There's no result if SBOM file doesn't contain fields "group" and "name" in package info of JAVA projects

[jet-pentest]

Description

If another SCA generates CycloneDX file, it may does not have fields like "group" and "name" in SBOM file. As example, an Dependency Track. There's problem in handling SBOM files, where Trivy trying to get data from specific SBOM fields, but not from "purl" field of SBOM (CycloneDX-json) file.

Desired Behavior

Handle CycloneDX file by Trivy and get results from Trivy DB

Actual Behavior

There's no data in output

Reproduction Steps

1. Export SBOM file from Dependency-Track of any JAVA project
2. use command: trivy sbom /path/to/sbom
3. There's no result from Trivy

Target

SBOM

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Debug Output

trivy sbom ~/Downloads/46459183-159f-44ab-aa61-76e9bf357475-inventory.cdx.json --debug
2023-09-08T12:28:13.972+0300	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-09-08T12:28:13.973+0300	DEBUG	Ignore statuses	{"statuses": null}
2023-09-08T12:28:13.988+0300	DEBUG	cache dir:  /Users/mrd0x1/Library/Caches/trivy
2023-09-08T12:28:13.989+0300	DEBUG	DB update was skipped because the local DB is the latest
2023-09-08T12:28:13.989+0300	DEBUG	DB Schema: 2, UpdatedAt: 2023-09-08 06:13:44.569861282 +0000 UTC, NextUpdate: 2023-09-08 12:13:44.569860682 +0000 UTC, DownloadedAt: 2023-09-08 08:46:38.199129 +0000 UTC
2023-09-08T12:28:13.989+0300	INFO	Vulnerability scanning is enabled
2023-09-08T12:28:13.989+0300	DEBUG	Vulnerability type:  [os library]
2023-09-08T12:28:13.990+0300	INFO	Detected SBOM format: cyclonedx-json
2023-09-08T12:28:13.991+0300	DEBUG	Unmarshaling CycloneDX JSON...
2023-09-08T12:28:13.992+0300	WARN	Third-party SBOM may lead to inaccurate vulnerability detection
2023-09-08T12:28:13.992+0300	WARN	Recommend using Trivy to generate SBOMs
2023-09-08T12:28:13.992+0300	WARN	Ignore the OS package as no OS information is found.
2023-09-08T12:28:14.009+0300	DEBUG	OS is not detected.
2023-09-08T12:28:14.009+0300	DEBUG	Detected OS: unknown
2023-09-08T12:28:14.009+0300	INFO	Number of language-specific files: 1
2023-09-08T12:28:14.009+0300	INFO	Detecting jar vulnerabilities...
2023-09-08T12:28:14.009+0300	DEBUG	Detecting library vulnerabilities, type: jar, path:

Operating System

macOS Ventura 13.2.1

Version

trivy --version                                                               
Version: 0.44.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-09-08 06:13:44.569861282 +0000 UTC
  NextUpdate: 2023-09-08 12:13:44.569860682 +0000 UTC
  DownloadedAt: 2023-09-08 08:46:38.199129 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-09-05 00:51:11.124364807 +0000 UTC
  NextUpdate: 2023-09-08 00:51:11.124364307 +0000 UTC
  DownloadedAt: 2023-09-05 10:43:55.329515 +0000 UTC
Policy Bundle:
  Digest: sha256:acf1cb62a4ade75773ec3d265cc4d90160d285bbacaa7b6947a34830c1e45c5c
  DownloadedAt: 2023-08-07 14:28:23.20857 +0000 UTC

Checklist

• Run trivy image --reset
• Read the troubleshooting

[j1nka]

Is it possible to use and parse PURL in Java packages while unmarshalling istead onf Name and Group fields in BOM files?

[nikpivkin]

Hi @jet-pentest !

Have you manually added components to the Dependency Track or imported BOM and then exported?

[DmitriyLewen]

Fix has been added - #5154