trivy cannot scan using sbom generated by apko

[tuananh]

Description

i'm using --sbom-sources flag to scan sbom generated by apko however, trivy cannot detect what OS is that and therefore cannot detect any CVE.

Grype, however, can detect it.

We can either fix it in apko (generating an additional OS package) or we can fix it in trivy. Wdyt?

Desired Behavior

trivy should be able to detect the OS and show the known CVE.

Actual Behavior

trivy failed to detect OS and CVE.

Reproduction Steps

trivy sbom <myimage> --sbom-sources oci

Target

None

Scanner

None

Output Format

None

Mode

None

Debug Output

2024-02-21T06:39:41.781Z        INFO    Vulnerability scanning is enabled
2024-02-21T06:39:41.782Z        INFO    Detected SBOM format: spdx-json
2024-02-21T06:39:41.787Z        INFO    Detected OS: none
2024-02-21T06:39:41.787Z        WARN    unsupported os : none
2024-02-21T06:39:41.787Z        INFO    Number of language-specific files: 0

### Operating System

Ubuntu 22

### Version

```bash
Version: 0.49.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-02-21 06:10:07.237036536 +0000 UTC
  NextUpdate: 2024-02-21 12:10:07.237036135 +0000 UTC
  DownloadedAt: 2024-02-21 06:39:08.453534116 +0000 UTC

Checklist

• Run trivy image --reset
• Read the troubleshooting

[tuananh]

related: chainguard-dev/apko#1046

[DmitriyLewen]

Hello @tuananh
Thanks for your report!

Can you send me an example of your SBOM file for investigation?

Regards, Dmitriy

[tuananh]

here's the sbom generated by apko

apko.json

this is the sbom of cgr.dev/chainguard/python image

commands used to get this sbom

crane blob cgr.dev/chainguard/python@sha256:852191e9690f99741349dc464b76e3ee32bae47d6d0997f1c9e2309ba915ace0 | jq -r .payload | base64 -d | jq > apko.json

[DmitriyLewen]

Thanks!

I checked your SPDX file.
I don't see package to detect OS name and version for selecting advisory database.

We use OperatingSystem to mark OS info:

{
      "name": "alpine",
      "SPDXID": "SPDXRef-ContainerImage-502eca2e0ccad5b0",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:oci/alpine@sha256%3A82d1e9d7ed48a7523bdebc18cf6290bdb97b82302a8a9c27d4fe885949ea94d1?arch=arm64\u0026repository_url=index.docker.io%2Flibrary%2Falpine"
        }
      ],
      "attributionTexts": [
        "SchemaVersion: 2",
        "ImageID: sha256:5053b247d78b5e43b5543fec77c856ce70b8dc705d9f38336fa77736f25ff47c",
        "RepoDigest: alpine@sha256:82d1e9d7ed48a7523bdebc18cf6290bdb97b82302a8a9c27d4fe885949ea94d1",
        "DiffID: sha256:61f2871f545a9b23a9340f96b331fb660b43008a9e84a03ad8564271bce5743b",
        "RepoTag: alpine:latest"
      ],
      "primaryPackagePurpose": "CONTAINER"
    },
    {
      "name": "alpine",
      "SPDXID": "SPDXRef-OperatingSystem-4c1e0ad415ba45b5",
      "versionInfo": "3.18.2",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "primaryPackagePurpose": "OPERATING-SYSTEM"
    },

[tuananh]

yeah, i came to the same conclusion. however, i'm not sure what's the best place to fix this? should I send a PR over to apko? or should I fix here?

Because grype seems to work but I'm not sure how grype detect the OS.

Is this "primaryPackagePurpose": "OPERATING-SYSTEM" the recommended way by the spdx spec?

[DmitriyLewen]

Because grype seems to work but I'm not sure how grype detect the OS.

I haven't looked, but perhaps they use language advisories (e.g. from the GitHub database) for the packages they find.
But for this we use a database of OS vendors.

should I send a PR over to apko? or should I fix here?

I think you need to do that in apko.
This SPDX file doesn't contain info to detect OS. So you can't fix this in Trivy.

Is this "primaryPackagePurpose": "OPERATING-SYSTEM" the recommended way by the spdx spec?

yes - https://spdx.github.io/spdx-spec/v2.3/package-information/#724-primary-package-target-field. But this is not a required field.
We use package type (ContainerImage, OperatingSystem, Application, etc.) in the SPDX-ID ("SPDXID": "SPDXRef-OperatingSystem-4c1e0ad415ba45b5",).

[tuananh]

Thanks @DmitriyLewen. lemme discuss over apko repo and send PR over there.