go-dep-parser
Incorrect .NET deps parsing
I originally posted this on the trivy repo, but figured it should actually be posted here. Original post: https://github.com/aquasecurity/trivy/discussions/5208
### Description
Trivy doesn't generate a correct .NET dependency tree in CycloneDX. Please see this gist for the reference .deps.json file I'm using: https://gist.github.com/noqcks/49089249820126cbaabe59b70ba12ae4
See the desired and actual behaviour section
### Desired Behavior
Dependencies are listed for this package:
```json
{
  "ref": "pkg:nuget/[email protected]",
  "dependsOn": [
    "pkg:nuget/[email protected]",
    "pkg:nuget/[email protected]",
    "pkg:nuget/[email protected]"
  ]
}
```
### Actual Behavior
The dependencies are empty.
```json
{
  "ref": "pkg:nuget/[email protected]",
  "dependsOn": []
},
```
### Reproduction Steps
Copy the .deps.json file from here: https://gist.github.com/noqcks/49089249820126cbaabe59b70ba12ae4
Run:
```bash
trivy fs MyWebApp.deps.json --format cyclonedx
```
### Target
Filesystem
### Scanner
None
### Output Format
CycloneDX
### Mode
Standalone
### Debug Output
```bash
trivy fs MyWebApp.deps.json --format cyclonedx --debug
2023-09-18T09:13:42.744-0700 DEBUG ["cyclonedx" "spdx" "spdx-json" "github"] automatically enables '--list-all-pkgs'.
2023-09-18T09:13:42.745-0700 DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-09-18T09:13:42.745-0700 DEBUG Ignore statuses {"statuses": null}
2023-09-18T09:13:42.746-0700 INFO "--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.
2023-09-18T09:13:42.759-0700 DEBUG cache dir: /Users/noqcks/Library/Caches/trivy
2023-09-18T09:13:42.762-0700 DEBUG Walk the file tree rooted at 'MyWebApp.deps.json' in parallel
2023-09-18T09:13:42.783-0700 DEBUG OS is not detected.
{
"$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
"bomFormat": "CycloneDX",
"specVersion": "1.5",
"serialNumber": "urn:uuid:6e5fc8cb-f23a-4d7d-aae9-9d8b60335e40",
"version": 1,
"metadata": {
"timestamp": "2023-09-18T16:13:42+00:00",
"tools": [
{
"vendor": "aquasecurity",
"name": "trivy",
"version": "0.45.0"
}
],
"component": {
"bom-ref": "658f88d9-f9eb-4fdd-be0b-a1c4772fd1fe",
"type": "application",
"name": "MyWebApp.deps.json",
"properties": [
{
"name": "aquasecurity:trivy:SchemaVersion",
"value": "2"
}
]
}
},
"components": [
{
"bom-ref": "073fa28b-e147-4c07-8bec-046dadbc456e",
"type": "application",
"name": "MyWebApp.deps.json",
"properties": [
{
"name": "aquasecurity:trivy:Class",
"value": "lang-pkgs"
},
{
"name": "aquasecurity:trivy:Type",
"value": "dotnet-core"
}
]
},
{
"bom-ref": "pkg:nuget/[email protected]",
"type": "library",
"name": "Microsoft.AspNetCore.Authentication.Abstractions",
"version": "2.2.0",
"purl": "pkg:nuget/[email protected]",
"properties": [
{
"name": "aquasecurity:trivy:PkgType",
"value": "dotnet-core"
}
]
},
{
"bom-ref": "pkg:nuget/[email protected]",
"type": "library",
"name": "Microsoft.AspNetCore.Authentication.Core",
"version": "2.2.0",
"purl": "pkg:nuget/[email protected]",
"properties": [
{
"name": "aquasecurity:trivy:PkgType",
"value": "dotnet-core"
}
]
},
{
"bom-ref": "pkg:nuget/[email protected]",
"type": "library",
"name": "Microsoft.AspNetCore.Connections.Abstractions",
"version": "2.2.0",
"purl": "pkg:nuget/[email protected]",
"properties": [
{
"name": "aquasecurity:trivy:PkgType",
"value": "dotnet-core"
}
]
},
{
"bom-ref": "pkg:nuget/[email protected]",
"type": "library",
"name": "Microsoft.AspNetCore.Hosting.Abstractions",
"version": "2.2.0",
"purl": "pkg:nuget/[email protected]",
"properties": [
{
"name": "aquasecurity:trivy:PkgType",
"value": "dotnet-core"
}
]
},
{
"bom-ref": "pkg:nuget/[email protected]",
"type": "library",
"name": "Microsoft.AspNetCore.Hosting.Server.Abstractions",
"version": "2.2.0",
"purl": "pkg:nuget/[email protected]",
"properties": [
{
"name": "aquasecurity:trivy:PkgType",
"value": "dotnet-core"
}
]
},
{
"bom-ref": "pkg:nuget/[email protected]",
"type": "library",
"name": "Microsoft.AspNetCore.Http.Abstractions",
"version": "2.2.0",
"purl": "pkg:nuget/[email protected]",
"properties": [
{
"name": "aquasecurity:trivy:PkgType",
"value": "dotnet-core"
}
]
},
{
"bom-ref": "pkg:nuget/[email protected]",
"type": "library",
"name": "Microsoft.AspNetCore.Http.Extensions",
"version": "2.2.0",
"purl": "pkg:nuget/[email protected]",
"properties": [
{
"name": "aquasecurity:trivy:PkgType",
"value": "dotnet-core"
}
]
},
{
"bom-ref": "pkg:nuget/[email protected]",
"type": "library",
"name": "Microsoft.AspNetCore.Http.Features",
"version": "2.2.0",
"purl": "pkg:nuget/[email protected]",
"properties": [
{
"name": "aquasecurity:trivy:PkgType",
"value": "dotnet-core"
}
]
},
{
"bom-ref": "pkg:nuget/[email protected]",
"type": "library",
"name": "Microsoft.AspNetCore.Http",
"version": "2.2.0",
"purl": "pkg:nuget/[email protected]",
"properties": [
{
"name": "aquasecurity:trivy:PkgType",
"value": "dotnet-core"
}
]
},
{
"bom-ref": "pkg:nuget/[email protected]",
"type": "library",
"name": "Microsoft.AspNetCore.Server.IIS",
"version": "2.2.6",
"purl": "pkg:nuget/[email protected]",
"properties": [
{
"name": "aquasecurity:trivy:PkgType",
"value": "dotnet-core"
}
]
},
{
"bom-ref": "pkg:nuget/[email protected]",
"type": "library",
"name": "Microsoft.AspNetCore.WebUtilities",
"version": "2.2.0",
"purl": "pkg:nuget/[email protected]",
"properties": [
{
"name": "aquasecurity:trivy:PkgType",
"value": "dotnet-core"
}
]
},
{
"bom-ref": "pkg:nuget/[email protected]",
"type": "library",
"name": "Microsoft.Extensions.Configuration.Abstractions",
"version": "2.2.0",
"purl": "pkg:nuget/[email protected]",
"properties": [
{
"name": "aquasecurity:trivy:PkgType",
"value": "dotnet-core"
}
]
},
{
"bom-ref": "pkg:nuget/[email protected]",
"type": "library",
"name": "Microsoft.Extensions.DependencyInjection.Abstractions",
"version": "2.2.0",
"purl": "pkg:nuget/[email protected]",
"properties": [
{
"name": "aquasecurity:trivy:PkgType",
"value": "dotnet-core"
}
]
},
{
"bom-ref": "pkg:nuget/[email protected]",
"type": "library",
"name": "Microsoft.Extensions.FileProviders.Abstractions",
"version": "2.2.0",
"purl": "pkg:nuget/[email protected]",
"properties": [
{
"name": "aquasecurity:trivy:PkgType",
"value": "dotnet-core"
}
]
},
{
"bom-ref": "pkg:nuget/[email protected]",
"type": "library",
"name": "Microsoft.Extensions.Hosting.Abstractions",
"version": "2.2.0",
"purl": "pkg:nuget/[email protected]",
"properties": [
{
"name": "aquasecurity:trivy:PkgType",
"value": "dotnet-core"
}
]
},
{
"bom-ref": "pkg:nuget/[email protected]",
"type": "library",
"name": "Microsoft.Extensions.Logging.Abstractions",
"version": "2.2.0",
"purl": "pkg:nuget/[email protected]",
"properties": [
{
"name": "aquasecurity:trivy:PkgType",
"value": "dotnet-core"
}
]
},
{
"bom-ref": "pkg:nuget/[email protected]",
"type": "library",
"name": "Microsoft.Extensions.ObjectPool",
"version": "2.2.0",
"purl": "pkg:nuget/[email protected]",
"properties": [
{
"name": "aquasecurity:trivy:PkgType",
"value": "dotnet-core"
}
]
},
{
"bom-ref": "pkg:nuget/[email protected]",
"type": "library",
"name": "Microsoft.Extensions.Options",
"version": "2.2.0",
"purl": "pkg:nuget/[email protected]",
"properties": [
{
"name": "aquasecurity:trivy:PkgType",
"value": "dotnet-core"
}
]
},
{
"bom-ref": "pkg:nuget/[email protected]",
"type": "library",
"name": "Microsoft.Extensions.Primitives",
"version": "2.2.0",
"purl": "pkg:nuget/[email protected]",
"properties": [
{
"name": "aquasecurity:trivy:PkgType",
"value": "dotnet-core"
}
]
},
{
"bom-ref": "pkg:nuget/[email protected]",
"type": "library",
"name": "Microsoft.NETCore.Platforms",
"version": "2.0.0",
"purl": "pkg:nuget/[email protected]",
"properties": [
{
"name": "aquasecurity:trivy:PkgType",
"value": "dotnet-core"
}
]
},
{
"bom-ref": "pkg:nuget/[email protected]",
"type": "library",
"name": "Microsoft.Net.Http.Headers",
"version": "2.2.0",
"purl": "pkg:nuget/[email protected]",
"properties": [
{
"name": "aquasecurity:trivy:PkgType",
"value": "dotnet-core"
}
]
},
{
"bom-ref": "pkg:nuget/[email protected]",
"type": "library",
"name": "System.Buffers",
"version": "4.5.0",
"purl": "pkg:nuget/[email protected]",
"properties": [
{
"name": "aquasecurity:trivy:PkgType",
"value": "dotnet-core"
}
]
},
{
"bom-ref": "pkg:nuget/[email protected]",
"type": "library",
"name": "System.ComponentModel.Annotations",
"version": "4.5.0",
"purl": "pkg:nuget/[email protected]",
"properties": [
{
"name": "aquasecurity:trivy:PkgType",
"value": "dotnet-core"
}
]
},
{
"bom-ref": "pkg:nuget/[email protected]",
"type": "library",
"name": "System.IO.Pipelines",
"version": "4.5.3",
"purl": "pkg:nuget/[email protected]",
"properties": [
{
"name": "aquasecurity:trivy:PkgType",
"value": "dotnet-core"
}
]
},
{
"bom-ref": "pkg:nuget/[email protected]",
"type": "library",
"name": "System.Memory",
"version": "4.5.1",
"purl": "pkg:nuget/[email protected]",
"properties": [
{
"name": "aquasecurity:trivy:PkgType",
"value": "dotnet-core"
}
]
},
{
"bom-ref": "pkg:nuget/[email protected]",
"type": "library",
"name": "System.Runtime.CompilerServices.Unsafe",
"version": "4.5.1",
"purl": "pkg:nuget/[email protected]",
"properties": [
{
"name": "aquasecurity:trivy:PkgType",
"value": "dotnet-core"
}
]
},
{
"bom-ref": "pkg:nuget/[email protected]",
"type": "library",
"name": "System.Security.Principal.Windows",
"version": "4.5.0",
"purl": "pkg:nuget/[email protected]",
"properties": [
{
"name": "aquasecurity:trivy:PkgType",
"value": "dotnet-core"
}
]
},
{
"bom-ref": "pkg:nuget/[email protected]",
"type": "library",
"name": "System.Text.Encodings.Web",
"version": "4.5.0",
"purl": "pkg:nuget/[email protected]",
"properties": [
{
"name": "aquasecurity:trivy:PkgType",
"value": "dotnet-core"
}
]
}
],
"dependencies": [
{
"ref": "073fa28b-e147-4c07-8bec-046dadbc456e",
"dependsOn": [
"pkg:nuget/[email protected]",
"pkg:nuget/[email protected]",
"pkg:nuget/[email protected]",
"pkg:nuget/[email protected]",
"pkg:nuget/[email protected]",
"pkg:nuget/[email protected]",
"pkg:nuget/[email protected]",
"pkg:nuget/[email protected]",
"pkg:nuget/[email protected]",
"pkg:nuget/[email protected]",
"pkg:nuget/[email protected]",
"pkg:nuget/[email protected]",
"pkg:nuget/[email protected]",
"pkg:nuget/[email protected]",
"pkg:nuget/[email protected]",
"pkg:nuget/[email protected]",
"pkg:nuget/[email protected]",
"pkg:nuget/[email protected]",
"pkg:nuget/[email protected]",
"pkg:nuget/[email protected]",
"pkg:nuget/[email protected]",
"pkg:nuget/[email protected]",
"pkg:nuget/[email protected]",
"pkg:nuget/[email protected]",
"pkg:nuget/[email protected]",
"pkg:nuget/[email protected]",
"pkg:nuget/[email protected]",
"pkg:nuget/[email protected]"
]
},
{
"ref": "658f88d9-f9eb-4fdd-be0b-a1c4772fd1fe",
"dependsOn": [
"073fa28b-e147-4c07-8bec-046dadbc456e"
]
},
{
"ref": "pkg:nuget/[email protected]",
"dependsOn": []
},
{
"ref": "pkg:nuget/[email protected]",
"dependsOn": []
},
{
"ref": "pkg:nuget/[email protected]",
"dependsOn": []
},
{
"ref": "pkg:nuget/[email protected]",
"dependsOn": []
},
{
"ref": "pkg:nuget/[email protected]",
"dependsOn": []
},
{
"ref": "pkg:nuget/[email protected]",
"dependsOn": []
},
{
"ref": "pkg:nuget/[email protected]",
"dependsOn": []
},
{
"ref": "pkg:nuget/[email protected]",
"dependsOn": []
},
{
"ref": "pkg:nuget/[email protected]",
"dependsOn": []
},
{
"ref": "pkg:nuget/[email protected]",
"dependsOn": []
},
{
"ref": "pkg:nuget/[email protected]",
"dependsOn": []
},
{
"ref": "pkg:nuget/[email protected]",
"dependsOn": []
},
{
"ref": "pkg:nuget/[email protected]",
"dependsOn": []
},
{
"ref": "pkg:nuget/[email protected]",
"dependsOn": []
},
{
"ref": "pkg:nuget/[email protected]",
"dependsOn": []
},
{
"ref": "pkg:nuget/[email protected]",
"dependsOn": []
},
{
"ref": "pkg:nuget/[email protected]",
"dependsOn": []
},
{
"ref": "pkg:nuget/[email protected]",
"dependsOn": []
},
{
"ref": "pkg:nuget/[email protected]",
"dependsOn": []
},
{
"ref": "pkg:nuget/[email protected]",
"dependsOn": []
},
{
"ref": "pkg:nuget/[email protected]",
"dependsOn": []
},
{
"ref": "pkg:nuget/[email protected]",
"dependsOn": []
},
{
"ref": "pkg:nuget/[email protected]",
"dependsOn": []
},
{
"ref": "pkg:nuget/[email protected]",
"dependsOn": []
},
{
"ref": "pkg:nuget/[email protected]",
"dependsOn": []
},
{
"ref": "pkg:nuget/[email protected]",
"dependsOn": []
},
{
"ref": "pkg:nuget/[email protected]",
"dependsOn": []
},
{
"ref": "pkg:nuget/[email protected]",
"dependsOn": []
}
],
"vulnerabilities": []
}
```
### Operating System
macOS
### Version
```bash
Version: 0.45.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-09-18 12:17:08.645500979 +0000 UTC
  NextUpdate: 2023-09-18 18:17:08.645500079 +0000 UTC
  DownloadedAt: 2023-09-18 15:19:46.14853 +0000 UTC
```
### Checklist
- [X] Run `trivy image --reset`
- [X] Read [the troubleshooting](https://aquasecurity.github.io/trivy/latest/docs/references/troubleshooting/)
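
For reference when triaging a report like this: in a `.deps.json` file the per-package edges sit under `targets[<runtimeTarget.name>]["<name>/<version>"].dependencies`, while `libraries` is a flat list with no edges. The Go program below is an added example, not code from go-dep-parser, Trivy or the issue author; it reads a constructed sample (not the gist) and builds the `dependsOn` lists a complete SBOM would carry.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample in the .deps.json layout (not the gist from the issue).
const sampleDeps = `{
 "runtimeTarget": {"name": ".NETCoreApp,Version=v2.2"},
 "targets": {".NETCoreApp,Version=v2.2": {
  "Microsoft.AspNetCore.Authentication.Core/2.2.0": {"dependencies": {
   "Microsoft.AspNetCore.Http": "2.2.0", "Microsoft.AspNetCore.Authentication.Abstractions": "2.2.0"}},
  "Microsoft.AspNetCore.Http/2.2.0": {}, "Microsoft.AspNetCore.Authentication.Abstractions/2.2.0": {}}},
 "libraries": {"Microsoft.AspNetCore.Authentication.Core/2.2.0": {"type": "package"}}
}`

type depsFile struct {
	RuntimeTarget struct{ Name string `json:"name"` } `json:"runtimeTarget"`
	Targets       map[string]map[string]struct {
		Dependencies map[string]string `json:"dependencies"`
	} `json:"targets"`
}

// DependsOn maps each package purl to its sorted dependency purls for the runtime target.
func DependsOn(raw []byte) (map[string][]string, error) {
	var f depsFile
	if err := json.Unmarshal(raw, &f); err != nil {
		return nil, err
	}
	target, ok := f.Targets[f.RuntimeTarget.Name]
	if !ok {
		return nil, fmt.Errorf("runtime target %q not in targets", f.RuntimeTarget.Name)
	}
	edges := map[string][]string{}
	for key, entry := range target { // key is "<name>/<version>"
		ref := "pkg:nuget/" + strings.Replace(key, "/", "@", 1)
		edges[ref] = []string{} // leaf packages keep an explicit empty list
		for name, version := range entry.Dependencies {
			edges[ref] = append(edges[ref], "pkg:nuget/"+name+"@"+version)
		}
		sort.Strings(edges[ref])
	}
	return edges, nil
}

func main() { fmt.Println(DependsOn([]byte(sampleDeps))) }
```

Comparing this map against the `dependencies` array of a generated CycloneDX document shows which refs lost their edges; a flattened graph hides whether a vulnerable package is a direct or transitive dependency.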