NodeJS package-lock.json SBOM libraries list inconsistent

[OfirSandak]

Description

I want to report an issue related to Trivy filesystem scan when generating CycloneDX SBOM from package-lock.json. The problem arises when running the scan multiple times, as it returns different libraries with each run.

Upon investigation, the root cause of this inconsistency appears to be the presence of two instances of a library in package-lock.json, one with "dev": true and another without. The issue lies within the go-dep-parser package. In the Node.js npm parser, the dependencies map in package-lock.json is unmarshaled into a slice. During this process, any duplicate libraries are removed. However, the first instance of a library is kept after deduplication. Since the map unmarshaling is not in order, the first instance of the library can be either with or without "dev": true.

In the Trivy local scan, the dev libraries are removed at the excludeDevDeps function in pkg/scanner/local/scan.go. Consequently, this leads to different results for the same package-lock.json file.

Desired Behavior

Runs should be consistent, ensuring that libraries with an instance of "dev": false always supersede any instance with "dev": true.

Actual Behavior

The inconsistency arises because each run produces different results, depending on which library instance is first unmarshaled from the package-lock.json file

Reproduction Steps

Running this command:

trivy fs --scanners license --license-full --license-confidence-level 0.4 --format cyclonedx package-lock.json

Example package-lock.json:
{
  "name": "store",
  "version": "1.13.0",
  "lockfileVersion": 1,
  "requires": true,
  "dependencies": {
    "rs": {
      "version": "3.0.0",
      "resolved": "https://someothersite.com/repository/rs-npm-group/rs/-/rs-3.0.0.tgz",
      "integrity": "sha512-EUAyP5UHU5hxF8VPT0LKfW8gjYLshq1DQIcneOX/pL/m2Alo+OYDQAJlHq+yseMP50Os2nHXOSic6Ss3vSQeyf4A==",
      "dev": true,
      "requires": {
        "readable-stream": "^3.0.1"
      },
      "dependencies": {
        "readable-stream": {
          "version": "3.6.0",
          "resolved": "https://someothersite.com/repository/ps-npm-group/readable-stream/-/readable-stream-3.6.0.tgz",
          "integrity": "sha512-BViHy7LKeVz4oNnkcLJ+lVSL6dvpiFeX6/d3oSH8zCW7UxP2oncdhk+vTGB143xuFjHS3deTgkKoXXymXqymiIdA==",
          "dev": true,
          "requires": {
            "inherits": "^2.0.3",
            "string_decoder": "^1.1.1",
            "util-deprecate": "^1.0.1"
          }
        },
        "safe-buffer": {
          "version": "5.2.0",
          "resolved": "https://someothersite.com/repository/ps-npm-group/safe-buffer/-/safe-buffer-5.2.0.tgz",
          "integrity": "sha512-fZEwUGbVV7kouZs1jCdMfLdt95hdIv0ZeHg6L7qPeciMZhsZ+/gdesW4wgTARkrFWEpspjEATAzUGPG8N2jJiwbg==",
          "dev": true
        },
        "string_decoder": {
          "version": "1.3.0",
          "resolved": "https://someothersite.com/repository/ps-npm-group/string_decoder/-/string_decoder-1.3.0.tgz",
          "integrity": "sha512-hkRX8U1WjJFd8LVDJ2yQ/wWgWxaopEsABU1XfkM8A+j0s+85JAGppt16cr1Whg6KIbb4okU6Mql6BOj+uup/wKeA==",
          "dev": true,
          "requires": {
            "safe-buffer": "~5.2.0"
          }
        }
      }
    },
    "sorted-union-stream": {
      "version": "2.1.3",
      "bundled": true,
      "dev": true,
      "requires": {
        "from2": "^1.3.0",
        "stream-iterate": "^1.1.0"
      },
      "dependencies": {
        "from2": {
          "version": "1.3.0",
          "bundled": true,
          "dev": true,
          "requires": {
            "inherits": "~2.0.1",
            "readable-stream": "~1.1.10"
          }
        },
        "isarray": {
          "version": "0.0.1",
          "bundled": true,
          "dev": true
        },
        "readable-stream": {
          "version": "1.1.14",
          "bundled": true,
          "dev": true,
          "requires": {
            "core-util-is": "~1.0.0",
            "inherits": "~2.0.1",
            "isarray": "0.0.1",
            "string_decoder": "~0.10.x"
          }
        },
        "string_decoder": {
          "version": "0.10.31",
          "bundled": true,
          "dev": true
        }
      }
    },
    "string_decoder": {
      "version": "0.10.31",
      "resolved": "https://somesite.com:4873/string_decoder/-/string_decoder-0.10.31.tgz",
      "integrity": "sha1-YuIDvEF2bGwoyfYfEfMB2rHFMS+pQ="
    }
  }
}

Sometimes the SBOM results with no library:

{
  "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:acc20020-5aa2-4697-99e4-9e6f5ae38d39",
  "version": 1,
  "metadata": {
    "timestamp": "2023-11-06T10:22:06+00:00",
    "tools": [
      {
        "vendor": "aquasecurity",
        "name": "trivy",
        "version": "0.44.1"
      }
    ],
    "component": {
      "bom-ref": "a8432caf-eb70-4d5c-8367-4ad4d511d9fb",
      "type": "application",
      "name": "package-lock.json",
      "properties": [
        {
          "name": "aquasecurity:trivy:SchemaVersion",
          "value": "2"
        }
      ]
    }
  },
  "components": [],
  "dependencies": [
    {
      "ref": "a8432caf-eb70-4d5c-8367-4ad4d511d9fb",
      "dependsOn": []
    }
  ],
  "vulnerabilities": []
}

