Image scan produces duplicate components which only differ in bom-ref #7532

wkoot · 2024-09-17T22:36:33Z

wkoot
Sep 17, 2024

Description

I obtain the following two components which only differ by their bom-ref, within a single scan.
Only the first occurrence is listed in the bom dependencies, in both ref and dependsOn fields.
Not sure if (and if so, how) this is related to #7337, so opened as a separate discussion.

This scan and outputfile was produced with the docker image aquasec/trivy:0.55.1 as follows:

trivy image --scanners "vuln" --severity "HIGH,CRITICAL" --format cyclonedx --output gitlab.json gitlab/gitlab-ee:16.11.3-ee.0

Component 1:

    {
      "bom-ref": "94eaf415-366a-4b26-a674-b420104ca7c1",
      "type": "library",
      "name": "rustc-hash",
      "version": "1.1.0",
      "purl": "pkg:cargo/[email protected]",
      "properties": [
        {
          "name": "aquasecurity:trivy:LayerDiffID",
          "value": "sha256:8b5007c54c56542ac66ec8b852df39a01ec8b91d25a6acfad20f06a22b18c120"
        },
        {
          "name": "aquasecurity:trivy:LayerDigest",
          "value": "sha256:8d5593650f650634958fa2a500069bc1ec634d9d575347f35175e51a5a84e1a3"
        },
        {
          "name": "aquasecurity:trivy:PkgID",
          "value": "[email protected]"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "cargo"
        }
      ]
    }

Component 2:

    {
      "bom-ref": "8b603731-118f-42a7-9190-aa409f64c2f3",
      "type": "library",
      "name": "rustc-hash",
      "version": "1.1.0",
      "purl": "pkg:cargo/[email protected]",
      "properties": [
        {
          "name": "aquasecurity:trivy:LayerDiffID",
          "value": "sha256:8b5007c54c56542ac66ec8b852df39a01ec8b91d25a6acfad20f06a22b18c120"
        },
        {
          "name": "aquasecurity:trivy:LayerDigest",
          "value": "sha256:8d5593650f650634958fa2a500069bc1ec634d9d575347f35175e51a5a84e1a3"
        },
        {
          "name": "aquasecurity:trivy:PkgID",
          "value": "[email protected]"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "cargo"
        }
      ]
    }

Desired Behavior

Components 1 and 2 should be deduplicated, only leaving a single component - to which the vulnerabilities and dependencies are linked.

Actual Behavior

Two duplicate components were produced, which only differ from each other in their bom-ref.

Reproduction Steps

1. Run `aquasec/trivy:0.55.1`
2. Exec `trivy image --scanners "vuln" --severity "HIGH,CRITICAL" --format cyclonedx --output gitlab.json gitlab/gitlab-ee:16.11.3-ee.0`
3. Inspect output

