Trivy fs cannot generate SBoM for a folder containing RPMs

[gabrielericciardi]

Description

I would like to obtain a SBoM for a created ISO (based on a RedHat distribution), listing all the packages in the media.
I then unpacked the ISO in a folder and used trivy fs to scan it, but the SBoM produced reports a single item, the scanned folder, without any vulnerability or license information.
I also tried to scan a single RPM package present in that folder, and also in this case the SBoM produced reports a single item, the scanned RPM, without any vulnerability or license information.

Using the --list-all-pkgs parameter had no effect.

What did you expect to happen?

trivy fs creates a valid SBoM for a folder that contains a set of RPM packages.

What happened instead?

trivy fs creates an "empty" SBoM that only mentions the scanned item without any vulnerability and license information.

Output of run with -debug:

2023-03-24T14:15:39.180Z        DEBUG   ["cyclonedx" "spdx" "spdx-json" "github"] automatically enables '--list-all-pkgs'.
2023-03-24T14:15:39.181Z        DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-03-24T14:15:39.187Z        DEBUG   cache dir:  /root/.cache/trivy
2023-03-24T14:15:39.187Z        DEBUG   Skipping DB update...
2023-03-24T14:15:39.187Z        DEBUG   DB Schema: 2, UpdatedAt: 2023-03-07 12:09:45.458086481 +0000 UTC, NextUpdate: 2023-03-07 18:09:45.458086281 +0000 UTC, DownloadedAt: 0001-01-01 00:00:00 +0000 UTC
2023-03-24T14:15:39.187Z        INFO    Vulnerability scanning is enabled
2023-03-24T14:15:39.187Z        DEBUG   Vulnerability type:  [os library]
2023-03-24T14:15:39.187Z        INFO    License scanning is enabled
2023-03-24T14:15:39.187Z        DEBUG   Walk the file tree rooted at '/media' in parallel
2023-03-24T14:15:39.190Z        DEBUG   OS is not detected.
2023-03-24T14:15:39.190Z        DEBUG   Detected OS: unknown
2023-03-24T14:15:39.190Z        INFO    Number of language-specific files: 0

Output of trivy -v:

Version: 0.38.3
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-03-07 12:09:45.458086481 +0000 UTC
  NextUpdate: 2023-03-07 18:09:45.458086281 +0000 UTC
  DownloadedAt: 0001-01-01 00:00:00 +0000 UTC

Additional details (base image name, container registry info...):

• I am running the containerized version of Trivy.
• I am using an air-gapped configuration where both DB and JAVADB are downloaded and mounted inside the container in the expected location ( /root/.cache/trivy)
• Command line I used:

podman run --rm \
  -v $TRIVY_CACHE:/root/.cache/trivy \
  -v $TARGET_FOLDER:/media \
  docker.io/aquasec/trivy:0.38.3 \
  fs /media \
  --offline-scan --skip-db-update --skip-java-db-update \
  --format cyclonedx --output /root/.cache/trivy/folder_scan.json \
  --scanners vuln,license \

• Output SBoM content (folder_scan.json)

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:3bb749f5-e895-4537-8e11-d51979ee3033",
  "version": 1,
  "metadata": {
    "timestamp": "2023-03-24T14:16:15+00:00",
    "tools": [
      {
        "vendor": "aquasecurity",
        "name": "trivy",
        "version": "0.38.3"
      }
    ],
    "component": {
      "bom-ref": "c339574a-b8b4-4a28-960b-4203e6a95e5e",
      "type": "application",
      "name": "/media",
      "properties": [
        {
          "name": "aquasecurity:trivy:SchemaVersion",
          "value": "2"
        }
      ]
    }
  },
  "components": [],
  "dependencies": [
    {
      "ref": "c339574a-b8b4-4a28-960b-4203e6a95e5e",
      "dependsOn": []
    }
  ],
  "vulnerabilities": []
}

• I tried to do the same with another tool (Anchore Syft), and it can scan the folder and generate a SBoM listing all the RPMs in the folder, including license information (probably extracted from the RPM metadata).

[knqyf263]

Need to use rootfs
https://aquasecurity.github.io/trivy/v0.38/docs/target/rootfs/

[gabrielericciardi]

Thanks for your swift reply.

I tried that one too, same result.
I opted for fs since rootfs looked more for unpacked containers, while my target folder contains just a bunch of loose RPMs, without any RPMDB in it.
In fact, the target folder is obtained by 7-zipping extract a RHEL-like distribution ISO.
Am I misinterpreting or missing something?

