DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

Trivy analyzer can't detect SLES OS #4051

Open PaulRitzkat0110 opened 3 months ago

PaulRitzkat0110 commented 3 months ago

Current Behavior

SBOMs generated with Trivy 0.53 for SLES 12.5 and 15.x can't be scanned by the Trivy analyzer after upload, because the OS is not detected by Trivy. Trivy 0.53 server log:

INFO    Detected OS family="none" version=""
WARN    Unsupported os  family="none"
INFO    Number of language-specific files   num=0

dtrack-logs-2024-08-08 17_28_28.txt

Steps to Reproduce

  1. Upload a Trivy-generated SBOM with SLES 12.5 or 15.x OS packages: trivy.json
  2. Have Dependency-Track configured to analyze with Trivy
  3. No OS is detected by Trivy, and no vulns appear in Dependency-Track: 403cb7b7-81b6-4ffd-bbbb-dd910ea39249-withVulnerabilities.cdx.json

Expected Behavior

The OS is set correctly by Dependency-Track and detected by Trivy, as it is for example for Red Hat, and vulns are reported back to Dependency-Track.

Dependency-Track Version

4.11.5

Dependency-Track Distribution

Container Image

Database Server

H2

Database Server Version

No response

Browser

N/A

Checklist
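A way to check, before opening a ticket, what Trivy would derive from the SBOM that Dependency-Track uploads: the script below is an added example and is not code from Dependency-Track or Trivy. It assumes that Trivy's CycloneDX decoder reads the OS from the component whose type is "operating-system", taking the component name as the OS family and the component version as the OS version, and that the list of family identifiers is a constructed subset of Trivy's (verify both against the Trivy release you run). The three sample SBOMs are constructed inline, not the reporter's attachments; the Red Hat one has an OS component, the first SLES one carries only OS packages, and the second SLES one shows the shape that would be needed for detection.

```python
"""Diagnose whether a CycloneDX SBOM carries an OS component Trivy can use.

Added example, not Dependency-Track or Trivy code. Assumptions: Trivy takes
the OS family from the "name" and the OS version from the "version" of the
component of type "operating-system"; SUPPORTED_FAMILIES is a constructed,
non-exhaustive subset of Trivy's OS family identifiers.
"""
from urllib.parse import parse_qs

# Constructed subset of Trivy OS family identifiers (assumption, not exhaustive).
SUPPORTED_FAMILIES = {
    "alpine", "amazon", "debian", "ubuntu", "redhat", "centos", "rocky",
    "alma", "oracle", "photon", "suse linux enterprise server",
    "opensuse.leap", "opensuse.tumbleweed",
}


def find_os_component(sbom):
    """Return the first component of type "operating-system", or None."""
    for comp in sbom.get("components", []):
        if comp.get("type") == "operating-system":
            return comp
    return None


def detected_os(sbom):
    """Return (family, version) as Trivy would derive them from the SBOM.

    family is "none" when no usable OS component exists, which is the case
    behind the 'Detected OS family="none" version=""' log line.
    """
    comp = find_os_component(sbom)
    if comp is None or not comp.get("name"):
        return ("none", "")
    return (comp["name"].lower(), comp.get("version", ""))


def distro_qualifiers(sbom):
    """Collect the 'distro' purl qualifier from rpm/deb/apk package components.

    Diagnostic hint only: when the SBOM has no OS component, this shows which
    distro the packages themselves claim (assumption: Trivy writes a distro
    qualifier into the OS-package purls it generates).
    """
    found = set()
    for comp in sbom.get("components", []):
        purl = comp.get("purl", "")
        if not purl.startswith(("pkg:rpm/", "pkg:deb/", "pkg:apk/")):
            continue
        query = purl.partition("?")[2].partition("#")[0]
        found.update(parse_qs(query).get("distro", []))
    return found


def diagnose(sbom):
    """One-line verdict on whether Trivy will be able to match OS advisories."""
    family, version = detected_os(sbom)
    if family == "none":
        hint = ", ".join(sorted(distro_qualifiers(sbom))) or "no distro qualifiers"
        return f'no operating-system component: Trivy will log family="none" ({hint})'
    if family not in SUPPORTED_FAMILIES:
        return f'family "{family}" is not a known Trivy OS family'
    if not version:
        return f'family "{family}" has no version: OS advisories cannot be matched'
    return f'ok: family="{family}" version="{version}"'


# Constructed sample SBOMs (not the issue's attachments).
SBOM_REDHAT = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "operating-system", "name": "redhat", "version": "8.4"},
        {"type": "library", "name": "openssl-libs", "version": "1.1.1k-4.el8",
         "purl": "pkg:rpm/redhat/openssl-libs@1.1.1k-4.el8?distro=redhat-8.4"},
    ],
}
SBOM_SLES_NO_OS = {  # OS packages present, but no operating-system component
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "libopenssl1_1", "version": "1.1.1d-150200.11.58.1",
         "purl": "pkg:rpm/suse/libopenssl1_1@1.1.1d-150200.11.58.1?distro=sles-15.5"},
    ],
}
SBOM_SLES = {  # the shape Trivy would need to detect SLES (assumed family name)
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "operating-system", "name": "suse linux enterprise server",
         "version": "15.5"},
        *SBOM_SLES_NO_OS["components"],
    ],
}

if __name__ == "__main__":
    for label, sbom in [("redhat", SBOM_REDHAT), ("sles-no-os", SBOM_SLES_NO_OS),
                        ("sles", SBOM_SLES)]:
        print(f"{label}: {diagnose(sbom)}")
```

Run it against the BOM that Dependency-Track actually sends to the Trivy server (or the one exported from the project) rather than the original Trivy output: the question in this issue is whether the OS component survives the round trip through Dependency-Track, so the same check on both files tells you where it is lost.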

cyrilfantin commented 2 months ago

Hi

I have the same issue for Trivy 0.54, Dependency-Track 4.11.7 and Amazon Linux 2. If I try Trivy directly, the Trivy server has the correct platform:

INFO    Detected OS family="amazon" version="2 (Karoo)"
INFO    [amazon] Detecting vulnerabilities... os_version="2" pkg_num=117