Support scanning SBOMs generated with CycloneDX Maven Plugin #4635

xyloman · 2023-06-14T17:05:01Z

xyloman
Jun 14, 2023

Description

The CycloneDX Maven Plugin can generate an extremely rich SBOM including accurate depends on information as well as licensing. I have created a test project that includes the maven plugin. After generating the bom.json I attempted to scan with trivy sbom and no vulnerabilities were detected. Upon further inspection, the reason the vulnerabilities where not detected is the name on the component did not include the groupId.

      "publisher" : "Spring IO",
      "group" : "org.springframework",
      "name" : "spring-web",
      "version" : "5.3.22",
      "description" : "Spring Web",
      "scope" : "required",

Would turn up no vulnerabilities however, modifying the name key to org.springframework:spring-web would result in vulnerability detection in trivy. Is this expected behavior?

Reproduction steps:

git clone https://github.com/xyloman/tanzu-java-web-app.git
./mvnw clean package
docker run -v $PWD:/workspace aquasec/trivy sbom workspace/target/bom.json

output:

2023-06-14T16:58:37.582Z        INFO    Detected SBOM format: cyclonedx-json
2023-06-14T16:58:37.594Z        WARN    Third-party SBOM may lead to inaccurate vulnerability detection
2023-06-14T16:58:37.594Z        WARN    Recommend using Trivy to generate SBOMs
2023-06-14T16:58:37.595Z        WARN    Ignore the OS package as no OS information is found.
2023-06-14T16:58:37.662Z        INFO    Number of language-specific files: 1
2023-06-14T16:58:37.662Z        INFO    Detecting jar vulnerabilities...

If I open the bom.json file and modify the name to org.springframework:spring-web the expected vulnerability is detected:

2023-06-14T17:02:58.540Z        INFO    Detected SBOM format: cyclonedx-json
2023-06-14T17:02:58.559Z        WARN    Third-party SBOM may lead to inaccurate vulnerability detection
2023-06-14T17:02:58.559Z        WARN    Recommend using Trivy to generate SBOMs
2023-06-14T17:02:58.560Z        WARN    Ignore the OS package as no OS information is found.
2023-06-14T17:02:58.606Z        INFO    Number of language-specific files: 1
2023-06-14T17:02:58.606Z        INFO    Detecting jar vulnerabilities...

Java (jar)
==========
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)

┌────────────────────────────────┬──────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────┐
│            Library             │  Vulnerability   │ Severity │ Installed Version │ Fixed Version │                          Title                          │
├────────────────────────────────┼──────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────┤
│ org.springframework:spring-web │ CVE-2016-1000027 │ CRITICAL │ 5.3.22            │ 6.0.0         │ spring: HttpInvokerServiceExporter readRemoteInvocation │
│                                │                  │          │                   │               │ method untrusted java deserialization                   │
│                                │                  │          │                   │               │ https://avd.aquasec.com/nvd/cve-2016-1000027            │
└────────────────────────────────┴──────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────┘

It appears that the maven plugin places the group information in a field called group instead of combining it in the name.

Target

Filesystem

Scanner

Vulnerability

knqyf263 · 2023-06-15T03:09:37Z

knqyf263
Jun 15, 2023
Maintainer

Isn't PURL included in the SBOM?

3 replies

xyloman Jun 15, 2023
Author

Yes the component section for spring-web is the following:

    {
      "publisher" : "Spring IO",
      "group" : "org.springframework",
      "name" : "spring-web",
      "version" : "5.3.22",
      "description" : "Spring Web",
      "scope" : "required",
      "hashes" : [
        {
          "alg" : "MD5",
          "content" : "6096e895ba3cd63edbf3aa2ee21b84a9"
        },
        {
          "alg" : "SHA-1",
          "content" : "fdab9b8d8df2e6a8fb90f2481c361bcf2c129567"
        },
        {
          "alg" : "SHA-256",
          "content" : "d201925a5f619a5f51107ed07043a847c645773165c954bc34fa5983fa043f1f"
        },
        {
          "alg" : "SHA-512",
          "content" : "c56a00c97d3b5c432cea48d3e794eb0d3999d6c6439d70b13365db623c41c7ab9ce065bb58388bd38572a6ba54bbf357793e520de0a07dcb42967e4e167e5b4c"
        },
        {
          "alg" : "SHA-384",
          "content" : "d47ed3e83dea9006de8940cae1b440597a7cd869532e057f19e75e4bdca5653f10b9de0213665bdeb6286cac64a7c852"
        },
        {
          "alg" : "SHA3-384",
          "content" : "ed323b4a5de35d92ed413d86a4eded4f133dbff4da548e2e34e98f6abd56c53141887c50ed024c0f45b5e48d7937621a"
        },
        {
          "alg" : "SHA3-256",
          "content" : "1b45711721eec8e6a3ba4b208652837db29ffa95eca667b94c9e07a48694607c"
        },
        {
          "alg" : "SHA3-512",
          "content" : "f25311622862d97104aa8839d369bdf9066890e514412ea03865674559a4e1081a652606c786d44a4cd4645d5fba4022d3f10afdddc4607164cfd579165c303a"
        }
      ],
      "licenses" : [
        {
          "license" : {
            "id" : "Apache-2.0"
          }
        }
      ],
      "purl" : "pkg:maven/org.springframework/spring-web@5.3.22?type=jar",
      "externalReferences" : [
        {
          "type" : "website",
          "url" : "https://github.com/spring-projects/spring-framework"
        },
        {
          "type" : "issue-tracker",
          "url" : "https://github.com/spring-projects/spring-framework/issues"
        },
        {
          "type" : "vcs",
          "url" : "https://github.com/spring-projects/spring-framework"
        }
      ],
      "type" : "library",
      "bom-ref" : "pkg:maven/org.springframework/spring-web@5.3.22?type=jar"
    },

In this section, if I change the name to org.springframework:spring-web then vulnerabilities for that dependency are picked up.

Link to gist of a bom.json I generated earlier today.

knqyf263 Jun 19, 2023
Maintainer

Hmm. No idea why it doesn't work. @DmitriyLewen Can you please look into it?

DmitriyLewen Jun 19, 2023
Maintainer

Give me some time. I will check why this is happening.

DmitriyLewen · 2023-06-20T06:14:35Z

DmitriyLewen
Jun 20, 2023
Maintainer

I created #4675 for this task.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Support scanning SBOMs generated with CycloneDX Maven Plugin #4635

{{title}}

Replies: 2 comments 3 replies

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

Select a reply

Support scanning SBOMs generated with CycloneDX Maven Plugin #4635

xyloman Jun 14, 2023

Description

Target

Scanner

Replies: 2 comments · 3 replies

knqyf263 Jun 15, 2023 Maintainer

xyloman Jun 15, 2023 Author

knqyf263 Jun 19, 2023 Maintainer

DmitriyLewen Jun 19, 2023 Maintainer

DmitriyLewen Jun 20, 2023 Maintainer

xyloman
Jun 14, 2023

Replies: 2 comments 3 replies

knqyf263
Jun 15, 2023
Maintainer

xyloman Jun 15, 2023
Author

knqyf263 Jun 19, 2023
Maintainer

DmitriyLewen Jun 19, 2023
Maintainer

DmitriyLewen
Jun 20, 2023
Maintainer