[DmitriyLewen]

Hello @gabrielericciardi
Thanks for your report!

Could you tell me which path you are using for scanning please.
Trivy uses these paths to find installed rpm packages.

---

I created some example: i download registry.access.redhat.com/ubi7, extract this image and scan it:

➜  ls -hl
total 208M
lrwxrwxrwx  1 dmitriy dmitriy    7 мар 20 15:59 bin -> usr/bin
dr-xr-xr-x  2 dmitriy dmitriy 4,0K дек 14  2017 boot
drwxr-xr-x  2 dmitriy dmitriy 4,0K мар 20 15:58 dev
drwxr-xr-x 50 dmitriy dmitriy 4,0K мар 20 16:01 etc
drwxr-xr-x  2 dmitriy dmitriy 4,0K мар 20 16:01 home
-rw-r--r--  1 dmitriy dmitriy 208M мар 20 16:09 layer.tar
lrwxrwxrwx  1 dmitriy dmitriy    7 мар 20 15:59 lib -> usr/lib
lrwxrwxrwx  1 dmitriy dmitriy    9 мар 20 15:59 lib64 -> usr/lib64
drwxr-xr-x  2 dmitriy dmitriy 4,0K дек 14  2017 media
drwxr-xr-x  2 dmitriy dmitriy 4,0K дек 14  2017 mnt
drwxr-xr-x  2 dmitriy dmitriy 4,0K мар 20 15:58 proc
dr-xr-x---  3 dmitriy dmitriy 4,0K мар 20 16:09 root
drwxr-xr-x 13 dmitriy dmitriy 4,0K мар 20 16:09 run
lrwxrwxrwx  1 dmitriy dmitriy    8 мар 20 15:59 sbin -> usr/sbin
drwxr-xr-x  2 dmitriy dmitriy 4,0K дек 14  2017 srv
drwxr-xr-x  2 dmitriy dmitriy 4,0K мар 20 15:58 sys
drwxrwxr-x  7 dmitriy dmitriy 4,0K мар 20 16:09 tmp
drwxr-xr-x 13 dmitriy dmitriy 4,0K мар 20 15:59 usr
drwxr-xr-x 18 dmitriy dmitriy 4,0K мар 20 15:59 var

➜  trivy -f spdx-json rootfs ./ | grep pkg:rpm 
2023-03-27T11:47:56.602+0600	INFO	"--format spdx" and "--format spdx-json" disable security scanning
					"referenceLocator": "pkg:rpm/redhat/libstdc%2B%2B@4.8.5-44.el7?arch=x86_64\u0026distro=redhat-7.9",
					"referenceLocator": "pkg:rpm/redhat/libpwquality@1.2.3-5.el7?arch=x86_64\u0026distro=redhat-7.9",
					"referenceLocator": "pkg:rpm/redhat/tzdata@2022g-1.el7?arch=noarch\u0026distro=redhat-7.9",
...

---

trivy fs creates a valid SBoM for a folder that contains a set of RPM packages.

If you try to scan RPM files - Trivy can't scan them We only find rpm packages installed on the system.

Regards, Dmitriy

[gabrielericciardi]

Hi @DmitriyLewen,

OK, as I suspected trivy needs some form of repodb to generate the SBoM, but such a repodb will exist only on an installed system: I had the impression that trivy rootfs was meant to handle such situations, while trivy fs was more for file/folder based scanning.
I guess that also for the scanning of a single file (trivy fs /path/to/your/file) a DB is needed then, so that the single file can be traced back to the package that ships it, right?
But then, if I may ask, what's the difference between trivy fs and trivy rootfs?
And, according to you, is there an actual way to achieve what I need (i.e. scan a folder with loose packages and obtain a SBoM out of it)?

Thanks for your support,

Gabriele

[DmitriyLewen]

Hello @gabrielericciardi

But then, if I may ask, what's the difference between trivy fs and trivy rootfs?

fs mode is needed for dependency files( lock files, go.mod, etc...).
rootfs mode is needed for program files(binaries, jar files, etc...).
You can read more about supported files for these modes here.

And, according to you, is there an actual way to achieve what I need (i.e. scan a folder with loose packages and obtain a SBoM out of it)?

If you need to scan *.rpm file(before install) => Trivy currectly can't parse these files.
If you need to scan installed packages from a saved image:
You need extract file system and scan with path to this folder. e.g.

trivy rootfs /path/to/extracted/system

But these is 1 point- one of DB file must exist.(e.g. /path/to/extracted/system/var/lib/rpm/Packages)