Trivy produces CycloneDX SBOMs with duplicate components

[oatovar]

Description

If you generate an CycloneDX SBOM for the golang:1.22 image, you'll receive a lot of duplicate stdlib components instead of a single component.

Desired Behavior

As specified in the CycloneDX specification, all items must be unique. In this case the stdlib for Go 1.22.3 is the same regardless of the binary location, so it should only appear once with the same bom-ref.

Actual Behavior

The resulting CycloneDX SBOM will contain multiple entries for stdlib version 1.22.3.

Reproduction Steps

1. Scan the base Go 1.22 image with Trivy and output in `cyclonedx` format.


$ trivy image --format cyclonedx --output sbom.cdx.json golang:1.22
2024-05-15T12:22:57-04:00       INFO    "--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.
2024-05-15T12:23:00-04:00       INFO    [python] License acquired from METADATA classifiers may be subject to additional terms  name="mercurial" version="6.3.2"


2. Inspect the resulting SBOM and verify that there are multiple entries like the following:


    {
      "bom-ref": "08df9fa0-cbf2-408f-859c-9a023a0b3ca4",
      "type": "library",
      "name": "stdlib",
      "version": "1.22.3",
      "purl": "pkg:golang/[email protected]",
      "properties": [
        {
          "name": "aquasecurity:trivy:LayerDiffID",
          "value": "sha256:dbc78f895659e011c02f7b63ab5c93f33c34880fdc3175f9b9a3f2a0bfb0dd6b"
        },
        {
          "name": "aquasecurity:trivy:LayerDigest",
          "value": "sha256:5ca4369267475245bb0e6217f0fdba040890f26fdef9b65cac11a545ab2db160"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "gobinary"
        }
      ]
    }