Target

Container Image

Scanner

Vulnerability

Output Format

CycloneDX

Mode

Standalone

Debug Output

# trivy image --debug --scanners "vuln" --severity "HIGH,CRITICAL" --format cyclonedx --output gitlab.json gitlab/gitlab-ee:16.11.3-ee.0
2024-09-17T22:28:11Z    DEBUG   No plugins loaded
2024-09-17T22:28:11Z    DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2024-09-17T22:28:11Z    DEBUG   Cache dir       dir="/root/.cache/trivy"
2024-09-17T22:28:11Z    DEBUG   Cache dir       dir="/root/.cache/trivy"
2024-09-17T22:28:11Z    DEBUG   Parsed severities       severities=[HIGH CRITICAL]
2024-09-17T22:28:11Z    DEBUG   Ignore statuses statuses=[]
2024-09-17T22:28:11Z    DEBUG   There is no valid metadata file err="unable to open a file: open /root/.cache/trivy/db/metadata.json: no such file or directory"
2024-09-17T22:28:11Z    INFO    [db] Need to update DB
2024-09-17T22:28:11Z    INFO    [db] Downloading DB...  repository="ghcr.io/aquasecurity/trivy-db:2"
2024-09-17T22:28:11Z    DEBUG   No metadata file
53.31 MiB / 53.31 MiB [-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 5.95 MiB p/s 9.2s
2024-09-17T22:28:21Z    DEBUG   Updating database metadata...
2024-09-17T22:28:21Z    DEBUG   DB info schema=2 updated_at=2024-09-17T18:13:06.582103158Z next_update=2024-09-18T00:13:06.582102878Z downloaded_at=2024-09-17T22:28:21.178127654Z
2024-09-17T22:28:21Z    DEBUG   [pkg] Package types     types=[os library]
2024-09-17T22:28:21Z    DEBUG   [pkg] Package relationships     relationships=[unknown root direct indirect]
2024-09-17T22:28:21Z    INFO    [vuln] Vulnerability scanning is enabled
2024-09-17T22:28:21Z    DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-09-17T22:28:21Z    DEBUG   Initializing scan cache...      type="fs"
2024-09-17T22:28:22Z    DEBUG   [image] Detected image ID       image_id="sha256:bb4cc92f6254d851927d30d583149aa0d2a229d0a33154c1acb4676a002866c2"
2024-09-17T22:28:22Z    DEBUG   [image] Detected diff ID        diff_ids=[sha256:629ca62fb7c791374ce57626d6b8b62c76378be091a0daf1a60d32700b49add7 sha256:ef68194a5bfd5161da824b44469e801cada142e9f3b9dad7e9cf174ac243371a sha256:2e68a69458fbf05bc18f4d6880a69907d24b75a41a7baaf2b0b8653aacc6ea01 sha256:06edcae761e1fd7621c0eafa774f6dc1ef91b05d8069ca990e1392c48b310a1e sha256:504711d354e0f6db9dfbb6f782c08fe70b53966060ef758b226702ecbdfdd5a8 sha256:9f63700803a29ac8fdbc744d4cd11281d883d24e9230f16603dc2ada7913b0bb sha256:ab3ae652fe99dc26f5d93ace47423f7d7f6dfcca90c2169d94cb1cae9e364129 sha256:eab2debbe369d78a19f5ae18915b000874b514efae8658d662e0e3b9cb31c2f9 sha256:8b5007c54c56542ac66ec8b852df39a01ec8b91d25a6acfad20f06a22b18c120]
2024-09-17T22:28:22Z    DEBUG   [image] Detected base layers    diff_ids=[sha256:629ca62fb7c791374ce57626d6b8b62c76378be091a0daf1a60d32700b49add7]
2024-09-17T22:28:22Z    DEBUG   [image] Missing image ID in cache       image_id="sha256:bb4cc92f6254d851927d30d583149aa0d2a229d0a33154c1acb4676a002866c2"
2024-09-17T22:28:22Z    DEBUG   [image] Missing diff ID in cache        diff_id="sha256:629ca62fb7c791374ce57626d6b8b62c76378be091a0daf1a60d32700b49add7"
2024-09-17T22:28:22Z    DEBUG   [image] Missing diff ID in cache        diff_id="sha256:504711d354e0f6db9dfbb6f782c08fe70b53966060ef758b226702ecbdfdd5a8"
2024-09-17T22:28:22Z    DEBUG   [image] Missing diff ID in cache        diff_id="sha256:2e68a69458fbf05bc18f4d6880a69907d24b75a41a7baaf2b0b8653aacc6ea01"
2024-09-17T22:28:22Z    DEBUG   [image] Missing diff ID in cache        diff_id="sha256:ef68194a5bfd5161da824b44469e801cada142e9f3b9dad7e9cf174ac243371a"
2024-09-17T22:28:22Z    DEBUG   [image] Missing diff ID in cache        diff_id="sha256:06edcae761e1fd7621c0eafa774f6dc1ef91b05d8069ca990e1392c48b310a1e"
2024-09-17T22:28:22Z    DEBUG   [image] Missing diff ID in cache        diff_id="sha256:9f63700803a29ac8fdbc744d4cd11281d883d24e9230f16603dc2ada7913b0bb"
2024-09-17T22:28:22Z    DEBUG   [image] Missing diff ID in cache        diff_id="sha256:ab3ae652fe99dc26f5d93ace47423f7d7f6dfcca90c2169d94cb1cae9e364129"
2024-09-17T22:28:22Z    DEBUG   [image] Missing diff ID in cache        diff_id="sha256:eab2debbe369d78a19f5ae18915b000874b514efae8658d662e0e3b9cb31c2f9"
2024-09-17T22:28:22Z    DEBUG   [image] Missing diff ID in cache        diff_id="sha256:8b5007c54c56542ac66ec8b852df39a01ec8b91d25a6acfad20f06a22b18c120"
2024-09-17T22:28:23Z    DEBUG   [gobinary] Unable to detect main module's dependency version - `(devel)` is used       dependency="github.com/prometheus/alertmanager"
2024-09-17T22:28:23Z    DEBUG   [gobinary] Parsing dependency's build info settings     dependency="github.com/prometheus/alertmanager" -ldflags=[-X github.com/prometheus/common/version.Version=0.27.0 -X github.com/prometheus/common/version.Branch=master -X github.com/prometheus/common/version.BuildUser=GitLab-Omnibus -s -w]
2024-09-17T22:28:23Z    DEBUG   [dpkg] Unable to parse the available file       file_path="var/lib/dpkg/available" err="file open error: open var/lib/dpkg/available: file does not exist"
