
False positives in Trivy analyzer ? #3774

Closed
2 tasks done
dsk-imgw opened this issue May 29, 2024 · 9 comments
Labels
FP/FN report False Positive or False Negative help wanted Extra attention is needed integration/trivy Related to the Trivy integration

Current Behavior

Trivy analyzer may report false positives (at least about Rocky Linux 9).

Steps to Reproduce

  1. Generate a CycloneDX SBOM file with the trivy CLI on a Rocky 9.4 PC where all available updates are applied:
     `trivy rootfs / --format=cyclonedx -o <SBOM file>`
  2. Upload the SBOM generated in step 1 to Dependency-Track to identify vulnerabilities. Trivy version is 0.51.2 running on Docker.
  3. Apart from the above, run the trivy CLI on the SBOM generated in step 1 to identify vulnerabilities:
     `trivy sbom <SBOM file>`
  4. Compare the results of steps 2 and 3.
     => The result was … step 2: 77 vulnerabilities (all detected by the trivy analyzer), and step 3: 27 vulnerabilities (please see the screenshots below for details).

Results by Dependency-Track
[Screenshot: DT_Detection_Results]

Results by trivy CLI
[Screenshot: Trivy_Detection_Results]

Expected Behavior

I think the trivy analyzer in Dependency-Track should detect only the 27 vulnerabilities detected by the trivy CLI, for the following reasons.

  • The 27 vulnerabilities (in common with those detected by Dependency-Track) directly detected by the trivy CLI are all about old kernel-* rpms, which co-exist with the patched-version rpms, and thus are not false positives.
  • The remaining 50 vulnerabilities detected only by Dependency-Track are found to be all false positives according to Rocky's official security advisory.
  • As the common data (SBOM) and analyzer are used, the results should be the same for Dependency-Track and the trivy CLI.

Dependency-Track Version

4.11.1

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

10.5

Browser

Google Chrome

@dsk-imgw dsk-imgw added defect Something isn't working in triage labels May 29, 2024
@nscuro nscuro added help wanted Extra attention is needed FP/FN report False Positive or False Negative integration/trivy Related to the Trivy integration and removed defect Something isn't working in triage labels May 29, 2024
@dsk-imgw
Author

dsk-imgw commented Jun 7, 2024

I inspected the HTTP traffic of vulnerability scans between the client (both Dependency-Track and the Trivy CLI) and the Trivy server. I discovered a slight difference in the POST data between Dependency-Track and the Trivy CLI.
More precisely, when POSTing to /twirp/trivy.cache.v1.Cache/PutBlob,

  • (a) The value of "version" in "package" does NOT contain the values of "epoch" and "release".
  • (b) The key "release" exists in the "packages" section.

Please see the example below.
If the source code of Dependency-Track could be modified to send the data as in 2) below, this issue might be resolved, but I have not tried to modify the source code of Dependency-Track, since the change impacts could not be estimated precisely (is it OK just by changing the structure of the "Package" class and the POST data?).

1) Dependency-Track -> Trivy Server

```json
{
	"diff_id": "sha256:0f4c5915d0608864abfca0081bd1f1b71b6b23a61c90b3dc59b693ea859fb8f0",
	"blob_info": {
		"schema_version": 2,
		"os": {
			"family": "rocky",
			"name": "9.4",
			"eosl": false,
			"extended": false
		},
		"package_infos": [
			{
				"packages": [
					{
						...
					},
					{
						"name": "dbus",
						"version": "1:1.12.20-8.el9", // <-- %{EPOCH}:%{VERSION}-%{RELEASE} and no "release" key.
						"arch": "x86_64",
						"epoch": 1,
						"src_name": "dbus",
						"src_version": "1.12.20",
						"src_epoch": 1,
						"src_release": "8.el9",
						"licenses": [],
						"layer": {
							"eosl": false,
							"extended": false
						}
					},
					{
						...
					}
				]
			}
		]
	}
}
```
2) Trivy CLI Client -> Trivy Server (Below is the JSON-equivalent representation. The actual "Content-Type" is "application/protobuf", not "application/json".)

```json
{
	"diff_id": "sha256:0f4c5915d0608864abfca0081bd1f1b71b6b23a61c90b3dc59b693ea859fb8f0",
	"blob_info": {
		"schema_version": 2,
		"os": {
			"family": "rocky",
			"name": "9.4",
			"eosl": false,
			"extended": false
		},
		"package_infos": [
			{
				"packages": [
					{
						...
					},
					{
						"name": "dbus",
						"version": "1.12.20", // <-- (a) %{VERSION}
						"release": "8.el9",   // <-- (b) %{RELEASE}
						"arch": "x86_64",
						"epoch": 1,
						"src_name": "dbus",
						"src_version": "1.12.20",
						"src_epoch": 1,
						"src_release": "8.el9",
						"licenses": [],
						"layer": {
							"eosl": false,
							"extended": false
						}
					},
					{
						...
					}
				]
			}
		]
	}
}
```
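As an added example (not code from this issue, Dependency-Track or Trivy), the following shows how the combined `epoch:version-release` string sent in 1) can be split into the separate `version`, `release` and `epoch` fields that the Trivy CLI sends in 2), and compares the two package shapes. The function names are my own; the field names follow the JSON above, and the DEB case is included because the later comment reports the same fix applied to deb packages.

```python
"""Split an RPM/DEB EVR string into the separate fields Trivy's PutBlob
package entry carries, and build both request shapes seen in the issue.
Example code added here; field names mirror the PutBlob JSON above."""
from typing import Any, Dict, List, Optional, Tuple


def split_evr(evr: str) -> Tuple[int, str, Optional[str]]:
    """Return (epoch, version, release) for e.g. '1:1.12.20-8.el9'.

    A missing epoch is treated as 0, as rpm does. The release is the text
    after the LAST '-', because RPM versions cannot contain '-' while DEB
    upstream versions may (e.g. '2.42.10+dfsg-3ubuntu3.1' splits at the
    final '-'). A string with no '-' at all yields release=None.
    """
    epoch = 0
    if ":" in evr:
        epoch_str, evr = evr.split(":", 1)
        epoch = int(epoch_str)
    head, sep, tail = evr.rpartition("-")
    if not sep:  # rpartition put the whole string in `tail`
        return epoch, tail, None
    return epoch, head, tail


def trivy_cli_package(name: str, evr: str, arch: str) -> Dict[str, Any]:
    """Package entry in the shape the Trivy CLI sends (version/release split)."""
    epoch, version, release = split_evr(evr)
    pkg: Dict[str, Any] = {"name": name, "version": version,
                           "arch": arch, "epoch": epoch}
    if release is not None:
        pkg["release"] = release
    return pkg


def dependency_track_package(name: str, evr: str, arch: str) -> Dict[str, Any]:
    """Package entry in the shape the issue shows Dependency-Track 4.11.1
    sending: the full EVR string in "version" and no "release" key."""
    epoch, _, _ = split_evr(evr)
    return {"name": name, "version": evr, "arch": arch, "epoch": epoch}


def differing_fields(a: Dict[str, Any], b: Dict[str, Any]) -> List[str]:
    """Field names whose values differ between two package entries."""
    return sorted(k for k in set(a) | set(b) if a.get(k) != b.get(k))


if __name__ == "__main__":
    dt = dependency_track_package("dbus", "1:1.12.20-8.el9", "x86_64")
    cli = trivy_cli_package("dbus", "1:1.12.20-8.el9", "x86_64")
    print("fields that differ:", differing_fields(dt, cli))
```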

@dsk-imgw
Author

As for RPM and DEB packages, the false positives from the Trivy analyser seem to be resolved by modifying the source code a little.

I modified the source code of 4.11.3. Two files were modified: "main/java/org/dependencytrack/tasks/scanners/TrivyAnalysisTask.java" and "main/java/org/dependencytrack/parser/trivy/model/Package.java". For your reference, the patch file ("dependency-track-4.11.3_trivy_rpm+deb.patch") is attached at the end of this message.

After deploying the modified apiserver JAR file, I re-analysed the project of rpm packages in "Rocky Linux 9.4" which I mentioned in this issue. The result is "27 vulnerabilities detected" (screenshot below), as I wanted.

[Screenshot: Result_by_my_custom_code]

In addition, I also confirmed the same thing for DEB packages; the scan results of deb packages in Ubuntu 22.04 are the same both by Dependency-Track and by the Trivy CLI.

dependency-track-4.11.3_trivy_rpm+deb.patch

Thank you.

@fnxpt

fnxpt commented Jun 10, 2024

Hey, sorry for missing this. I will try to have a look into it today.

@fnxpt

fnxpt commented Jun 12, 2024

@dsk-imgw do you want to create a PR for this or do you want me to handle it?

@dsk-imgw
Author

If possible, I would appreciate it if you could handle a PR.

@fnxpt

fnxpt commented Jun 12, 2024

Ok, I'm a little busy right now, but I will try to create it in the next few days.

@dsk-imgw dsk-imgw closed this as not planned Won't fix, can't repro, duplicate, stale Jun 25, 2024
@nscuro
Member

nscuro commented Jul 8, 2024

@dsk-imgw What's the reason for closing this issue? Does the proposed patch not work as expected?

@dsk-imgw
Author

dsk-imgw commented Jul 9, 2024 via email

Contributor

github-actions bot commented Aug 8, 2024

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 8, 2024