SBOM scan fails on ":" package name

[Bah-bah]

Description

Hello!
I scan images in two steps. First, I create SBOM by running

OUTPUT=$(docker run -v /dir/app aquasec/trivy rootfs app/my-image-fs/ --format cyclonedx --scanners vuln -q)
echo "$OUTPUT" > my-image.cyclonedx

Next I scan this SBOM for vulnerabilities with

OUTPUT=$(docker run -v /dir:/app aquasec/trivy sbom app/my-image.cyclonedx --format json -q)
echo "$OUTPUT" > my-image-rootfs.json

All works great except for the case when image contains jar with empty groupId and artifactId in pom.properties like this:

#Created by Apache Maven 3.8.1
version=2.10.13
groupId=
artifactId=

In this case rootfs command creates such entry in SBOM:

    {
      "bom-ref": "pkg:maven/@2.10.13?file_path=app%2Flibs%2Fsome%2Fart%2F2.10.13%2Fart-2.10.13.jar",
      "type": "library",
      "name": ":",
      "version": "2.10.13",
      "purl": "pkg:maven/@2.10.13",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "jar"
        },
        {
          "name": "aquasecurity:trivy:FilePath",
          "value": "app/libs/some/art/2.10.13/art-2.10.13.jar"
        }
      ]
    }

And the second command fails with

FATAL	sbom scan error: scan error: scan failed: failed analysis: SBOM decode error: failed to decode: failed to parse sbom: failed to aggregate packages: failed to parse the component: failed to parse purl: failed to parse purl(pkg:maven/@2.10.13): name is required

Desired Behavior

Trivy scanning ignores such malformed packages.

Actual Behavior

Trivy fails scan process

Reproduction Steps

1. Create image with jar omitting groupId and artifactId in pom.properties
2. Create SBOM of this image
3. Scan it with "trivy sbom"

OR if creating SBOM of such images is correct and problem is in scanning, just use this minimal SBOM to reproduce:

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:c3e5c41d-06bc-4909-804a-a9455fcadbdf",
  "version": 1,
  "metadata": {
    "timestamp": "2024-02-09T07:48:15+00:00",
    "tools": [
      {
        "vendor": "aquasecurity",
        "name": "trivy",
        "version": "0.41.0"
      }
    ],
    "component": {
      "bom-ref": "fee5ab0b-e4a7-4e54-baa9-8ba039c6ed3e",
      "type": "application",
      "name": "/crpir9r3b0d6d6ma8u56",
      "properties": [
        {
          "name": "aquasecurity:trivy:SchemaVersion",
          "value": "2"
        }
      ]
    }
  },
  "components": [
    {
      "bom-ref": "067a4dea-306f-4d05-8bf5-bc650305592b",
      "type": "operating-system",
      "name": "amazon",
      "version": "2 (Karoo)",
      "properties": [
        {
          "name": "aquasecurity:trivy:Type",
          "value": "amazon"
        },
        {
          "name": "aquasecurity:trivy:Class",
          "value": "os-pkgs"
        }
      ]
    },
    {
      "bom-ref": "pkg:maven/?file_path=usr%2Flocal%2Ftomcat%2Fwebapps%2Fleaf%2FWEB-INF%2Flib%2Fsshj.jar",
      "type": "library",
      "name": ":",
      "purl": "pkg:maven/",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "jar"
        },
        {
          "name": "aquasecurity:trivy:FilePath",
          "value": "usr/local/tomcat/webapps/leaf/WEB-INF/lib/sshj.jar"
        }
      ]
    }
  ],
  "vulnerabilities": []
}

Target

None

Scanner

None

Output Format

None

Mode

None

Debug Output

$ docker run -v /Users/viktorlapin/IdeaProjects/registry:/app aquasec/trivy sbom app/fail.cyclonedx --format json -q -d
2024-02-16T09:48:53.419Z	FATAL	sbom scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.Run
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:441
  - scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:269
  - scan failed:
    github.com/aquasecurity/trivy/pkg/commands/artifact.scan
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:706
  - failed analysis:
    github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact
        /home/runner/work/trivy/trivy/pkg/scanner/scan.go:148
  - SBOM decode error:
    github.com/aquasecurity/trivy/pkg/fanal/artifact/sbom.Artifact.Inspect
        /home/runner/work/trivy/trivy/pkg/fanal/artifact/sbom/sbom.go:55
  - failed to decode:
    github.com/aquasecurity/trivy/pkg/sbom.Decode
        /home/runner/work/trivy/trivy/pkg/sbom/sbom.go:225
  - failed to parse sbom:
    github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*BOM).UnmarshalJSON
        /home/runner/work/trivy/trivy/pkg/sbom/cyclonedx/unmarshal.go:60
  - failed to aggregate packages:
    github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*BOM).parseSBOM
        /home/runner/work/trivy/trivy/pkg/sbom/cyclonedx/unmarshal.go:147
  - failed to parse the component:
    github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.aggregatePkgs
        /home/runner/work/trivy/trivy/pkg/sbom/cyclonedx/unmarshal.go:290
  - failed to parse purl:
    github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.toPackage
        /home/runner/work/trivy/trivy/pkg/sbom/cyclonedx/unmarshal.go:347
  - failed to parse purl(pkg:maven/):
    github.com/aquasecurity/trivy/pkg/purl.FromString
        /home/runner/work/trivy/trivy/pkg/purl/purl.go:54
  - purl is missing name

Operating System

macOS

Version

$ docker run aquasec/trivy --version
Version: 0.49.1

Checklist

• Run trivy image --reset
• Read the troubleshooting

[DmitriyLewen]

Hello @Bah-bah
Thanks for your report!

Can you share your app/libs/some/art/2.10.13/art-2.10.13.jar file.
It looks like this file uses incorrect pom.properties or MANIFEST.MF file.

Regards, Dmitriy

[Bah-bah]

In terms of correct jar-file, yes, it shouldn't exist. Nonetheless, I can create such jar and build an image with it (and I did it). And it is strange when SBOM of this image can be built but scanning of the SBOM fails with error. I'd expect scan to ignore malformed packages.

[DmitriyLewen]

And it is strange when SBOM of this image can be built but scanning of the SBOM fails with error

I believe this is the correct behavior.
CycloneDX docs say: The purl number, if specified, MUST be valid - https://cyclonedx.org/docs/1.5/json/#comComponents_items_purl.
Therefore we can say that this SBOM file is invalid and return an error.

I think the correct solution is to skip the information from the pom.properties file (if there are empty fields) when parsing the jar file.

[Bah-bah]

I agree. This solution looks fine.
Can it be achieved by Trivy's options? Or will this functionality be available in the next release?

[DmitriyLewen]

Can it be achieved by Trivy's options

unfortunately there is no such possibility

Or will this functionality be available in the next release?

#6164 has been merged.
Next release will include this fix.

[Bah-bah]

Awesome! Thanks a lot!

[DmitriyLewen]

fixed in #6164