Sometime with SBOM results containing string_decoder library:

{
  "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:9584412b-e641-4d28-b8bd-a3210fa912b2",
  "version": 1,
  "metadata": {
    "timestamp": "2023-11-06T10:22:05+00:00",
    "tools": [
      {
        "vendor": "aquasecurity",
        "name": "trivy",
        "version": "0.44.1"
      }
    ],
    "component": {
      "bom-ref": "6c4a5ce3-6c04-442d-8713-eeba498a987e",
      "type": "application",
      "name": "package-lock.json",
      "properties": [
        {
          "name": "aquasecurity:trivy:SchemaVersion",
          "value": "2"
        }
      ]
    }
  },
  "components": [
    {
      "bom-ref": "16c041e0-974a-401a-83e5-38fcaa4dea9f",
      "type": "application",
      "name": "package-lock.json",
      "properties": [
        {
          "name": "aquasecurity:trivy:Class",
          "value": "lang-pkgs"
        },
        {
          "name": "aquasecurity:trivy:Type",
          "value": "npm"
        }
      ]
    },
    {
      "bom-ref": "pkg:npm/[email protected]",
      "type": "library",
      "name": "string_decoder",
      "version": "0.10.31",
      "purl": "pkg:npm/[email protected]",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgID",
          "value": "[email protected]"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "npm"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "16c041e0-974a-401a-83e5-38fcaa4dea9f",
      "dependsOn": [
        "pkg:npm/[email protected]"
      ]
    },
    {
      "ref": "6c4a5ce3-6c04-442d-8713-eeba498a987e",
      "dependsOn": [
        "16c041e0-974a-401a-83e5-38fcaa4dea9f"
      ]
    },
    {
      "ref": "pkg:npm/[email protected]",
      "dependsOn": []
    }
  ],
  "vulnerabilities": []
}

Target

Filesystem

Scanner

None

Output Format

CycloneDX

Mode

Standalone

Debug Output

trivy fs --scanners license --license-full --license-confidence-level 0.4 --format cyclonedx package-lock.json --debug
2023-11-06T12:25:49.045+0200	DEBUG	["cyclonedx" "spdx" "spdx-json" "github"] automatically enables '--list-all-pkgs'.
2023-11-06T12:25:49.045+0200	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-11-06T12:25:49.046+0200	DEBUG	Ignore statuses	{"statuses": null}
2023-11-06T12:25:49.053+0200	DEBUG	cache dir:  /Users/osandak/Library/Caches/trivy
2023-11-06T12:25:49.053+0200	INFO	Full license scanning is enabled
2023-11-06T12:25:49.054+0200	DEBUG	Walk the file tree rooted at 'package-lock.json' in parallel
2023-11-06T12:25:49.055+0200	INFO	To collect the license information of packages in "package-lock.json", "npm install" needs to be performed beforehand
2023-11-06T12:25:49.055+0200	WARN	Cannot resolve the version: inherits@^2.0.3
2023-11-06T12:25:49.055+0200	WARN	Cannot resolve the version: util-deprecate@^1.0.1
2023-11-06T12:25:49.055+0200	WARN	Cannot resolve the version: stream-iterate@^1.1.0
2023-11-06T12:25:49.055+0200	WARN	Cannot resolve the version: inherits@~2.0.1
2023-11-06T12:25:49.055+0200	WARN	Cannot resolve the version: inherits@~2.0.1
2023-11-06T12:25:49.055+0200	WARN	Cannot resolve the version: core-util-is@~1.0.0
2023-11-06T12:25:49.062+0200	DEBUG	OS is not detected.
{
  "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:0da5a52d-74ed-41a5-9e7e-dd865bc6ab74",
  "version": 1,
  "metadata": {
    "timestamp": "2023-11-06T10:25:49+00:00",
    "tools": [
      {
        "vendor": "aquasecurity",
        "name": "trivy",
        "version": "0.44.1"
      }
    ],
    "component": {
      "bom-ref": "a9f6856e-a0b0-439f-9825-e64ede1ba7d8",
      "type": "application",
      "name": "package-lock.json",
      "properties": [
        {
          "name": "aquasecurity:trivy:SchemaVersion",
          "value": "2"
        }
      ]
    }
  },
  "components": [],
  "dependencies": [
    {
      "ref": "a9f6856e-a0b0-439f-9825-e64ede1ba7d8",
      "dependsOn": []
    }
  ],
  "vulnerabilities": []
}

Operating System

macOS 13.6

Version

trivy --version
Version: 0.44.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-11-01 06:23:05.358944701 +0000 UTC
  NextUpdate: 2023-11-01 12:23:05.358944401 +0000 UTC
  DownloadedAt: 2023-11-01 10:33:08.688297 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-11-05 01:04:21.6435653 +0000 UTC
  NextUpdate: 2023-11-08 01:04:21.6435647 +0000 UTC
  DownloadedAt: 2023-11-05 10:39:11.828838 +0000 UTC

Checklist

• Run trivy image --reset
• Read the troubleshooting

[DmitriyLewen]

Hello @OfirSandak
Thanks for your report and great investigation!

I created #5532 for this issue.

Regards, Dmitriy