aquasecurity / trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
https://aquasecurity.github.io/trivy
Apache License 2.0

SBOM scan: unsupported type github #3994

Closed chr-b closed 1 year ago

chr-b commented 1 year ago

Description

I am scanning a CycloneDX SBOM that contains a component with a Github package URL. Trivy exits with an error (unsupported type github).

What did you expect to happen?

I was hoping that a vulnerability scan is possible, considering that GitHub advisory databases are a supported data source.

What happened instead?

2023-04-05T15:58:11.178+0200    FATAL   sbom scan error: scan error: scan failed: scan failed: failed to detect vulnerabilities: failed to scan application libraries: failed vulnerability detection of libraries: failed to initialize a driver: unsupported type github

Output of run with --debug:

$ trivy  --debug sbom test_sbom.json 
2023-04-05T16:02:49.726+0200    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-04-05T16:02:49.729+0200    DEBUG   cache dir:  /home/user/.cache/trivy
2023-04-05T16:02:49.729+0200    DEBUG   DB update was skipped because the local DB is the latest
2023-04-05T16:02:49.729+0200    DEBUG   DB Schema: 2, UpdatedAt: 2023-04-05 12:08:03.416475873 +0000 UTC, NextUpdate: 2023-04-05 18:08:03.416475473 +0000 UTC, DownloadedAt: 2023-04-05 13:58:11.168521624 +0000 UTC
2023-04-05T16:02:49.729+0200    INFO    Vulnerability scanning is enabled
2023-04-05T16:02:49.730+0200    DEBUG   Vulnerability type:  [os library]
2023-04-05T16:02:49.730+0200    INFO    Detected SBOM format: cyclonedx-json
2023-04-05T16:02:49.730+0200    DEBUG   Unmarshaling CycloneDX JSON...
2023-04-05T16:02:49.731+0200    WARN    Third-party SBOM may lead to inaccurate vulnerability detection
2023-04-05T16:02:49.731+0200    WARN    Recommend using Trivy to generate SBOMs
2023-04-05T16:02:49.731+0200    WARN    Ignore the OS package as no OS information is found.
2023-04-05T16:02:49.733+0200    DEBUG   OS is not detected.
2023-04-05T16:02:49.733+0200    DEBUG   Detected OS: unknown
2023-04-05T16:02:49.733+0200    INFO    Number of language-specific files: 1
2023-04-05T16:02:49.733+0200    INFO    Detecting github vulnerabilities...
2023-04-05T16:02:49.733+0200    DEBUG   Detecting library vulnerabilities, type: github, path: 
2023-04-05T16:02:49.737+0200    FATAL   sbom scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.Run
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:413
  - scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:257
  - scan failed:
    github.com/aquasecurity/trivy/pkg/commands/artifact.scan
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:588
  - scan failed:
    github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact
        /home/runner/work/trivy/trivy/pkg/scanner/scan.go:156
  - failed to detect vulnerabilities:
    github.com/aquasecurity/trivy/pkg/scanner/local.Scanner.Scan
        /home/runner/work/trivy/trivy/pkg/scanner/local/scan.go:120
  - failed to scan application libraries:
    github.com/aquasecurity/trivy/pkg/scanner/local.Scanner.scanVulnerabilities
        /home/runner/work/trivy/trivy/pkg/scanner/local/scan.go:231
  - failed vulnerability detection of libraries:
    github.com/aquasecurity/trivy/pkg/scanner/local.Scanner.scanLangPkgs
        /home/runner/work/trivy/trivy/pkg/scanner/local/scan.go:296
  - failed to initialize a driver:
    github.com/aquasecurity/trivy/pkg/detector/library.Detect
        /home/runner/work/trivy/trivy/pkg/detector/library/detect.go:19
  - unsupported type github:
    github.com/aquasecurity/trivy/pkg/detector/library.NewDriver
        /home/runner/work/trivy/trivy/pkg/detector/library/driver.go:66

Output of trivy -v:

$ trivy  -v sbom test_sbom.json 
2023-04-05T16:06:36.211+0200    INFO    Vulnerability scanning is enabled
2023-04-05T16:06:36.211+0200    INFO    Detected SBOM format: cyclonedx-json
2023-04-05T16:06:36.211+0200    WARN    Third-party SBOM may lead to inaccurate vulnerability detection
2023-04-05T16:06:36.211+0200    WARN    Recommend using Trivy to generate SBOMs
2023-04-05T16:06:36.211+0200    WARN    Ignore the OS package as no OS information is found.
2023-04-05T16:06:36.213+0200    INFO    Number of language-specific files: 1
2023-04-05T16:06:36.213+0200    INFO    Detecting github vulnerabilities...
2023-04-05T16:06:36.214+0200    FATAL   sbom scan error: scan error: scan failed: scan failed: failed to detect vulnerabilities: failed to scan application libraries: failed vulnerability detection of libraries: failed to initialize a driver: unsupported type github

Additional details (base image name, container registry info...):

Trivy version:

Version: 0.36.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-04-05 12:08:03.416475873 +0000 UTC
  NextUpdate: 2023-04-05 18:08:03.416475473 +0000 UTC
  DownloadedAt: 2023-04-05 13:58:11.168521624 +0000 UTC

Minimal SBOM input file triggering the error:

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "metadata": {
    "timestamp": "2023-04-05T08:55:01.123Z",
    "component": {"type": "application", "name": "test", "version": "1", "bom-ref": "test-app"}
  },
  "components": [
    {"type": "library", "name": "pcre2", "version": "10.42", "purl": "pkg:github/PCRE2Project/pcre2@10.42", "bom-ref": "pcre2"}
  ],
  "dependencies": [
    {"ref": "test-app", "dependsOn": ["pcre2"]}
  ]
}

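
The failure above is triggered by the purl type of a single component, and Trivy 0.36.1 aborts the whole scan rather than skipping that one component. The following is an added example, not part of the issue and not Trivy's own code: a small Go tool that lists the purl types present in a CycloneDX JSON BOM (so the type named in the "unsupported type X" error can be traced back to the offending components) and, as a workaround, writes a copy of the BOM with the components of a chosen type removed and the dependency graph pruned to match. The sample input is constructed: it is the minimal BOM from the issue with a hypothetical npm component (lodash) added so the filter has something to keep. Components that are dropped are simply not scanned, so this trades coverage for a completed scan and the removed refs should be reported, not silently discarded.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// sampleBOM is a constructed input: the minimal BOM from the issue plus a
// hypothetical npm component, so that the filter below has something to keep.
const sampleBOM = `{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "metadata": {"component": {"type": "application", "name": "test", "version": "1", "bom-ref": "test-app"}},
  "components": [
    {"type": "library", "name": "pcre2", "version": "10.42",
     "purl": "pkg:github/PCRE2Project/pcre2@10.42", "bom-ref": "pcre2"},
    {"type": "library", "name": "lodash", "version": "4.17.21",
     "purl": "pkg:npm/lodash@4.17.21", "bom-ref": "lodash"}
  ],
  "dependencies": [{"ref": "test-app", "dependsOn": ["pcre2", "lodash"]}]
}`

// purlType returns the type segment of a package URL (the "github" in
// "pkg:github/PCRE2Project/pcre2@10.42"), lower-cased as the purl spec
// requires, or "" when the string does not use the pkg: scheme.
func purlType(purl string) string {
	if !strings.HasPrefix(purl, "pkg:") {
		return ""
	}
	rest := strings.TrimLeft(strings.TrimPrefix(purl, "pkg:"), "/") // "pkg://" is tolerated
	if i := strings.IndexByte(rest, '/'); i >= 0 {
		rest = rest[:i]
	}
	return strings.ToLower(rest)
}

// components returns the BOM's component objects; non-object entries are skipped.
func components(doc map[string]any) []map[string]any {
	raw, _ := doc["components"].([]any)
	out := make([]map[string]any, 0, len(raw))
	for _, c := range raw {
		if m, ok := c.(map[string]any); ok {
			out = append(out, m)
		}
	}
	return out
}

func str(m map[string]any, key string) string {
	s, _ := m[key].(string)
	return s
}

// PurlTypes maps each purl type used in the BOM to the bom-refs using it.
// Run this first: the type named in the "unsupported type X" error is the key to look up.
func PurlTypes(doc map[string]any) map[string][]string {
	types := map[string][]string{}
	for _, c := range components(doc) {
		t := purlType(str(c, "purl"))
		if t == "" {
			t = "(no purl)"
		}
		types[t] = append(types[t], str(c, "bom-ref"))
	}
	return types
}

// DropPurlTypes removes components whose purl type is in drop and prunes the
// dependency graph so nothing refers to a removed bom-ref. It returns the
// removed bom-refs so the caller can report what is no longer being scanned.
func DropPurlTypes(doc map[string]any, drop map[string]bool) []string {
	removed, gone, keep := []string{}, map[string]bool{}, []any{}
	for _, c := range components(doc) {
		if drop[purlType(str(c, "purl"))] {
			removed = append(removed, str(c, "bom-ref"))
			gone[str(c, "bom-ref")] = true
			continue
		}
		keep = append(keep, c)
	}
	doc["components"] = keep
	if deps, ok := doc["dependencies"].([]any); ok {
		keptDeps := []any{}
		for _, d := range deps {
			dm, ok := d.(map[string]any)
			if !ok || gone[str(dm, "ref")] {
				continue // the removed component's own dependency entry goes too
			}
			if on, ok := dm["dependsOn"].([]any); ok {
				filtered := []any{}
				for _, r := range on {
					if s, _ := r.(string); !gone[s] {
						filtered = append(filtered, r)
					}
				}
				dm["dependsOn"] = filtered
			}
			keptDeps = append(keptDeps, dm)
		}
		doc["dependencies"] = keptDeps
	}
	return removed
}

func main() {
	var doc map[string]any
	if err := json.Unmarshal([]byte(sampleBOM), &doc); err != nil {
		fmt.Fprintln(os.Stderr, "invalid BOM:", err)
		os.Exit(1)
	}
	for t, refs := range PurlTypes(doc) {
		fmt.Printf("%-10s %s\n", t, strings.Join(refs, ", "))
	}
	removed := DropPurlTypes(doc, map[string]bool{"github": true})
	fmt.Println("dropped (NOT scanned):", strings.Join(removed, ", "))
	out, _ := json.MarshalIndent(doc, "", "  ")
	os.Stdout.Write(append(out, '\n')) // save this and run: trivy sbom filtered.json
}
```

The BOM is decoded into a generic map rather than a typed struct so that fields the tool does not understand (metadata, tools, vulnerabilities, extensions) survive the round trip untouched; only "components" and "dependencies" are rewritten.
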
afdesk commented 1 year ago

It seems this issue and #4566 have the same reasons.