2024-09-17T22:28:26Z    DEBUG   [gobinary] Unable to detect main module's dependency version - `(devel)` is used       dependency="github.com/hashicorp/consul"
2024-09-17T22:28:26Z    DEBUG   [gobinary] Parsing dependency's build info settings     dependency="github.com/hashicorp/consul" -ldflags=[-X github.com/hashicorp/consul/version.GitCommit=895390c600 -X github.com/hashicorp/consul/version.BuildDate=2024-02-13T18:30:24Z]
2024-09-17T22:28:26Z    DEBUG   [gobinary] Unable to detect dependency version. `-ldflags` build info settings don't contain version flag. Empty version used.                                                                              dependency="github.com/hashicorp/consul"
2024-09-17T22:28:26Z    DEBUG   [gobinary] Unable to detect main module's dependency version - `(devel)` is used       dependency="./api"
2024-09-17T22:28:26Z    DEBUG   [gobinary] Unable to detect main module's dependency version - `(devel)` is used       dependency="./envoyextensions"
2024-09-17T22:28:26Z    DEBUG   [gobinary] Unable to detect main module's dependency version - `(devel)` is used       dependency="./proto-public"
2024-09-17T22:28:26Z    DEBUG   [gobinary] Unable to detect main module's dependency version - `(devel)` is used       dependency="./sdk"
2024-09-17T22:28:26Z    DEBUG   [gobinary] Unable to detect main module's dependency version - `(devel)` is used       dependency="./troubleshoot"
2024-09-17T22:28:26Z    DEBUG   [gobinary] Unable to detect main module's dependency version - `(devel)` is used       dependency="github.com/docker/distribution"
2024-09-17T22:28:26Z    DEBUG   [gobinary] Parsing dependency's build info settings     dependency="github.com/docker/distribution" -ldflags=[-s -w -X github.com/docker/distribution/version.Version=v3.92.0-gitlab -X github.com/docker/distribution/version.Revision=4da5b7c3dc3a49426d889bfc2fbc1f531112f6b8 -X github.com/docker/distribution/version.Package=github.com/docker/distribution -X github.com/docker/distribution/version.BuildTime=2024-05-17T22:24:38]
2024-09-17T22:28:26Z    DEBUG   [gobinary] Unable to detect main module's dependency version - `(devel)` is used       dependency="gitlab.com/gitlab-org/docker-distribution-pruner"
2024-09-17T22:28:26Z    DEBUG   [gobinary] Parsing dependency's build info settings     dependency="gitlab.com/gitlab-org/docker-distribution-pruner" -ldflags=[-s -w]
2024-09-17T22:28:26Z    DEBUG   [gobinary] Unable to detect dependency version. `-ldflags` build info settings don't contain version flag. Empty version used.                                                                              dependency="gitlab.com/gitlab-org/docker-distribution-pruner"
2024-09-17T22:28:30Z    DEBUG   [gobinary] Unable to detect main module's dependency version - `(devel)` is used       dependency="gitlab.com/gitlab-org/gitaly/v16"
2024-09-17T22:28:30Z    DEBUG   [gobinary] Parsing dependency's build info settings     dependency="gitlab.com/gitlab-org/gitaly/v16" -ldflags=[-B 0x54454D505F474954414C595F4255494C445F4944 -X gitlab.com/gitlab-org/gitaly/v16/internal/version.version=16.11.3]
2024-09-17T22:28:30Z    DEBUG   [gobinary] Unable to detect main module's dependency version - `(devel)` is used       dependency="gitlab.com/gitlab-org/gitaly/v16"
2024-09-17T22:28:30Z    DEBUG   [gobinary] Parsing dependency's build info settings     dependency="gitlab.com/gitlab-org/gitaly/v16" -ldflags=[-B 0x54454D505F474954414C595F4255494C445F4944 -X gitlab.com/gitlab-org/gitaly/v16/internal/version.version=16.11.3]
2024-09-17T22:28:31Z    DEBUG   [gobinary] Unable to detect main module's dependency version - `(devel)` is used       dependency="gitlab.com/gitlab-org/gitaly/v16"
2024-09-17T22:28:31Z    DEBUG   [gobinary] Parsing dependency's build info settings     dependency="gitlab.com/gitlab-org/gitaly/v16" -ldflags=[-B 0x54454D505F474954414C595F4255494C445F4944 -X gitlab.com/gitlab-org/gitaly/v16/internal/version.version=16.11.3]
2024-09-17T22:28:31Z    DEBUG   [gobinary] Unable to detect main module's dependency version - `(devel)` is used       dependency="gitlab.com/gitlab-org/gitaly/v16"
2024-09-17T22:28:31Z    DEBUG   [gobinary] Parsing dependency's build info settings     dependency="gitlab.com/gitlab-org/gitaly/v16" -ldflags=[-B 0x54454D505F474954414C595F4255494C445F4944 -X gitlab.com/gitlab-org/gitaly/v16/internal/version.version=16.11.3]
2024-09-17T22:28:32Z    DEBUG   [gobinary] Unable to detect main module's dependency version - `(devel)` is used       dependency="gitlab.com/gitlab-org/gitaly/v16"
2024-09-17T22:28:32Z    DEBUG   [gobinary] Parsing dependency's build info settings     dependency="gitlab.com/gitlab-org/gitaly/v16" -ldflags=[-B 0x54454D505F474954414C595F4255494C445F4944 -X gitlab.com/gitlab-org/gitaly/v16/internal/version.version=16.11.3]
