
question: sbom generated by apko is not detected by trivy #1046

Open
tuananh opened this issue Feb 21, 2024 · 6 comments

Comments


tuananh commented Feb 21, 2024

Using the following command to scan:

trivy image <myimage> --sbom-sources oci

If an SBOM is found, trivy will use the SBOM instead. https://github.com/aquasecurity/trivy/blob/main/docs/docs/target/container_image.md#sbom

Output:

2024-02-21T03:36:59.853Z        INFO    Vulnerability scanning is enabled
2024-02-21T03:36:59.853Z        INFO    Secret scanning is enabled
2024-02-21T03:36:59.853Z        INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-02-21T03:36:59.853Z        INFO    Please see also https://aquasecurity.github.io/trivy/v0.49/docs/scanner/secret/#recommendation for faster secret detection
2024-02-21T03:37:01.150Z        INFO    Detected OS: alpine
2024-02-21T03:37:01.150Z        WARN    This OS version is not on the EOL list: alpine 3.20
2024-02-21T03:37:01.150Z        INFO    Detecting Alpine vulnerabilities...
2024-02-21T03:37:01.153Z        INFO    Number of language-specific files: 0

I was expecting trivy to be able to find the SBOM and use that instead. However, it's still pulling the image. If an SBOM is found, it will look something like this:

$ trivy image --sbom-sources oci ghcr.io/knqyf263/oci-referrers
2023-03-05T17:36:55.278+0200    INFO    Vulnerability scanning is enabled
2023-03-05T17:36:58.103+0200    INFO    Detected SBOM format: cyclonedx-json
2023-03-05T17:36:58.129+0200    INFO    Found SBOM (cyclonedx) in the OCI referrers
...

ghcr.io/knqyf263/oci-referrers (alpine 3.16.2)
==============================================
Total: 17 (UNKNOWN: 0, LOW: 0, MEDIUM: 5, HIGH: 9, CRITICAL: 3)

Is there anything specific about the SBOM generated by apko?


tuananh commented Feb 21, 2024

cc @imjasonh


tuananh commented Feb 21, 2024

I compared the SBOMs generated by trivy and by apko.

Turns out trivy was expecting the container image artifact to contain a package (the Alpine OS), and a relationship stating that the apko image contains the said OS.

I tried adding an OS package and one relationship and it seems to work.

// packages
{
  "name": "alpine",
  "SPDXID": "SPDXRef-OperatingSystem-b234ff30fe4ada0f",
  "versionInfo": "3.20.0_alpha20231219",
  "downloadLocation": "NONE",
  "filesAnalyzed": false,
  "primaryPackagePurpose": "OPERATING-SYSTEM"
},
...
// relationship
{
  "spdxElementId": "SPDXRef-Package-sha256-e13d8a4cf521332118ed60c661913f2f083790d8aa598b14f7617427996d631d",
  "relatedSpdxElement": "SPDXRef-OperatingSystem-b234ff30fe4ada0f",
  "relationshipType": "CONTAINS"
},


tuananh commented Feb 21, 2024

@imjasonh should we fix this in apko or in trivy? I'm leaning toward trivy but wdyt?


tuananh commented Feb 21, 2024

Also posted to trivy for discussion: aquasecurity/trivy#6172


tuananh commented Feb 27, 2024

@imjasonh @jonjohnsonjr friendly ping :)

The trivy maintainer suggests that we implement the fix in here, adding a new element type (operating-system) like this:

https://spdx.github.io/spdx-spec/v2.3/package-information/#724-primary-package-purpose-field

Right now, for SPDX we have: container image contains package.

Should we update it to:

  • container image contains os
  • os contains package

What do you think? If it's OK, I will send a PR over.
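The two layouts discussed in this thread (image CONTAINS an OPERATING-SYSTEM package, OS CONTAINS the apk packages), as an added Python example that is not code from apko or trivy: it checks a minimal SPDX document for the OS element trivy looks for and rewrites it into the proposed layout. It assumes the root image is the element the document DESCRIBES; the sample document, its SPDX IDs and the digest are constructed placeholders.

```python
import copy
# Constructed sample in the shape the issue describes apko emitting: the document
# DESCRIBES the image package and the image CONTAINS each apk package directly.
# IDs and the digest are placeholders, not values from a real apko image.
APKO_STYLE_SBOM = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [
        {"name": "myimage", "SPDXID": "SPDXRef-Package-sha256-IMAGEDIGEST"},
        {"name": "busybox", "SPDXID": "SPDXRef-Package-busybox", "versionInfo": "1.36.1-r0"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Package-sha256-IMAGEDIGEST"},
        {"spdxElementId": "SPDXRef-Package-sha256-IMAGEDIGEST", "relationshipType": "CONTAINS",
         "relatedSpdxElement": "SPDXRef-Package-busybox"},
    ],
}

def image_id(doc):
    """SPDXID of the root image, taken as the element the document DESCRIBES (assumption)."""
    for rel in doc["relationships"]:
        if rel["spdxElementId"] == doc["SPDXID"] and rel["relationshipType"] == "DESCRIBES":
            return rel["relatedSpdxElement"]
    raise ValueError("document has no DESCRIBES relationship")

def os_package(doc):
    """The OPERATING-SYSTEM package the image CONTAINS (what trivy looks for), or None."""
    by_id = {p["SPDXID"]: p for p in doc["packages"]}
    root = image_id(doc)
    for rel in doc["relationships"]:
        if rel["spdxElementId"] == root and rel["relationshipType"] == "CONTAINS":
            pkg = by_id.get(rel["relatedSpdxElement"], {})
            if pkg.get("primaryPackagePurpose") == "OPERATING-SYSTEM":
                return pkg
    return None

def add_os_layer(doc, os_name, os_version, os_id):
    """Copy restructured to the proposed layout: image CONTAINS os, os CONTAINS packages."""
    out = copy.deepcopy(doc)
    root = image_id(out)
    out["packages"].append({"name": os_name, "SPDXID": os_id, "versionInfo": os_version,
                            "downloadLocation": "NONE", "filesAnalyzed": False,
                            "primaryPackagePurpose": "OPERATING-SYSTEM"})
    for rel in out["relationships"]:  # re-parent the apk packages under the OS element
        if rel["spdxElementId"] == root and rel["relationshipType"] == "CONTAINS":
            rel["spdxElementId"] = os_id
    out["relationships"].append({"spdxElementId": root, "relatedSpdxElement": os_id,
                                 "relationshipType": "CONTAINS"})
    return out
```

Running os_package over an apko SBOM before relying on --sbom-sources oci tells you whether trivy will fall back to pulling the image, as seen in the log above.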

@shresthaujjwal

Hi @tuananh, were you able to find a solution for this?
