Description

When generating a Bill of Vulnerabilities (BOV) from a valid CycloneDX SBOM, trivy fails with this error:

```
report error: unable to write results: failed to write results: CycloneDX marshal error: "": invalid bomLink format error
```

To reproduce this issue, download test.cdx.json.txt and then run:

```
trivy sbom test.cdx.json.txt --format cyclonedx --security-checks vuln -o bov.cdx.json
```

The issue appears to only happen if the input SBOM doesn't have a `serialNumber`. Note that `serialNumber` is an optional field in the specification: https://cyclonedx.org/docs/1.4/json/#serialNumber

What did you expect to happen?

The command should have generated a BOV.

What happened instead?

```
2022-10-06T21:14:24.754Z FATAL report error: unable to write results: failed to write results: CycloneDX marshal error: "": invalid bomLink format error
```

Output of run with `--debug`:

```
$ trivy sbom test.cdx.json.txt --format cyclonedx --security-checks vuln -o bov.cdx.json --debug
2022-10-06T21:15:05.694Z DEBUG ["cyclonedx" "spdx" "spdx-json" "github"] automatically enables '--list-all-pkgs'.
2022-10-06T21:15:05.694Z DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2022-10-06T21:15:05.720Z DEBUG cache dir: /root/.cache/trivy
2022-10-06T21:15:05.720Z DEBUG There is no valid metadata file: unable to open a file: open /root/.cache/trivy/db/metadata.json: no such file or directory
2022-10-06T21:15:05.720Z INFO Need to update DB
2022-10-06T21:15:05.720Z INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2022-10-06T21:15:05.720Z INFO Downloading DB...
2022-10-06T21:15:05.720Z DEBUG no metadata file
34.33 MiB / 34.33 MiB [----------------------------------------] 100.00% 11.37 MiB p/s 3.2s
2022-10-06T21:15:09.383Z DEBUG Updating database metadata...
2022-10-06T21:15:09.384Z DEBUG DB Schema: 2, UpdatedAt: 2022-10-06 18:08:41.68651506 +0000 UTC, NextUpdate: 2022-10-07 00:08:41.68651476 +0000 UTC, DownloadedAt: 2022-10-06 21:15:09.384419795 +0000 UTC
2022-10-06T21:15:09.384Z INFO Vulnerability scanning is enabled
2022-10-06T21:15:09.384Z DEBUG Vulnerability type: [os library]
2022-10-06T21:15:09.384Z INFO Detected SBOM format: cyclonedx-json
2022-10-06T21:15:09.384Z DEBUG Unmarshaling CycloneDX JSON...
2022-10-06T21:15:09.398Z DEBUG OS is not detected.
2022-10-06T21:15:09.398Z DEBUG Detected OS: unknown
2022-10-06T21:15:09.398Z INFO Number of language-specific files: 1
2022-10-06T21:15:09.398Z INFO Detecting jar vulnerabilities...
2022-10-06T21:15:09.398Z DEBUG Detecting library vulnerabilities, type: jar, path:
2022-10-06T21:15:09.413Z INFO Components will not be exported in the CycloneDX report as the input is CycloneDX
2022-10-06T21:15:09.416Z FATAL report error: github.com/aquasecurity/trivy/pkg/commands/artifact.Run
    /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:396
  - unable to write results: github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).Report
    /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:261
  - failed to write results: github.com/aquasecurity/trivy/pkg/report.Write
    /home/runner/work/trivy/trivy/pkg/report/writer.go:101
  - CycloneDX marshal error: github.com/aquasecurity/trivy/pkg/report/cyclonedx.Writer.Write
    /home/runner/work/trivy/trivy/pkg/report/cyclonedx/cyclonedx.go:45
  - "": github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.externalRef
    /home/runner/work/trivy/trivy/pkg/sbom/cyclonedx/marshal.go:179
  - invalid bomLink format error: github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.init
    /home/runner/work/trivy/trivy/pkg/sbom/cyclonedx/marshal.go:55
[1]
```

Output of `trivy -v`:

```
Version: 0.31.3
```
Hello @candrews Thanks for your report!
We are working on your issue. When the work is done, we will write to you.
Regards, Dmitriy
The serial number is essential for linking our BOM to the original SBOM. I've asked in the CycloneDX Slack what to do when the serial number is empty. https://cyclonedx.slack.com/archives/CVA0G10FN/p1665478641746189
Please let us know if anyone knows about this.
Maybe the solution to this issue is to provide a better error message, explaining that in this case the serial number is required?
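The stack trace in the report points at externalRef in trivy's CycloneDX marshaller, which builds a BOM-Link back to the input SBOM from its serial number; with no serialNumber there is nothing to link to. Until trivy handles that case, a workaround is to give the SBOM a serialNumber before scanning it. The Go program below is an added example written for this page, not trivy's code or anything from the CycloneDX project: it adds a `urn:uuid:` serial number when one is missing, rejects a malformed one, passes every other field through unchanged, and shows the `urn:cdx:<uuid>/<version>` BOM-Link form that CycloneDX 1.4 defines for referencing a BOM. The embedded sample document is constructed for illustration and is not the test.cdx.json.txt from the report.

```go
package main

import (
	"crypto/rand"
	"encoding/json"
	"fmt"
	"os"
	"regexp"
	"strings"
)

// CycloneDX 1.4 requires serialNumber, when present, to be "urn:uuid:" followed
// by an RFC 4122 UUID. A BOM-Link then refers to the document as
// "urn:cdx:<uuid>/<version>" (the urn:uuid: prefix is dropped).
const uuidPattern = `[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}`

var serialNumberRe = regexp.MustCompile(`^urn:uuid:` + uuidPattern + `$`)

// sampleSBOM is a constructed, minimal CycloneDX 1.4 document with no
// serialNumber, mirroring the shape of input that triggers the error above.
const sampleSBOM = `{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "components": [
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}
  ]
}`

// NewUUIDv4 returns a random RFC 4122 version-4 UUID built from crypto/rand,
// so no third-party UUID package is needed.
func NewUUIDv4() (string, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	b[6] = (b[6] & 0x0f) | 0x40 // version 4
	b[8] = (b[8] & 0x3f) | 0x80 // RFC 4122 variant
	return fmt.Sprintf("%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:16]), nil
}

// EnsureSerialNumber parses a CycloneDX JSON document, adds a serialNumber if
// it is missing or empty, and rejects one that is present but malformed.
// Other fields are kept as raw JSON and written back untouched. It returns the
// (possibly rewritten) document, the serialNumber in effect, and whether one
// was added.
func EnsureSerialNumber(in []byte) ([]byte, string, bool, error) {
	var doc map[string]json.RawMessage
	if err := json.Unmarshal(in, &doc); err != nil {
		return nil, "", false, fmt.Errorf("not a JSON object: %w", err)
	}
	if format := strings.Trim(string(doc["bomFormat"]), `"`); format != "CycloneDX" {
		return nil, "", false, fmt.Errorf("bomFormat %q is not CycloneDX", format)
	}
	serial := ""
	if raw, ok := doc["serialNumber"]; ok {
		if err := json.Unmarshal(raw, &serial); err != nil {
			return nil, "", false, fmt.Errorf("serialNumber is not a string: %w", err)
		}
	}
	if serial != "" {
		if !serialNumberRe.MatchString(serial) {
			return nil, "", false, fmt.Errorf("serialNumber %q is not urn:uuid:<UUID>", serial)
		}
		return in, serial, false, nil // already usable, leave the bytes alone
	}
	id, err := NewUUIDv4()
	if err != nil {
		return nil, "", false, err
	}
	serial = "urn:uuid:" + id
	quoted, _ := json.Marshal(serial)
	doc["serialNumber"] = json.RawMessage(quoted)
	out, err := json.MarshalIndent(doc, "", "  ")
	if err != nil {
		return nil, "", false, err
	}
	return out, serial, true, nil
}

// BOMVersion returns the document's version, defaulting to 1 as the spec does.
func BOMVersion(in []byte) int {
	var doc struct {
		Version *int `json:"version"`
	}
	if err := json.Unmarshal(in, &doc); err != nil || doc.Version == nil {
		return 1
	}
	return *doc.Version
}

// BOMLink builds the BOM-Link a downstream report (such as a BOV) would use to
// reference this SBOM, urn:cdx:<uuid>/<version>, and fails on an unusable
// serial number instead of emitting a malformed link.
func BOMLink(serialNumber string, version int) (string, error) {
	if !serialNumberRe.MatchString(serialNumber) {
		return "", fmt.Errorf("cannot build BOM-Link from serialNumber %q", serialNumber)
	}
	return fmt.Sprintf("urn:cdx:%s/%d", strings.TrimPrefix(serialNumber, "urn:uuid:"), version), nil
}

// Usage: go run . input.cdx.json > fixed.cdx.json (no argument: uses sampleSBOM)
func main() {
	in := []byte(sampleSBOM)
	if len(os.Args) > 1 {
		data, err := os.ReadFile(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		in = data
	}
	out, serial, added, err := EnsureSerialNumber(in)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	link, _ := BOMLink(serial, BOMVersion(in))
	fmt.Fprintf(os.Stderr, "serialNumber=%s added=%v bomLink=%s\n", serial, added, link)
	os.Stdout.Write(out)
}
```

Because the document is decoded into a map of raw JSON values, the rewritten file has its top-level keys sorted but every value byte-for-byte intact, and a document that already carries a valid serialNumber is returned unchanged; only a serialNumber that is present but does not match the spec's `urn:uuid:` form is treated as an error rather than silently replaced.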