2024-09-17T22:28:33Z    DEBUG   [gobinary] Unable to detect main module's dependency version - `(devel)` is used       dependency="gitlab.com/gitlab-org/gitlab-elasticsearch-indexer"
2024-09-17T22:28:33Z    DEBUG   [gobinary] Parsing dependency's build info settings     dependency="gitlab.com/gitlab-org/gitlab-elasticsearch-indexer" -ldflags=[-X "main.Version=v4.8.0" -X "main.BuildTime=2024-05-22-0006 UTC"]
2024-09-17T22:28:33Z    DEBUG   [gobinary] Unable to detect main module's dependency version - `(devel)` is used       dependency="gitlab.com/gitlab-org/cluster-integration/gitlab-agent/v16"
2024-09-17T22:28:33Z    DEBUG   [gobinary] Parsing dependency's build info settings     dependency="gitlab.com/gitlab-org/cluster-integration/gitlab-agent/v16" -ldflags=[-X "gitlab.com/gitlab-org/cluster-integration/gitlab-agent/v16/cmd.Version=v16.11.3" -X "gitlab.com/gitlab-org/cluster-integration/gitlab-agent/v16/cmd.Commit=7c2640f9" -X "gitlab.com/gitlab-org/cluster-integration/gitlab-agent/v16/cmd.BuildTime=20240522.000707"]
2024-09-17T22:28:34Z    DEBUG   [gobinary] Unable to detect main module's dependency version - `(devel)` is used       dependency="gitlab.com/gitlab-org/gitlab-pages"
2024-09-17T22:28:34Z    DEBUG   [gobinary] Parsing dependency's build info settings     dependency="gitlab.com/gitlab-org/gitlab-pages" -ldflags=[-X main.VERSION=16.11.3 -X main.REVISION=9f6b8fa3 -B 0xe6435cbd0d639dfd59c209c93274264645e2be03]
2024-09-17T22:28:34Z    DEBUG   [gobinary] Unable to detect main module's dependency version - `(devel)` is used       dependency="gitlab.com/gitlab-org/gitlab/workhorse"
2024-09-17T22:28:34Z    DEBUG   [gobinary] Parsing dependency's build info settings     dependency="gitlab.com/gitlab-org/gitlab/workhorse" -ldflags=[-X main.Version=v16.11.3-ee -X main.BuildTime=20240522.000918 -B 0x684d61a3310fc5603d3109c595fa57113df2df87]
2024-09-17T22:28:35Z    DEBUG   [gobinary] Unable to detect main module's dependency version - `(devel)` is used       dependency="gitlab.com/gitlab-org/gitlab/workhorse"
2024-09-17T22:28:35Z    DEBUG   [gobinary] Parsing dependency's build info settings     dependency="gitlab.com/gitlab-org/gitlab/workhorse" -ldflags=[-X main.Version=v16.11.3-ee -X main.BuildTime=20240522.000918 -B 0xb538c00617530a1e7831fc32518fc1664218d094]
2024-09-17T22:28:35Z    DEBUG   [gobinary] Unable to detect main module's dependency version - `(devel)` is used       dependency="gitlab.com/gitlab-org/gitlab/workhorse"
2024-09-17T22:28:35Z    DEBUG   [gobinary] Parsing dependency's build info settings     dependency="gitlab.com/gitlab-org/gitlab/workhorse" -ldflags=[-X main.Version=v16.11.3-ee -X main.BuildTime=20240522.000918 -B 0x1c83a07717fdfb4882c9d127120e9f2af9bd3252]
2024-09-17T22:28:36Z    DEBUG   [gobinary] Unable to detect main module's dependency version - `(devel)` is used       dependency="gitlab.com/gitlab-org/gitlab/workhorse"
2024-09-17T22:28:36Z    DEBUG   [gobinary] Parsing dependency's build info settings     dependency="gitlab.com/gitlab-org/gitlab/workhorse" -ldflags=[-X main.Version=v16.11.3-ee -X main.BuildTime=20240522.000918 -B 0x435384f04576ae928d2dad38274363b48cc1f487]
2024-09-17T22:28:36Z    DEBUG   [gobinary] Unable to detect main module's dependency version - `(devel)` is used       dependency="github.com/webdevops/go-crond"
2024-09-17T22:28:36Z    DEBUG   [gobinary] Parsing dependency's build info settings     dependency="github.com/webdevops/go-crond" -ldflags=[-X "main.gitTag=23.12.0" -X "main.gitCommit=4f2e74e" -extldflags "-static" -s -w]
2024-09-17T22:28:36Z    DEBUG   [gobinary] Unable to detect dependency version. `-ldflags` build info settings don't contain version flag. Empty version used.                                                                              dependency="github.com/webdevops/go-crond"
2024-09-17T22:28:38Z    DEBUG   [gobinary] Unable to detect main module's dependency version - `(devel)` is used       dependency="github.com/mattermost/mattermost/server/v8"
2024-09-17T22:28:38Z    DEBUG   [gobinary] Parsing dependency's build info settings     dependency="github.com/mattermost/mattermost/server/v8" -ldflags=[]
2024-09-17T22:28:38Z    DEBUG   [gobinary] Unable to detect dependency version. `-ldflags` build info settings don't contain version flag. Empty version used.                                                                              dependency="github.com/mattermost/mattermost/server/v8"
2024-09-17T22:28:38Z    DEBUG   [gobinary] Unable to detect main module's dependency version - `(devel)` is used       dependency="github.com/mattermost/mattermost/server/public"
2024-09-17T22:28:39Z    DEBUG   [gobinary] Unable to detect main module's dependency version - `(devel)` is used       dependency="github.com/mattermost/mattermost/server/v8"
2024-09-17T22:28:39Z    DEBUG   [gobinary] Parsing dependency's build info settings     dependency="github.com/mattermost/mattermost/server/v8" -ldflags=[]
