Trivy SBOM versionInfo is Missing

[berke581]

Question

While generating a SBOM with spdx-json format (with the following command):
trivy image --format spdx-json --output result.json arangodb/arangodb:3.12.0

I've realised that some of the packages listed in the json does not have "versionInfo" property in them.

One of them is arangodb/arangodb:3.12.0 and its primaryPackagePurpose is CONTAINER, is this expected behavior?
(or the package named usr/bin/arangodb also doesn't have a version in it, its primaryPackagePurpose is APPLICATION)

Target

Container Image

Scanner

None

Output Format

JSON

Mode

Standalone

Operating System

Windows 10

Version

Version: 0.50.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-04-02 12:13:13.846333543 +0000 UTC
  NextUpdate: 2024-04-02 18:13:13.846332622 +0000 UTC
  DownloadedAt: 2024-04-02 13:57:28.7905175 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-04-03 00:49:16.22690439 +0000 UTC
  NextUpdate: 2024-04-06 00:49:16.226903949 +0000 UTC
  DownloadedAt: 2024-04-03 12:15:48.6544267 +0000 UTC

[berke581]

Also there are some packages that come with versionInfo as "(devel)", what could be the reason behind that?

[DmitriyLewen]

Go has go mod edit replace command. With this command you can replace any package to local package/fork/another repo.
For replaced packages Go shows (devel) version (./api- local directory,(devel)` -version):

➜ go version -m ./vault | grep github.com/hashicorp/vault/api -A 1
	dep	github.com/hashicorp/vault/api	v1.12.0
	=>	./api	(devel)	

(I've also noticed that some of these packages are installed with wget in Dockerfile RUN command)

It looks like that these RUN commands simply download Go binary.
Can you send me example of this?

Also, you said "Also (devel) is used for Go binary module name"
In your example, is Trivy a go binary module? What is the difference between go binary and go binary module?

go version -m shows info about binary and contains the following info:

• main package - e.g. Trivy (i names this as go binary module)
• used dependencies

Some info about check Go binaries itself - #1837

[berke581]

So we have a Dockerfile that looks something like this:

FROM internal_base_image

RUN
    # install Vault, K8S and AWS CLI
    && apt-get install -y curl unzip awscli jq \
    && wget https://github.com/minamijoyo/hcledit/releases/download/v${HCLEDIT}/hcledit_${HCLEDIT}_linux_amd64.tar.gz \
    && tar -xvzf hcledit_${HCLEDIT}_linux_amd64.tar.gz hcledit && mv ./hcledit ${BIN_FOLDER} && rm hcledit_${HCLEDIT}_linux_amd64.tar.gz \
    && wget https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/${YQ_BINARY} -O /usr/bin/yq && chmod +x /usr/bin/yq \
    # Install Vault CLI
    && curl "https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip" -o "vault.zip" \
    && unzip vault.zip \
    && mv vault /usr/bin && rm vault.zip \
    && vault version \
    # Install K8S CLI
    && wget https://dl.k8s.io/release/${K8S_CLIENT_VERSION}/bin/linux/amd64/kubectl -O $BIN_FOLDER/kubectl 

...

So there are packages that are like:
./api/auth/kubernetes
./staging/src/k8s.io/apimachinery

etc. And they have the version (devel), do you have an idea what might be the reason?

[DmitriyLewen]

I get error when trying to build an image from this Dockerfile.
Please create a test image(or correct Dockerfile) and send it to me - I will test these binaries.

Regards, Dmitriy

[berke581]

Sorry, that was just an example for showing what it looks like inside Dockerfile. The Dockerfile below should work and can be built, and (devel) versions can be seen when SBOM is generated.

FROM ubuntu:latest

USER root
# Variables 
ENV K8S_CLIENT_VERSION=v1.27.0
ENV BIN_FOLDER=/bin

RUN apt-get update
RUN apt-get install -y wget
RUN wget https://dl.k8s.io/release/${K8S_CLIENT_VERSION}/bin/linux/amd64/kubectl -O $BIN_FOLDER/kubectl \
    && chmod +x $BIN_FOLDER/kubectl && mkdir -p /.kube &&  chmod -R 0777 /.kube```

