Dart: Trivy incorrectly generates SBOM with version 0.0.0 for SDK dependencies

[bjoernbg]

Description

We are using trivy to generate SBOMs for our Dart/Flutter project.
Trivy incorrectly generates a dependency for flutter@0.0.0, ignoring the sdk setting.

Corresponding part of the pubspec.lock:

…
flutter:
    dependency: "direct main"
    description: flutter
    source: sdk
    version: "0.0.0"
…

As you can see it specifies source as sdk.

Further down in the pubspec.lock file there is more information on the sdk version:

sdks:
  dart: ">=2.15.1 <3.0.0"
  flutter: ">=2.8.0"

Desired Behavior

The generated SBOM should not contain the incorrect (but unfortunately valid) version 0.0.0.

Actual Behavior

The generated SBOM contains various sdk dependencies with version 0.0.0.

For context: We import these into our dependency tracking tool (DependencyTrack by OWASP). There we get matches for a critical CVE (CVE-2022-3095 (NVD)).

Reproduction Steps

Our project code is private, but the problem exists in any Flutter project.

You can reproduce the problem easily by running `trivy fs --format cyclonedx --output cyclonedx-sbom.json .` on this project: https://github.com/KhoaSuperman/findseat/blob/master/pubspec.lock

Target

None

Scanner

None

Output Format

CycloneDX

Mode

Standalone

Debug Output

➜ trivy fs --format cyclonedx --output cyclonedx-sbom.json . --debug
2024-01-22T16:18:47.383+0100	DEBUG	["cyclonedx" "spdx" "spdx-json" "github"] automatically enables '--list-all-pkgs'.
2024-01-22T16:18:47.383+0100	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-01-22T16:18:47.384+0100	INFO	"--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.
2024-01-22T16:18:47.396+0100	DEBUG	cache dir:  /Users/***redacted***/Library/Caches/trivy
2024-01-22T16:18:47.397+0100	DEBUG	Walk the file tree rooted at '.' in parallel
2024-01-22T16:18:47.411+0100	DEBUG	OS is not detected.

Operating System

macOS Sonoma, but also Linux Debian

Version

Version: 0.41.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-01-22 12:14:08.52989507 +0000 UTC
  NextUpdate: 2024-01-22 18:14:08.52989482 +0000 UTC
  DownloadedAt: 2024-01-22 14:38:03.56555 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-05-23 01:03:48.102319248 +0000 UTC
  NextUpdate: 2023-05-26 01:03:48.102318948 +0000 UTC
  DownloadedAt: 2023-05-23 14:01:30.5794 +0000 UTC
Policy Bundle:
  Digest: sha256:97988c6fc189faa28aa7fc2fc93fb2605c46d2f6ae4092a70e03697ba1d6e620
  DownloadedAt: 2023-05-09 14:38:22.449445 +0000 UTC

Checklist

• Run trivy image --reset
• Read the troubleshooting

[DmitriyLewen]

Hello @bjoernbg
Thanks for your report!

There doesn't seem to be any information in the dart project about using the flutter version (the pubspec.lock and pubspec.yaml files only use the required range).
I thought about searching for flutter version from filesystem, but looks like flutter is not using env with path to flutter folder (if i understand correctly flutter saves version in version file from git folder).

Therefore we can't correctly detect flutter version to overwrite sdk version.

If you have any ideas to detect flutter version - let us know and we will try to implement it.

In your case you can try to write module to use flutter version.
https://github.com/aquasecurity/trivy/tree/main/examples/module/spring4shell example is similar to your case (this example checks java version).

Regards, Dmitriy

[bjoernbg]

I absolutely agree. I think maybe the sdk versions should be excluded from the sbom alltogether, since it's not a perfectly pinned version (but neither is 0.0.0!). In Node projects the sbom (generated from package-lock.json) does not contain anything on the Nodejs version either.

We are just looking for a solution for the false positive we get for flutter@0.0.0 in the sbom generated by trivy. I thought it might be something that is of interest for you and maybe you did not notice this behavior. If there is no good fix we will probably just have to suppress the vulnerability findings.

Thanks for looking into this!!

[DmitriyLewen]

If you generate pub.spec, is the version range written?

new pubspec.yaml file (dart create command) contains version range:

root@6c3b2788c311:/app# cat app/pubspec.yaml 
name: app
description: A sample command-line application.
version: 1.0.0
# repository: https://github.com/my_org/my_repo

environment:
  sdk: ^3.2.5

# Add regular dependencies here.
dependencies:
  # path: ^1.8.0

dev_dependencies:
  lints: ^2.1.0
  test: ^1.24.0

Also i found that environment.sdk is required field - Omitting the SDK constraint is an error. When the pubspec has no SDK constraint, dart pub get fails with a message like the following: - https://dart.dev/tools/pub/pubspec#sdk-constraints

[knqyf263]

Sorry I wanted to say pubspec.lock, not pubspec.yaml. It makes sense pubspec.yaml has ranges as it is not a lock file.

[DmitriyLewen]

Both files are created by default for dart create command:

root@ab533c1cc0d4:/app/my_app# cat pubspec.yaml | grep sdk -A 1
  sdk: ^3.2.5

root@ab533c1cc0d4:/app/my_app# cat pubspec.lock | grep sdk -A 1
sdks:
  dart: ">=3.2.5 <4.0.0"

[knqyf263]

Interesting. Even pubspec.lock includes version ranges. I'm ok with showing the minimum version, as @bjoernbg suggested. We should show log messages about it.

[DmitriyLewen]

Created #6017 for this task.