
report error: unable to write results: failed to write results: CycloneDX marshal error: "": invalid bomLink format error #2998

Closed
candrews opened this issue Oct 6, 2022 · 3 comments · Fixed by #3000
Assignees
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@candrews
Contributor

candrews commented Oct 6, 2022

Description

When generating a Bill of Vulnerabilities (BOV) from a valid CycloneDX SBOM, trivy fails with this error:

report error: unable to write results: failed to write results: CycloneDX marshal error: "": invalid bomLink format error

To reproduce this issue, download test.cdx.json.txt and then run:

trivy sbom test.cdx.json.txt --format cyclonedx --security-checks vuln -o bov.cdx.json

The issue appears to only happen if the input SBOM doesn't have a serialNumber. Note that serialNumber is an optional field in the specification: https://cyclonedx.org/docs/1.4/json/#serialNumber

What did you expect to happen?

The command should have generated a BOV.

What happened instead?

2022-10-06T21:14:24.754Z	FATAL	report error: unable to write results: failed to write results: CycloneDX marshal error: "": invalid bomLink format error

Output of run with -debug:

$ trivy sbom test.cdx.json.txt --format cyclonedx --security-checks vuln -o bov.cdx.json --debug
2022-10-06T21:15:05.694Z	DEBUG	["cyclonedx" "spdx" "spdx-json" "github"] automatically enables '--list-all-pkgs'.
2022-10-06T21:15:05.694Z	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2022-10-06T21:15:05.720Z	DEBUG	cache dir:  /root/.cache/trivy
2022-10-06T21:15:05.720Z	DEBUG	There is no valid metadata file: unable to open a file: open /root/.cache/trivy/db/metadata.json: no such file or directory
2022-10-06T21:15:05.720Z	INFO	Need to update DB
2022-10-06T21:15:05.720Z	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
2022-10-06T21:15:05.720Z	INFO	Downloading DB...
2022-10-06T21:15:05.720Z	DEBUG	no metadata file
34.33 MiB / 34.33 MiB [-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 11.37 MiB p/s 3.2s
2022-10-06T21:15:09.383Z	DEBUG	Updating database metadata...
2022-10-06T21:15:09.384Z	DEBUG	DB Schema: 2, UpdatedAt: 2022-10-06 18:08:41.68651506 +0000 UTC, NextUpdate: 2022-10-07 00:08:41.68651476 +0000 UTC, DownloadedAt: 2022-10-06 21:15:09.384419795 +0000 UTC
2022-10-06T21:15:09.384Z	INFO	Vulnerability scanning is enabled
2022-10-06T21:15:09.384Z	DEBUG	Vulnerability type:  [os library]
2022-10-06T21:15:09.384Z	INFO	Detected SBOM format: cyclonedx-json
2022-10-06T21:15:09.384Z	DEBUG	Unmarshaling CycloneDX JSON...
2022-10-06T21:15:09.398Z	DEBUG	OS is not detected.
2022-10-06T21:15:09.398Z	DEBUG	Detected OS: unknown
2022-10-06T21:15:09.398Z	INFO	Number of language-specific files: 1
2022-10-06T21:15:09.398Z	INFO	Detecting jar vulnerabilities...
2022-10-06T21:15:09.398Z	DEBUG	Detecting library vulnerabilities, type: jar, path: 
2022-10-06T21:15:09.413Z	INFO	Components will not be exported in the CycloneDX report as the input is CycloneDX
2022-10-06T21:15:09.416Z	FATAL	report error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.Run
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:396
  - unable to write results:
    github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).Report
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:261
  - failed to write results:
    github.com/aquasecurity/trivy/pkg/report.Write
        /home/runner/work/trivy/trivy/pkg/report/writer.go:101
  - CycloneDX marshal error:
    github.com/aquasecurity/trivy/pkg/report/cyclonedx.Writer.Write
        /home/runner/work/trivy/trivy/pkg/report/cyclonedx/cyclonedx.go:45
  - "":
    github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.externalRef
        /home/runner/work/trivy/trivy/pkg/sbom/cyclonedx/marshal.go:179
  - invalid bomLink format error:
    github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.init
        /home/runner/work/trivy/trivy/pkg/sbom/cyclonedx/marshal.go:55
[1]

Output of trivy -v:

Version: 0.31.3

Additional details (base image name, container registry info...):

@candrews candrews added the kind/bug Categorizes issue or PR as related to a bug. label Oct 6, 2022
@DmitriyLewen
Contributor

Hello @candrews
Thanks for your report!

We are working on your issue.
When the work is done, we will write to you.

Regards, Dmitriy

@DmitriyLewen DmitriyLewen self-assigned this Oct 7, 2022
@knqyf263
Collaborator

knqyf263 commented Oct 11, 2022

The serial number is essential for linking our BOM to the original SBOM. I've asked in the CycloneDX Slack what to do when the serial number is empty.
https://cyclonedx.slack.com/archives/CVA0G10FN/p1665478641746189

Please let us know if someone knows of that.
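As an added illustration (not code from this issue, from trivy, or from the CycloneDX project): the serialNumber discussed in the report and in the comment above is what a CycloneDX BOM-Link (`urn:cdx:<uuid>/<version>#<bom-ref>`) is built from, so a BOV cannot reference an input SBOM that has none. The script below checks an input SBOM for a valid serialNumber up front, reports the gap before the scan instead of at write time, builds the BOM-Link when one is present, and can stamp a generated serialNumber into an output copy. The serialNumber regex and the BOM-Link layout are taken from the CycloneDX 1.4 specification as I know it; the sample SBOM documents and the `ensure_serial.py` file name are constructed for the example.

```python
"""Pre-flight check for CycloneDX SBOMs lacking a serialNumber (added example, not trivy code)."""
import json
import re
import sys
import uuid
from typing import Any, Dict, Optional

# serialNumber must be a UUID URN (assumption: pattern as in the CycloneDX 1.4 JSON schema).
SERIAL_RE = re.compile(
    r"^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)


def has_valid_serial(bom: Dict[str, Any]) -> bool:
    """True when the BOM carries a serialNumber in the form the spec requires."""
    serial = bom.get("serialNumber")
    return isinstance(serial, str) and SERIAL_RE.match(serial) is not None


def bom_link(bom: Dict[str, Any], bom_ref: Optional[str] = None) -> str:
    """Build a BOM-Link, urn:cdx:<uuid>/<version>[#<bom-ref>], for this BOM.

    This is the reference a BOV uses to point back at the SBOM it was derived
    from, which is why an absent serialNumber cannot be worked around silently.
    """
    if not has_valid_serial(bom):
        raise ValueError("serialNumber is required to build a BOM-Link")
    uuid_part = bom["serialNumber"][len("urn:uuid:"):]
    link = f"urn:cdx:{uuid_part}/{bom.get('version', 1)}"
    return f"{link}#{bom_ref}" if bom_ref else link


def ensure_serial(bom: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of the BOM with a serialNumber (and version) filled in if missing.

    Only do this on a copy you control: changing an SBOM's identity after it was
    signed or distributed breaks the link between producer and consumer.
    """
    patched = dict(bom)
    if not has_valid_serial(patched):
        patched["serialNumber"] = f"urn:uuid:{uuid.uuid4()}"  # uuid4() renders lowercase hex
    patched.setdefault("version", 1)
    return patched


# Constructed sample: a minimal CycloneDX 1.4 document with no serialNumber,
# mirroring the shape of the input that triggers the marshal error.
SAMPLE_NO_SERIAL: Dict[str, Any] = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [
        {"type": "library", "name": "example-lib", "version": "1.0.0",
         "bom-ref": "pkg:maven/org.example/example-lib@1.0.0"}
    ],
}

# Constructed sample with a fixed serialNumber so the BOM-Link is deterministic.
SAMPLE_WITH_SERIAL: Dict[str, Any] = dict(
    SAMPLE_NO_SERIAL, serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
)


def main(argv):
    if len(argv) != 3:
        print("usage: ensure_serial.py <in.cdx.json> <out.cdx.json>", file=sys.stderr)
        return 2
    with open(argv[1]) as f:
        bom = json.load(f)
    if has_valid_serial(bom):
        print(f"serialNumber present: {bom_link(bom)}")
    else:
        print("serialNumber missing; generating one for the output copy", file=sys.stderr)
    with open(argv[2], "w") as f:
        json.dump(ensure_serial(bom), f, indent=2)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running it as `python ensure_serial.py test.cdx.json.txt fixed.cdx.json` and then scanning `fixed.cdx.json` gives trivy a serialNumber to build its BOM-Link from; the generated value only identifies the patched copy, so record where it came from if the original SBOM is one you received rather than produced.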

@candrews
Contributor Author

Maybe the solution to this issue is to provide a better error message, explaining that in this case the serial number is required?