2024-09-17T22:28:39Z    DEBUG   [gobinary] Unable to detect dependency version. `-ldflags` build info settings don't contain version flag. Empty version used.                                                                              dependency="github.com/mattermost/mattermost/server/v8"
2024-09-17T22:28:39Z    DEBUG   [gobinary] Unable to detect main module's dependency version - `(devel)` is used       dependency="github.com/mattermost/mattermost/server/public"
2024-09-17T22:28:39Z    DEBUG   [gobinary] Unable to detect main module's dependency version - `(devel)` is used       dependency="github.com/prometheus/node_exporter"
2024-09-17T22:28:39Z    DEBUG   [gobinary] Parsing dependency's build info settings     dependency="github.com/prometheus/node_exporter" -ldflags=[-X github.com/prometheus/common/version.Version=1.7.0 -X github.com/prometheus/common/version.Branch=master -X github.com/prometheus/common/version.BuildUser=GitLab-Omnibus -s -w]
2024-09-17T22:28:39Z    DEBUG   [gobinary] Unable to detect main module's dependency version - `(devel)` is used       dependency="github.com/prometheus-community/pgbouncer_exporter"
2024-09-17T22:28:39Z    DEBUG   [gobinary] Parsing dependency's build info settings     dependency="github.com/prometheus-community/pgbouncer_exporter" -ldflags=[-X github.com/prometheus/common/version.Version=0.8.0 -X github.com/prometheus/common/version.Branch=master -X github.com/prometheus/common/version.BuildUser=GitLab-Omnibus -s -w]
2024-09-17T22:28:40Z    DEBUG   [gobinary] Unable to detect main module's dependency version - `(devel)` is used       dependency="github.com/prometheus-community/postgres_exporter"
2024-09-17T22:28:40Z    DEBUG   [gobinary] Parsing dependency's build info settings     dependency="github.com/prometheus-community/postgres_exporter" -ldflags=[-X github.com/prometheus/common/version.Version=0.15.0 -X github.com/prometheus/common/version.Branch=master -X github.com/prometheus/common/version.BuildUser=GitLab-Omnibus -s -w]
2024-09-17T22:28:41Z    DEBUG   [gobinary] Unable to detect main module's dependency version - `(devel)` is used       dependency="gitlab.com/gitlab-org/gitaly/v16"
2024-09-17T22:28:41Z    DEBUG   [gobinary] Parsing dependency's build info settings     dependency="gitlab.com/gitlab-org/gitaly/v16" -ldflags=[-B 0x54454D505F474954414C595F4255494C445F4944 -X gitlab.com/gitlab-org/gitaly/v16/internal/version.version=16.11.3]
2024-09-17T22:28:42Z    DEBUG   [gobinary] Unable to detect main module's dependency version - `(devel)` is used       dependency="github.com/prometheus/prometheus"
2024-09-17T22:28:42Z    DEBUG   [gobinary] Parsing dependency's build info settings     dependency="github.com/prometheus/prometheus" -ldflags=[-X github.com/prometheus/common/version.Version=2.51.2 -X github.com/prometheus/common/version.Branch=master -X github.com/prometheus/common/version.BuildUser=GitLab-Omnibus -s -w]
2024-09-17T22:28:43Z    DEBUG   [gobinary] Unable to detect main module's dependency version - `(devel)` is used       dependency="github.com/oliver006/redis_exporter"
2024-09-17T22:28:43Z    DEBUG   [gobinary] Parsing dependency's build info settings     dependency="github.com/oliver006/redis_exporter" -ldflags=[-X main.BuildVersion=1.58.0 -X main.BuildDate= -X main.BuildCommitSha= -s -w]
2024-09-17T22:28:43Z    DEBUG   [gobinary] Unable to detect dependency version. `-ldflags` build info settings don't contain version flag. Empty version used.                                                                              dependency="github.com/oliver006/redis_exporter"
2024-09-17T22:28:44Z    DEBUG   [gobinary] Unable to detect main module's dependency version - `(devel)` is used       dependency="github.com/docker/distribution"
2024-09-17T22:28:44Z    DEBUG   [gobinary] Parsing dependency's build info settings     dependency="github.com/docker/distribution" -ldflags=[-s -w -X github.com/docker/distribution/version.Version=v3.92.0-gitlab -X github.com/docker/distribution/version.Revision=4da5b7c3dc3a49426d889bfc2fbc1f531112f6b8 -X github.com/docker/distribution/version.Package=github.com/docker/distribution -X github.com/docker/distribution/version.BuildTime=2024-05-17T22:24:36]
2024-09-17T22:28:44Z    DEBUG   [gobinary] Unable to detect main module's dependency version - `(devel)` is used       dependency="gitlab.com/gitlab-org/spamcheck"
2024-09-17T22:28:44Z    DEBUG   [gobinary] Parsing dependency's build info settings     dependency="gitlab.com/gitlab-org/spamcheck" -ldflags=[-X 'gitlab.com/gitlab-org/spamcheck=v0.0.1' -X 'gitlab.com/gitlab-org/spamcheck.gitCommit=' -X 'gitlab.com/gitlab-org/spamcheck.buildTag=42' -X 'gitlab.com/gitlab-org/spamcheck.buildTimestamp=2024-05-17T22:32:26Z']
2024-09-17T22:28:44Z    DEBUG   [gobinary] Unable to detect dependency version. `-ldflags` build info settings don't contain version flag. Empty version used.                                                                              dependency="gitlab.com/gitlab-org/spamcheck"
