Spaces in URL causes CycloneDX export to be invalid #6224

RichieB2B · 2024-02-28T13:00:08Z

RichieB2B
Feb 28, 2024

Description

When I run trivy with --format cyclonedx it produces invalid CycloneDX for Debian CVE-2023-31484. The " (2.35-TRIAL)" is appended to the URL making it invalid.

Desired Behavior

I expect trivy to parse this URL as:

        {
          "url": "https://github.com/andk/cpanpm/commit/9c98370287f4e709924aee7c58ef21c85289a7f0"
        },

Actual Behavior

It is actually parsed as:

        {
          "url": "https://github.com/andk/cpanpm/commit/9c98370287f4e709924aee7c58ef21c85289a7f0 (2.35-TRIAL)"
        },

This is an invalid URL, causing parsing of the CycloneDX JSON to fail in our security tooling.

Reproduction Steps

1. trivy image debian:bookworm-20240211 --format cyclonedx --scanners vuln > cyclonedx.json
2. grep TRIAL cyclonedx.json
3. result: 
          "url": "https://github.com/andk/cpanpm/commit/9c98370287f4e709924aee7c58ef21c85289a7f0 (2.35-TRIAL)"

Target

Container Image

Scanner

Vulnerability

Output Format

CycloneDX

Mode

Standalone

Debug Output

$ trivy image debian:bookworm-20240211 --format cyclonedx --scanners vuln --debug > cyclonedx.json
2024-02-28T12:58:19.355Z        DEBUG   ["cyclonedx" "spdx" "spdx-json" "github"] automatically enables '--list-all-pkgs'.
2024-02-28T12:58:19.355Z        DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-02-28T12:58:19.355Z        DEBUG   Ignore statuses {"statuses": null}
2024-02-28T12:58:19.369Z        DEBUG   cache dir:  /root/.cache/trivy
2024-02-28T12:58:19.369Z        DEBUG   There is no valid metadata file: unable to open a file: open /root/.cache/trivy/db/metadata.json: no such file or directory
2024-02-28T12:58:19.369Z        INFO    Need to update DB
2024-02-28T12:58:19.369Z        INFO    DB Repository: ghcr.io/aquasecurity/trivy-db
2024-02-28T12:58:19.369Z        INFO    Downloading DB...
2024-02-28T12:58:19.369Z        DEBUG   no metadata file
9.76 MiB / 43.38 MiB [------------->________________________________________________] 22.51% ? p/s ?17.94 MiB / 43.38 MiB [------------------------->___________________________________] 41.35% ? p/s ?31.42 MiB / 43.38 MiB [-------------------------------------------->________________] 72.43% ? p/s ?41.92 MiB / 43.38 MiB [---------------------------------------------->_] 96.64% 53.60 MiB p/s ETA 0s43.38 MiB / 43.38 MiB [---------------------------------------------->] 100.00% 53.60 MiB p/s ETA 0s43.38 MiB / 43.38 MiB [---------------------------------------------->] 100.00% 53.60 MiB p/s ETA 0s43.38 MiB / 43.38 MiB [---------------------------------------------->] 100.00% 50.30 MiB p/s ETA 0s43.38 MiB / 43.38 MiB [---------------------------------------------->] 100.00% 50.30 MiB p/s ETA 0s43.38 MiB / 43.38 MiB [---------------------------------------------->] 100.00% 50.30 MiB p/s ETA 0s43.38 MiB / 43.38 MiB [---------------------------------------------->] 100.00% 47.05 MiB p/s ETA 0s43.38 MiB / 43.38 MiB [---------------------------------------------->] 100.00% 47.05 MiB p/s ETA 0s43.38 MiB / 43.38 MiB [---------------------------------------------->] 100.00% 47.05 MiB p/s ETA 0s43.38 MiB / 43.38 MiB [-------------------------------------------------] 100.00% 19.53 MiB p/s 2.4s2024-02-28T12:58:22.492Z  DEBUG   Updating database metadata...
2024-02-28T12:58:22.492Z        DEBUG   DB Schema: 2, UpdatedAt: 2024-02-28 12:12:32.936085885 +0000 UTC, NextUpdate: 2024-02-28 18:12:32.936085544 +0000 UTC, DownloadedAt: 2024-02-28 12:58:22.492550095 +0000 UTC
2024-02-28T12:58:22.493Z        INFO    Vulnerability scanning is enabled
2024-02-28T12:58:22.493Z        DEBUG   Vulnerability type:  [os library]
2024-02-28T12:58:22.493Z        DEBUG   Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan]
2024-02-28T12:58:23.400Z        DEBUG   The nuget packages directory couldn't be found. License search disabled
2024-02-28T12:58:23.580Z        DEBUG   Image ID: sha256:52f537fe03366dda9d36da695b7a02797eeabdb0e0f07cd7d3cb3c878bbf0ada
2024-02-28T12:58:23.580Z        DEBUG   Diff IDs: [sha256:1a5fc1184c481caeb279bce728e080daba423b5215282318ba86e9b8c388a2b4]
2024-02-28T12:58:23.580Z        DEBUG   Base Layers: []
2024-02-28T12:58:23.580Z        DEBUG   Missing image ID in cache: sha256:52f537fe03366dda9d36da695b7a02797eeabdb0e0f07cd7d3cb3c878bbf0ada
2024-02-28T12:58:23.580Z        DEBUG   Missing diff ID in cache: sha256:1a5fc1184c481caeb279bce728e080daba423b5215282318ba86e9b8c388a2b4
2024-02-28T12:58:23.731Z        DEBUG   Skipping directory: dev
2024-02-28T12:58:23.740Z        DEBUG   Skipping directory: proc
2024-02-28T12:58:23.741Z        DEBUG   Skipping directory: sys
2024-02-28T12:58:25.496Z        DEBUG   No secrets found in container image config
2024-02-28T12:58:25.525Z        INFO    Detected OS: debian
2024-02-28T12:58:25.525Z        INFO    Detecting Debian vulnerabilities...
2024-02-28T12:58:25.525Z        DEBUG   debian: os version: 12
2024-02-28T12:58:25.525Z        DEBUG   debian: the number of packages: 88
2024-02-28T12:58:25.533Z        INFO    Number of language-specific files: 0