Target

Container Image

Scanner

None

Output Format

CycloneDX

Mode

Standalone

Debug Output

$ trivy image --format cyclonedx --output sbom.cdx.json --debug golang:1.22
2024-05-15T12:43:59-04:00       DEBUG   ["cyclonedx" "spdx" "spdx-json" "github"] automatically enables '--list-all-pkgs'.
2024-05-15T12:43:59-04:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-05-15T12:43:59-04:00       DEBUG   Ignore statuses statuses=[]
2024-05-15T12:43:59-04:00       INFO    "--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.
2024-05-15T12:43:59-04:00       DEBUG   Cache dir       dir="/Users/hacks4oats/Library/Caches/trivy"
2024-05-15T12:43:59-04:00       DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-05-15T12:44:00-04:00       DEBUG   [nuget] The nuget packages directory couldn't be found. License search disabled
2024-05-15T12:44:00-04:00       DEBUG   [image] Detected image ID       image_id="sha256:5905f95343e84d1f8f14aff8f8b83747fb39ea0e0fad52a9d14cf41860295fff"
2024-05-15T12:44:00-04:00       DEBUG   [image] Detected diff ID        diff_ids=[sha256:bbe1a212f7e9f1baaef62491a51254f3adda514c22632ea719f62713fad80f77 sha256:d7d4c2f9d26b2dad32b86ed9739919f76ae423f16aa103924c183048810290de sha256:8845ab872c1ce04cf64c4755aa585386c7ebe1b7633d977d275d6f2d2146000d sha256:ed5bf86b995984a5211f5e018e201ed3146923e82a385b0542db04ea4b152076 sha256:dbc78f895659e011c02f7b63ab5c93f33c34880fdc3175f9b9a3f2a0bfb0dd6b sha256:a8a2007b3a9651cb25203b522b09f261118ec4215a80318a231150732d43422b sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef]
2024-05-15T12:44:00-04:00       DEBUG   [image] Detected base layers    diff_ids=[sha256:bbe1a212f7e9f1baaef62491a51254f3adda514c22632ea719f62713fad80f77]
2024-05-15T12:44:00-04:00       DEBUG   [image] Missing image ID in cache       image_id="sha256:5905f95343e84d1f8f14aff8f8b83747fb39ea0e0fad52a9d14cf41860295fff"
2024-05-15T12:44:00-04:00       DEBUG   [image] Missing diff ID in cache        diff_id="sha256:d7d4c2f9d26b2dad32b86ed9739919f76ae423f16aa103924c183048810290de"
2024-05-15T12:44:00-04:00       DEBUG   [image] Missing diff ID in cache        diff_id="sha256:bbe1a212f7e9f1baaef62491a51254f3adda514c22632ea719f62713fad80f77"
2024-05-15T12:44:00-04:00       DEBUG   [image] Missing diff ID in cache        diff_id="sha256:dbc78f895659e011c02f7b63ab5c93f33c34880fdc3175f9b9a3f2a0bfb0dd6b"
2024-05-15T12:44:00-04:00       DEBUG   [image] Missing diff ID in cache        diff_id="sha256:8845ab872c1ce04cf64c4755aa585386c7ebe1b7633d977d275d6f2d2146000d"
2024-05-15T12:44:00-04:00       DEBUG   [image] Missing diff ID in cache        diff_id="sha256:ed5bf86b995984a5211f5e018e201ed3146923e82a385b0542db04ea4b152076"
2024-05-15T12:44:01-04:00       DEBUG   [gobinary] Parsing dependency's build info settings     dependency="" -ldflags=[]
2024-05-15T12:44:01-04:00       DEBUG   [gobinary] Unable to detect dependency version used in `-ldflags` build info settings. Empty version used.   dependency=""
2024-05-15T12:44:01-04:00       DEBUG   [gobinary] Parsing dependency's build info settings     dependency="" -ldflags=[]
2024-05-15T12:44:01-04:00       DEBUG   [gobinary] Unable to detect dependency version used in `-ldflags` build info settings. Empty version used.   dependency=""
2024-05-15T12:44:01-04:00       DEBUG   [gobinary] Parsing dependency's build info settings     dependency="" -ldflags=[]
2024-05-15T12:44:01-04:00       DEBUG   [gobinary] Unable to detect dependency version used in `-ldflags` build info settings. Empty version used.   dependency=""
2024-05-15T12:44:01-04:00       DEBUG   [gobinary] Parsing dependency's build info settings     dependency="" -ldflags=[]
2024-05-15T12:44:01-04:00       DEBUG   [gobinary] Unable to detect dependency version used in `-ldflags` build info settings. Empty version used.   dependency=""
2024-05-15T12:44:01-04:00       DEBUG   [gobinary] Parsing dependency's build info settings     dependency="" -ldflags=[]
2024-05-15T12:44:01-04:00       DEBUG   [gobinary] Unable to detect dependency version used in `-ldflags` build info settings. Empty version used.   dependency=""
2024-05-15T12:44:01-04:00       DEBUG   [gobinary] Parsing dependency's build info settings     dependency="" -ldflags=[]
2024-05-15T12:44:01-04:00       DEBUG   [gobinary] Unable to detect dependency version used in `-ldflags` build info settings. Empty version used.   dependency=""
2024-05-15T12:44:01-04:00       DEBUG   [dpkg] Unable to parse the available file       file="var/lib/dpkg/available" err="file open error: open var/lib/dpkg/available: file does not exist"