2024-09-17T22:28:49Z    DEBUG   [gobinary] Unable to detect main module's dependency version - `(devel)` is used       dependency="gitlab-org/ruby/gems/devfile-gem"
2024-09-17T22:28:49Z    DEBUG   [gobinary] Parsing dependency's build info settings     dependency="gitlab-org/ruby/gems/devfile-gem" -ldflags=[]
2024-09-17T22:28:49Z    DEBUG   [gobinary] Unable to detect dependency version. `-ldflags` build info settings don't contain version flag. Empty version used.                                                                              dependency="gitlab-org/ruby/gems/devfile-gem"
2024-09-17T22:29:05Z    DEBUG   [gobinary] Unable to detect main module's dependency version - `(devel)` is used       dependency="gitlab.com/gitlab-org/gitlab-shell/v14"
2024-09-17T22:29:05Z    DEBUG   [gobinary] Parsing dependency's build info settings     dependency="gitlab.com/gitlab-org/gitlab-shell/v14" -ldflags=[-X main.Version=v14.35.0 -X main.BuildTime=20240522.000746]
2024-09-17T22:29:06Z    DEBUG   [gobinary] Unable to detect main module's dependency version - `(devel)` is used       dependency="gitlab.com/gitlab-org/gitlab-shell/v14"
2024-09-17T22:29:06Z    DEBUG   [gobinary] Parsing dependency's build info settings     dependency="gitlab.com/gitlab-org/gitlab-shell/v14" -ldflags=[-X main.Version=v14.35.0 -X main.BuildTime=20240522.000746]
2024-09-17T22:29:06Z    DEBUG   [gobinary] Unable to detect main module's dependency version - `(devel)` is used       dependency="gitlab.com/gitlab-org/gitlab-shell/v14"
2024-09-17T22:29:06Z    DEBUG   [gobinary] Parsing dependency's build info settings     dependency="gitlab.com/gitlab-org/gitlab-shell/v14" -ldflags=[-X main.Version=v14.35.0 -X main.BuildTime=20240522.000746]
2024-09-17T22:29:06Z    DEBUG   [gobinary] Unable to detect main module's dependency version - `(devel)` is used       dependency="gitlab.com/gitlab-org/gitlab-shell/v14"
2024-09-17T22:29:06Z    DEBUG   [gobinary] Parsing dependency's build info settings     dependency="gitlab.com/gitlab-org/gitlab-shell/v14" -ldflags=[-X main.Version=v14.35.0 -X main.BuildTime=20240522.000746]
2024-09-17T22:29:07Z    DEBUG   [gobinary] Unable to detect main module's dependency version - `(devel)` is used       dependency="gitlab.com/gitlab-org/gitlab-shell/v14"
2024-09-17T22:29:07Z    DEBUG   [gobinary] Parsing dependency's build info settings     dependency="gitlab.com/gitlab-org/gitlab-shell/v14" -ldflags=[-X main.Version=v14.35.0 -X main.BuildTime=20240522.000746]
2024-09-17T22:29:12Z    INFO    Java DB Repository      repository=ghcr.io/aquasecurity/trivy-java-db:1
2024-09-17T22:29:12Z    INFO    Downloading the Java DB...
644.31 MiB / 644.31 MiB [----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 5.54 MiB p/s 1m57s
2024-09-17T22:31:10Z    INFO    The Java DB is cached for 3 days. If you want to update the database more frequently, "trivy clean --java-db" command clears the DB cache.
2024-09-17T22:31:10Z    DEBUG   [jar] Parsing Java artifacts... file_path="opt/gitlab/embedded/lib/ruby/gems/3.1.0/gems/concurrent-ruby-1.2.3/lib/concurrent-ruby/concurrent/concurrent_ruby.jar"
2024-09-17T22:31:10Z    DEBUG   [jar] Parsing Java artifacts... file_path="opt/gitlab/embedded/lib/ruby/gems/3.1.0/gems/ed25519-1.3.0/lib/ed25519_jruby.jar"
2024-09-17T22:31:10Z    DEBUG   [jar] No such POM in the central repositories   file="ed25519_jruby.jar"
2024-09-17T22:31:10Z    DEBUG   [jar] No such POM in the central repositories   file="concurrent_ruby.jar"
2024-09-17T22:31:10Z    INFO    [python] License acquired from METADATA classifiers may be subject to additional terms name="psycopg2" version="2.8.6"
2024-09-17T22:31:10Z    DEBUG   [cargo] Cargo.toml not found    file_path="opt/gitlab/embedded/lib/ruby/gems/3.1.0/gems/gitlab-glfm-markdown-0.0.14-x86_64-linux/Cargo.toml"
2024-09-17T22:31:10Z    DEBUG   [dpkg] Unable to parse the available file       file_path="var/lib/dpkg/available" err="file open error: open var/lib/dpkg/available: file does not exist"
2024-09-17T22:31:10Z    DEBUG   No secrets found in container image config
2024-09-17T22:31:10Z    INFO    Detected OS     family="ubuntu" version="22.04"
2024-09-17T22:31:10Z    INFO    [ubuntu] Detecting vulnerabilities...   os_version="22.04" pkg_num=123
2024-09-17T22:31:10Z    INFO    Number of language-specific files       num=2
2024-09-17T22:31:10Z    INFO    [cargo] Detecting vulnerabilities...
2024-09-17T22:31:10Z    DEBUG   [cargo] Scanning packages for vulnerabilities   file_path="opt/gitlab/embedded/lib/ruby/gems/3.1.0/gems/gitlab-glfm-markdown-0.0.14-x86_64-linux/Cargo.lock"
2024-09-17T22:31:10Z    DEBUG   [cargo] Scanning packages for vulnerabilities   file_path="opt/gitlab/embedded/lib/ruby/gems/3.1.0/gems/prometheus-client-mmap-1.1.1-x86_64-linux/ext/fast_mmaped_file_rs/Cargo.lock"
2024-09-17T22:31:10Z    DEBUG   [vex] VEX filtering is disabled

