bug(report): Trivy duplicates packages if the image contains a package and an SBOM file with that package

[DmitriyLewen]

Discussed in #6204

^{Originally posted by juan131 February 26, 2024}

Description

Scanning to report SBOM (trivy image --format spdx-json ...) include duplicated app libraries when they're detected during analysis twice (e.g. it was both detected with "jar" analyzer and "sbom" analyzer).

Desired Behavior

Libraries shouldn't be included twice in the SPDX output.

Actual Behavior

Libraries are duplicated when scanning certain images.

Reproduction Steps

1. Run trivy image --format spdx-json --output sbom.json bitnami/postgresql:15.5.0-debian-11-r21
2. Inspect sbom.json (e.g. execute: cat sbom.json | jq -r '.packages[] | select(.name == "org.postgresql:pljava")') to find duplicates

The library is detected twice due to the "jar" analyzer + the "bitnami" analyzer based on the .spdx-postgresql.spdx included in the container image.

Target

Container Image

Scanner

None

Output Format

SPDX

Mode

Standalone

Debug Output

It adds no value

Operating System

macOS sonoma

Version

$ trivy --version
Version: 0.49.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-01-09 12:13:28.274214364 +0000 UTC
  NextUpdate: 2024-01-09 18:13:28.274214053 +0000 UTC
  DownloadedAt: 2024-01-09 15:56:37.96018 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-02-26 05:38:21.591482531 +0000 UTC
  NextUpdate: 2024-02-29 05:38:21.591482331 +0000 UTC
  DownloadedAt: 2024-02-26 11:17:18.334661 +0000 UTC

Checklist

• Run trivy image --reset
• Read the troubleshooting

[itaysk]

@DmitriyLewen what was the conclusion here?

[DmitriyLewen]

I hastened to open the issue and closed it almost immediately.

These were not duplicates.
Packages use different file paths - #6208 (comment)