Skip to content

fix(sbom): add SBOM file's filePath as Application FilePath if we can't detect its path #8346

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
knqyf263 merged 4 commits into from
Feb 24, 2025
Merged

fix(sbom): add SBOM file's filePath as Application FilePath if we can't detect its path #8346

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
0521258
fix(sbom): add sbom file path for applications without detected filepath
DmitriyLewen Feb 4, 2025
5aed495
docs: add info about filepaths for Apps
DmitriyLewen Feb 4, 2025
7dc1ca2
docs: update info about third-party SBOMs
DmitriyLewen Feb 6, 2025
876c0f7
docs: improve SBOM documentation for container images
knqyf263 Feb 24, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 14 additions & 2 deletions docs/docs/target/container_image.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -403,9 +403,20 @@ Trivy supports the generation of Software Bill of Materials (SBOM) for container

### Generation
Trivy can generate SBOM for container images.
See [here](../supply-chain/sbom.md) for the detail.
See [here](../supply-chain/sbom.md) for details.

### Discovery
### Discover SBOM inside container images
Trivy can search for Software Bill of Materials (SBOMs) within container image files and scan their components for vulnerabilities.

#### Third-party SBOM files
SBOM specifications define key requirements for component documentation[^2].
However, different tools and systems often have varying approaches to documenting component types and their relationships.

Due to these variations, Trivy cannot always accurately interpret SBOMs generated by other tools.
For example, it may have difficulty determining the correct file paths to component information files (such as lock files or binaries).
In such cases, Trivy uses the path to the scanned SBOM file itself to maintain traceability and ensure accurate dependency reporting.