Operating System

Docker version 26.1.0, build 9714adc, Rocky Linux release 8.9 (Green Obsidian)

Version

# trivy --version
Version: 0.55.1

Checklist

Run trivy clean --all
Read the troubleshooting

DmitriyLewen · 2024-09-18T05:07:18Z

DmitriyLewen
Sep 18, 2024
Maintainer

Hello @wkoot
Thanks for your report!

These components were found from different lock files:

opt/gitlab/embedded/lib/ruby/gems/3.1.0/gems/gitlab-glfm-markdown-0.0.14-x86_64-linux/Cargo.lock
opt/gitlab/embedded/lib/ruby/gems/3.1.0/gems/prometheus-client-mmap-1.1.1-x86_64-linux/ext/fast_mmaped_file_rs/Cargo.lock

That is why we create 2 components for pkg:cargo/[email protected].

regards, Dmitriy

6 replies

wkoot Sep 18, 2024
Author

Because the data is duplicate as far as the python lib's equality check is concerned, data is lost upon deserialization.
See also the explanation as in issue report CycloneDX/cyclonedx-python-lib#540 (comment)

DmitriyLewen Sep 19, 2024
Maintainer

Hello @wkoot
python-lib's arguments look logical, but, as you correctly noted, C# library doesn't remove duplicates (CycloneDX/cyclonedx-python-lib#540 (comment))

as far as I remember - libraries for different languages are developed by different people. Because of this, it may be difficult to understand controversial points.