2024-05-15T12:44:01-04:00       DEBUG   [gobinary] Parsing dependency's build info settings     dependency="" -ldflags=[]
2024-05-15T12:44:01-04:00       DEBUG   [gobinary] Unable to detect dependency version used in `-ldflags` build info settings. Empty version used.   dependency=""
2024-05-15T12:44:01-04:00       DEBUG   [image] Missing diff ID in cache        diff_id="sha256:a8a2007b3a9651cb25203b522b09f261118ec4215a80318a231150732d43422b"
2024-05-15T12:44:01-04:00       DEBUG   [gobinary] Parsing dependency's build info settings     dependency="" -ldflags=[]
2024-05-15T12:44:01-04:00       DEBUG   [gobinary] Unable to detect dependency version used in `-ldflags` build info settings. Empty version used.   dependency=""
2024-05-15T12:44:01-04:00       DEBUG   [gobinary] Parsing dependency's build info settings     dependency="" -ldflags=[]
2024-05-15T12:44:01-04:00       DEBUG   [gobinary] Unable to detect dependency version used in `-ldflags` build info settings. Empty version used.   dependency=""
2024-05-15T12:44:01-04:00       DEBUG   [gobinary] Parsing dependency's build info settings     dependency="" -ldflags=[]
2024-05-15T12:44:01-04:00       DEBUG   [gobinary] Unable to detect dependency version used in `-ldflags` build info settings. Empty version used.   dependency=""
2024-05-15T12:44:01-04:00       DEBUG   [image] Missing diff ID in cache        diff_id="sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef"
2024-05-15T12:44:02-04:00       DEBUG   [gobinary] Parsing dependency's build info settings     dependency="" -ldflags=[]
2024-05-15T12:44:02-04:00       DEBUG   [gobinary] Unable to detect dependency version used in `-ldflags` build info settings. Empty version used.   dependency=""
2024-05-15T12:44:02-04:00       DEBUG   [gobinary] Parsing dependency's build info settings     dependency="" -ldflags=[]
2024-05-15T12:44:02-04:00       DEBUG   [gobinary] Unable to detect dependency version used in `-ldflags` build info settings. Empty version used.   dependency=""
2024-05-15T12:44:02-04:00       DEBUG   [gobinary] Parsing dependency's build info settings     dependency="" -ldflags=[]
2024-05-15T12:44:02-04:00       DEBUG   [gobinary] Unable to detect dependency version used in `-ldflags` build info settings. Empty version used.   dependency=""
2024-05-15T12:44:02-04:00       DEBUG   [gobinary] Parsing dependency's build info settings     dependency="" -ldflags=[]
2024-05-15T12:44:02-04:00       DEBUG   [gobinary] Unable to detect dependency version used in `-ldflags` build info settings. Empty version used.   dependency=""
2024-05-15T12:44:02-04:00       DEBUG   [gobinary] Parsing dependency's build info settings     dependency="" -ldflags=[]
2024-05-15T12:44:02-04:00       DEBUG   [gobinary] Unable to detect dependency version used in `-ldflags` build info settings. Empty version used.   dependency=""
2024-05-15T12:44:02-04:00       DEBUG   [gobinary] Parsing dependency's build info settings     dependency="" -ldflags=[]
2024-05-15T12:44:02-04:00       DEBUG   [gobinary] Unable to detect dependency version used in `-ldflags` build info settings. Empty version used.   dependency=""
2024-05-15T12:44:02-04:00       DEBUG   [gobinary] Parsing dependency's build info settings     dependency="" -ldflags=[]
2024-05-15T12:44:02-04:00       DEBUG   [gobinary] Unable to detect dependency version used in `-ldflags` build info settings. Empty version used.   dependency=""
2024-05-15T12:44:02-04:00       DEBUG   [gobinary] Parsing dependency's build info settings     dependency="" -ldflags=[]
2024-05-15T12:44:02-04:00       DEBUG   [gobinary] Unable to detect dependency version used in `-ldflags` build info settings. Empty version used.   dependency=""
2024-05-15T12:44:02-04:00       DEBUG   [gobinary] Parsing dependency's build info settings     dependency="" -ldflags=[]
2024-05-15T12:44:02-04:00       DEBUG   [gobinary] Unable to detect dependency version used in `-ldflags` build info settings. Empty version used.   dependency=""
2024-05-15T12:44:03-04:00       INFO    [python] License acquired from METADATA classifiers may be subject to additional terms  name="mercurial" version="6.3.2"
2024-05-15T12:44:03-04:00       DEBUG   [dpkg] Unable to parse the available file       file="var/lib/dpkg/available" err="file open error: open var/lib/dpkg/available: file does not exist"
2024-05-15T12:44:03-04:00       DEBUG   [dpkg] Unable to parse the available file       file="var/lib/dpkg/available" err="file open error: open var/lib/dpkg/available: file does not exist"
2024-05-15T12:44:03-04:00       DEBUG   No secrets found in container image config