### Discover SBOM referencing the container image
Trivy can search for Software Bill of Materials (SBOMs) that reference container images.
If an SBOM is found, the vulnerability scan is performed using the SBOM instead of the container image.
By using the SBOM, you can perform a vulnerability scan more quickly, as it allows you to skip pulling the container image and analyzing its layers.
Expand Down Expand Up @@ -551,3 +562,4 @@ Error: uncompressed image size (15GB) exceeds maximum allowed size (10GB)
```

[^1]: Trivy uses decimal (SI) prefixes (based on 1000) for size.
[^2]: SPDX uses `package` instead of `component`.
11 changes: 7 additions & 4 deletions pkg/fanal/analyzer/sbom/sbom.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,6 @@ import (
"context"
"os"
"path"
"slices"
"strings"

"golang.org/x/xerrors"
Expand Down Expand Up @@ -58,10 +57,14 @@ func (a sbomAnalyzer) Analyze(ctx context.Context, input analyzer.AnalysisInput)
bom.Packages[i].FilePath = path.Join(input.FilePath, pkgInfo.FilePath)
}

// FilePath for apps with aggregatingTypes is empty.
// Set the SBOM file path as Application.FilePath to correctly overwrite applications when merging layers.
// There are cases when FilePath for Application is empty:
// - FilePath for apps with aggregatingTypes is empty.
// - Third party SBOM without Application component.
// We need to use SBOM file path as Application.FilePath to correctly:
// - overwrite applications when merging layers. See https://github.com/aquasecurity/trivy/issues/7851
// - show FilePath as Target of Application. See https://github.com/aquasecurity/trivy/issues/8189.
for i, app := range bom.Applications {
if slices.Contains(ftypes.AggregatingTypes, app.Type) && app.FilePath == "" {
Comment thread
knqyf263 marked this conversation as resolved.
if app.FilePath == "" {
bom.Applications[i].FilePath = input.FilePath
Copy link
Copy Markdown
Contributor Author

@DmitriyLewen DmitriyLewen Feb 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I didn't add the type prefix (as we discussed in #7556 (reply in thread)) because name is not a unique field (for CycloneDX and SPDX), so we can use the same name for multiple components.

}
}
Expand Down
51 changes: 51 additions & 0 deletions pkg/fanal/analyzer/sbom/sbom_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -165,6 +165,57 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
},
wantErr: require.NoError,
},
{
name: "valid sbom spdx file without application component",
file: "testdata/sbom-without-app-component.spdx.json",
filePath: "layers/sbom/launch/buildpacksio_lifecycle/launcher/sbom.spdx.json",
want: &analyzer.AnalysisResult{
Applications: []types.Application{
{
Type: types.GoBinary,
FilePath: "layers/sbom/launch/buildpacksio_lifecycle/launcher/sbom.spdx.json",
Packages: types.Packages{
{
ID: "github.com/buildpacks/[email protected]",
Name: "github.com/buildpacks/lifecycle",
Version: "v0.20.2",
Identifier: types.PkgIdentifier{
PURL: &packageurl.PackageURL{
Type: packageurl.TypeGolang,
Namespace: "github.com/buildpacks",
Name: "lifecycle",
Version: "v0.20.2",
},
},
Licenses: []string{
"NOASSERTION",
},
},
},
},
{
Type: types.Jar,
FilePath: "layers/sbom/launch/buildpacksio_lifecycle/launcher/sbom.spdx.json",
Packages: types.Packages{
{
ID: "co.elastic.apm:apm-agent:1.36.0",
Name: "co.elastic.apm:apm-agent",
Version: "1.36.0",
Identifier: types.PkgIdentifier{
PURL: &packageurl.PackageURL{
Type: packageurl.TypeMaven,
Namespace: "co.elastic.apm",
Name: "apm-agent",
Version: "1.36.0",
},
},
},
},
},
},
},
wantErr: require.NoError,
},
{
name: "valid postgresql spdx file",
file: "testdata/postgresql.spdx.json",
Expand Down
111 changes: 111 additions & 0 deletions pkg/fanal/analyzer/sbom/testdata/sbom-without-app-component.spdx.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,111 @@
{
"spdxVersion": "SPDX-2.3",
"dataLicense": "CC0-1.0",
"SPDXID": "SPDXRef-DOCUMENT",
"name": "launcher",
"documentNamespace": "https://anchore.com/syft/file/launcher-268e7779-ba66-4422-a5b0-d4d83f7b5d8c",
"creationInfo": {
"licenseListVersion": "3.25",
"creators": [
"Organization: Anchore, Inc",
"Tool: syft-1.13.0"
],
"created": "2024-09-25T21:11:50Z"
},
"packages": [
{
"name": "co.elastic.apm:apm-agent",
"SPDXID": "SPDXRef-Package-f0db45781e6813a1",
"versionInfo": "1.36.0",
"supplier": "NOASSERTION",
"downloadLocation": "NONE",
"licenseConcluded": "NONE",
"licenseDeclared": "NONE",
"copyrightText": "NOASSERTION",
"externalRefs": [
{
"referenceCategory": "PACKAGE_MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:maven/co.elastic.apm/[email protected]"
}
],
"filesAnalyzed": false
},
{
"name": "github.com/buildpacks/lifecycle",
"SPDXID": "SPDXRef-Package-go-module-github.zerozr99.workers.dev-buildpacks-lifecycle-89c3bd8d4c2e75b7",
"versionInfo": "v0.20.2",
"supplier": "NOASSERTION",
"downloadLocation": "NOASSERTION",
"filesAnalyzed": false,
"sourceInfo": "acquired package info from go module information: /launcher",
"licenseConcluded": "NOASSERTION",
"licenseDeclared": "NOASSERTION",
"copyrightText": "NOASSERTION",
"externalRefs": [
{
"referenceCategory": "SECURITY",
"referenceType": "cpe23Type",
"referenceLocator": "cpe:2.3:a:buildpacks:lifecycle:v0.20.2:*:*:*:*:*:*:*"
},
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:golang/github.com/buildpacks/[email protected]"
}
]
},
{
"name": "launcher",
"SPDXID": "SPDXRef-DocumentRoot-File-launcher",
"versionInfo": "sha256:716665ae98fb4b4675d5184f80884547597d47be1395d1049dc9e16035f32cc1",
"supplier": "NOASSERTION",
"downloadLocation": "NOASSERTION",
"filesAnalyzed": false,
"checksums": [
{
"algorithm": "SHA256",
"checksumValue": "716665ae98fb4b4675d5184f80884547597d47be1395d1049dc9e16035f32cc1"
}
],
"licenseConcluded": "NOASSERTION",
"licenseDeclared": "NOASSERTION",
"primaryPackagePurpose": "FILE"
}
],
"files": [
{
"fileName": "/launcher",
"SPDXID": "SPDXRef-File-launcher-361242815a383bec",
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "0000000000000000000000000000000000000000"
}
],
"licenseConcluded": "NOASSERTION",
"licenseInfoInFiles": [
"NOASSERTION"
],
"copyrightText": ""
}
],
"relationships": [
{
"spdxElementId": "SPDXRef-Package-go-module-github.zerozr99.workers.dev-buildpacks-lifecycle-89c3bd8d4c2e75b7",
"relatedSpdxElement": "SPDXRef-File-launcher-361242815a383bec",
"relationshipType": "OTHER",
"comment": "evident-by: indicates the package's existence is evident by the given file"
},
{
"spdxElementId": "SPDXRef-DocumentRoot-File-launcher",
"relatedSpdxElement": "SPDXRef-Package-go-module-github.zerozr99.workers.dev-buildpacks-lifecycle-89c3bd8d4c2e75b7",
"relationshipType": "CONTAINS"
},
{
"spdxElementId": "SPDXRef-DOCUMENT",
"relatedSpdxElement": "SPDXRef-DocumentRoot-File-launcher",
"relationshipType": "DESCRIBES"
}
]
}