"Multiple types of OS packages in SBOM are not supported (["rpm" "deb"])"

[erinmcgill]

Description

We are using cyclonedx cdxgen to generate our SBOMs - this is including our code package and any Dockerfiles included there - and using trivy to scan for vulnerabilities using the command:
trivy sbom -f json --output software-dependency-findings.json bom.json

Trivy is failing with the error:
2024-04-12T16:39:06.688Z FATAL sbom scan error: scan error: scan failed: failed analysis: SBOM decode error: failed to decode: failed to parse sbom: failed to aggregate packages: multiple types of OS packages in SBOM are not supported (["rpm" "deb"])

Our package includes a Dockerfile that uses "postgres:14.1-alpine" who's layers contain a lot of bom-ref references to "bom-ref": "pkg:rpm and another container who's bom-ref references "purl": "pkg:deb.

Our tool supports many different teams and code bases so it needs to be flexible.

Are there any suggestions on how to go about supporting this package and others like it with trivy? I'm just looking for some guidance on how to navigate this issue.

Desired Behavior

Trivy will work as expected without error

Actual Behavior

Trivy is failing with the error:
2024-04-12T16:39:06.688Z FATAL sbom scan error: scan error: scan failed: failed analysis: SBOM decode error: failed to decode: failed to parse sbom: failed to aggregate packages: multiple types of OS packages in SBOM are not supported (["rpm" "deb"])

Reproduction Steps

1. Run cdxgen to generate an SBOM on a package that includes multiple different container images
2. Run `trivy sbom -f json --output software-dependency-findings.json bom.json` on the generated SBOM file

Target

SBOM

Scanner

Vulnerability

Output Format

JSON

Mode

Standalone

Debug Output

2024-04-12T17:41:18.539-0400	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-04-12T17:41:18.539-0400	DEBUG	Ignore statuses	{"statuses": null}
2024-04-12T17:41:18.546-0400	DEBUG	cache dir:  /Users/erinmc/Library/Caches/trivy
2024-04-12T17:41:18.546-0400	DEBUG	DB update was skipped because the local DB is the latest
2024-04-12T17:41:18.546-0400	DEBUG	DB Schema: 2, UpdatedAt: 2024-04-12 18:10:50.275607572 +0000 UTC, NextUpdate: 2024-04-13 00:10:50.275607411 +0000 UTC, DownloadedAt: 2024-04-12 21:19:19.260021 +0000 UTC
2024-04-12T17:41:18.547-0400	INFO	Vulnerability scanning is enabled
2024-04-12T17:41:18.547-0400	DEBUG	Vulnerability type:  [os library]
2024-04-12T17:41:18.547-0400	DEBUG	Enabling misconfiguration scanners: []
2024-04-12T17:41:18.574-0400	INFO	Detected SBOM format: cyclonedx-json
2024-04-12T17:41:18.598-0400	DEBUG	Unmarshaling CycloneDX JSON...
2024-04-12T17:41:18.640-0400	WARN	Third-party SBOM may lead to inaccurate vulnerability detection
2024-04-12T17:41:18.640-0400	WARN	Recommend using Trivy to generate SBOMs
2024-04-12T17:41:18.649-0400	FATAL	sbom scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.Run
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:441
  - scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:269
  - scan failed:
    github.com/aquasecurity/trivy/pkg/commands/artifact.scan
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:706
  - failed analysis:
    github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact
        /home/runner/work/trivy/trivy/pkg/scanner/scan.go:148
  - SBOM decode error:
    github.com/aquasecurity/trivy/pkg/fanal/artifact/sbom.Artifact.Inspect
        /home/runner/work/trivy/trivy/pkg/fanal/artifact/sbom/sbom.go:55
  - failed to decode:
    github.com/aquasecurity/trivy/pkg/sbom.Decode
        /home/runner/work/trivy/trivy/pkg/sbom/sbom.go:225
  - failed to parse sbom:
    github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*BOM).UnmarshalJSON
        /home/runner/work/trivy/trivy/pkg/sbom/cyclonedx/unmarshal.go:60
  - failed to aggregate packages:
    github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*BOM).parseSBOM
        /home/runner/work/trivy/trivy/pkg/sbom/cyclonedx/unmarshal.go:147
  - multiple types of OS packages in SBOM are not supported (["rpm" "deb"]):
    github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.aggregatePkgs
        /home/runner/work/trivy/trivy/pkg/sbom/cyclonedx/unmarshal.go:303

