
"Multiple types of OS packages in SBOM are not supported (["rpm" "deb"])" #6581

Closed

erinmcgill opened this issue Apr 29, 2024 Discussed in #6489 · 1 comment

@erinmcgill

Discussed in #6489

Originally posted by erinmcgill April 12, 2024

Description

We are using cyclonedx cdxgen to generate our SBOMs (this includes our code package and any Dockerfiles included there) and using trivy to scan for vulnerabilities using the command:
`trivy sbom -f json --output software-dependency-findings.json bom.json`

Trivy is failing with the error:
2024-04-12T16:39:06.688Z FATAL sbom scan error: scan error: scan failed: failed analysis: SBOM decode error: failed to decode: failed to parse sbom: failed to aggregate packages: multiple types of OS packages in SBOM are not supported (["rpm" "deb"])

Our package includes a Dockerfile that uses "postgres:14.1-alpine", whose layers contain a lot of bom-ref references of the form `"bom-ref": "pkg:rpm...`, and another container whose references are of the form `"purl": "pkg:deb...`.

Our tool supports many different teams and code bases so it needs to be flexible.

Are there any suggestions on how to go about supporting this package and others like it with trivy? I'm just looking for some guidance on how to navigate this issue.

Desired Behavior

Trivy will work as expected without error

Actual Behavior

Trivy is failing with the error:
2024-04-12T16:39:06.688Z FATAL sbom scan error: scan error: scan failed: failed analysis: SBOM decode error: failed to decode: failed to parse sbom: failed to aggregate packages: multiple types of OS packages in SBOM are not supported (["rpm" "deb"])

Reproduction Steps

1. Run cdxgen to generate an SBOM on a package that includes multiple different container images
2. Run `trivy sbom -f json --output software-dependency-findings.json bom.json` on the generated SBOM file

Target

SBOM

Scanner

Vulnerability

Output Format

JSON

Mode

Standalone

Debug Output

2024-04-12T17:41:18.539-0400	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-04-12T17:41:18.539-0400	DEBUG	Ignore statuses	{"statuses": null}
2024-04-12T17:41:18.546-0400	DEBUG	cache dir:  /Users/erinmc/Library/Caches/trivy
2024-04-12T17:41:18.546-0400	DEBUG	DB update was skipped because the local DB is the latest
2024-04-12T17:41:18.546-0400	DEBUG	DB Schema: 2, UpdatedAt: 2024-04-12 18:10:50.275607572 +0000 UTC, NextUpdate: 2024-04-13 00:10:50.275607411 +0000 UTC, DownloadedAt: 2024-04-12 21:19:19.260021 +0000 UTC
2024-04-12T17:41:18.547-0400	INFO	Vulnerability scanning is enabled
2024-04-12T17:41:18.547-0400	DEBUG	Vulnerability type:  [os library]
2024-04-12T17:41:18.547-0400	DEBUG	Enabling misconfiguration scanners: []
2024-04-12T17:41:18.574-0400	INFO	Detected SBOM format: cyclonedx-json
2024-04-12T17:41:18.598-0400	DEBUG	Unmarshaling CycloneDX JSON...
2024-04-12T17:41:18.640-0400	WARN	Third-party SBOM may lead to inaccurate vulnerability detection
2024-04-12T17:41:18.640-0400	WARN	Recommend using Trivy to generate SBOMs
2024-04-12T17:41:18.649-0400	FATAL	sbom scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.Run
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:441
  - scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:269
  - scan failed:
    github.com/aquasecurity/trivy/pkg/commands/artifact.scan
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:706
  - failed analysis:
    github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact
        /home/runner/work/trivy/trivy/pkg/scanner/scan.go:148
  - SBOM decode error:
    github.com/aquasecurity/trivy/pkg/fanal/artifact/sbom.Artifact.Inspect
        /home/runner/work/trivy/trivy/pkg/fanal/artifact/sbom/sbom.go:55
  - failed to decode:
    github.com/aquasecurity/trivy/pkg/sbom.Decode
        /home/runner/work/trivy/trivy/pkg/sbom/sbom.go:225
  - failed to parse sbom:
    github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*BOM).UnmarshalJSON
        /home/runner/work/trivy/trivy/pkg/sbom/cyclonedx/unmarshal.go:60
  - failed to aggregate packages:
    github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*BOM).parseSBOM
        /home/runner/work/trivy/trivy/pkg/sbom/cyclonedx/unmarshal.go:147
  - multiple types of OS packages in SBOM are not supported (["rpm" "deb"]):
    github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.aggregatePkgs
        /home/runner/work/trivy/trivy/pkg/sbom/cyclonedx/unmarshal.go:303

Operating System

Codebuild Ubuntu standard:7.0

Version

v0.49.0


@github-actions github-actions bot closed this as not planned Apr 29, 2024
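
The error above comes from Trivy's CycloneDX decoder refusing to aggregate OS packages from more than one ecosystem into a single scan target. One practical workaround while the SBOM contains several container images is to split it into one SBOM per OS ecosystem and scan each part. The script below is an added example written for this page; it is not Trivy's code and not the reporter's tooling. It assumes that the package-URL types `rpm`, `deb` and `apk` are the ones Trivy classifies as OS packages, that cdxgen nests an image's packages under the image component (as the reporter's "layers" description suggests), and it uses a small constructed BOM rather than the reporter's actual `bom.json`.

```python
"""Split a CycloneDX JSON SBOM that mixes OS package ecosystems into one SBOM
per ecosystem, so each part can be scanned with `trivy sbom` separately.
Added example, not part of the Trivy project or of the reporter's tooling."""
import copy
import json
from typing import Dict, Iterable, Iterator, List, Optional, Set

# Assumption: these Package-URL types are the ones Trivy treats as OS packages.
OS_PURL_TYPES = {"rpm", "deb", "apk"}


def purl_type(purl: Optional[str]) -> Optional[str]:
    """Type segment of a Package URL: "pkg:deb/debian/libc6@2.36" -> "deb"."""
    if not purl or not purl.startswith("pkg:"):
        return None
    return purl[len("pkg:"):].split("/", 1)[0].lower() or None


def walk_components(components: Iterable[dict]) -> Iterator[dict]:
    """Yield every component, descending into nested components (assumed
    layout: cdxgen puts an image's packages under the image component)."""
    for comp in components or []:
        yield comp
        yield from walk_components(comp.get("components", []))


def os_package_types(bom: dict) -> Set[str]:
    """OS ecosystems referenced anywhere in the BOM, e.g. {"rpm", "deb"}."""
    return {t for c in walk_components(bom.get("components", []))
            if (t := purl_type(c.get("purl"))) in OS_PURL_TYPES}


def _keep_only(components: List[dict], keep: str) -> List[dict]:
    """Copy the component tree, dropping OS packages not belonging to `keep`."""
    kept = []
    for comp in components or []:
        t = purl_type(comp.get("purl"))
        if t in OS_PURL_TYPES and t != keep:
            continue
        new = dict(comp)
        if "components" in comp:
            new["components"] = _keep_only(comp["components"], keep)
        kept.append(new)
    return kept


def split_by_os_type(bom: dict) -> Dict[str, dict]:
    """Return {ecosystem: bom}. Non-OS components (language libraries, container
    and application nodes) stay in every part; dependency edges that point at a
    dropped component are pruned so each part remains a consistent graph."""
    types = os_package_types(bom)
    if len(types) <= 1:
        return {next(iter(types), "all"): bom}  # nothing to split
    parts = {}
    for t in sorted(types):
        part = copy.deepcopy(bom)
        part["components"] = _keep_only(bom.get("components", []), t)
        refs = {c["bom-ref"] for c in walk_components(part["components"]) if "bom-ref" in c}
        root = bom.get("metadata", {}).get("component", {}).get("bom-ref")
        if root:
            refs.add(root)
        part["dependencies"] = [
            {**d, "dependsOn": [r for r in d.get("dependsOn", []) if r in refs]}
            for d in bom.get("dependencies", []) if d.get("ref") in refs
        ]
        parts[t] = part
    return parts


def write_parts(parts: Dict[str, dict], prefix: str = "bom") -> List[str]:
    """Write each part to <prefix>-<ecosystem>.json; return the file names."""
    names = []
    for t, part in parts.items():
        name = f"{prefix}-{t}.json"
        with open(name, "w", encoding="utf-8") as fh:
            json.dump(part, fh, indent=2)
        names.append(name)
    return names


# Constructed sample (not the reporter's bom.json): an rpm-based and a deb-based
# image plus one Python library, all under a single application root.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app", "name": "app", "type": "application"}},
    "components": [
        {"bom-ref": "pkg:pypi/requests@2.31.0", "purl": "pkg:pypi/requests@2.31.0",
         "name": "requests", "version": "2.31.0", "type": "library"},
        {"bom-ref": "image-a", "name": "image-a", "type": "container", "components": [
            {"bom-ref": "pkg:rpm/rhel/glibc@2.34", "purl": "pkg:rpm/rhel/glibc@2.34",
             "name": "glibc", "version": "2.34", "type": "library"}]},
        {"bom-ref": "image-b", "name": "image-b", "type": "container", "components": [
            {"bom-ref": "pkg:deb/debian/libc6@2.36", "purl": "pkg:deb/debian/libc6@2.36",
             "name": "libc6", "version": "2.36", "type": "library"}]},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:pypi/requests@2.31.0", "image-a", "image-b"]},
        {"ref": "image-a", "dependsOn": ["pkg:rpm/rhel/glibc@2.34"]},
        {"ref": "image-b", "dependsOn": ["pkg:deb/debian/libc6@2.36"]},
        {"ref": "pkg:deb/debian/libc6@2.36", "dependsOn": []},
    ],
}

if __name__ == "__main__":
    import sys
    bom = json.load(open(sys.argv[1], encoding="utf-8")) if len(sys.argv) > 1 else SAMPLE_BOM
    print("OS package types:", sorted(os_package_types(bom)))
    print("wrote:", write_parts(split_by_os_type(bom)))
```

Run it as `python split_sbom.py bom.json` and then scan each output with the command from the issue, e.g. `trivy sbom -f json --output findings-deb.json bom-deb.json` and `trivy sbom -f json --output findings-rpm.json bom-rpm.json`. Each part contains exactly one OS ecosystem, which is the condition `aggregatePkgs` enforces. The findings then need to be merged downstream, and Trivy's warning that a third-party SBOM may lead to inaccurate detection still applies to every part.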