checklist

Although it may appear similar to the issue described in #3602, I believe that issue addresses some other problem

The prefix of those versions looks more like the epoch to me: https://manpages.debian.org/stretch/dpkg-dev/deb-version.5.en.html

So in a sense, if the BOMs previously generated by Trivy were missing those, that was technically a defect they now resolved.

Not sure what all the file components are about though, that looks odd.

This appears to be a change in what Trivy includes in the SBOM. However, it's not something we can deal with on our end.
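The epoch prefix pointed out in the comments above, as an added illustration that is not code from Dependency-Track or Trivy: a Python reimplementation of the deb-version(5) split and the dpkg ordering rules, showing that a version carrying an epoch is never equal to, and always sorts after, the same string without one. A matcher that compares the two as plain strings, or drops the "1:" prefix, therefore lands on a different package version than the one actually installed. The version strings used are constructed samples, not values from the reporter's BOMs.

```python
def _order(c):
    """dpkg weight of one char: '~' first, then end-of-string or digit, then letters, then the rest."""
    if c == "~":
        return -1
    return 0 if c == "" or c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256


def _verrevcmp(a, b):
    """dpkg comparison of an upstream or revision part: alternate non-digit and numeric runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # a[i:i+1] is '' past the end, mirroring the NUL terminator of the C string
        while (a[i:i + 1] and not a[i].isdigit()) or (b[j:j + 1] and not b[j].isdigit()):
            diff = _order(a[i:i + 1]) - _order(b[j:j + 1])
            if diff:
                return diff
            i, j = i + 1, j + 1
        while a[i:i + 1] == "0":  # leading zeros of a numeric run are insignificant
            i += 1
        while b[j:j + 1] == "0":
            j += 1
        while a[i:i + 1].isdigit() and b[j:j + 1].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if a[i:i + 1].isdigit():  # the longer numeric run is the larger number
            return 1
        if b[j:j + 1].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_deb_version(v):
    """Split '[epoch:]upstream[-revision]'; a missing epoch is 0, a missing revision is ''."""
    head, sep, rest = v.partition(":")  # epoch ends at the first colon
    epoch, rest = (int(head), rest) if sep else (0, v)
    upstream, sep, revision = rest.rpartition("-")  # revision starts at the last hyphen
    if not sep:
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_deb_versions(a, b):
    """Return -1, 0 or 1 ordering a against b; the epoch is decisive before anything else."""
    ea, ua, ra = parse_deb_version(a)
    eb, ub, rb = parse_deb_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    c = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (c > 0) - (c < 0)
```

With constructed samples, compare_deb_versions("1:7.0.0-11", "7.0.0-11") returns 1, so a vulnerability range keyed on the epoch-less string will not match the epoch-bearing one.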