Operating System

Codebuild Ubuntu standard:7.0

Version

v0.49.0

Checklist

• Run trivy image --reset
• Read the troubleshooting

[erinmcgill]

I saw a similar discussion, however my issue is different.
My sbom contains no operating system types. When I search my sbom, there are no entries with "type": "operating-system",.

The only packages that match any deb or apk are libraries. For example:

 {
      "bom-ref": "pkg:deb/debian/adduser@3.118?arch=all&distro=debian-11&distro_name=bullseye",
      "type": "library",
      "supplier": {
        "name": "Debian Adduser Developers <adduser@packages.debian.org>"
      },
      "name": "adduser",
      "version": "3.118",
      "hashes": [
        {
          "alg": "SHA-256",
          "content": "bd71dd1ab8dcd6005390708f23741d07f1913877affb7604dfd55f85d009aa2b"
        }
      ],
      "purl": "pkg:deb/debian/adduser@3.118?arch=all&distro=debian-11&distro_name=bullseye",
      "group": "debian",
      "properties": [
        {
          "name": "SrcFile",
          "value": "/codebuild/output/src503648286/src/source/modules/acdp/backstage/packages/backend/Dockerfile"
        },
        {
          "name": "oci:SrcImage",
          "value": "public.ecr.aws/docker/library/node:18.17.1-bullseye-slim"
        }
      ]
    },

   {
      "bom-ref": "pkg:apk/alpine/.postgresql-rundeps@20211130.050811?arch=noarch&distro=alpine-3.15.0&distro_name=alpine-3.15",
      "type": "library",
      "name": ".postgresql-rundeps",
      "version": "20211130.050811",
      "hashes": [
        {
          "alg": "SHA-1",
          "content": "d832f904f16a4590c9d4cd5f73c6cad7a0e2717d"
        }
      ],
      "purl": "pkg:apk/alpine/.postgresql-rundeps@20211130.050811?arch=noarch&distro=alpine-3.15.0&distro_name=alpine-3.15",
      "group": "alpine",
      "properties": [
        {
          "name": "SrcFile",
          "value": "/codebuild/output/src503648286/src/source/modules/acdp/backstage/docker-compose.yaml"
        },
        { "name": "oci:SrcImage", "value": "postgres:14.1-alpine" }
      ]
    },

Trivy can handle other different libraries, like packages that come from npm and pypi in the same pacakge. It seems logical that it would support these as well, since they're libraries.

Note: The team has made some changes so the rpm packages are no longer there but we are still getting the same error.

[erinmcgill]

Is there a reason for not supporting multiple OSes?

This is a a blocker for us so I'd be interested in contributing an update to resolve this for us and others. Understanding the why behind this restriction would help with understanding the direction we need to go in with the code change.

[knqyf263]

Simply for historical background, Trivy was originally created as a tool to scan container images, so it was implemented to scan only one OS.

[emcfins]

Can I assume that means it's no longer needed/a requirement? I'm relatively new to trivy and not aware of downstream impact but am interested in investigating this as long as the team is open to the change.

[knqyf263]

Yes, if it can be added without affecting existing usage we are open to it.

[emcfins]

Is there a way to ignore or bypass this check?
I tried running with --pkg-types library but ti still fails when there are multiple OS packages.

[DmitriyLewen]

Hello @emcfins
unfortunately this flag works with analyzers.
We can't disable part of sbom analyzer.

So now there is only one way - update the scanned SBOM file (remove non-core OS packages).