Generated SBOM contains duplicate entries in dependsOn which shouldn't be the case.

[djeanprost]

Description

Trivy 0.55.1 generated the bom I provide as an attachement.
dependsOn entries for "ref": "pkg:bitnami/[email protected]?arch=amd64&distro=debian-12" contains duplicated values

"dependsOn": [
        "pkg:bitnami/[email protected]?arch=amd64&distro=debian-12",
        "pkg:bitnami/[email protected]?arch=amd64&distro=debian-12",
        "pkg:bitnami/[email protected]?arch=amd64&distro=debian-12",
        "pkg:bitnami/[email protected]?arch=amd64&distro=debian-12",
        "pkg:bitnami/[email protected]?arch=amd64&distro=debian-12",
        "pkg:bitnami/[email protected]?arch=amd64&distro=debian-12"
      ]

Desired Behavior

No duplicates entries in dependsOn

Actual Behavior

Duplicated entries in 6th dependsOn
sbom (2).json

Reproduction Steps

generated sbom with trivy.

Target

Container Image

Scanner

Vulnerability

Output Format

CycloneDX

Mode

Standalone

Debug Output

N/A

Operating System

Docker image

Version

0.55.1

Checklist

• Run trivy clean --all
• Read the troubleshooting

[DmitriyLewen]

Hello @djeanprost
Thanks for your report!

Can you share image with this issue?

Regards, Dmitriy

[lathil]

Hello, I reply for djeanprost. The Dockerfile here attached:
Dockerfile.txt

[djeanprost]

Same in plaintext if it helps

FROM bitnami/azure-cli:2.64.0

ENV YQ_VERSION="v4.40.5"
ENV YQ_BINARY="yq_linux_amd64"
ENV WGET_VERSION="1.21.3-1+b2"
ENV CURL_VERSION="7.88.1-10+deb12u7"
ENV JQ_VERSION="1.6-2.1"
ENV GOLANG_VERSION="2:1.19~1"

USER root

RUN apt-get update -yq \
    && apt-get install curl=${CURL_VERSION} wget=${WGET_VERSION} jq=${JQ_VERSION} golang=${GOLANG_VERSION} -yq --no-install-recommends \
    && apt-get clean -y && rm -rf /var/lib/apt/lists /var/cache/apt/archives

RUN wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/${YQ_BINARY} \
 && chmod +x /usr/local/bin/yq

USER 1001

ENTRYPOINT [""]
CMD ["/bin/bash"]

[DmitriyLewen]

Hello @djeanprost @lathil
Thanks for this example.

I found problem:
bitnami/azure-cli:2.64.0 contains /opt/bitnami/python/.spdx-python.spdx file.
This file contains 2 packages with same name, but different types:

    "packages": [
         ...
         {
            "name": "virtualenv",
            "SPDXID": "SPDXRef-Package-cdcb11bd978c2887",
            "versionInfo": "20.26.3",
            "supplier": "NOASSERTION",
            "downloadLocation": "NONE",
            "filesAnalyzed": true,
            "packageVerificationCode": {
                "packageVerificationCodeValue": "27cd526ec073c846c9d246076d028bf6b39ea7b7"
            },
            "licenseConcluded": "MIT",
            "licenseDeclared": "MIT",
            "externalRefs": [
                {
                    "referenceCategory": "PACKAGE-MANAGER",
                    "referenceType": "purl",
                    "referenceLocator": "pkg:pypi/[email protected]"
                }
            ],
            "primaryPackagePurpose": "LIBRARY",
            "copyrightText": "NOASSERTION"
        },
       {
            "SPDXID": "SPDXRef-virtualenv",
            "name": "virtualenv",
            "versionInfo": "20.26.3",
            "downloadLocation": "https://files.pythonhosted.org/packages/68/60/db9f95e6ad456f1872486769c55628c7901fb4de5a72c2f7bdd912abf0c1/virtualenv-20.26.3.tar.gz",
            "licenseConcluded": "MIT",
            "licenseDeclared": "MIT",
            "filesAnalyzed": false,
            "externalRefs": [
                {
                    "referenceCategory": "SECURITY",
                    "referenceType": "cpe23Type",
                    "referenceLocator": "cpe:2.3:*:virtualenv:virtualenv:20.26.3:*:*:*:*:*:*:*"
                },
                {
                    "referenceCategory": "PACKAGE-MANAGER",
                    "referenceType": "purl",
                    "referenceLocator": "pkg:bitnami/[email protected]?arch=arm64&distro=debian-12"
                }
            ],
            "copyrightText": "NOASSERTION"
        },
       ...
    "relationships": [
        ...
        {
            "spdxElementId": "SPDXRef-python",
            "relatedSpdxElement": "SPDXRef-Package-cdcb11bd978c2887",
            "relationshipType": "CONTAINS"
        },
        {
            "spdxElementId": "SPDXRef-python",
            "relationshipType": "CONTAINS",
            "relatedSpdxElement": "SPDXRef-virtualenv"
        }

