trivy generates CycloneDX boms with invalid MD5 hashes for certain rpms

[eredwine]

Description

go-rpmdb prior to last week was improperly removing all trailing 0 bytes from MD5 hashes. So c1e561f13d39aee443a1f00258fba000 became c1e561f13d39aee443a1f00258fba0. trivy should update the dependency so that MD5 hashes are correct.

I ran into this issue while trying to validate a CycloneDX bom generated by trivy. The Cyclone DX Spec requires that hashes be 32, 40, 64, 96 or 128 hexadecimal characters. But, since some MD5 hashes were truncated, the MD5 hashes were sometimes only 30 or 31 hexadecimal characters.

Desired Behavior

I expected the CycloneDX bom generated by Trivy to pass schema validation.

Actual Behavior

The CycloneDX bom generated by Trivy failed schema validation.

Reproduction Steps

1.trivy image redhat/ubi8:8.8-854 -o ubi8-bom.json --format cyclonedx
2.Check the length of the MD5 hash in the hashes section for the `libuuid` component. Confirm it is not 32 characters

Target

Container Image

Scanner

None

Output Format

CycloneDX

Mode

Standalone

Debug Output

trivy redhat/ubi8:8.8-854 -o ubi8-bom.json --format cyclonedx --debug
2023-10-16T16:42:10.547Z        DEBUG   ["cyclonedx" "spdx" "spdx-json" "github"] automatically enables '--list-all-pkgs'.
2023-10-16T16:42:10.550Z        DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-10-16T16:42:10.551Z        DEBUG   Ignore statuses {"statuses": null}
2023-10-16T16:42:10.552Z        INFO    "--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.
2023-10-16T16:42:10.557Z        DEBUG   cache dir:  /home/vagrant/.cache/trivy
2023-10-16T16:42:12.281Z        DEBUG   Image ID: sha256:817f060b4672f886292b297d96d2288dec751013210f35a4c89cd9499866e7a5
2023-10-16T16:42:12.282Z        DEBUG   Diff IDs: [sha256:486dcc5a5ac3b9d7452d24fdd0c8e1d6c1d452a5827276febe9f194ba2cb2992]
2023-10-16T16:42:12.282Z        DEBUG   Base Layers: []

Operating System

Rocky 8

Version

trivy --version
Version: 0.45.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-10-16 12:17:46.055483802 +0000 UTC
  NextUpdate: 2023-10-16 18:17:46.055483102 +0000 UTC
  DownloadedAt: 2023-10-16 16:39:16.539980556 +0000 UTC

Checklist

• Run trivy image --reset
• Read the troubleshooting

[knqyf263]

Thanks. Created #5390