0 Vulnerabilities not detected in imported SBOM with vulnerabilities
Current Behavior
I created a new project and imported an SBOM of an old version of debian-slim. Trivy reports vulnerabilities but Dependency-Track doesn't. I created a Sonatype OSS account and configured it, but that did not change the result.
Trivy:
trivy image debian:stable-20230202
2023-08-03T11:23:28.203+0200 INFO Vulnerability scanning is enabled
2023-08-03T11:23:28.203+0200 INFO Secret scanning is enabled
2023-08-03T11:23:28.203+0200 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-08-03T11:23:28.203+0200 INFO Please see also https://aquasecurity.github.io/trivy/v0.43/docs/scanner/secret/#recommendation for faster secret detection
2023-08-03T11:23:34.212+0200 INFO Detected OS: debian
2023-08-03T11:23:34.212+0200 INFO Detecting Debian vulnerabilities...
2023-08-03T11:23:34.235+0200 INFO Number of language-specific files: 0
debian:stable-20230202 (debian 11.6)
Total: 99 (UNKNOWN: 0, LOW: 66, MEDIUM: 10, HIGH: 22, CRITICAL: 1)
DependencyTrack:
Steps to Reproduce
- Create SBOM using trivy
trivy image debian:stable-20230202 --format cyclonedx --output ~/win_tmp/result-debian.cdx
- Install DependencyTrack following the regular installation instructions
curl -LO https://dependencytrack.org/docker-compose.yml
docker-compose up
- Configure Sonatype OSS credentials
- Import SBOM generated in step 1
Expected Behavior
Vulnerabilities reported.
Dependency-Track Version
4.8.2
Dependency-Track Distribution
Container Image
Database Server
N/A
Database Server Version
No response
Browser
Google Chrome
Checklist
- [X] I have read and understand the contributing guidelines
- [X] I have checked the existing issues for whether this defect was already reported
I have no experience with scanning OS images, but it looks like your SBOM contains purls. And both GitHub and OSS don't report vulnerabilities on Debian packages, I think. So you might need to enable the Snyk analyzer to get some results: https://security.snyk.io/vuln/SNYK-DEBIAN13-UTILLINUX-5698535
As @valentijnscholten said, OSS Index does not support Debian (see https://ossindex.sonatype.org/ecosystems). For the NVD, we can only match against its data when the components in the SBOM have a CPE.
FWIW, OSV supports Debian.
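The coverage point made in the comment above (OSS Index does not cover Debian purls, the NVD analyzer matches only on CPE, OSV does cover Debian) can be checked against an SBOM before uploading it. The following Python script is an added example, not part of this thread and not Dependency-Track's own code: it reads a CycloneDX JSON document, classifies each component by purl type and CPE presence, and reports which of a chosen set of analyzers could evaluate it. The per-analyzer rules are simplified assumptions taken from the comments in this thread, not Dependency-Track's real analyzer logic, and the sample SBOM is constructed to resemble what `trivy image --format cyclonedx` emits for a Debian image.

```python
"""Audit a CycloneDX JSON SBOM for Dependency-Track analyzer coverage.

Added example; not code from this issue thread or from Dependency-Track.
"""
import json
from collections import Counter

# Constructed sample SBOM (trimmed to the fields inspected below). Trivy
# emits "pkg:deb/debian/..." purls for OS packages and usually no CPE.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "libc6", "version": "2.31-13+deb11u5",
         "purl": "pkg:deb/debian/libc6@2.31-13%2Bdeb11u5?arch=amd64&distro=debian-11.6"},
        {"type": "library", "name": "util-linux", "version": "2.36.1-8+deb11u1",
         "purl": "pkg:deb/debian/util-linux@2.36.1-8%2Bdeb11u1?arch=amd64&distro=debian-11.6"},
        {"type": "library", "name": "openssl", "version": "1.1.1n-0+deb11u4",
         "purl": "pkg:deb/debian/openssl@1.1.1n-0%2Bdeb11u4?arch=amd64&distro=debian-11.6",
         "cpe": "cpe:2.3:a:openssl:openssl:1.1.1n:*:*:*:*:*:*:*"},
        {"type": "library", "name": "requests", "version": "2.28.0",
         "purl": "pkg:pypi/requests@2.28.0"},
        {"type": "library", "name": "mystery", "version": "1.0"},
    ],
})


def purl_type(purl):
    """Return the purl type ("deb", "pypi", ...) or None if there is no purl."""
    if not purl or not purl.startswith("pkg:"):
        return None
    return purl[4:].split("/", 1)[0].lower()


def can_evaluate(analyzer, component):
    """Simplified coverage rules (assumptions drawn from the thread above):
    - ossindex: purl-based, but Debian ("deb") purls are not supported.
    - nvd:      matches only when the component carries a CPE.
    - osv/snyk: purl-based and do cover Debian packages.
    """
    ptype = purl_type(component.get("purl"))
    if analyzer == "nvd":
        return bool(component.get("cpe"))
    if analyzer == "ossindex":
        return ptype is not None and ptype != "deb"
    if analyzer in ("osv", "snyk"):
        return ptype is not None
    raise ValueError(f"unknown analyzer {analyzer!r}")


def audit(sbom_text, enabled):
    """Map each component (name@version) to the enabled analyzers that can see it."""
    doc = json.loads(sbom_text)
    coverage = {}
    for comp in doc.get("components", []):
        key = f"{comp['name']}@{comp.get('version', '?')}"
        coverage[key] = sorted(a for a in enabled if can_evaluate(a, comp))
    return coverage


def uncovered(coverage):
    """Components that no enabled analyzer will ever report findings for."""
    return [k for k, v in coverage.items() if not v]


def purl_type_histogram(sbom_text):
    """Quick look at which ecosystems the SBOM actually contains."""
    doc = json.loads(sbom_text)
    return Counter(purl_type(c.get("purl")) or "none" for c in doc.get("components", []))


if __name__ == "__main__":
    print("purl types:", dict(purl_type_histogram(SAMPLE_SBOM)))
    for enabled in ({"ossindex", "nvd"}, {"ossindex", "nvd", "osv"}):
        cov = audit(SAMPLE_SBOM, enabled)
        print(sorted(enabled), "-> no analyzer covers:", uncovered(cov))
```

With only OSS Index and NVD enabled, every Debian package without a CPE lands in the uncovered list, which is the "0 vulnerabilities" outcome the reporter saw; adding OSV removes them from that list, leaving only components with neither purl nor CPE. Point the script at the real Trivy output (`json.load(open(path))`) to see the same breakdown for an actual image.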
Even with OSV enabled I'm getting 0 vulnerabilities
Example:
trivy image php:8.1.0-fpm
php:8.1.0-fpm (debian 11.1)
Total: 1108 (UNKNOWN: 2, LOW: 452, MEDIUM: 351, HIGH: 269, CRITICAL: 34)
trivy image -f cyclonedx --scanners vuln --vuln-type os,library -o report.cdx php:8.1.0-fpm
curl -X "POST" "http://localhost:8081/api/v1/bom" -H 'Content-Type: multipart/form-data' -H "X-Api-Key: q1vnvPSrCG9sFClJaAOQdrz9u1Lfk0Zb" -F "autoCreate=true" -F "projectName=php-fpm" -F "projectVersion=8.1.0" -F "bom=@report.cdx"
Is there some additional config?
EDIT: ok I restarted the container and it pulled the definitions from OSV for Debian 11, now it shows something but the results are far from what Trivy found
Hi, I have the same issue with Debian and Rocky. What is the OSV analyser task? I don't have OSS Index or Snyk. Thanks
Same issue, but I don't see any call to Trivy in the Dependency-Track logs. Is it normal?
Do we have logs when we set up the Trivy integration in dtrack? Do we have logs when we send the Trivy SBOM to dtrack?
Same issue for us with trivy enabled
@amergey Trivy 0.54.0 introduced a breaking change to their server API, please make sure you're using a version lower than that. See #4021.
Thanks, it works after downgrading Trivy to 0.52.2.