Originally posted by **omallo** April 10, 2024
### Description
I'm using the Trivy Operator which generates an SBOM for the Kubernetes cluster. The SBOM contains multiple components of type "operating-system", one per node of the cluster.
Trivy is not able to scan the SBOM due to the multiple operating-system components.
### Desired Behavior
The SBOM generated by the Trivy Operator seems correct to me and Trivy should not fail because of the multiple components of type operating-system. Having multiple such components, one per node, seems correct to me.
### Actual Behavior
I get the following error:
```
$ trivy sbom /tmp/sbom-k8s-cluster.json
2024-04-10T17:55:52.400+0200 INFO Vulnerability scanning is enabled
2024-04-10T17:55:52.401+0200 INFO Detected SBOM format: cyclonedx-json
2024-04-10T17:55:52.402+0200 FATAL sbom scan error: scan error: scan failed: failed analysis: SBOM decode error: failed to decode: failed to decode components: multiple OS components are not supported
```
### Reproduction Steps
1. Run the command `trivy sbom /tmp/sbom-k8s-cluster.json` with the attached SBOM.
### Target
SBOM
### Scanner
Vulnerability
### Output Format
None
### Mode
None
### Debug Output
```bash
$ trivy sbom /tmp/sbom-k8s-cluster.json --debug
2024-04-10T18:00:53.568+0200 DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-04-10T18:00:53.568+0200 DEBUG Ignore statuses {"statuses": null}
2024-04-10T18:00:53.579+0200 DEBUG cache dir: /Users/omallo/Library/Caches/trivy
2024-04-10T18:00:53.579+0200 DEBUG DB update was skipped because the local DB is the latest
2024-04-10T18:00:53.579+0200 DEBUG DB Schema: 2, UpdatedAt: 2024-04-10 12:11:18.716332374 +0000 UTC, NextUpdate: 2024-04-10 18:11:18.716332083 +0000 UTC, DownloadedAt: 2024-04-10 15:45:56.880723 +0000 UTC
2024-04-10T18:00:53.580+0200 INFO Vulnerability scanning is enabled
2024-04-10T18:00:53.580+0200 DEBUG Vulnerability type: [os library]
2024-04-10T18:00:53.580+0200 DEBUG Enabling misconfiguration scanners: []
2024-04-10T18:00:53.580+0200 INFO Detected SBOM format: cyclonedx-json
2024-04-10T18:00:53.580+0200 DEBUG Unmarshalling CycloneDX JSON...
2024-04-10T18:00:53.581+0200 DEBUG Skipping a component with an unsupported type {"name": "node-core-components", "version": "", "type": ""}
2024-04-10T18:00:53.581+0200 DEBUG Skipping a component with an unsupported type {"name": "node-core-components", "version": "", "type": ""}
2024-04-10T18:00:53.584+0200 FATAL sbom scan error:
github.com/aquasecurity/trivy/pkg/commands/artifact.Run
github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:441
- scan error:
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact
github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:269
- scan failed:
github.com/aquasecurity/trivy/pkg/commands/artifact.scan
github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:710
- failed analysis:
github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact
github.com/aquasecurity/trivy/pkg/scanner/scan.go:148
- SBOM decode error:
github.com/aquasecurity/trivy/pkg/fanal/artifact/sbom.Artifact.Inspect
github.com/aquasecurity/trivy/pkg/fanal/artifact/sbom/sbom.go:56
- failed to decode:
github.com/aquasecurity/trivy/pkg/sbom.Decode
github.com/aquasecurity/trivy/pkg/sbom/sbom.go:231
- failed to decode components:
github.com/aquasecurity/trivy/pkg/sbom/io.(*Decoder).Decode
github.com/aquasecurity/trivy/pkg/sbom/io/decode.go:54
- multiple OS components are not supported:
github.com/aquasecurity/trivy/pkg/sbom/io.(*Decoder).decodeComponents
github.com/aquasecurity/trivy/pkg/sbom/io/decode.go:114
```
### Operating System
Linux
### Version
```bash
$ trivy --version
Version: 0.50.1
Vulnerability DB:
Version: 2
UpdatedAt: 2024-04-10 12:11:18.716332374 +0000 UTC
NextUpdate: 2024-04-10 18:11:18.716332083 +0000 UTC
DownloadedAt: 2024-04-10 15:45:56.880723 +0000 UTC
Java DB:
Version: 1
UpdatedAt: 2024-04-08 00:49:12.317761931 +0000 UTC
NextUpdate: 2024-04-11 00:49:12.317761761 +0000 UTC
DownloadedAt: 2024-04-08 22:56:58.568085 +0000 UTC
```
### Checklist
- [X] Run `trivy image --reset`
- [X] Read [the troubleshooting](https://aquasecurity.github.io/trivy/latest/docs/references/troubleshooting/)
Discussed in https://github.com/aquasecurity/trivy/discussions/6481
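
A pre-flight check for the condition named in the error above, as an added example that is not part of the original report or of Trivy's code: it lists every component of type `operating-system` in a CycloneDX JSON SBOM before the file is handed to `trivy sbom`. The sample document and its names are constructed, and walking nested `components` arrays and `metadata.component` is an assumption about where such entries can appear.

```python
import json
import sys

# Constructed sample, not the reporter's SBOM: two nodes, each contributing
# one operating-system component (one nested, one top-level).
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "platform", "name": "example-cluster"}},
    "components": [
        {"type": "platform", "name": "node-a", "bom-ref": "node-a",
         "components": [{"type": "operating-system", "name": "ubuntu",
                         "version": "22.04", "bom-ref": "os-a"}]},
        {"type": "operating-system", "name": "ubuntu",
         "version": "22.04", "bom-ref": "os-b"},
        {"type": "application", "name": "kubelet",
         "version": "1.29.0", "bom-ref": "kubelet-a"},
    ],
}

def iter_components(components):
    """Yield each component, descending into nested 'components' arrays."""
    for comp in components or []:
        yield comp
        yield from iter_components(comp.get("components"))

def os_components(bom):
    """Return every component of type 'operating-system' in the document."""
    roots = list(bom.get("components") or [])
    meta = (bom.get("metadata") or {}).get("component")
    if meta:
        roots.append(meta)  # assumption: the root component may be an OS too
    return [c for c in iter_components(roots)
            if c.get("type") == "operating-system"]

def preflight(bom):
    """Summarise OS components; more than one matches the reported error."""
    found = os_components(bom)
    labels = sorted("{}@{} ({})".format(c.get("name", "?"), c.get("version", "?"),
                                        c.get("bom-ref", "no bom-ref"))
                    for c in found)
    return {"os_count": len(found), "multiple_os": len(found) > 1,
            "os_components": labels}

if __name__ == "__main__":
    # Reads the SBOM path from argv, or falls back to the constructed sample.
    bom = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SBOM
    print(json.dumps(preflight(bom), indent=2))
```
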