aquasecurity / trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
https://aquasecurity.github.io/trivy
Apache License 2.0

Multiple OS components in SBOM are not supported properly #6506

Closed chen-keinan closed 7 months ago

chen-keinan commented 7 months ago

Discussed in https://github.com/aquasecurity/trivy/discussions/6481

Originally posted by **omallo** April 10, 2024

### Description

I'm using the Trivy Operator which generates an SBOM for the Kubernetes cluster. The SBOM contains multiple components of type "operating-system", one per node of the cluster. Trivy is not able to scan the SBOM due to the multiple operating-system components.

### Desired Behavior

The SBOM generated by the Trivy Operator seems correct to me and Trivy should not fail because of the multiple components of type operating-system. Having multiple such components, one per node, seems correct to me.

### Actual Behavior

I get the following error:

```
$ trivy sbom /tmp/sbom-k8s-cluster.json
2024-04-10T17:55:52.400+0200 INFO Vulnerability scanning is enabled
2024-04-10T17:55:52.401+0200 INFO Detected SBOM format: cyclonedx-json
2024-04-10T17:55:52.402+0200 FATAL sbom scan error: scan error: scan failed: failed analysis: SBOM decode error: failed to decode: failed to decode components: multiple OS components are not supported
```

### Reproduction Steps

```bash
1. Run the command `trivy sbom /tmp/sbom-k8s-cluster.json` with the attached SBOM.
```

### Target

SBOM

### Scanner

Vulnerability

### Output Format

None

### Mode

None

### Debug Output

```bash
$ trivy sbom /tmp/sbom-k8s-cluster.json --debug
2024-04-10T18:00:53.568+0200 DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-04-10T18:00:53.568+0200 DEBUG Ignore statuses {"statuses": null}
2024-04-10T18:00:53.579+0200 DEBUG cache dir: /Users/omallo/Library/Caches/trivy
2024-04-10T18:00:53.579+0200 DEBUG DB update was skipped because the local DB is the latest
2024-04-10T18:00:53.579+0200 DEBUG DB Schema: 2, UpdatedAt: 2024-04-10 12:11:18.716332374 +0000 UTC, NextUpdate: 2024-04-10 18:11:18.716332083 +0000 UTC, DownloadedAt: 2024-04-10 15:45:56.880723 +0000 UTC
2024-04-10T18:00:53.580+0200 INFO Vulnerability scanning is enabled
2024-04-10T18:00:53.580+0200 DEBUG Vulnerability type: [os library]
2024-04-10T18:00:53.580+0200 DEBUG Enabling misconfiguration scanners: []
2024-04-10T18:00:53.580+0200 INFO Detected SBOM format: cyclonedx-json
2024-04-10T18:00:53.580+0200 DEBUG Unmarshalling CycloneDX JSON...
2024-04-10T18:00:53.581+0200 DEBUG Skipping a component with an unsupported type {"name": "node-core-components", "version": "", "type": ""}
2024-04-10T18:00:53.581+0200 DEBUG Skipping a component with an unsupported type {"name": "node-core-components", "version": "", "type": ""}
2024-04-10T18:00:53.584+0200 FATAL sbom scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.Run
        github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:441
  - scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact
        github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:269
  - scan failed:
    github.com/aquasecurity/trivy/pkg/commands/artifact.scan
        github.com/aquasecurity/trivy/pkg/commands/artifact/run.go:710
  - failed analysis:
    github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact
        github.com/aquasecurity/trivy/pkg/scanner/scan.go:148
  - SBOM decode error:
    github.com/aquasecurity/trivy/pkg/fanal/artifact/sbom.Artifact.Inspect
        github.com/aquasecurity/trivy/pkg/fanal/artifact/sbom/sbom.go:56
  - failed to decode:
    github.com/aquasecurity/trivy/pkg/sbom.Decode
        github.com/aquasecurity/trivy/pkg/sbom/sbom.go:231
  - failed to decode components:
    github.com/aquasecurity/trivy/pkg/sbom/io.(*Decoder).Decode
        github.com/aquasecurity/trivy/pkg/sbom/io/decode.go:54
  - multiple OS components are not supported:
    github.com/aquasecurity/trivy/pkg/sbom/io.(*Decoder).decodeComponents
        github.com/aquasecurity/trivy/pkg/sbom/io/decode.go:114
```

### Operating System

Linux

### Version

```bash
$ trivy --version
Version: 0.50.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-04-10 12:11:18.716332374 +0000 UTC
  NextUpdate: 2024-04-10 18:11:18.716332083 +0000 UTC
  DownloadedAt: 2024-04-10 15:45:56.880723 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-04-08 00:49:12.317761931 +0000 UTC
  NextUpdate: 2024-04-11 00:49:12.317761761 +0000 UTC
  DownloadedAt: 2024-04-08 22:56:58.568085 +0000 UTC
```

### Checklist

- [X] Run `trivy image --reset`
- [X] Read [the troubleshooting](https://aquasecurity.github.io/trivy/latest/docs/references/troubleshooting/)

chen-keinan commented 7 months ago

Analysis:

A k8s cluster could have more than one Node, where each node has an OS.

KBOM scanning on Trivy with the latest version is failing for a cluster with more than one Node.
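
The following is an added example, not code from this issue, from Trivy or from the Trivy Operator. It parses a CycloneDX JSON SBOM, reproduces the check that trips the decoder (more than one `operating-system` component), and, as a stop-gap for the affected versions, partitions a multi-node KBOM into one SBOM per OS by following `dependsOn` edges from each OS component. The sample KBOM is constructed for the example, and the partitioning rule (each part keeps one OS, its reachable subtree, and every component that no OS subtree owns) is this example's assumption about how such a document can be split, not Trivy's own behaviour:

```python
"""Detect, and work around, the 'multiple OS components are not supported' decode error.

Added example, independent of Trivy and the Trivy Operator: counts "operating-system"
components in a CycloneDX JSON SBOM and splits a multi-node KBOM into one SBOM per OS
so each part can be scanned with `trivy sbom <file>` on the affected versions.
"""
import json
import sys
from collections import defaultdict
from pathlib import Path

# Constructed sample KBOM (not the reporter's attached file): two nodes each contribute
# an "operating-system" component with one OS package beneath it; "kubelet" stands in
# for a cluster-level component that belongs to no OS subtree.
SAMPLE_KBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "cluster", "type": "platform", "name": "k8s.io/kubernetes"}},
    "components": [
        {"bom-ref": "os-a", "type": "operating-system", "name": "ubuntu", "version": "22.04"},
        {"bom-ref": "pkg-a", "type": "library", "name": "openssl", "version": "3.0.2",
         "purl": "pkg:deb/ubuntu/openssl@3.0.2"},
        {"bom-ref": "os-b", "type": "operating-system", "name": "ubuntu", "version": "20.04"},
        {"bom-ref": "pkg-b", "type": "library", "name": "openssl", "version": "1.1.1f",
         "purl": "pkg:deb/ubuntu/openssl@1.1.1f"},
        {"bom-ref": "app-x", "type": "application", "name": "kubelet", "version": "1.29.0"},
    ],
    "dependencies": [
        {"ref": "cluster", "dependsOn": ["os-a", "os-b", "app-x"]},
        {"ref": "os-a", "dependsOn": ["pkg-a"]},
        {"ref": "os-b", "dependsOn": ["pkg-b"]},
    ],
}

OS_TYPE = "operating-system"


def os_refs(bom: dict) -> list[str]:
    """bom-refs of every operating-system component, in document order."""
    return [c.get("bom-ref", "") for c in bom.get("components", []) if c.get("type") == OS_TYPE]


def check_single_os(bom: dict) -> None:
    """Raise on the same condition the affected decoder rejects: more than one OS component."""
    refs = os_refs(bom)
    if len(refs) > 1:
        raise ValueError(f"multiple OS components are not supported: {refs}")


def reachable(start: str, dependencies: list[dict]) -> set[str]:
    """start plus every bom-ref reachable from it through dependsOn edges (depth-first)."""
    edges = defaultdict(list)
    for d in dependencies:
        edges[d["ref"]].extend(d.get("dependsOn", []))
    seen, stack = {start}, [start]
    while stack:
        for nxt in edges[stack.pop()]:
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def split_by_os(bom: dict) -> list[dict]:
    """One SBOM per OS component: that OS, its reachable subtree, and every component that
    no OS subtree owns (cluster-level items), so nothing is dropped across the parts.
    Inputs with at most one OS component are returned unchanged (assumed partitioning rule)."""
    roots = os_refs(bom)
    if len(roots) <= 1:
        return [bom]
    deps = bom.get("dependencies", [])
    subtree = {r: reachable(r, deps) for r in roots}
    owned = set().union(*subtree.values())
    parts = []
    for r in roots:
        def keep(ref: str, mine: set = subtree[r]) -> bool:
            return ref in mine or ref not in owned
        part = dict(bom)  # shallow copy: metadata, serialNumber, etc. pass through untouched
        part["components"] = [c for c in bom["components"] if keep(c.get("bom-ref", ""))]
        part["dependencies"] = [
            {"ref": d["ref"], "dependsOn": [x for x in d.get("dependsOn", []) if keep(x)]}
            for d in deps if keep(d["ref"])
        ]
        parts.append(part)
    return parts


if __name__ == "__main__":
    # Usage: python split_kbom.py [sbom.json]; without an argument the constructed sample is used.
    bom = json.loads(Path(sys.argv[1]).read_text()) if len(sys.argv) > 1 else SAMPLE_KBOM
    for i, part in enumerate(split_by_os(bom)):
        name = f"sbom-part-{i}.json"
        Path(name).write_text(json.dumps(part, indent=2))
        print("wrote", name, "with OS components", os_refs(part))
```

Each emitted part carries exactly one `operating-system` component, so `trivy sbom sbom-part-0.json` and so on can be run on the affected versions. The split loses the single cluster-wide view that the original KBOM provides, so it is only a workaround until a release that decodes multiple OS components is available.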

bhmdtv commented 7 months ago

We get the same error (with 0.20.0). Let me know if you need more logs, etc.

bhmdtv commented 7 months ago

@knqyf263 @chen-keinan We still get the error with v0.20.1, should the fix be part of the new release?!

chen-keinan commented 7 months ago

> @chen-keinan We still get the error with v0.20.1, should the fix be part of the new release?!

@bhmdtv the fix is merged but not yet released, it will be out with next trivy-operator release