
SBOM unmarshalling does not deal with valid cyclonedx json #2654

Closed
AntiTiming opened this issue Aug 2, 2022 · 0 comments · Fixed by #2673
Labels: kind/bug Categorizes issue or PR as related to a bug. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. scan/sbom Issues relating to SBOM


Description

When trying to scan an existing SBOM with trivy, the unmarshalling fails for an SBOM created with the Python tool cyclonedx-bom (version 3.5.0), which does not add the metadata->component part.

As far as I understand the cyclonedx json schema (https://cyclonedx.org/schema/bom-1.4.schema.json), the metadata property "component" is optional. Validating example SBOMs against the official schema does succeed with and without the metadata->component part.

This can be easily reproduced by creating an SBOM with trivy itself, removing the metadata->component part and scanning the SBOM with trivy.

What did you expect to happen?

The scanning should work like for an unmodified SBOM created with trivy itself. Trivy should deal with any proper cyclonedx json.

What happened instead?

An error/stacktrace is shown (see next section), parsing fails and with this, the scan is aborted.

Output of run with --debug:

$ trivy sbom cyclonedx.json --debug
2022-08-02T13:41:33.744+0200	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2022-08-02T13:41:33.748+0200	DEBUG	cache dir:  /home/tilo.eissler/.cache/trivy
2022-08-02T13:41:33.748+0200	DEBUG	DB update was skipped because the local DB is the latest
2022-08-02T13:41:33.748+0200	DEBUG	DB Schema: 2, UpdatedAt: 2022-08-02 06:07:49.729911451 +0000 UTC, NextUpdate: 2022-08-02 12:07:49.72991095 +0000 UTC, DownloadedAt: 2022-08-02 09:46:21.048738361 +0000 UTC
2022-08-02T13:41:33.748+0200	INFO	Vulnerability scanning is enabled
2022-08-02T13:41:33.748+0200	DEBUG	Vulnerability type:  [os library]
2022-08-02T13:41:33.748+0200	INFO	Detected SBOM format: cyclonedx-json
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x100a740]

goroutine 1 [running]:
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.componentMap(...)
	/home/runner/work/trivy/trivy/pkg/sbom/cyclonedx/unmarshal.go:203
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*Unmarshaler).Unmarshal(0xc000e99b00, {0x41b9360?, 0xc000e9a810})
	/home/runner/work/trivy/trivy/pkg/sbom/cyclonedx/unmarshal.go:39 +0x320
github.com/aquasecurity/trivy/pkg/fanal/artifact/sbom.Artifact.Inspect({{0x7ffcbd8dbc81, 0xe}, {0x7feca5c94238, 0xc002f82af0}, {{0x0, 0x0, 0x0}, {0x0, 0x0, 0x0}}, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/fanal/artifact/sbom/sbom.go:70 +0x3d7
github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact({{_, _}, {_, _}}, {_, _}, {{0xc004048780, 0x2, 0x2}, {0xc002f82a20, ...}, ...})
	/home/runner/work/trivy/trivy/pkg/scanner/scan.go:125 +0xeb
github.com/aquasecurity/trivy/pkg/commands/artifact.scan({_, _}, {{{0x3733841, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x45d964b800, {0xc003644060, ...}, ...}, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:529 +0x3de
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact(_, {_, _}, {{{0x3733841, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x45d964b800, ...}, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:225 +0xd0
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).ScanSBOM(_, {_, _}, {{{0x3733841, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x45d964b800, ...}, ...})
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:221 +0xcd
github.com/aquasecurity/trivy/pkg/commands/artifact.Run({_, _}, {{{0x3733841, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x45d964b800, {0xc003644060, ...}, ...}, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:382 +0x538
github.com/aquasecurity/trivy/pkg/commands.NewSBOMCommand.func2(0xc004264780, {0xc004045680, 0x1, 0x2})
	/home/runner/work/trivy/trivy/pkg/commands/app.go:835 +0x26e
github.com/spf13/cobra.(*Command).execute(0xc004264780, {0xc004045640, 0x2, 0x2})
	/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.5.0/command.go:872 +0x694
github.com/spf13/cobra.(*Command).ExecuteC(0xc0041cc280)
	/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.5.0/command.go:990 +0x3b4
github.com/spf13/cobra.(*Command).Execute(...)
	/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.5.0/command.go:918
main.run()
	/home/runner/work/trivy/trivy/cmd/trivy/main.go:37 +0x17c
main.main()
	/home/runner/work/trivy/trivy/cmd/trivy/main.go:19 +0x19

Output of trivy -v:

$ trivy sbom cyclonedx.json -v
2022-08-02T13:42:47.702+0200	INFO	Vulnerability scanning is enabled
2022-08-02T13:42:47.702+0200	INFO	Detected SBOM format: cyclonedx-json
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x100a740]

goroutine 1 [running]:
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.componentMap(...)
	/home/runner/work/trivy/trivy/pkg/sbom/cyclonedx/unmarshal.go:203
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*Unmarshaler).Unmarshal(0xc000d1f1b8, {0x41b9360?, 0xc000957418})
	/home/runner/work/trivy/trivy/pkg/sbom/cyclonedx/unmarshal.go:39 +0x320
github.com/aquasecurity/trivy/pkg/fanal/artifact/sbom.Artifact.Inspect({{0x7ffea7242c86, 0xe}, {0x7f8942aa92f0, 0xc0027f4360}, {{0x0, 0x0, 0x0}, {0x0, 0x0, 0x0}}, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/fanal/artifact/sbom/sbom.go:70 +0x3d7
github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact({{_, _}, {_, _}}, {_, _}, {{0xc0040b46a0, 0x2, 0x2}, {0xc0027f42a0, ...}, ...})
	/home/runner/work/trivy/trivy/pkg/scanner/scan.go:125 +0xeb
github.com/aquasecurity/trivy/pkg/commands/artifact.scan({_, _}, {{{0x3733841, 0xa}, 0x1, 0x0, 0x0, 0x0, 0x45d964b800, {0xc0036ae040, ...}, ...}, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:529 +0x3de
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact(_, {_, _}, {{{0x3733841, 0xa}, 0x1, 0x0, 0x0, 0x0, 0x45d964b800, ...}, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:225 +0xd0
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).ScanSBOM(_, {_, _}, {{{0x3733841, 0xa}, 0x1, 0x0, 0x0, 0x0, 0x45d964b800, ...}, ...})
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:221 +0xcd
github.com/aquasecurity/trivy/pkg/commands/artifact.Run({_, _}, {{{0x3733841, 0xa}, 0x1, 0x0, 0x0, 0x0, 0x45d964b800, {0xc0036ae040, ...}, ...}, ...}, ...)
	/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:382 +0x538
github.com/aquasecurity/trivy/pkg/commands.NewSBOMCommand.func2(0xc004132500, {0xc00401e340, 0x1, 0x2})
	/home/runner/work/trivy/trivy/pkg/commands/app.go:835 +0x26e
github.com/spf13/cobra.(*Command).execute(0xc004132500, {0xc00401e300, 0x2, 0x2})
	/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.5.0/command.go:872 +0x694
github.com/spf13/cobra.(*Command).ExecuteC(0xc003b6e000)
	/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.5.0/command.go:990 +0x3b4
github.com/spf13/cobra.(*Command).Execute(...)
	/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.5.0/command.go:918
main.run()
	/home/runner/work/trivy/trivy/cmd/trivy/main.go:37 +0x17c
main.main()
	/home/runner/work/trivy/trivy/cmd/trivy/main.go:19 +0x19

Additional details (base image name, container registry info...):

As far as I understand the source code, making the failing assignment optional should be sufficient. Adding another check for metadata.Component being nil might fix the issue. Maybe further changes are required in case the value is used somewhere. But I'm not familiar with Go, so I may be wrong.

pkg/sbom/cyclonedx/unmarshal.go line 203

...
	if metadata != nil {
		cmap[metadata.Component.BOMRef] = *metadata.Component
	}
...
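The crash described above, reproduced in a self-contained Go example that is added here and is not trivy's own code: the `Component`, `Metadata` and `BOM` types are a hypothetical minimal subset of the CycloneDX 1.4 JSON model, the two sample documents are constructed, and `componentMapUnsafe` / `componentMapSafe` stand in for the quoted `componentMap` before and after the nil check on the optional `metadata.component` that the report proposes.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Hypothetical minimal subset of the CycloneDX 1.4 JSON model (not trivy's or
// cyclonedx-go's own types), enough to reproduce the missing-component case.
type Component struct {
	BOMRef  string `json:"bom-ref"`
	Name    string `json:"name"`
	Version string `json:"version"`
}

type Metadata struct {
	Timestamp string     `json:"timestamp"`
	Component *Component `json:"component,omitempty"` // optional per the schema
}

type BOM struct {
	BOMFormat   string      `json:"bomFormat"`
	SpecVersion string      `json:"specVersion"`
	Metadata    *Metadata   `json:"metadata,omitempty"`
	Components  []Component `json:"components"`
}

// Constructed sample: a schema-valid BOM whose metadata has a timestamp but no
// component, which is the shape the report attributes to cyclonedx-bom.
const sampleBOMNoComponent = `{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"timestamp": "2022-08-02T11:41:33Z"},
  "components": [
    {"bom-ref": "pkg:pypi/requests@2.28.1", "name": "requests", "version": "2.28.1"},
    {"bom-ref": "pkg:pypi/urllib3@1.26.11", "name": "urllib3", "version": "1.26.11"}
  ]
}`

// Constructed sample: the same BOM with a root component present.
const sampleBOMWithComponent = `{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {
    "timestamp": "2022-08-02T11:41:33Z",
    "component": {"bom-ref": "pkg:pypi/myapp@1.0.0", "name": "myapp", "version": "1.0.0"}
  },
  "components": [
    {"bom-ref": "pkg:pypi/requests@2.28.1", "name": "requests", "version": "2.28.1"},
    {"bom-ref": "pkg:pypi/urllib3@1.26.11", "name": "urllib3", "version": "1.26.11"}
  ]
}`

// componentMapUnsafe mirrors the quoted failing code: it guards metadata
// against nil but dereferences metadata.Component unconditionally.
func componentMapUnsafe(metadata *Metadata, components []Component) map[string]Component {
	cmap := make(map[string]Component, len(components)+1)
	for _, c := range components {
		cmap[c.BOMRef] = c
	}
	if metadata != nil {
		cmap[metadata.Component.BOMRef] = *metadata.Component // nil deref when component is absent
	}
	return cmap
}

// componentMapSafe adds the nil check for the optional root component.
func componentMapSafe(metadata *Metadata, components []Component) map[string]Component {
	cmap := make(map[string]Component, len(components)+1)
	for _, c := range components {
		cmap[c.BOMRef] = c
	}
	if metadata != nil && metadata.Component != nil {
		cmap[metadata.Component.BOMRef] = *metadata.Component
	}
	return cmap
}

// parseBOM decodes CycloneDX JSON into the model above.
func parseBOM(data []byte) (*BOM, error) {
	var bom BOM
	if err := json.Unmarshal(data, &bom); err != nil {
		return nil, err
	}
	return &bom, nil
}

// panics reports whether fn panics, so the crash can be shown without
// terminating the process the way the reported SIGSEGV does.
func panics(fn func()) (didPanic bool) {
	defer func() {
		if r := recover(); r != nil {
			didPanic = true
		}
	}()
	fn()
	return false
}

func main() {
	bom, err := parseBOM([]byte(sampleBOMNoComponent))
	if err != nil {
		panic(err)
	}
	fmt.Println("unsafe componentMap panics:", panics(func() { componentMapUnsafe(bom.Metadata, bom.Components) }))
	fmt.Println("safe componentMap entries:", len(componentMapSafe(bom.Metadata, bom.Components)))
}
```

With the root component absent, the unsafe variant panics exactly as the stack trace shows, while the safe variant returns the two listed components; with the root component present, both variants return three entries, so the extra check changes nothing for SBOMs that trivy already handled.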

@AntiTiming AntiTiming added the kind/bug Categorizes issue or PR as related to a bug. label Aug 2, 2022
@knqyf263 knqyf263 added scan/sbom Issues relating to SBOM priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. labels Aug 4, 2022
@knqyf263 knqyf263 added this to the v0.31.0 milestone Aug 4, 2022