purls starting with `pkg:gradle` result in error: unsupported type gradle
Description
GitLab Dependency Scanning (aka Gemnasium) creates CycloneDX SBOMs for Gradle projects with purls like this: pkg:maven/com.fasterxml.jackson.core/[email protected]
Here's a minimal example:
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "vendor": "GitLab",
        "name": "Gemnasium",
        "version": "3.9.0"
      },
      {
        "vendor": "GitLab",
        "name": "Gemnasium",
        "version": "not-configured"
      }
    ]
  },
  "components": [
    {
      "type": "library",
      "bom-ref": "pkg:gradle/org.yaml/snakeyaml@1.30",
      "name": "org.yaml/snakeyaml",
      "version": "1.30",
      "purl": "pkg:gradle/org.yaml/snakeyaml@1.30"
    }
  ]
}
Running Trivy against this SBOM results in an error:
2022-09-15T21:42:38.326Z INFO Need to update DB
2022-09-15T21:42:38.326Z INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2022-09-15T21:42:38.326Z INFO Downloading DB...
33.96 MiB / 33.96 MiB [--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 6.40 MiB p/s 5.5s
2022-09-15T21:42:44.265Z INFO Vulnerability scanning is enabled
2022-09-15T21:42:44.265Z INFO Detected SBOM format: cyclonedx-json
2022-09-15T21:42:44.280Z INFO Number of language-specific files: 1
2022-09-15T21:42:44.280Z INFO Detecting gradle vulnerabilities...
2022-09-15T21:42:44.293Z FATAL sbom scan error: scan error: scan failed: scan failed: failed to detect vulnerabilities: failed to scan application libraries: failed vulnerability detection of libraries: failed to new driver: unsupported type gradle
What did you expect to happen?
If pkg:gradle is replaced with pkg:maven then Trivy works as expected:
2022-09-15T21:41:56.865Z INFO Need to update DB
2022-09-15T21:41:56.865Z INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2022-09-15T21:41:56.865Z INFO Downloading DB...
33.96 MiB / 33.96 MiB [--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 6.41 MiB p/s 5.5s
2022-09-15T21:42:02.892Z INFO Vulnerability scanning is enabled
2022-09-15T21:42:02.892Z INFO Detected SBOM format: cyclonedx-json
2022-09-15T21:42:02.906Z INFO Number of language-specific files: 1
2022-09-15T21:42:02.906Z INFO Detecting jar vulnerabilities...
Java (jar)
Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 1, CRITICAL: 0)
┌────────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ org.yaml:snakeyaml │ CVE-2022-25857 │ HIGH │ 1.30 │ 1.31 │ snakeyaml: Denial of Service due missing to nested depth │
│ │ │ │ │ │ limitation for... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-25857 │
│ ├────────────────┼──────────┤ │ ├──────────────────────────────────────────────────────────┤
│ │ CVE-2022-38749 │ MEDIUM │ │ │ Using snakeYAML to parse untrusted YAML files may be │
│ │ │ │ │ │ vulnerable to Den... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-38749 │
│ ├────────────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────┤
│ │ CVE-2022-38752 │ │ │ 1.32 │ Using snakeYAML to parse untrusted YAML files may be │
│ │ │ │ │ │ vulnerable to Den... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-38752 │
└────────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘
What happened instead?
2022-09-15T21:42:44.293Z FATAL sbom scan error: scan error: scan failed: scan failed: failed to detect vulnerabilities: failed to scan application libraries: failed vulnerability detection of libraries: failed to new driver: unsupported type gradle
Output of trivy -v:
Version: 0.31.3
Additional details (base image name, container registry info...):
According to https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst:
gradle for Gradle plugins
So I believe there are two problems:
- Since these dependencies are Maven dependencies (they're specified in Gradle, but they are Maven dependencies), GitLab Dependency Scanning is using the wrong "type" in its "purl" value; it's using gradle when it should be using maven. I've reported this to GitLab at: https://gitlab.com/gitlab-org/gitlab/-/issues/374043
- Trivy doesn't support the gradle type (which should be used for Gradle plugins per the PURL specification) and it should.
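The workaround the report describes (swapping the purl type from gradle to maven so Trivy picks the Maven driver) can be scripted for a whole SBOM instead of edited by hand. The following is an added example, not code from this issue, from Trivy or from GitLab. It assumes the CycloneDX 1.4 JSON layout shown above (purl and bom-ref on components, ref and dependsOn in the dependencies graph); SAMPLE_SBOM is a constructed copy of the minimal example with a dependencies section added, and the helper names (purl_type, rewrite_purl_type, rewrite_sbom) are mine.

```python
"""Rewrite pkg:gradle purls to pkg:maven in a CycloneDX JSON SBOM.

Added example, not Trivy or GitLab code. Assumes the CycloneDX 1.4 JSON
field names (purl, bom-ref, dependencies[].ref, dependencies[].dependsOn).
"""
import copy
import json
import re
import sys
from typing import Optional, Tuple

# purl grammar: pkg:<type>/<namespace>/<name>@<version>?<qualifiers>#<subpath>
# Only the type segment (between "pkg:" and the first "/") is touched here;
# namespace, name, version, qualifiers and subpath are carried over verbatim.
_PURL_TYPE_RE = re.compile(r"^pkg:([A-Za-z0-9.+-]+)/")


def purl_type(purl: str) -> Optional[str]:
    """Return the lower-cased purl type (e.g. 'gradle'), or None if not a purl."""
    m = _PURL_TYPE_RE.match(purl)
    return m.group(1).lower() if m else None


def rewrite_purl_type(purl: str, old: str = "gradle", new: str = "maven") -> str:
    """Replace the purl type only when it matches `old`; other strings pass through."""
    if purl_type(purl) != old:
        return purl
    return f"pkg:{new}/" + purl.split("/", 1)[1]


def rewrite_sbom(bom: dict, old: str = "gradle", new: str = "maven") -> Tuple[dict, int]:
    """Return (rewritten copy of the SBOM, number of values changed).

    bom-ref is an opaque identifier, but the generator in the issue reuses the
    purl as bom-ref and the dependency graph points at those refs, so every
    field carrying a ref is rewritten consistently or the graph would dangle.
    """
    out = copy.deepcopy(bom)  # never mutate the caller's document
    changed = 0

    def fix(value):
        nonlocal changed
        if not isinstance(value, str):
            return value
        new_value = rewrite_purl_type(value, old, new)
        if new_value != value:
            changed += 1
        return new_value

    def walk_components(components):
        for c in components:
            for key in ("purl", "bom-ref"):
                if key in c:
                    c[key] = fix(c[key])
            walk_components(c.get("components", []))  # nested components

    walk_components(out.get("components", []))
    meta_component = out.get("metadata", {}).get("component")
    if meta_component:
        walk_components([meta_component])
    for dep in out.get("dependencies", []):
        if "ref" in dep:
            dep["ref"] = fix(dep["ref"])
        if "dependsOn" in dep:
            dep["dependsOn"] = [fix(r) for r in dep["dependsOn"]]
    return out, changed


# Constructed sample: the issue's minimal SBOM plus a dependencies section.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {"component": {"type": "application", "bom-ref": "app", "name": "app"}},
    "components": [
        {
            "type": "library",
            "bom-ref": "pkg:gradle/org.yaml/snakeyaml@1.30",
            "name": "org.yaml/snakeyaml",
            "version": "1.30",
            "purl": "pkg:gradle/org.yaml/snakeyaml@1.30",
        }
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:gradle/org.yaml/snakeyaml@1.30"]},
        {"ref": "pkg:gradle/org.yaml/snakeyaml@1.30", "dependsOn": []},
    ],
}


def main(argv) -> int:
    """Usage: python rewrite_purls.py gl-sbom.cdx.json > fixed.cdx.json"""
    if len(argv) != 2:
        print(main.__doc__, file=sys.stderr)
        return 2
    with open(argv[1], encoding="utf-8") as f:
        bom = json.load(f)
    fixed, changed = rewrite_sbom(bom)
    json.dump(fixed, sys.stdout, indent=2)
    print(f"rewrote {changed} purl/bom-ref values", file=sys.stderr)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on the GitLab-produced file and hand the rewritten output to Trivy. Two caveats: the purl spec reserves the gradle type for Gradle plugins, so this rewrite is only correct when you know the generator emitted ordinary Maven coordinates under the wrong type; and the script changes the type segment only, so any qualifiers (for example ?type=jar) survive untouched, which is what a downstream matcher expects.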
Hello @candrews, thanks for your report!
Trivy started supporting Gradle with version 0.32.0.
But in v0.32.0 there is a problem with the Gradle package name separator. I created a PR with a fix for this. I will let you know when this PR is merged.
Best regards, Dmitry