
fix(sbom): detect OS from `purl` if OS component not found

Open DmitriyLewen opened this issue 1 year ago • 11 comments

Description

There are cases when an SBOM file doesn't contain an OS component. To avoid missing OS packages, we can try to get the OS from the purl. More details - https://github.com/aquasecurity/trivy/discussions/7073#discussioncomment-9932362

Related issues

  • Close #7100

Checklist

  • [x] I've read the guidelines for contributing to this repository.
  • [x] I've followed the conventions in the PR title.
  • [x] I've added tests that prove my fix is effective or that my feature works.
  • [ ] I've updated the documentation with the relevant information (if needed).
  • [ ] I've added usage information (if the PR introduces new options)
  • [ ] I've included a "before" and "after" example to the description (if the PR is a user interface change).

DmitriyLewen avatar Jul 05 '24 07:07 DmitriyLewen
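The fallback the PR description proposes, shown as an added Go example that is not trivy's own code: OS family and release are derived from a purl's type, namespace and `distro` qualifier, and the list of OS purl types (`apk`, `deb`, `rpm`) and the name mapping are assumptions of this example, not trivy's logic.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

type OS struct {
	Family string // purl namespace, e.g. "alpine", "wolfi", "debian"
	Name   string // release, from the "distro" qualifier when present
}

// osFromPURL derives OS identity from one purl (pkg:type/namespace/name@version?qualifiers); ok is false when the purl carries none.
func osFromPURL(purl string) (o OS, ok bool) {
	if !strings.HasPrefix(purl, "pkg:") {
		return OS{}, false
	}
	pathAndQuery := strings.SplitN(strings.TrimPrefix(purl, "pkg:"), "?", 2)
	parts := strings.SplitN(pathAndQuery[0], "/", 3)
	if len(parts) < 3 { // an OS package purl needs type/namespace/name
		return OS{}, false
	}
	switch parts[0] { // assumption of this example: only these purl types name a distro
	case "apk", "deb", "rpm":
	default:
		return OS{}, false
	}
	o.Family = strings.ToLower(parts[1])
	if len(pathAndQuery) == 2 {
		qualifiers := strings.SplitN(pathAndQuery[1], "#", 2)[0] // drop any subpath
		if q, err := url.ParseQuery(qualifiers); err == nil {
			// distro=alpine-3.20.0 -> "3.20.0"; kept whole if the family prefix is absent
			o.Name = strings.TrimPrefix(q.Get("distro"), o.Family+"-")
		}
	}
	return o, true
}

// osFromSBOM returns the first OS identity among the purls: the fallback for an SBOM without an OS component.
func osFromSBOM(purls []string) (OS, bool) {
	for _, p := range purls {
		if o, ok := osFromPURL(p); ok {
			return o, true
		}
	}
	return OS{}, false
}

func main() { // constructed sample purls, not from any real SBOM
	fmt.Println(osFromSBOM([]string{"pkg:golang/github.com/spf13/cobra@v1.8.0",
		"pkg:apk/wolfi/glibc@2.39-r1?arch=x86_64&distro=wolfi-20230201"}))
}
```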

@DmitriyLewen thank you for creating this PR, I too am seeing a lot of warnings when scanning wolfi images.

Question unrelated to PR: For these warnings you mention in discussions/7073, is Trivy unable to scan the packages in the image, therefore being unable to report accurate vulnerability info for Wolfi images?

eshafaq1 avatar Jul 31 '24 23:07 eshafaq1

Hello @eshafaq1

is Trivy unable to scan the packages in the image therefore being unable to report accurate vulnerability info for Wolfi images?

Trivy detects the following packages from wolfi images:

  1. apk packages obtained from the lib/apk/db/installed file (default way to detect apk packages)
  2. packages from SBOM files (this PR for these packages).

IIUC packages from p1 and p2 are the same (duplicates). So you shouldn't have a problem, because Trivy correctly detects vulnerabilities for packages from p1.

DmitriyLewen avatar Aug 01 '24 03:08 DmitriyLewen

Hopefully @knqyf263 can get some time to review :)

eshafaq1 avatar Aug 08 '24 19:08 eshafaq1

This PR is stale because it has been labeled with inactivity.

github-actions[bot] avatar Oct 08 '24 00:10 github-actions[bot]

This PR is stale because it has been labeled with inactivity.

github-actions[bot] avatar Dec 08 '24 00:12 github-actions[bot]

is there anything we can do to move this forward?

tuananh avatar Dec 26 '24 03:12 tuananh

Hello @tuananh

Unfortunately, we are currently busy with more priority tasks.

Please be patient. As soon as we have time, we will return to this PR

Regards, Dmitriy

DmitriyLewen avatar Dec 26 '24 07:12 DmitriyLewen

This PR is stale because it has been labeled with inactivity.

github-actions[bot] avatar Feb 25 '25 00:02 github-actions[bot]

This PR is stale because it has been labeled with inactivity.

github-actions[bot] avatar Apr 27 '25 00:04 github-actions[bot]

@DmitriyLewen Do you all have time to prioritize this?

dalejrodriguez avatar May 15 '25 20:05 dalejrodriguez

Hello @dalejrodriguez

We don't have time for this task at the moment.

Release plans can be found here - https://github.com/aquasecurity/trivy/milestones

DmitriyLewen avatar May 16 '25 05:05 DmitriyLewen

It seems that I was mistaken. I had assumed that wolfi-base did not contain OS package information (like /etc/os-release) and that we would need to extract OS information from the SBOM. Based on that assumption, I suggested retrieving OS information from the PURL. However, I have since realized that wolfi-base does include /etc/os-release. In other words, as long as we can retrieve the package information, it's not necessary to get OS information from the SBOM. I have created a new PR. https://github.com/aquasecurity/trivy/pull/9034

knqyf263 avatar Jun 12 '25 11:06 knqyf263

Closed in favor of #9034.

DmitriyLewen avatar Jun 16 '25 04:06 DmitriyLewen