Operating System

macOS 14.4.1

Version

$ trivy --version
Version: 0.51.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-05-15 12:14:30.807678727 +0000 UTC
  NextUpdate: 2024-05-15 18:14:30.807678587 +0000 UTC
  DownloadedAt: 2024-05-15 16:22:11.754738 +0000 UTC

Checklist

• Run trivy image --reset
• Read the troubleshooting

[DmitriyLewen]

Hello @oatovar
Thanks for your report!

We currently show stdlib (version of Go that was used to build) for each Gobinary file.
It looks like we can say that same Go file was used to build these gobinaries, so we can remove duplicates and use same library for all stdlibs (with the same version of Go).
@knqyf263 wdyt?

[knqyf263]

This form keeps the top level "unique" and keeps track of individual occurrences of the component found. What are your thoughts on this?

I don't think it can represent the graph with assemblies. See my example of Module Root Z. Module C appears twice. How can we represent it with assemblies? I saw the following example on page 46. It works only when a nested component has a single parent. If a component has multiple parents, it would be duplicated.

"components": [
   {
     "type": "application",
     "name": "Acme Commerce Suite",
     "version": "2.0.0",
     "components": [
       {
         "type": "application",
         "name": "Acme Storefront Server",
         "version": "3.7.0",
       },
       {
         "type": "application",
         "name": "Acme Payment Processor",
         "version": "3.1.1",
       }
    ]
 }

[oatovar]

It works only when a nested component has a single parent. If a component has multiple parents, it would be duplicated.

Yes, but it wouldn't be duplicated at the top level as it is now. With assemblies, the components structure would look like this.

"components": [
  {
    "name": "Module A",
    "version": "v1.0.0",
    "components": [
      {
        "name": "Module B",
        "version": "v1.0.0",
      },
      {
        "name": "Module D",
        "version": "v1.0.0",
        "components": [
          {
            "name": "Module C",
            "version": "v1.2.3",
          },
        ]
      },
    ],
  },
  {
    "name": "Module Z",
    "version": "v1.0.0",
    "components": [
      {
        "name": "Module B",
        "version": "v1.0.0",
        "components": [
          {
            "name": "Module C",
            "version": "v1.0.0",
          },
        ]
      },
      {
        "name": "Module D",
        "version": "v1.0.0",
        "components": [
          {
            "name": "Module C",
            "version": "v1.0.0",
          },
        ]
      },
    ],
  },
]

I've omitted fields for brevity in the example above, but it encapsulates the case mentioned. It keeps the different occurrences of Module C, provides a clear distinction on why there are more than one occurrences in the SBOM, and allows independent graphs to be documented in the dependencies field.

[knqyf263]

Your example SBOM doesn't describe Module D under Module Z. In many cases, components have several parents, which means we need to put them in the top-level components and use the dependencies

[oatovar]

😄 Sorry, I was typing this by hand and made an error there, but it's been corrected and does include the module now.

which means we need to put them in the top-level components and use the dependencies

You don't need to do this, and you can still use the dependencies section.

[knqyf263]

😄 Sorry, I was typing this by hand and made an error there, but it's been corrected and does include the module now.

No problem. Yes, then Module C appears many times. The popular libraries that are often used have so many parents, and using assemblies makes them considerably harder to see and creates more confusion when completely identical components (instances) appear multiple times. In the case of using dependencies, the identical instances only need to appear once, so it is simpler. SBOM still has the same components with the same name, version, etc, though.

However, this is our view and we are open if the CycloneDX team thinks that assemblies should be used even in the case of multiple parents.

[oatovar]

I'm going to close out this discussion since it's not really a bug, and regardless of the decision to use assemblies or not, separate instances of the components will always be needed to produce an accurate representation of the dependency graph. I appreciate the insightful discussion very much!

[knqyf263]

Thank you, too. It has given us the opportunity to think again about how SBOM should be structured.