Closed DmitriyLewen closed 2 months ago
Also there is a problem with the same jars in different folders.
We create only 1 component:

`json` report:
```json
"Packages": [
  {
    "Name": "com.fasterxml.jackson.core:jackson-databind",
    "Version": "2.13.4",
    "Layer": {},
    "FilePath": "1/jackson-databind-2.13.4.jar"
  },
  {
    "Name": "com.fasterxml.jackson.core:jackson-databind",
    "Version": "2.13.4",
    "Layer": {},
    "FilePath": "2/jackson-databind-2.13.4.jar"
  }
],
```
`cyclonedx` report:
```json
"components": [
  {
    "bom-ref": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4?file_path=2%2Fjackson-databind-2.13.4.jar",
    "type": "library",
    "group": "com.fasterxml.jackson.core",
    "name": "jackson-databind",
    "version": "2.13.4",
    "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4",
    "properties": [
      {
        "name": "aquasecurity:trivy:FilePath",
        "value": "2/jackson-databind-2.13.4.jar"
      },
      {
        "name": "aquasecurity:trivy:PkgType",
        "value": "jar"
      }
    ]
  }
],
```
Things look a bit different after further investigation:
```
trivy image --ignore-unfixed confluentinc/cp-schema-registry:7.5.2 --scanners vuln --severity CRITICAL
```
reports the same CVE (CVE-2023-44981) with count 5, but now for 2 jars: org.apache.zookeeper:zookeeper (acl-7.5.2.jar) and org.apache.zookeeper:zookeeper (zookeeper-3.6.3.jar). Now I'm confused: the cyclonedx format is reporting issues, the table format is partially ok (showing 2 separate files with this CVE), and both formats don't show the additional 12 critical CVEs (total 62 CVEs, both numbers with the --ignore-unfixed switch).
Hello @LesSyner, thanks for your investigation.

> both formats don't show additional 12 critical CVEs

I am focusing on fixing the CycloneDX logic. After that I will check this case.
I checked `acl-7.5.2.jar`:
When you scan in `fs` mode, Trivy checks `pom.xml` files.
But when you scan in `image` (or `rootfs`) mode, Trivy checks `jar` files (Trivy checks `pom.properties`, `MANIFEST.MF` and nested jars inside the found jar) - https://aquasecurity.github.io/trivy/v0.48/docs/coverage/language/java/#jarwarparear
More about fs/image mode - https://aquasecurity.github.io/trivy/v0.48/docs/coverage/language/#supported-languages

For your case:
`fs` mode - Trivy finds the `./acl/META-INF/maven/com.hubspot.jackson/jackson-datatype-protobuf/pom.xml` file:
```xml
<groupId>com.hubspot.jackson</groupId>
<artifactId>jackson-datatype-protobuf</artifactId>
<version>0.9.11-jackson2.9</version>
<description>Jackson Module that adds support for reading/writing protobufs</description>
<properties>
  <basepom.check.skip-dependency-versions-check>true</basepom.check.skip-dependency-versions-check>
  <dep.jackson.version>2.9.9</dep.jackson.version>
  <dep.jackson-databind.version>2.9.9</dep.jackson-databind.version>
  <dep.protobuf-java.version>3.8.0</dep.protobuf-java.version>
</properties>
<dependencies>
  ...
  <dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-databind</artifactId>
  </dependency>
  <dependency>
```
And detects `jackson-databind` 2.9.9, just like `mvn` does:
```
[INFO] com.hubspot.jackson:jackson-datatype-protobuf:jar:0.9.11-jackson2.9
[INFO] +- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.9:compile
[INFO] +- com.fasterxml.jackson.core:jackson-core:jar:2.9.9:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.9:compile
```
`image` mode: Trivy finds the `./acl/META-INF/maven/com.hubspot.jackson/jackson-datatype-protobuf/pom.properties` file:
```properties
#Created by Apache Maven 3.6.1
version=0.9.11-jackson2.9
groupId=com.hubspot.jackson
artifactId=jackson-datatype-protobuf
```
This file doesn't have info about `jackson-databind`.
But `acl-7.5.2.jar` has the `./acl/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties` file:
```properties
version=2.14.2
groupId=com.fasterxml.jackson.core
artifactId=jackson-databind
```
That is why Trivy finds vulnerabilities only for `com.fasterxml.jackson.core:jackson-databind@2.14.2`.
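To make the fs-versus-image difference concrete, here is an added example (my own code, not Trivy's) that reads a jar the way the image/rootfs mode described in the comment above does: it looks only at `META-INF/maven/<group>/<artifact>/pom.properties` entries and ignores `pom.xml`. The jar is constructed in memory from the two `pom.properties` files quoted above plus a stub `pom.xml`; the `group:artifact@version` output format, the `parse_properties` helper and the omission of `MANIFEST.MF` and nested-jar handling are my simplifications, not Trivy's behaviour.

```python
"""Added example (not Trivy's code): list the Maven packages an image/rootfs-mode
scan would see in a jar by reading META-INF/maven/<group>/<artifact>/pom.properties.
Everything below is constructed for this example."""
import io
import zipfile
from typing import Dict, List

# Constructed in-memory jar contents, copied from the pom.properties files quoted
# in the thread. The pom.xml is present too, but an image-mode scan does not read it.
CONSTRUCTED_ENTRIES = {
    "META-INF/maven/com.hubspot.jackson/jackson-datatype-protobuf/pom.properties":
        "#Created by Apache Maven 3.6.1\n"
        "version=0.9.11-jackson2.9\n"
        "groupId=com.hubspot.jackson\n"
        "artifactId=jackson-datatype-protobuf\n",
    "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties":
        "version=2.14.2\n"
        "groupId=com.fasterxml.jackson.core\n"
        "artifactId=jackson-databind\n",
    "META-INF/maven/com.hubspot.jackson/jackson-datatype-protobuf/pom.xml":
        "<project><groupId>com.hubspot.jackson</groupId>"
        "<artifactId>jackson-datatype-protobuf</artifactId>"
        "<version>0.9.11-jackson2.9</version>"
        "<properties><dep.jackson-databind.version>2.9.9</dep.jackson-databind.version></properties>"
        "</project>\n",
}


def build_constructed_jar() -> bytes:
    """Build a minimal jar (a zip archive) holding the constructed META-INF entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in CONSTRUCTED_ENTRIES.items():
            zf.writestr(name, body)
    return buf.getvalue()


def parse_properties(text: str) -> Dict[str, str]:
    """Parse the key=value subset of Java .properties; lines starting with '#' or '!' are comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:  # tolerate the 'key:value' form as well
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def packages_from_jar(jar_bytes: bytes) -> List[str]:
    """Return sorted 'groupId:artifactId@version' strings for every pom.properties under META-INF/maven.

    Entries missing any of the three keys are skipped. pom.xml is deliberately ignored,
    which is the image/rootfs-mode behaviour the thread describes; this simplified
    version also does not read MANIFEST.MF or recurse into nested jars."""
    found: List[str] = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("META-INF/maven/") and name.endswith("/pom.properties")):
                continue
            props = parse_properties(zf.read(name).decode("utf-8", errors="replace"))
            if all(k in props for k in ("groupId", "artifactId", "version")):
                found.append(f"{props['groupId']}:{props['artifactId']}@{props['version']}")
    return sorted(found)


if __name__ == "__main__":
    for pkg in packages_from_jar(build_constructed_jar()):
        print(pkg)
```

Run it and the only jackson-databind reported is 2.14.2, while the 2.9.9 that `mvn` resolves from the `pom.xml` never appears, which is exactly the discrepancy the comment explains: the version declared as a dependency in `pom.xml` is invisible to a scan that only reads `pom.properties`.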
I dug deeper, since so far there was no justification for 5 critical CVEs. And I've found them in the report in json format. So in fact the summary in all formats is ok (regarding 5 instances of CVE-2023-44981); only the proper details are missing in the table and cyclonedx formats.
```json
"VulnerabilityID": "CVE-2023-44981",
"PkgName": "org.apache.zookeeper:zookeeper",
"PkgPath": "usr/share/java/acl/acl-7.5.2.jar",
"InstalledVersion": "3.6.3",

"VulnerabilityID": "CVE-2023-44981",
"PkgName": "org.apache.zookeeper:zookeeper",
"PkgPath": "usr/share/java/confluent-control-center/zookeeper-3.6.3.jar",
"InstalledVersion": "3.6.3",

"VulnerabilityID": "CVE-2023-44981",
"PkgName": "org.apache.zookeeper:zookeeper",
"PkgPath": "usr/share/java/confluent-security/connect/zookeeper-3.6.3.jar",
"InstalledVersion": "3.6.3",

"VulnerabilityID": "CVE-2023-44981",
"PkgName": "org.apache.zookeeper:zookeeper",
"PkgPath": "usr/share/java/cp-base-new/zookeeper-3.6.3.jar",
"InstalledVersion": "3.6.3",

"VulnerabilityID": "CVE-2023-44981",
"PkgName": "org.apache.zookeeper:zookeeper",
"PkgPath": "usr/share/java/schema-registry/zookeeper-3.6.3.jar",
"InstalledVersion": "3.6.3",
```
This problem is related to Applications aggregation. There is #4249 about the table format.
I have the same problem. I made a very simple script that you can use to temporarily fix this issue. Here is the up-to-date gist: https://gist.github.com/topiga/4d459e6a922c2f08fec5a211975316fb
Here is the code as of today, 25th April 2024:
```python
import json
import argparse


def remove_duplicates(json_data):
    # Keep only the first occurrence of each "ref" in every vulnerability's "affects" array.
    # .get() keeps the script from crashing on a BOM without a "vulnerabilities" key.
    for vulnerability in json_data.get('vulnerabilities', []):
        affects = vulnerability.get('affects', [])
        unique_affects = []
        seen_refs = set()
        for affect in affects:
            ref = affect['ref']
            if ref not in seen_refs:
                seen_refs.add(ref)
                unique_affects.append(affect)
        vulnerability['affects'] = unique_affects
    return json_data


def main():
    parser = argparse.ArgumentParser(description='Fix CycloneDX file by removing duplicate items in the "affects" array.')
    parser.add_argument('--input', dest='input_file', required=True, help='Path to the input CycloneDX file')
    parser.add_argument('--output', dest='output_file', required=True, help='Path to the output fixed CycloneDX file')
    args = parser.parse_args()

    try:
        with open(args.input_file, 'r') as file:
            cyclonedx_data = json.load(file)
    except FileNotFoundError:
        print(f'Error: input file "{args.input_file}" not found')
        return
    except json.JSONDecodeError as e:
        print(f'Error: invalid JSON format in input file "{args.input_file}"')
        print(f'JSON error: {str(e)}')
        return

    updated_data = remove_duplicates(cyclonedx_data)

    try:
        with open(args.output_file, 'w') as file:
            json.dump(updated_data, file, indent=2)
    except IOError as e:
        print(f'Error: failed to write output file "{args.output_file}"')
        print(f'IO error: {str(e)}')
        return

    print(f'Fixed CycloneDX data written to "{args.output_file}"')


if __name__ == '__main__':
    main()
```
Hello @topiga,
Can you check this issue with the latest Trivy? I think #6240 should fix this problem. e.g.:
```
Last login: Fri Apr 26 07:35:23 on ttys001
➜ tree ./dir
./dir
├── dir1
│   └── jackson-databind-2.13.4.jar
└── dir2
    └── jackson-databind-2.13.4.jar

3 directories, 2 files
➜ trivy -q rootfs -f cyclonedx ./dir
{
  "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:45d8a637-d34b-4700-949d-911410f35c5a",
  "version": 1,
  "metadata": {
    "timestamp": "2024-04-26T01:45:03+00:00",
    "tools": {
      "components": [
        {
          "type": "application",
          "group": "aquasecurity",
          "name": "trivy",
          "version": "0.50.4"
        }
      ]
    },
    "component": {
      "bom-ref": "138052f2-ad09-4e00-824f-575c21306aaf",
      "type": "application",
      "name": "dir",
      "properties": [
        {
          "name": "aquasecurity:trivy:SchemaVersion",
          "value": "2"
        }
      ]
    }
  },
  "components": [
    {
      "bom-ref": "08210638-25c1-4d60-b4e6-2c59ed622f01",
      "type": "library",
      "group": "com.fasterxml.jackson.core",
      "name": "jackson-databind",
      "version": "2.13.4",
      "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4",
      "properties": [
        {
          "name": "aquasecurity:trivy:FilePath",
          "value": "dir2/jackson-databind-2.13.4.jar"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "jar"
        }
      ]
    },
    {
      "bom-ref": "5fb0bb40-d596-4e92-8597-5a1ccb4fa503",
      "type": "library",
      "group": "com.fasterxml.jackson.core",
      "name": "jackson-databind",
      "version": "2.13.4",
      "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4",
      "properties": [
        {
          "name": "aquasecurity:trivy:FilePath",
          "value": "dir1/jackson-databind-2.13.4.jar"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "jar"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "08210638-25c1-4d60-b4e6-2c59ed622f01",
      "dependsOn": []
    },
    {
      "ref": "138052f2-ad09-4e00-824f-575c21306aaf",
      "dependsOn": [
        "08210638-25c1-4d60-b4e6-2c59ed622f01",
        "5fb0bb40-d596-4e92-8597-5a1ccb4fa503"
      ]
    },
    {
      "ref": "5fb0bb40-d596-4e92-8597-5a1ccb4fa503",
      "dependsOn": []
    }
  ],
  "vulnerabilities": []
}
```
The problem still persists, also with the latest trivy version (0.52.2). In fact, the CycloneDX file generated violates the schema (because of non-unique `$.vulnerabilities[x].affects[*]`), which means that tools such as Dependency Track will reject the SBOM when being uploaded.
To reproduce, run
```
trivy image -f cyclonedx -o ap.cdx.json --scanners license,vuln registry.hub.knime.com/knime/knime-full:r-5.2.0-271
```
and look for CVE-2014-125087.
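Before handing a Trivy SBOM to Dependency-Track, the cheap defensive step is to check the uniqueness rules yourself and fail the pipeline early. The following is an added example, not Trivy's or Dependency-Track's code: it flags repeated `ref` values inside a vulnerability's `affects` array (the schema violation described in the comment above), component `bom-ref`s that are not unique, and `affects` refs that resolve to no component at all. The BOM it runs on is constructed for the example, modelled on the duplicate-zookeeper case earlier in the thread; the finding strings and the function name `find_uniqueness_problems` are my own.

```python
"""Added example (not Trivy's or Dependency-Track's code): pre-upload uniqueness
checks for a CycloneDX JSON document. The sample BOM is constructed for this
example and is not real Trivy output."""
import json
from collections import Counter
from typing import Any, Dict, List

# Constructed sample: two copies of the same jar under different paths, and one CVE
# whose "affects" array lists the first copy's ref twice.
CONSTRUCTED_BOM: Dict[str, Any] = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"bom-ref": "pkg:maven/org.apache.zookeeper/zookeeper@3.6.3?file_path=a%2Fzookeeper-3.6.3.jar",
     "type": "library", "name": "zookeeper", "version": "3.6.3"},
    {"bom-ref": "pkg:maven/org.apache.zookeeper/zookeeper@3.6.3?file_path=b%2Fzookeeper-3.6.3.jar",
     "type": "library", "name": "zookeeper", "version": "3.6.3"}
  ],
  "vulnerabilities": [
    {"id": "CVE-2023-44981",
     "affects": [
       {"ref": "pkg:maven/org.apache.zookeeper/zookeeper@3.6.3?file_path=a%2Fzookeeper-3.6.3.jar"},
       {"ref": "pkg:maven/org.apache.zookeeper/zookeeper@3.6.3?file_path=a%2Fzookeeper-3.6.3.jar"},
       {"ref": "pkg:maven/org.apache.zookeeper/zookeeper@3.6.3?file_path=b%2Fzookeeper-3.6.3.jar"}
     ]}
  ]
}
""")


def find_uniqueness_problems(bom: Dict[str, Any]) -> List[str]:
    """Return human-readable findings; an empty list means the document passed."""
    findings: List[str] = []

    # 1. bom-ref uniqueness across top-level components (nested components are not
    #    walked here, to keep the example short).
    refs = Counter(c.get("bom-ref") for c in bom.get("components", []) if c.get("bom-ref"))
    for ref, n in refs.items():
        if n > 1:
            findings.append(f"component bom-ref {ref!r} appears {n} times")

    # The metadata component is a legitimate target for affects.ref as well.
    known_refs = set(refs)
    metadata_component = bom.get("metadata", {}).get("component", {})
    if metadata_component.get("bom-ref"):
        known_refs.add(metadata_component["bom-ref"])

    # 2. Per vulnerability: every affects.ref must be unique and must resolve to a component.
    for i, vuln in enumerate(bom.get("vulnerabilities", [])):
        vid = vuln.get("id", f"#{i}")
        affect_refs = Counter(a.get("ref") for a in vuln.get("affects", []))
        for ref, n in affect_refs.items():
            if n > 1:
                findings.append(f"{vid}: affects.ref {ref!r} listed {n} times (schema requires unique items)")
            if ref not in known_refs:
                findings.append(f"{vid}: affects.ref {ref!r} matches no component bom-ref")
    return findings


if __name__ == "__main__":
    problems = find_uniqueness_problems(CONSTRUCTED_BOM)
    for line in problems:
        print("FINDING:", line)
    raise SystemExit(1 if problems else 0)
```

Wire this into the job that produces the SBOM and fail it on any finding; topiga's script above is the matching repair for the first kind of finding. Full schema validation with `jsonschema` against `bom-1.5.schema.json` catches the same `uniqueItems` violation, but its error message points at an array index rather than naming the CVE and the offending ref.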
Hello @sithmein, thanks for the information!
Created #7023 for your issue.
Regards, Dmitriy
Discussed in https://github.com/aquasecurity/trivy/discussions/5788