Let's wait for the answer at CycloneDX/cyclonedx-cli#399
if a collective decision is made to remove duplicates - we will update the logic in Trivy (or perhaps it will be more correct to write/make a PR in github.com/CycloneDX/cyclonedx-go)

wkoot Sep 19, 2024
Author

I don't think waiting will bring much as there is no agreement on merging algorithms, see CycloneDX/specification#320.
However, given your reasoning that the components originate from different files, component nesting is a great solution.

In this example, cargo/rustc-hash should not be added twice as root level components - but nested under other components.
I believe it should resemble a structure like this (I'm totally guessing the purl for gems for the example):

components:
 - gem/[email protected]
   components:
    - cargo/[email protected]
 - gem/[email protected]
   components:
    - cargo/[email protected]

With this approach, the other data objects in dependencies and vulnerabilities will not need to be altered.

knqyf263 Sep 19, 2024
Maintainer

For example, identical packages installed in different paths would not be nested as they don't have parents and are added twice as root-level components in the current implementation. We didn't have any other idea for that.

Also, is it discussed anywhere that identical components should not appear at the top level but only if they are nested? They happen to have the same name and version, but have different dependencies and are effectively different components. We don't currently see anything wrong with them being added to the top level, but we would like to fix it if it seems to violate anything.

Just so you know, we had a similar discussion before.
#6694 (reply in thread)

wkoot Sep 19, 2024
Author

Also, is it discussed anywhere that identical components should not appear at the top level but only if they are nested? They happen to have the same name and version, but have different dependencies and are effectively different components. We don't currently see anything wrong with them being added to the top level, but we would like to fix it if it seems to violate anything.

I took this from CycloneDX/cyclonedx-python-lib#540 (comment) (see also CycloneDX/cyclonedx-python-lib#540 (comment) above)
And note that I have opened a separate issue CycloneDX/cyclonedx-python-lib#677 re duplicate components as produced by Trivy

Note that it is also disputed in a change (and test) I proposed with CycloneDX/cyclonedx-python-lib#678 (comment)

wkoot · 2024-10-24T19:36:49Z

wkoot
Oct 24, 2024
Author

I would like to add that this is now also producing SBOM files that are no longer accepted by Dependency-Track
As mentioned in CycloneDX/cyclonedx-cli#399 (comment):

Since the file validation changes introduced to Dependency-Track in version 4.11, files produced by cyclonedx-cli merge in this manner also produce errors in DT:

ERROR [BomUploadProcessingTask] Error while processing bom
java.lang.IllegalStateException: Duplicate key Identity[group=aquasecurity, name=trivy:FilePath, value=home/frontend/node_modules/body-parser/node_modules/debug/package.json] (attempted merging values ComponentProperty{id=97037, component=pkg:npm/[email protected], groupName=aquasecurity, propertyName=trivy:FilePath, propertyValue=home/frontend/node_modules/body-parser/node_modules/debug/package.json, propertyType=STRING, uuid=c7528c5d-c315-4aa8-b259-6010af83c96c} and ComponentProperty{id=101526, component=pkg:npm/[email protected], groupName=aquasecurity, propertyName=trivy:FilePath, propertyValue=home/frontend/node_modules/body-parser/node_modules/debug/package.json, propertyType=STRING, uuid=0a33962a-62c7-4952-a108-f77edfc143d9})
	at java.base/java.util.stream.Collectors.duplicateKeyException(Unknown Source)
	at java.base/java.util.stream.Collectors.lambda$uniqKeysMapAccumulator$1(Unknown Source)
	at java.base/java.util.stream.ReduceOps$3ReducingSink.accept(Unknown Source)
	at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(Unknown Source)
[...]

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Image scan produces duplicate components which only differ in bom-ref #7532

{{title}}

Replies: 2 comments 6 replies

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

Select a reply

Image scan produces duplicate components which only differ in bom-ref #7532

wkoot Sep 17, 2024

Description

Desired Behavior

Actual Behavior

Reproduction Steps

Target

Scanner

Output Format

Mode

Debug Output

Operating System

Version

Checklist

Replies: 2 comments · 6 replies

DmitriyLewen Sep 18, 2024 Maintainer

wkoot Sep 18, 2024 Author

DmitriyLewen Sep 19, 2024 Maintainer

wkoot Sep 19, 2024 Author

knqyf263 Sep 19, 2024 Maintainer

wkoot Sep 19, 2024 Author

wkoot Oct 24, 2024 Author

wkoot
Sep 17, 2024

Replies: 2 comments 6 replies

DmitriyLewen
Sep 18, 2024
Maintainer

wkoot Sep 18, 2024
Author

DmitriyLewen Sep 19, 2024
Maintainer

wkoot Sep 19, 2024
Author

knqyf263 Sep 19, 2024
Maintainer

wkoot Sep 19, 2024
Author

wkoot
Oct 24, 2024
Author