Operating System

Ubuntu 22

Version

$ trivy --version
Version: 0.49.1

Checklist

Run trivy image --reset
Read the troubleshooting

DmitriyLewen · 2024-02-29T06:59:17Z

DmitriyLewen
Feb 29, 2024
Maintainer

Hello @RichieB2B
Thanks for your report!

CycloneDX docs doesn't have info that url field should be only URL - https://cyclonedx.org/docs/1.5/json/#vulnerabilities_items_advisories_items_url
In this case URL points to commit + branch.
If we remove this suffix - users can miss important information.
So I'm not sure we should do this.
@knqyf263 wdyt?

3 replies

RichieB2B Feb 29, 2024
Author

The definition or the "url" field is "string" because there is no URI/IRI JSON datatype. The description says "location" so it is fair to validate the "url" as an IRI which is what our tooling does. With a space in the string the link will obviously not lead anywhere, so it is not very usable as it is presented at the moment.

knqyf263 Mar 4, 2024
Maintainer

I don't think Trivy should trim URLs unless CycloneDX defines it in the spec.

RichieB2B Mar 4, 2024
Author

The current CycloneDX definition of "url" is:

Type: string
Location where the advisory can be obtained.

What do you want to change so it is more clear this should be a clickable URL?

knqyf263 · 2024-05-28T07:31:22Z

knqyf263
May 28, 2024
Maintainer

I still believe it's Ubuntu's problem, but it looks like we should fix it on our end.
#6663
#6790

2 replies

DmitriyLewen May 28, 2024
Maintainer

Can you create issue for this task?

knqyf263 May 28, 2024
Maintainer

done #6801

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Spaces in URL causes CycloneDX export to be invalid #6224

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 2 comments 5 replies

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

Select a reply

Spaces in URL causes CycloneDX export to be invalid #6224

RichieB2B Feb 28, 2024

Description

Desired Behavior

Actual Behavior

Reproduction Steps

Target

Scanner

Output Format

Mode

Debug Output

Operating System

Version

Checklist

Replies: 2 comments · 5 replies

DmitriyLewen Feb 29, 2024 Maintainer

RichieB2B Feb 29, 2024 Author

knqyf263 Mar 4, 2024 Maintainer

RichieB2B Mar 4, 2024 Author

knqyf263 May 28, 2024 Maintainer

DmitriyLewen May 28, 2024 Maintainer

knqyf263 May 28, 2024 Maintainer

RichieB2B
Feb 28, 2024

Replies: 2 comments 5 replies

DmitriyLewen
Feb 29, 2024
Maintainer

RichieB2B Feb 29, 2024
Author

knqyf263 Mar 4, 2024
Maintainer

RichieB2B Mar 4, 2024
Author

knqyf263
May 28, 2024
Maintainer

DmitriyLewen May 28, 2024
Maintainer

knqyf263 May 28, 2024
Maintainer