Dependency Track makes Trivy-generated SBOM unusable to Trivy server #3721

Closed · 2 tasks done
sec-p24 opened this issue May 16, 2024 · 13 comments · Fixed by #3727
Labels: defect (Something isn't working), integration/trivy (Related to the Trivy integration)

Comments

sec-p24 commented May 16, 2024

Current Behavior

I am trying to use the recently added Trivy analyzer, but in some cases Dependency Track transforms the uploaded SBOM in a way that prevents the Trivy server from detecting OS vulnerabilities correctly (see logs below).

trivy_1             | 2024-05-16T11:51:45.145Z  INFO    Detected OS: none
trivy_1             | 2024-05-16T11:51:45.145Z  WARN    unsupported os : none
trivy_1             | 2024-05-16T11:51:45.145Z  INFO    Number of language-specific files: 0

When I generate SBOM using Trivy and then specify the same Trivy server that is used by Dependency Track while analyzing then it works correctly:

2024-05-16T14:02:41.844+0200    INFO    Detected OS: alpine
2024-05-16T14:02:41.844+0200    INFO    Detecting Alpine vulnerabilities...
2024-05-16T14:02:41.845+0200    INFO    Number of language-specific files: 0

When I upload SBOM to Dependency Track either through UI or API then the same SBOM file does not show any vulnerabilities.

Steps to Reproduce

1. Create the SBOM with Trivy. In my case the command is trivy image --format cyclonedx --output test.json php:7.4.10-fpm-alpine
2. Upload it to Dependency Track (either using the UI or the API)
3. In Dependency Track the dependencies are correctly listed, but no vulnerabilities are shown

Expected Behavior

Trivy server correctly parses SBOM uploaded to Dependency Track.

Dependency-Track Version

4.11.0

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

15.0

Browser

N/A


@sec-p24 sec-p24 added defect Something isn't working in triage labels May 16, 2024
@nscuro nscuro added the integration/trivy Related to the Trivy integration label May 16, 2024
nscuro (Member) commented May 16, 2024

cc @fnxpt

@sec-p24 Can you please share the version of Trivy you're using? Also sharing the exact SBOM you're uploading could help in reproducing this.

sec-p24 (Author) commented May 16, 2024

My current production setup uses Trivy v0.49.1 to generate SBOM and Trivy v0.51.1 in server mode.
However, I tested the same locally with both Trivy instances on v0.51.1 and the issue remains the same. I am attaching 2 SBOMs: one straight after it was generated with Trivy and the other one downloaded from the Dependency Track UI (Download BOM -> Inventory).

After performing a few additional tests I have noticed that when I access the Trivy server directly (through the Trivy SBOM command, omitting dtrack) then sometimes it parses the dtrack-processed SBOM file correctly, while other times it does not (like 50/50). When I upload the same file through Dependency Track, then it always fails its assessment.

dt-processed-sbom.json
raw-trivy-sbom.json

fnxpt commented May 16, 2024

When I try to run the sbom locally on trivy I get this.

Screenshot 2024-05-16 at 16 22 50

sec-p24 (Author) commented May 16, 2024

Trivy client logs:

$ trivy sbom --server http://localhost:7070 raw-trivy-sbom.json
2024-05-16T16:25:12.145+0200    INFO    Vulnerability scanning is enabled
2024-05-16T16:25:12.147+0200    INFO    Detected SBOM format: cyclonedx-json
2024-05-16T16:25:12.203+0200    WARN    This OS version is no longer supported by the distribution: alpine 3.12.0
2024-05-16T16:25:12.203+0200    WARN    The vulnerability detection may be insufficient because security updates are not provided

Trivy server logs:

$ docker run -p 7070:7070 aquasec/trivy:0.51.1 server --listen 0.0.0.0:7070
2024-05-16T14:25:01Z    INFO    Need to update DB
2024-05-16T14:25:01Z    INFO    Downloading DB...       repository="ghcr.io/aquasecurity/trivy-db:2"
2024-05-16T14:25:08Z    INFO    Listening 0.0.0.0:7070...
2024-05-16T14:25:12Z    INFO    Detected OS     family="alpine" version="3.12.0"
2024-05-16T14:25:12Z    INFO    [alpine] Detecting vulnerabilities...   os_version="3.12" repository="" pkg_num=31
2024-05-16T14:25:12Z    INFO    Number of language-specific files       num=0

fnxpt commented May 16, 2024

Generated a new sbom for that image using trivy and it worked

Screenshot 2024-05-16 at 16 41 55

sec-p24 (Author) commented May 17, 2024

When I generated the SBOM for the same image as you did, uploading the file directly to Trivy server yielded different results than when it was uploaded to Dependency Track.
dtrack
trivy
trivy_server_logs

fnxpt commented May 17, 2024

Do you see the requests from DT arriving at trivy?
With the image you mentioned yesterday I was able to get some results... not all of them (I will check why)... but I'm getting results

Screenshot 2024-05-17 at 12 07 34

sec-p24 (Author) commented May 17, 2024

A few things to clarify.

1. In my initial comment I generated the SBOM for the php:7.4.10-fpm-alpine docker image, not the trivy image itself.
2. The logs from Trivy (see the last screenshot from my previous message) suggest the SBOM arrives there correctly. The same goes for the Dependency Track API logs, which suggest a successful analysis:

2024-05-17 10:08:15,600 INFO [TrivyAnalysisTask] Starting Trivy vulnerability analysis task
2024-05-17 10:08:15,813 INFO [TrivyAnalysisTask] Trivy vulnerability analysis complete

If there is a better way to confirm the arrival, please let me know.
3. Anyway, notice that you are getting results from language-based components only, but not OS-related packages. Looks like the issue might be with OS detection on the Trivy side when the SBOM is passed from DT.
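
The symptom reported in this thread (components listed, OS packages never assessed, the Trivy server logging `Detected OS: none`) can be narrowed down offline by diffing what Trivy needs for OS detection between the raw Trivy SBOM and the one Dependency-Track re-exports, the two files attached earlier in the thread. The script below is an added example and is not code from Dependency-Track or Trivy. It assumes Trivy's CycloneDX conventions: an `operating-system` component (e.g. alpine 3.12.0) carrying `aquasecurity:trivy:Type` and `aquasecurity:trivy:Class` properties, and OS packages identified by apk/deb/rpm purls carrying `aquasecurity:trivy:PkgType`; verify those against your Trivy version's output. The two embedded BOMs are constructed, not the attachments: the "processed" one strips the OS component's properties to illustrate one way detection can break, because the thread does not state exactly what Dependency-Track changed.

```python
"""Diff the OS-detection inputs of a raw Trivy CycloneDX SBOM against a re-exported one.

Added example, not code from Dependency-Track or Trivy. Assumes Trivy's
CycloneDX conventions (verify against your Trivy version):
  * an "operating-system" component named after the distro, e.g. alpine 3.12.0,
    carrying "aquasecurity:trivy:Type" and "aquasecurity:trivy:Class" properties;
  * OS packages identified by apk/deb/rpm purls, carrying "aquasecurity:trivy:PkgType".
"""
import copy
import json

OS_TYPE = "operating-system"
PROP_TYPE = "aquasecurity:trivy:Type"
PROP_CLASS = "aquasecurity:trivy:Class"
PROP_PKGTYPE = "aquasecurity:trivy:PkgType"
OS_PURL_PREFIXES = ("pkg:apk/", "pkg:deb/", "pkg:rpm/")


def _props(component):
    """Flatten a CycloneDX properties list into a name -> value dict."""
    return {p.get("name"): p.get("value") for p in component.get("properties", [])}


def os_detection_report(bom):
    """Summarise the facts Trivy can use to pick an OS analyzer for this BOM."""
    comps = bom.get("components", [])
    os_comps = [c for c in comps if c.get("type") == OS_TYPE]
    report = {
        "has_os_component": bool(os_comps),
        "os": None,
        "os_component_has_trivy_props": False,
        "os_pkgs_total": 0,
        "os_pkgs_with_pkgtype": 0,
    }
    if os_comps:
        oc = os_comps[0]
        report["os"] = f"{oc.get('name')} {oc.get('version')}"
        props = _props(oc)
        report["os_component_has_trivy_props"] = PROP_TYPE in props and PROP_CLASS in props
    for c in comps:
        # Only OS-level packages count here; language packages are detected separately.
        if c.get("purl", "").startswith(OS_PURL_PREFIXES):
            report["os_pkgs_total"] += 1
            if PROP_PKGTYPE in _props(c):
                report["os_pkgs_with_pkgtype"] += 1
    return report


def lost_between(raw_bom, processed_bom):
    """Report fields that were present in the raw BOM but degraded in the processed one."""
    before, after = os_detection_report(raw_bom), os_detection_report(processed_bom)
    return [k for k in before if before[k] and before[k] != after[k]]


def load_bom(path):
    """Load a CycloneDX JSON file, e.g. raw-trivy-sbom.json or dt-processed-sbom.json."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample resembling Trivy's output for php:7.4.10-fpm-alpine (not the
# attachment from the thread; only two packages are included).
RAW_TRIVY_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "container", "name": "php:7.4.10-fpm-alpine"}},
    "components": [
        {
            "bom-ref": "os-alpine",
            "type": OS_TYPE,
            "name": "alpine",
            "version": "3.12.0",
            "properties": [
                {"name": PROP_CLASS, "value": "os-pkgs"},
                {"name": PROP_TYPE, "value": "alpine"},
            ],
        },
        {
            "type": "library",
            "name": "musl",
            "version": "1.1.24-r10",
            "purl": "pkg:apk/alpine/musl@1.1.24-r10?distro=3.12.0",
            "properties": [{"name": PROP_PKGTYPE, "value": "alpine"}],
        },
        {
            "type": "library",
            "name": "zlib",
            "version": "1.2.11-r3",
            "purl": "pkg:apk/alpine/zlib@1.2.11-r3?distro=3.12.0",
            "properties": [{"name": PROP_PKGTYPE, "value": "alpine"}],
        },
    ],
}

# Constructed "processed" BOM: identical except the OS component lost its Trivy
# properties. This is one way detection can break; the thread does not say
# exactly what Dependency-Track changed in the real attachment.
DT_PROCESSED_SBOM = copy.deepcopy(RAW_TRIVY_SBOM)
DT_PROCESSED_SBOM["components"][0].pop("properties")


if __name__ == "__main__":
    print(json.dumps(os_detection_report(RAW_TRIVY_SBOM), indent=2))
    print("lost after processing:", lost_between(RAW_TRIVY_SBOM, DT_PROCESSED_SBOM))
```

To run it against the real files, replace the two constants with `load_bom("raw-trivy-sbom.json")` and `load_bom("dt-processed-sbom.json")`; any field named by `lost_between` is a candidate cause for the `Detected OS: none` line on the server side and is worth checking before suspecting the Trivy server itself.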

fnxpt commented May 17, 2024

Ok I confirm its not working as expected, I will try to debug it later today

fnxpt commented May 17, 2024

I think I found the issue, just need to do some testing...

fnxpt commented May 17, 2024

@sec-p24 Issue fixed, the PR is failing due to issues with dependencies.
@nscuro any idea what could be the issue? I saw in the logs that there were a few changes on the dependencies 2 days ago.

for the php:7.4.10-fpm-alpine
Screenshot 2024-05-17 at 17 39 47

for the aquasec/trivy:0.51.1
Screenshot 2024-05-17 at 17 36 30

nscuro (Member) commented May 17, 2024

@fnxpt The build failures are related to #3726 and the corresponding changes in Alpine. I'll get that PR merged, then your build should pass.

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 18, 2024