Trivy doesn't take into account packages types for child deps (DependOn array), that is why you see duplicates (although these are different packages, the types were simply not taken into account when converting SBOM to Trivy structures).

Hi @juan131 Sorry for pinging you, but I remember we worked with you on bitnami images.
Can you help in this case or maybe recommend someone who can answer my questions?

The case above looks a bit weird. It looks like SPDXRef-python contains 2 identical packages (pkg:bitnami/[email protected] and pkg:pypi/[email protected]). Or are they different packages with the same names (but different types)?

@knqyf263 In any case, we might want to consider adding type(or use purl) to DependsOn array to use the correct package types for child dependencies in cases like this.

[knqyf263]

I can't think of a practical example where one component depends on several identical components with different types. We can implement it after asking what justification Bitnami has.

[juan131]

@knqyf263 thanks for reporting it! I'm checking this issue with my colleague @gongomgra
We'll keep you updated about our insights

[sleicht]

We have a similar/same issue with maven dependencies. Here the sample with the duplicate entries:

  "components": [
    {
      "bom-ref": "00532c6a-1ce8-4da7-ade8-97786a0f7a79",
      "type": "library",
      "group": "org.springdoc",
      "name": "springdoc-openapi-starter-common",
      "version": "2.6.0",
      "licenses": [
        {
          "license": {
            "name": "Apache-2.0"
          }
        }
      ],
      "purl": "pkg:maven/org.springdoc/[email protected]",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgID",
          "value": "org.springdoc:springdoc-openapi-starter-common:2.6.0"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "pom"
        }
      ]
    },
    {
      "bom-ref": "36164fe1-2608-4917-a6bf-fd317f1134fe",
      "type": "library",
      "group": "io.swagger.core.v3",
      "name": "swagger-core-jakarta",
      "version": "2.2.22",
      "licenses": [
        {
          "license": {
            "name": "Apache-2.0"
          }
        }
      ],
      "purl": "pkg:maven/io.swagger.core.v3/[email protected]",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgID",
          "value": "io.swagger.core.v3:swagger-core-jakarta:2.2.22"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "pom"
        }
      ]
    },
    {
      "bom-ref": "d500277b-f879-455e-ab31-151457b6c9ef",
      "type": "library",
      "group": "org.springframework.boot",
      "name": "spring-boot-autoconfigure",
      "version": "3.3.4",
      "licenses": [
        {
          "license": {
            "name": "Apache-2.0"
          }
        }
      ],
      "purl": "pkg:maven/org.springframework.boot/[email protected]",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgID",
          "value": "org.springframework.boot:spring-boot-autoconfigure:3.3.4"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "pom"
        }
      ]
    },
    ...
  ], 
  "dependencies": [
    {
      "ref": "00532c6a-1ce8-4da7-ade8-97786a0f7a79",
      "dependsOn": [
        "36164fe1-2608-4917-a6bf-fd317f1134fe",
        "36164fe1-2608-4917-a6bf-fd317f1134fe",
        "d500277b-f879-455e-ab31-151457b6c9ef",
        "d500277b-f879-455e-ab31-151457b6c9ef"
      ]
    },
    ...
  ]

[DmitriyLewen]

Hello @sleicht
Can you send the pom.xml file to reproduce this case?

[sleicht]

Hi, I can reproduce it with this springdoc demo project: https://github.com/springdoc/springdoc-openapi-demos/tree/master/demo-microservices

[DmitriyLewen]

Hello @sleicht
Thanks for this example.

I finally found problem. I created #7802 for this issue.