
fix(sbom): detect main OS and ignore pkgs for other OSes

Open DmitriyLewen opened this issue 1 year ago • 11 comments

Description

Trivy doesn't currently support multiple OSes. To avoid flaky packages, we need to sort the found OSes and select only one of them (packages for the other OSes should be ignored).

Sorting order:

  1. Take the OS with the largest number of packages.
  2. If OSes contain the same number of packages, we compare them by SPDXID/BOMRef.

Example of flaky pkgs (nginx-helm.json file, see https://github.com/aquasecurity/trivy/issues/5812#issuecomment-2158643712):

➜  trivy sbom nginx-helm.json --quiet --format json --list-all-pkgs | jq '.Results[0].Packages | length'
128
➜  trivy sbom nginx-helm.json --quiet --format json --list-all-pkgs | jq '.Results[0].Packages | length'
159

New Field

This PR adds a new SPDXID field for Package.Identifier. We populate this field from SPDX files, similar to BOMRef for CycloneDX files.

Related issues

  • https://github.com/aquasecurity/trivy/issues/5812#issuecomment-2158643712

Checklist

  • [x] I've read the guidelines for contributing to this repository.
  • [x] I've followed the conventions in the PR title.
  • [x] I've added tests that prove my fix is effective or that my feature works.
  • [ ] I've updated the documentation with the relevant information (if needed).
  • [ ] I've added usage information (if the PR introduces new options)
  • [ ] I've included a "before" and "after" example to the description (if the PR is a user interface change).

DmitriyLewen avatar Jun 11 '24 10:06 DmitriyLewen

hmm... you're probably right, but then we must maintain order in order to exclude uncertainty (I mean that every time we scan a file with multiple OSes, we should take only the first one found)

DmitriyLewen avatar Jun 20 '24 10:06 DmitriyLewen

then we must maintain order in order to exclude uncertainty

Yes, we keep OSes as an array instead of picking up the first one, sort them somehow and pick up one of them deterministically. https://github.com/aquasecurity/trivy/blob/f7720f55eba15370a90ac021aad8a6715fc4a6e5/pkg/sbom/io/decode.go#L121-L130

knqyf263 avatar Jun 20 '24 10:06 knqyf263

pick up one of them deterministically.

We can take OS with the most related packages. wdyt?

DmitriyLewen avatar Jun 20 '24 10:06 DmitriyLewen

We can take OS with the most related packages.

Sounds good. But we must consider cases where several OSes have the same number of packages.

knqyf263 avatar Jun 21 '24 02:06 knqyf263

But we must consider cases where several OSes have the same number of packages.

Name fields can be the same. So it looks like we need to use SPDXID to sort these OSes (and BomRef for CycloneDX).

DmitriyLewen avatar Jun 21 '24 02:06 DmitriyLewen
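The selection rule described in the PR description ("Sorting order") and worked out in the discussion above (most related packages first, ties broken by SPDXID/BOMRef) can be shown as a small deterministic chooser. The following is an added example, not Trivy's own code: the `osCandidate` type, the `selectMainOS` and `deterministic` helpers, and the SPDXID values and package lists are all constructed for illustration, and the SBOM-decoding side that would produce the candidates is assumed to exist. It also demonstrates why the tie-break matters: feeding the same candidates in different orders yields the same chosen OS and the same set of packages to ignore, which is the property the flaky 128/159 package counts above lacked.

```go
package main

import (
	"fmt"
	"sort"
)

// osCandidate is a hypothetical, simplified stand-in for an OS node found in an SBOM
// (not Trivy's type): its identifier (SPDXID for SPDX, BOMRef for CycloneDX), its
// family/name, and the packages that reference it.
type osCandidate struct {
	ID       string // SPDXID or BOMRef
	Family   string
	Name     string
	Packages []string
}

// selectMainOS picks exactly one OS deterministically:
//  1. the OS with the most related packages wins;
//  2. on a tie, the OS with the lexicographically smaller ID (SPDXID/BOMRef) wins.
// It returns the chosen OS, the packages that belong to the other OSes (which the
// caller should drop from the results), and false when there is nothing to choose.
func selectMainOS(oses []osCandidate) (osCandidate, []string, bool) {
	if len(oses) == 0 {
		return osCandidate{}, nil, false
	}
	sorted := make([]osCandidate, len(oses))
	copy(sorted, oses) // never reorder the caller's slice
	sort.SliceStable(sorted, func(i, j int) bool {
		if len(sorted[i].Packages) != len(sorted[j].Packages) {
			return len(sorted[i].Packages) > len(sorted[j].Packages)
		}
		return sorted[i].ID < sorted[j].ID
	})
	chosen := sorted[0]
	var ignored []string
	for _, o := range sorted[1:] {
		ignored = append(ignored, o.Packages...)
	}
	return chosen, ignored, true
}

// deterministic reports whether every rotation and the reversal of the input order
// selects the same OS, i.e. whether the result depends only on the content.
func deterministic(oses []osCandidate) bool {
	first, _, _ := selectMainOS(oses)
	n := len(oses)
	for shift := 0; shift < n; shift++ {
		rotated := append(append([]osCandidate{}, oses[shift:]...), oses[:shift]...)
		if got, _, _ := selectMainOS(rotated); got.ID != first.ID {
			return false
		}
	}
	reversed := make([]osCandidate, n)
	for i, o := range oses {
		reversed[n-1-i] = o
	}
	got, _, _ := selectMainOS(reversed)
	return got.ID == first.ID
}

// sampleCandidates returns constructed data: two OSes tie on package count, so the
// SPDXID tie-break decides ("SPDXRef-OS-debian" sorts before "SPDXRef-OS-ubuntu").
func sampleCandidates() []osCandidate {
	return []osCandidate{
		{ID: "SPDXRef-OS-ubuntu", Family: "ubuntu", Name: "22.04",
			Packages: []string{"libc6", "openssl", "bash"}},
		{ID: "SPDXRef-OS-alpine", Family: "alpine", Name: "3.19",
			Packages: []string{"musl", "busybox"}},
		{ID: "SPDXRef-OS-debian", Family: "debian", Name: "12",
			Packages: []string{"libc6", "zlib1g", "bash"}},
	}
}

func main() {
	chosen, ignored, _ := selectMainOS(sampleCandidates())
	fmt.Printf("main OS: %s (%s %s)\n", chosen.ID, chosen.Family, chosen.Name)
	fmt.Printf("ignored %d package(s) from other OSes: %v\n", len(ignored), ignored)
	fmt.Println("order-independent:", deterministic(sampleCandidates()))
}
```

With the constructed input, debian and ubuntu both carry three packages, so the SPDXID comparison selects debian regardless of the order in which the decoder encountered the OS nodes; alpine's two packages and ubuntu's three are returned as the packages to ignore.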

This PR is stale because it has been labeled with inactivity.

github-actions[bot] avatar Sep 03 '24 00:09 github-actions[bot]

This PR is stale because it has been labeled with inactivity.

github-actions[bot] avatar Nov 19 '24 00:11 github-actions[bot]

This PR is stale because it has been labeled with inactivity.

github-actions[bot] avatar Feb 09 '25 00:02 github-actions[bot]

This PR is stale because it has been labeled with inactivity.

github-actions[bot] avatar Jun 08 '25 00:06 github-actions[bot]