
Duplicate entries in the affects field of vulnerabilities when outputting CycloneDX #3492

Closed
mathieu-lemay opened this issue Jan 27, 2023 · 1 comment · Fixed by #4776
kind/bug Categorizes issue or PR as related to a bug. priority/backlog Higher priority than priority/awaiting-more-evidence.

mathieu-lemay commented Jan 27, 2023

Description

SBOM scanning sometimes outputs the same package multiple times in the affects field of the vulnerabilities that were found. This goes against the CycloneDX spec, which specifies that the entries in that array must be unique. For reference: CycloneDX Spec

The issue can be reproduced easily with this input data:

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "components": [
    {
      "type": "library",
      "bom-ref": "pkg:golang/github.com/aws/aws-sdk-go@v1.44.171",
      "name": "github.com/aws/aws-sdk-go",
      "version": "v1.44.171",
      "scope": "required",
      "purl": "pkg:golang/github.com/aws/aws-sdk-go@v1.44.171"
    },
    {
      "type": "library",
      "bom-ref": "pkg:cargo/windows_x86_64_gnullvm@0.42.0",
      "name": "windows_x86_64_gnullvm",
      "version": "0.42.0",
      "scope": "required",
      "purl": "pkg:cargo/windows_x86_64_gnullvm@0.42.0"
    }
  ]
}

Interestingly, if I remove the pkg:cargo/windows_x86_64_gnullvm@0.42.0 package, the issue is not present anymore.

What did you expect to happen?

The list of packages affected by a vulnerability to contain unique items.

What happened instead?

The list of packages affected by a vulnerability contained duplicate entries.

Output of run with -debug:

2023-01-27T17:55:24.796-0500	DEBUG	["cyclonedx" "spdx" "spdx-json" "github"] automatically enables '--list-all-pkgs'.
2023-01-27T17:55:24.796-0500	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-01-27T17:55:24.796-0500	INFO	"--format cyclonedx" disables security checks. Specify "--security-checks vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.
2023-01-27T17:55:24.801-0500	DEBUG	cache dir:  /home/mathieu/.cache/trivy
2023-01-27T17:55:24.801-0500	DEBUG	DB update was skipped because the local DB is the latest
2023-01-27T17:55:24.801-0500	DEBUG	DB Schema: 2, UpdatedAt: 2023-01-27 18:08:53.106315009 +0000 UTC, NextUpdate: 2023-01-28 00:08:53.106314709 +0000 UTC, DownloadedAt: 2023-01-27 21:27:06.509780413 +0000 UTC
2023-01-27T17:55:24.801-0500	INFO	Vulnerability scanning is enabled
2023-01-27T17:55:24.801-0500	DEBUG	Vulnerability type:  [os library]
2023-01-27T17:55:24.801-0500	INFO	Detected SBOM format: cyclonedx-json
2023-01-27T17:55:24.801-0500	DEBUG	Unmarshaling CycloneDX JSON...
2023-01-27T17:55:24.802-0500	WARN	Third-party SBOM may lead to inaccurate vulnerability detection
2023-01-27T17:55:24.802-0500	WARN	Recommend using Trivy to generate SBOMs
2023-01-27T17:55:24.802-0500	WARN	Ignore the OS package as no OS information is found.
2023-01-27T17:55:24.806-0500	DEBUG	OS is not detected.
2023-01-27T17:55:24.806-0500	DEBUG	Detected OS: unknown
2023-01-27T17:55:24.806-0500	INFO	Number of language-specific files: 2
2023-01-27T17:55:24.806-0500	INFO	Detecting cargo vulnerabilities...
2023-01-27T17:55:24.806-0500	DEBUG	Detecting library vulnerabilities, type: cargo, path: 
2023-01-27T17:55:24.806-0500	INFO	Detecting gobinary vulnerabilities...
2023-01-27T17:55:24.806-0500	DEBUG	Detecting library vulnerabilities, type: gobinary, path: 
2023-01-27T17:55:24.811-0500	INFO	Components will not be exported in the CycloneDX report as the input is CycloneDX
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "metadata": {
    "timestamp": "2023-01-27T22:55:24+00:00",
    "tools": [
      {
        "vendor": "aquasecurity",
        "name": "trivy",
        "version": "0.36.1"
      }
    ],
    "component": {
      "type": "",
      "name": ""
    }
  },
  "vulnerabilities": [
    {
      "id": "CVE-2020-8912",
      "source": {
        "name": "go-vulndb",
        "url": "https://github.com/golang/vulndb"
      },
      "ratings": [
        {
          "source": {
            "name": "ghsa"
          },
          "score": 2.5,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 2.1,
          "severity": "info",
          "method": "CVSSv2",
          "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 2.5,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 2.5,
          "severity": "low",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"
        }
      ],
      "cwes": [
        327
      ],
      "description": "A vulnerability in the in-band key negotiation exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. An attacker with write access to the targeted bucket can change the encryption algorithm of an object in the bucket, which can then allow them to change AES-GCM to AES-CTR. Using this in combination with a decryption oracle can reveal the authentication key used by AES-GCM as decrypting the GMAC tag leaves the authentication key recoverable as an algebraic equation. It is recommended to update your SDK to V2 or later, and re-encrypt your files.",
      "advisories": [
        {
          "url": "https://access.redhat.com/security/cve/CVE-2020-8912"
        },
        {
          "url": "https://aws.amazon.com/blogs/developer/updates-to-the-amazon-s3-encryption-client/?s=09"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1869801"
        },
        {
          "url": "https://github.com/advisories/GHSA-7f33-f4f5-xwgw"
        },
        {
          "url": "https://github.com/aws/aws-sdk-go/commit/1e84382fa1c0086362b5a4b68e068d4f8518d40e"
        },
        {
          "url": "https://github.com/aws/aws-sdk-go/commit/ae9b9fd92af132cfd8d879809d8611825ba135f4"
        },
        {
          "url": "https://github.com/aws/aws-sdk-go/pull/3403"
        },
        {
          "url": "https://github.com/google/security-research/security/advisories/GHSA-7f33-f4f5-xwgw"
        },
        {
          "url": "https://github.com/sophieschmieg/exploits/tree/master/aws_s3_crypto_poc"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8912"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2022-0646"
        }
      ],
      "published": "2020-08-11T20:15:00+00:00",
      "updated": "2020-08-17T19:31:00+00:00",
      "affects": [
        {
          "ref": "pkg:golang/github.com/aws/aws-sdk-go@v1.44.171",
          "versions": [
            {
              "version": "v1.44.171",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:golang/github.com/aws/aws-sdk-go@v1.44.171",
          "versions": [
            {
              "version": "v1.44.171",
              "status": "affected"
            }
          ]
        }
      ]
    },
    {
      "id": "CVE-2020-8911",
      "source": {
        "name": "go-vulndb",
        "url": "https://github.com/golang/vulndb"
      },
      "ratings": [
        {
          "source": {
            "name": "ghsa"
          },
          "score": 5.6,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 2.1,
          "severity": "info",
          "method": "CVSSv2",
          "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 5.6,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 5.6,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"
        }
      ],
      "cwes": [
        327
      ],
      "description": "A padding oracle vulnerability exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. The SDK allows users to encrypt files with AES-CBC without computing a Message Authentication Code (MAC), which then allows an attacker who has write access to the target's S3 bucket and can observe whether or not an endpoint with access to the key can decrypt a file, they can reconstruct the plaintext with (on average) 128*length (plaintext) queries to the endpoint, by exploiting CBC's ability to manipulate the bytes of the next block and PKCS5 padding errors. It is recommended to update your SDK to V2 or later, and re-encrypt your files.",
      "advisories": [
        {
          "url": "https://access.redhat.com/security/cve/CVE-2020-8911"
        },
        {
          "url": "https://aws.amazon.com/blogs/developer/updates-to-the-amazon-s3-encryption-client/?s=09"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1869800"
        },
        {
          "url": "https://github.com/advisories/GHSA-f5pg-7wfw-84q9"
        },
        {
          "url": "https://github.com/aws/aws-sdk-go/commit/1e84382fa1c0086362b5a4b68e068d4f8518d40e"
        },
        {
          "url": "https://github.com/aws/aws-sdk-go/commit/ae9b9fd92af132cfd8d879809d8611825ba135f4"
        },
        {
          "url": "https://github.com/aws/aws-sdk-go/pull/3403"
        },
        {
          "url": "https://github.com/google/security-research/security/advisories/GHSA-f5pg-7wfw-84q9"
        },
        {
          "url": "https://github.com/sophieschmieg/exploits/tree/master/aws_s3_crypto_poc"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8911"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2022-0646"
        }
      ],
      "published": "2020-08-11T20:15:00+00:00",
      "updated": "2020-08-18T13:37:00+00:00",
      "affects": [
        {
          "ref": "pkg:golang/github.com/aws/aws-sdk-go@v1.44.171",
          "versions": [
            {
              "version": "v1.44.171",
              "status": "affected"
            }
          ]
        },
        {
          "ref": "pkg:golang/github.com/aws/aws-sdk-go@v1.44.171",
          "versions": [
            {
              "version": "v1.44.171",
              "status": "affected"
            }
          ]
        }
      ]
    }
  ]
}

Output of trivy -v:

Version: 0.36.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-01-27 18:08:53.106315009 +0000 UTC
  NextUpdate: 2023-01-28 00:08:53.106314709 +0000 UTC
  DownloadedAt: 2023-01-27 21:27:06.509780413 +0000 UTC

Additional details (base image name, container registry info...):

Edit: It seems that something is wrong when there are cargo packages involved. If I replace pkg:cargo/windows_x86_64_gnullvm@0.42.0 with pkg:cargo/ncurses@5.101.0 in the input, not only does the affects field still have duplicates, but now the vulnerabilities of pkg:golang/github.com/aws/aws-sdk-go@v1.44.171 are not reported anymore. Please note that all of this only happens when the format is set to CycloneDX. When using the json format, all vulnerabilities are reported as expected.
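A consumer-side check for the defect reported above, added here as an example and not code from the Trivy project: it flags any vulnerability whose affects array repeats a ref, and merges such entries by ref (keeping the union of their version entries). The embedded SBOM is a constructed fragment trimmed from the output quoted in this issue.

```python
import json
from collections import Counter

# Constructed sample, trimmed from the Trivy output quoted in this issue:
# one vulnerability whose "affects" array lists the same bom-ref twice.
SAMPLE_BOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "vulnerabilities": [
    {
      "id": "CVE-2020-8912",
      "affects": [
        {"ref": "pkg:golang/github.com/aws/aws-sdk-go@v1.44.171",
         "versions": [{"version": "v1.44.171", "status": "affected"}]},
        {"ref": "pkg:golang/github.com/aws/aws-sdk-go@v1.44.171",
         "versions": [{"version": "v1.44.171", "status": "affected"}]}
      ]
    }
  ]
}
""")


def find_duplicate_affects(bom):
    """Return {vulnerability id: [ref, ...]} for every ref that appears
    more than once in that vulnerability's "affects" array (spec violation)."""
    report = {}
    for vuln in bom.get("vulnerabilities", []):
        counts = Counter(entry.get("ref") for entry in vuln.get("affects", []))
        dupes = sorted(ref for ref, n in counts.items() if n > 1)
        if dupes:
            report[vuln.get("id")] = dupes
    return report


def dedupe_affects(bom):
    """Return a copy of the BOM in which each vulnerability's "affects"
    entries are merged by ref; version entries are kept without repeats."""
    fixed = json.loads(json.dumps(bom))  # deep copy; leave the input untouched
    for vuln in fixed.get("vulnerabilities", []):
        merged = {}
        for entry in vuln.get("affects", []):
            slot = merged.setdefault(entry.get("ref"), {"ref": entry.get("ref"), "versions": []})
            for ver in entry.get("versions", []):
                if ver not in slot["versions"]:
                    slot["versions"].append(ver)
        vuln["affects"] = list(merged.values())
    return fixed


if __name__ == "__main__":
    print(find_duplicate_affects(SAMPLE_BOM))
    print(json.dumps(dedupe_affects(SAMPLE_BOM)["vulnerabilities"][0]["affects"], indent=2))
```

Run it against a real Trivy CycloneDX report with `json.load(open(path))` in place of SAMPLE_BOM to confirm whether a given version still emits duplicates.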

@mathieu-lemay mathieu-lemay added the kind/bug Categorizes issue or PR as related to a bug. label Jan 27, 2023
@masahiro331 masahiro331 self-assigned this Feb 26, 2023

github-actions bot commented May 1, 2023

This issue is stale because it has been labeled with inactivity.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label May 1, 2023
@itaysk itaysk removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label May 1, 2023
@knqyf263 knqyf263 added the priority/backlog Higher priority than priority/awaiting-more-evidence. label May 8, 2023
@knqyf263 knqyf263 assigned DmitriyLewen and unassigned masahiro331 Jul 3, 2023
@knqyf263 knqyf263 added this to the v0.43.1 milestone Jul 3, 2023