[DmitriyLewen]

kubectl uses replace in go.mod file:
bin from test image:

root@a28e52e90583:/# go version -m usr/bin/kubectl | grep "(devel)"
	mod	k8s.io/kubernetes	(devel)	
	=>	./staging/src/k8s.io/api	(devel)	
	=>	./staging/src/k8s.io/apimachinery	(devel)	
	=>	./staging/src/k8s.io/cli-runtime	(devel)	
	=>	./staging/src/k8s.io/client-go	(devel)	
	=>	./staging/src/k8s.io/component-base	(devel)	
	=>	./staging/src/k8s.io/component-helpers	(devel)	
	=>	./staging/src/k8s.io/kubectl	(devel)	
	=>	./staging/src/k8s.io/metrics	(devel)	

go mod file - https://github.com/kubernetes/kubectl/blob/2fb221ac99d54acc6a8654921d16f83f919782b7/go.mod#L96-L105

[kovacs-levent]

Could this be the same issue I reported yesterday? #6457

[kovacs-levent]

I did not... I found this on the release page of trivy, probably the entire root cause.
https://aquasecurity.github.io/trivy/v0.50/docs/scanner/vulnerability/

"Trivy doesn't support third-party/self-compiled packages/binaries, but official packages provided by vendors such as Red Hat and Debian." Could be related. We are thinking of moving away from trivy because of this.

[DmitriyLewen]

Could be related. For some packages I get versionInfo like "0.0.0". (But there is no 0.0.0 version of that package)

I have seen versions 0.0.0 in flutter packages (when the SDK version is used for the dependency).
We have #6239 for this task.

Let me know if you have any other issue.

[DmitriyLewen]

"Trivy doesn't support third-party/self-compiled packages/binaries, but official packages provided by vendors such as Red Hat and Debian.

Trivy supports Go binaries and Rust binaries built with cargo-auditable - https://aquasecurity.github.io/trivy/v0.50/docs/coverage/language/

[berke581]

So, I've just checked and some of our "0.0.0" versioned packages come from some base image:

pelias/pip-service:v2.5.0 has multiple packages that has versionInfo as "0.0.0", these packages are:

• @my-scope/package-a
• @my-scope/package-b
• github-from-package
• ljharb-monorepo-symlink-test
• mylib

Have you seen this before, what could be the reason?

[DmitriyLewen]

package.json files use 0.0.0 versions:

➜  6456 docker run -it --rm pelias/pip-service:v2.5.0 cat /code/pelias/pip-service/node_modules/resolve/test/resolver/nested_symlinks/mylib/package.json
{
  "name": "mylib",
  "version": "0.0.0",
  "description": "",
  "private": true,
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "keywords": [],
  "author": "",
  "license": "ISC",
  "dependencies": {
    "buffer": "*"
  }
}
➜  6456 docker run -it --rm pelias/pip-service:v2.5.0 cat /code/pelias/pip-service/node_modules/resolve/test/resolver/multirepo/package.json
{
  "name": "ljharb-monorepo-symlink-test",
  "private": true,
  "version": "0.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "postinstall": "lerna bootstrap",
    "test": "node packages/package-a"
  },
  "author": "",
  "license": "MIT",
  "dependencies": {
    "jquery": "^3.3.1",
    "resolve": "../../../"
  },
  "devDependencies": {
    "lerna": "^3.4.3"
  }
}

[DmitriyLewen]

Hello @berke581
Thanks for your report!

(or the package named usr/bin/arangodb also doesn't have a version in it, its primaryPackagePurpose is APPLICATION)

usr/bin/arangodb is Go binary.
Go binary doesn't contain module name:

➜  go version -m ./trivy                                           
./trivy: go1.22.1
        path    github.com/aquasecurity/trivy/cmd/trivy
        mod     github.com/aquasecurity/trivy   (devel) 

So we can't detect correct version. That is why versionInfo field is empty.

One of them is arangodb/arangodb:3.12.0 and its primaryPackagePurpose is CONTAINER, is this expected behavior?

The image tag' can be used for more than just versioning. This is why we don't include a tag in versionInfoand use the image name + tag in thename` field.

If you have other questions - please send component from your SBOM file with description of problem.

Best Regards, Dmitriy

[berke581]

As far as I understood, trivy uses go version command under the hood.

What did you mean by Go binary doesn't contain a module name?
Is it because "go version -m" command doesn't return it? (I'm not certain how Go Binaries work and what are their purpose)

[DmitriyLewen]

As far as I understood, trivy uses go version command under the hood.

right.

Sorry, it was a mistake. What I meant was that the Go binary does not contain a version of the Go binary.
take a looks #1837