aquasecurity / trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
https://aquasecurity.github.io/trivy
Apache License 2.0

"Multiple types of OS packages in SBOM are not supported (["rpm" "deb"])" #6581

Closed erinmcgill closed 6 months ago

erinmcgill commented 6 months ago

Discussed in https://github.com/aquasecurity/trivy/discussions/6489

Originally posted by **erinmcgill** April 12, 2024

### Description

We are using cyclonedx `cdxgen` to generate our SBOMs - this includes our code package and any Dockerfiles included there - and using trivy to scan for vulnerabilities using the command:

`trivy sbom -f json --output software-dependency-findings.json bom.json`

Trivy is failing with the error:

`2024-04-12T16:39:06.688Z FATAL sbom scan error: scan error: scan failed: failed analysis: SBOM decode error: failed to decode: failed to parse sbom: failed to aggregate packages: multiple types of OS packages in SBOM are not supported (["rpm" "deb"])`

Our package includes a Dockerfile that uses `"postgres:14.1-alpine"` whose layers contain a lot of bom-ref references to `"bom-ref": "pkg:rpm` and another container whose bom-ref references `"purl": "pkg:deb`. Our tool supports many different teams and code bases so it needs to be flexible. Are there any suggestions on how to go about supporting this package and others like it with trivy? I'm just looking for some guidance on how to navigate this issue.

### Desired Behavior

Trivy will work as expected without error

### Actual Behavior

Trivy is failing with the error:

`2024-04-12T16:39:06.688Z FATAL sbom scan error: scan error: scan failed: failed analysis: SBOM decode error: failed to decode: failed to parse sbom: failed to aggregate packages: multiple types of OS packages in SBOM are not supported (["rpm" "deb"])`

### Reproduction Steps

```bash
1. Run cdxgen to generate an SBOM on a package that includes multiple different container images
2. Run `trivy sbom -f json --output software-dependency-findings.json bom.json` on the generated SBOM file
```

### Target

SBOM

### Scanner

Vulnerability

### Output Format

JSON

### Mode

Standalone

### Debug Output

```bash
2024-04-12T17:41:18.539-0400 DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-04-12T17:41:18.539-0400 DEBUG Ignore statuses {"statuses": null}
2024-04-12T17:41:18.546-0400 DEBUG cache dir: /Users/erinmc/Library/Caches/trivy
2024-04-12T17:41:18.546-0400 DEBUG DB update was skipped because the local DB is the latest
2024-04-12T17:41:18.546-0400 DEBUG DB Schema: 2, UpdatedAt: 2024-04-12 18:10:50.275607572 +0000 UTC, NextUpdate: 2024-04-13 00:10:50.275607411 +0000 UTC, DownloadedAt: 2024-04-12 21:19:19.260021 +0000 UTC
2024-04-12T17:41:18.547-0400 INFO Vulnerability scanning is enabled
2024-04-12T17:41:18.547-0400 DEBUG Vulnerability type: [os library]
2024-04-12T17:41:18.547-0400 DEBUG Enabling misconfiguration scanners: []
2024-04-12T17:41:18.574-0400 INFO Detected SBOM format: cyclonedx-json
2024-04-12T17:41:18.598-0400 DEBUG Unmarshaling CycloneDX JSON...
2024-04-12T17:41:18.640-0400 WARN Third-party SBOM may lead to inaccurate vulnerability detection
2024-04-12T17:41:18.640-0400 WARN Recommend using Trivy to generate SBOMs
2024-04-12T17:41:18.649-0400 FATAL sbom scan error: github.com/aquasecurity/trivy/pkg/commands/artifact.Run
    /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:441
  - scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:269
  - scan failed:
    github.com/aquasecurity/trivy/pkg/commands/artifact.scan
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:706
  - failed analysis:
    github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact
        /home/runner/work/trivy/trivy/pkg/scanner/scan.go:148
  - SBOM decode error:
    github.com/aquasecurity/trivy/pkg/fanal/artifact/sbom.Artifact.Inspect
        /home/runner/work/trivy/trivy/pkg/fanal/artifact/sbom/sbom.go:55
  - failed to decode:
    github.com/aquasecurity/trivy/pkg/sbom.Decode
        /home/runner/work/trivy/trivy/pkg/sbom/sbom.go:225
  - failed to parse sbom:
    github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*BOM).UnmarshalJSON
        /home/runner/work/trivy/trivy/pkg/sbom/cyclonedx/unmarshal.go:60
  - failed to aggregate packages:
    github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*BOM).parseSBOM
        /home/runner/work/trivy/trivy/pkg/sbom/cyclonedx/unmarshal.go:147
  - multiple types of OS packages in SBOM are not supported (["rpm" "deb"]):
    github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.aggregatePkgs
        /home/runner/work/trivy/trivy/pkg/sbom/cyclonedx/unmarshal.go:303
```

### Operating System

Codebuild Ubuntu standard:7.0

### Version

```bash
v0.49.0
```

### Checklist

- [ ] Run `trivy image --reset`
- [X] Read [the troubleshooting](https://aquasecurity.github.io/trivy/latest/docs/references/troubleshooting/)
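A defensive workaround for the aggregation error above, added here as an example and not part of the issue or of Trivy: split the cdxgen CycloneDX document into one sub-BOM per OS package type, so every file handed to `trivy sbom` carries a single type. `split_sbom`, `purl_type` and the sample BOM are constructed for this example, and the set of purl types treated as OS packages is an assumption.

```python
from collections import defaultdict

# purl types Trivy treats as OS packages (assumption; the issue shows rpm and deb)
OS_PURL_TYPES = {"rpm", "deb", "apk"}

def purl_type(component):
    """purl type ("rpm", "deb", ...) or None; cdxgen may put the purl only in bom-ref."""
    for key in ("purl", "bom-ref"):
        value = component.get(key, "")
        if value.startswith("pkg:"):
            return value[4:].split("/", 1)[0]
    return None

def _prune_deps(deps, keep):
    # drop dependency edges that point at components not kept in this sub-BOM
    return [{"ref": d["ref"], "dependsOn": [r for r in d.get("dependsOn", []) if r in keep]}
            for d in deps if d.get("ref") in keep]

def split_sbom(bom):
    """Return {purl_type: sub-BOM}, each holding one OS package type plus all non-OS components."""
    by_type, shared = defaultdict(list), []
    for comp in bom.get("components", []):
        ptype = purl_type(comp)
        (by_type[ptype] if ptype in OS_PURL_TYPES else shared).append(comp)
    if len(by_type) <= 1:
        return {"all": bom}  # a single OS type: Trivy accepts the original as-is
    meta_ref = bom.get("metadata", {}).get("component", {}).get("bom-ref")
    parts = {}
    for ptype, pkgs in by_type.items():
        comps = shared + pkgs
        keep = {c["bom-ref"] for c in comps if "bom-ref" in c} | {meta_ref}
        sub = {k: v for k, v in bom.items() if k not in ("components", "dependencies")}
        sub["components"] = comps
        if "dependencies" in bom:
            sub["dependencies"] = _prune_deps(bom["dependencies"], keep)
        parts[ptype] = sub
    return parts

# Constructed sample, not the reporter's bom.json: rpm and deb packages mixed with a pypi one
SAMPLE_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "metadata": {"component": {"type": "application", "name": "svc", "bom-ref": "app"}},
    "components": [
        {"type": "library", "name": "postgresql", "bom-ref": "pkg:rpm/postgresql@14.1"},
        {"type": "library", "name": "libc6", "bom-ref": "libc6", "purl": "pkg:deb/debian/libc6@2.36-9"},
        {"type": "library", "name": "requests", "bom-ref": "req", "purl": "pkg:pypi/requests@2.31.0"},
    ],
    "dependencies": [{"ref": "app", "dependsOn": ["req", "pkg:rpm/postgresql@14.1", "libc6"]}],
}
```

Dump each sub-BOM with `json.dump` to its own file and run `trivy sbom` on each; the non-OS components are repeated in every part, so de-duplicate findings by purl when merging the reports.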
github-actions[bot] commented 6 months ago

Please see https://aquasecurity.github.io/trivy/latest/community/contribute/issue/