
fix(sbom): detect OS from `purl` if OS component not found

Open DmitriyLewen opened this issue 1 year ago • 3 comments

Description

Detect OS from purl if OS component not found. See #7073 for more details.

Discussed in https://github.com/aquasecurity/trivy/discussions/7073

DmitriyLewen, Jul 05 '24 07:07
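The fallback described in the issue, as an added example in Go that is not Trivy's own code: parse a minimal SPDX JSON document, prefer an explicit OPERATING-SYSTEM package, and otherwise infer the OS family and version from the purls of the packages. The purl conventions it relies on (an `apk` purl whose namespace is the distribution, and an optional `distro=<family>-<version>` qualifier) and the sample SBOM documents are assumptions constructed for the example, not files taken from a Wolfi image.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// Minimal view of an SPDX 2.3 JSON document: only the fields used below.
type spdxDoc struct {
	Packages []spdxPackage `json:"packages"`
}

type spdxPackage struct {
	Name                  string        `json:"name"`
	VersionInfo           string        `json:"versionInfo"`
	PrimaryPackagePurpose string        `json:"primaryPackagePurpose"`
	ExternalRefs          []externalRef `json:"externalRefs"`
}

type externalRef struct {
	ReferenceType    string `json:"referenceType"`
	ReferenceLocator string `json:"referenceLocator"`
}

// OS is a detected operating-system family and version.
type OS struct {
	Family  string
	Version string
}

// PurlOS infers the OS from a single purl. Assumption (not from the issue):
// apk purls name the distribution in the namespace (pkg:apk/wolfi/...) and may
// carry a "distro=<family>-<version>" qualifier with the release version.
func PurlOS(purl string) (OS, bool) {
	if !strings.HasPrefix(purl, "pkg:") {
		return OS{}, false
	}
	rest := strings.TrimPrefix(purl, "pkg:")
	query := ""
	if i := strings.IndexByte(rest, '?'); i >= 0 {
		rest, query = rest[:i], rest[i+1:]
	}
	parts := strings.SplitN(rest, "/", 3) // type / namespace / name@version
	if len(parts) < 3 || parts[0] != "apk" {
		return OS{}, false
	}
	ns := parts[1]
	if ns != "alpine" && ns != "wolfi" && ns != "chainguard" {
		return OS{}, false
	}
	res := OS{Family: ns}
	if q, err := url.ParseQuery(query); err == nil {
		if d := q.Get("distro"); strings.HasPrefix(d, ns+"-") {
			res.Version = strings.TrimPrefix(d, ns+"-")
		}
	}
	return res, true
}

// DetectOS returns the OS for an SPDX JSON SBOM. An explicit OPERATING-SYSTEM
// package wins; otherwise the purls are consulted, and the result is accepted
// only if every purl that names a distribution agrees on the family.
func DetectOS(sbom []byte) (OS, bool) {
	var doc spdxDoc
	if err := json.Unmarshal(sbom, &doc); err != nil {
		return OS{}, false
	}
	for _, p := range doc.Packages {
		if p.PrimaryPackagePurpose == "OPERATING-SYSTEM" {
			return OS{Family: strings.ToLower(p.Name), Version: p.VersionInfo}, true
		}
	}
	var found OS
	seen := false
	for _, p := range doc.Packages {
		for _, ref := range p.ExternalRefs {
			if ref.ReferenceType != "purl" {
				continue
			}
			cand, ok := PurlOS(ref.ReferenceLocator)
			if !ok {
				continue
			}
			switch {
			case !seen:
				found, seen = cand, true
			case cand.Family != found.Family:
				return OS{}, false // conflicting distributions: refuse to guess
			case found.Version == "" && cand.Version != "":
				found.Version = cand.Version
			}
		}
	}
	return found, seen
}

// Constructed sample modelled on a per-package SBOM with no OS component.
const SampleNoOS = `{"spdxVersion":"SPDX-2.3","packages":[{"name":"bash","versionInfo":"5.2.32-r2",
 "externalRefs":[{"referenceType":"purl",
  "referenceLocator":"pkg:apk/wolfi/bash@5.2.32-r2?arch=x86_64&distro=wolfi-20230201"}]}]}`

// Constructed sample with an explicit OS package, which takes precedence.
const SampleWithOS = `{"spdxVersion":"SPDX-2.3","packages":[
 {"name":"Alpine","versionInfo":"3.19.1","primaryPackagePurpose":"OPERATING-SYSTEM"},
 {"name":"busybox","versionInfo":"1.36.1-r10","externalRefs":[{"referenceType":"purl",
  "referenceLocator":"pkg:apk/alpine/busybox@1.36.1-r10?arch=x86_64"}]}]}`

func main() {
	for _, s := range []string{SampleNoOS, SampleWithOS} {
		res, ok := DetectOS([]byte(s))
		fmt.Printf("detected=%v family=%q version=%q\n", ok, res.Family, res.Version)
	}
}
```

The conflict check matters for the per-package SBOM layout seen in the log above: when several SBOM files are merged, a purl from a different distribution should not silently rewrite the detected OS, so the function returns no OS rather than the first one it saw.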

Any plan for when this issue will be fixed and released? I have the same problem when running trivy version 0.54.1 on a wolfi image and get the WARN [sbom] Ignore the OS package as no OS is detected.

2024-08-31T03:46:39-04:00       INFO    [vuln] Vulnerability scanning is enabled
2024-08-31T03:46:39-04:00       INFO    [secret] Secret scanning is enabled
2024-08-31T03:46:39-04:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-31T03:46:39-04:00       INFO    [secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-31T03:46:44-04:00       WARN    [sbom] Ignore the OS package as no OS is detected.      file_path="var/lib/db/sbom/apk-tools-2.14.4-r0.spdx.json"
2024-08-31T03:46:44-04:00       WARN    [sbom] Ignore the OS package as no OS is detected.      file_path="var/lib/db/sbom/bash-5.2.32-r2.spdx.json"
2024-08-31T03:46:44-04:00       WARN    [sbom] Ignore the OS package as no OS is detected.      file_path="var/lib/db/sbom/busybox-1.36.1-r10.spdx.json"
2024-08-31T03:46:44-04:00       WARN    [sbom] Ignore the OS package as no OS is detected.      file_path="var/lib/db/sbom/docker-cli-27.2.0-r0.spdx.json"
2024-08-31T03:46:44-04:00       WARN    [sbom] Ignore the OS package as no OS is detected.      file_path="var/lib/db/sbom/ca-certificates-bundle-20240705-r0.spdx.json"
2024-08-31T03:46:44-04:00       WARN    [sbom] Ignore the OS package as no OS is detected.      file_path="var/lib/db/sbom/git-2.46.0-r2.spdx.json"
2024-08-31T03:46:44-04:00       WARN    [sbom] Ignore the OS package as no OS is detected.      file_path="var/lib/db/sbom/glibc-locale-posix-2.40-r1.spdx.json"
2024-08-31T03:46:44-04:00       WARN    [sbom] Ignore the OS package as no OS is detected.      file_path="var/lib/db/sbom/glibc-2.40-r1.spdx.json"
2024-08-31T03:46:44-04:00       WARN    [sbom] Ignore the OS package as no OS is detected.      file_path="var/lib/db/sbom/ld-linux-2.40-r1.spdx.json"
2024-08-31T03:46:44-04:00       WARN    [sbom] Ignore the OS package as no OS is detected.      file_path="var/lib/db/sbom/libbrotlicommon1-1.1.0-r4.spdx.json"
2024-08-31T03:46:44-04:00       WARN    [sbom] Ignore the OS package as no OS is detected.      file_path="var/lib/db/sbom/libbrotlidec1-1.1.0-r4.spdx.json"
2024-08-31T03:46:44-04:00       WARN    [sbom] Ignore the OS package as no OS is detected.      file_path="var/lib/db/sbom/libcrypt1-2.40-r1.spdx.json"
2024-08-31T03:46:44-04:00       WARN    [sbom] Ignore the OS package as no OS is detected.      file_path="var/lib/db/sbom/libcrypto3-3.3.1-r5.spdx.json"
2024-08-31T03:46:44-04:00       WARN    [sbom] Ignore the OS package as no OS is detected.      file_path="var/lib/db/sbom/libcurl-openssl4-8.9.1-r3.spdx.json"
2024-08-31T03:46:44-04:00       WARN    [sbom] Ignore the OS package as no OS is detected.      file_path="var/lib/db/sbom/libidn2-2.3.7-r2.spdx.json"
2024-08-31T03:46:44-04:00       WARN    [sbom] Ignore the OS package as no OS is detected.      file_path="var/lib/db/sbom/libexpat1-2.6.2-r1.spdx.json"
2024-08-31T03:46:44-04:00       WARN    [sbom] Ignore the OS package as no OS is detected.      file_path="var/lib/db/sbom/libnghttp2-14-1.63.0-r0.spdx.json"
2024-08-31T03:46:44-04:00       WARN    [sbom] Ignore the OS package as no OS is detected.      file_path="var/lib/db/sbom/libpcre2-8-0-10.44-r1.spdx.json"
2024-08-31T03:46:44-04:00       WARN    [sbom] Ignore the OS package as no OS is detected.      file_path="var/lib/db/sbom/libpsl-0.21.5-r3.spdx.json"
2024-08-31T03:46:44-04:00       WARN    [sbom] Ignore the OS package as no OS is detected.      file_path="var/lib/db/sbom/libssl3-3.3.1-r5.spdx.json"
2024-08-31T03:46:44-04:00       WARN    [sbom] Ignore the OS package as no OS is detected.      file_path="var/lib/db/sbom/libunistring-1.2-r2.spdx.json"
2024-08-31T03:46:44-04:00       WARN    [sbom] Ignore the OS package as no OS is detected.      file_path="var/lib/db/sbom/libxcrypt-4.4.36-r7.spdx.json"
2024-08-31T03:46:44-04:00       WARN    [sbom] Ignore the OS package as no OS is detected.      file_path="var/lib/db/sbom/ncurses-6.5_p20240629-r0.spdx.json"
2024-08-31T03:46:44-04:00       WARN    [sbom] Ignore the OS package as no OS is detected.      file_path="var/lib/db/sbom/ncurses-terminfo-base-6.5_p20240629-r0.spdx.json"
2024-08-31T03:46:44-04:00       WARN    [sbom] Ignore the OS package as no OS is detected.      file_path="var/lib/db/sbom/wget-1.24.5-r4.spdx.json"
2024-08-31T03:46:44-04:00       WARN    [sbom] Ignore the OS package as no OS is detected.      file_path="var/lib/db/sbom/wolfi-baselayout-20230201-r15.spdx.json"
2024-08-31T03:46:44-04:00       WARN    [sbom] Ignore the OS package as no OS is detected.      file_path="var/lib/db/sbom/zlib-1.3.1-r4.spdx.json"
2024-08-31T03:46:46-04:00       INFO    [python] License acquired from METADATA classifiers may be subject to additional terms  name="pip" version="24.2"
2024-08-31T03:46:46-04:00       INFO    [python] License acquired from METADATA classifiers may be subject to additional terms  name="autocommand" version="2.2.2"
2024-08-31T03:46:46-04:00       INFO    [python] License acquired from METADATA classifiers may be subject to additional terms  name="typeguard" version="4.3.0"
2024-08-31T03:46:46-04:00       INFO    Detected OS     family="wolfi" version="20230201"
2024-08-31T03:46:46-04:00       INFO    [wolfi] Detecting vulnerabilities...    pkg_num=27
2024-08-31T03:46:46-04:00       INFO    Number of language-specific files       num=1
2024-08-31T03:46:46-04:00       INFO    [python-pkg] Detecting vulnerabilities...

<image>-wolfi (wolfi 20230201)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

josephlim75, Aug 31 '24 07:08

Just reran trivy scan today, seems like the WARN message is no longer showing.

josephlim75, Sep 01 '24 07:09

Hello @josephlim75

Just reran trivy scan today, seems like the WARN message is no longer showing.

I think you don't see warnings because Trivy takes the package list from the cache.

Any plan when this issue will be fixed and released ?

We have a delay in work - https://github.com/aquasecurity/trivy/discussions/7303

But as I already wrote in https://github.com/aquasecurity/trivy/pull/7101#issuecomment-2261893231 - wolfi images duplicate packages - that's why Trivy doesn't pass packages.

DmitriyLewen, Sep 02 '24 03:09