Closed dsk-imgw closed 3 months ago
I inspected HTTP traffic of vulnerability scans between client (both Dependency-Track and Trivy CLI) and Trivy server. I discovered the slight difference of POST data between Dependency-Track and Trivy CLI. More precisely, when POST to /twirp/trivy.cache.v1.Cache/PutBlob,
Please see the example below. If the source code of Dependency-Track could be modified to send the data below 2), this issue might be resolved, but I have not tried to modify the source code of Dependency-Track, since the change impacts could not be estimated precisely (just OK by changing the structure of "Package" class and POST data?).
1) Dependency-Track -> Trivy Server
{
"diff_id": "sha256:0f4c5915d0608864abfca0081bd1f1b71b6b23a61c90b3dc59b693ea859fb8f0",
"blob_info": {
"schema_version": 2,
"os": {
"family": "rocky",
"name": "9.4",
"eosl": false,
"extended": false
},
"package_infos": [
{
"packages": [
{
...
},
{
"name": "dbus",
"version": "1:1.12.20-8.el9", // <-- %{EPOCH}:%{VERSION}-%{RELEASE} and no "release" key.
"arch": "x86_64",
"epoch": 1,
"src_name": "dbus",
"src_version": "1.12.20",
"src_epoch": 1,
"src_release": "8.el9",
"licenses": [],
"layer": {
"eosl": false,
"extended": false
}
},
{
...
},
]
}
]
}
}
2) Trivy CLI Client -> Trivy Server (Below is JSON equivalent representation. The actual "Content-Type" is "application/protobuf", not "application/json".)
{
"diff_id": "sha256:0f4c5915d0608864abfca0081bd1f1b71b6b23a61c90b3dc59b693ea859fb8f0",
"blob_info": {
"schema_version": 2,
"os": {
"family": "rocky",
"name": "9.4",
"eosl": false,
"extended": false
},
"package_infos": [
{
"packages": [
{
...
},
{
"name": "dbus",
"version": "1.12.20", // <-- (a) %{VERSION}
"release": "8.el9", // <-- (b) %{RELEASE}
"arch": "x86_64",
"epoch": 1,
"src_name": "dbus",
"src_version": "1.12.20",
"src_epoch": 1,
"src_release": "8.el9",
"licenses": [],
"layer": {
"eosl": false,
"extended": false
}
},
{
...
},
]
}
]
}
}
As for RPM and DEB packages, false positives by Trivy Analyser seems to be resolved by modifying the source code a little.
I modified the source code of 4.11.3. Modified files are 2 files, "main/java/org/dependencytrack/tasks/scanners/TrivyAnalysisTask.java" and "main/java/org/dependencytrack/parser/trivy/model/Package.java". For your reference, the patch file ("dependency-track-4.11.3_trivy_rpm+deb.patch") is attached to the last of this message.
After deploying the modified apiserver JAR file, I re-analysed the project of rpm packages in "Rocky Linux 9.4" which I mentioned in this issue. The result is "27 vulnerabilities detected" (screenshot is below), as I wanted.
Inaddition, I also confirmed the same thing for DEB packages; scan results of deb packages in Ubuntu 22.04 are the same both by Dependency-Track and by Trivy CLI.
dependency-track-4.11.3_trivy_rpm+deb.patch
Thank you.
Hey sorry for missing this, I will try to have a look into it today
@dsk-imgw do you want to create a PR for this or do you want me to handle it?
If possible, I would appreciate it if you could handle a PR.
Ok, Im a little busy right now, but I will try to create it the next few days
@dsk-imgw What's the reason for closing this issue? Does the proposed patch not work as expected?
I closed the issue as "stale" or "inactive" by the following reasons:
2024年7月9日(火) 1:54 Niklas @.***>:
@dsk-imgw https://github.com/dsk-imgw What's the reason for closing this issue? Does the proposed patch not work as expected?
— Reply to this email directly, view it on GitHub https://github.com/DependencyTrack/dependency-track/issues/3774#issuecomment-2214689893, or unsubscribe https://github.com/notifications/unsubscribe-auth/AX7E4DA7QLPPN5ZCYXYAZXDZLK73XAVCNFSM6AAAAABIPCTSLWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDEMJUGY4DSOBZGM . You are receiving this because you were mentioned.Message ID: @.***>
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
Current Behavior
Trivy analyzer may report false positives (at least about Rocky Linux 9).
Steps to Reproduce
Results by Dependency Track
Results by trivy CLI
Expected Behavior
I think trivy analyzer in Dependency-Track should detect only 27 vulnerabitiles detected by trivy CLI by the following reasons.
Dependency-Track Version
4.11.1
Dependency-Track Distribution
Container Image
Database Server
PostgreSQL
Database Server Version
10.5
Browser
Google Chrome
Checklist