CycloneDX SBOM files generated by trivy are not compliant with corresponding CycloneDX schema

[LesSyner]

Discussed in #4899

^{Originally posted by LesSyner July 31, 2023}

Description

I discovered that Cyclonedx-JSON SBOM files generated by trivy are not compliant with corresponding CycloneDX schema. I discovered it while trying to work with licenses and external tools which support it (Dependency-track). So in particular the issue is with license, where trivy-generated SBOM has following structure:

      "bom-ref": "pkg:deb/ubuntu/[email protected]?arch=all\u0026distro=ubuntu-22.04",
      "type": "library",
      "name": "adduser",
      "version": "3.118ubuntu5",
      "licenses": [
        {
          "expression": "GPL-2.0"
        }
      ],

and compliant structure looks like this (generated by syft):

      "bom-ref": "pkg:deb/ubuntu/[email protected]?arch=all&distro=ubuntu-22.04&package-id=00a3e975e84427e2",
      "type": "library",
      "name": "adduser",
      "version": "3.118ubuntu5",
      "licenses": [
        {
          "license": {
            "id": "GPL-2.0-only"
          }
        }
      ],

Desired Behavior

trivy produces SBOM files compliant with CycloneDX-JSON schema

Actual Behavior

trivy generates invalid SBOM JSON files

Reproduction Steps

1. trivy image -f cyclonedx --scanners license ubuntu:22.04 > ubuntu22.04.trivy.json

2. cyclonedx validate --input-file ubuntu22.04.trivy.json --input-format json --input-version v1_4
Validating JSON BOM...
Validation failed: 
#/properties/dependencies/items
BOM is not valid.

3. syft packages -o cyclonedx-json ubuntu:22.04 > ubuntu22.04.syft.json

4. cyclonedx validate --input-file ubuntu22.04.syft.json --input-format json --input-version v1_4
Validating JSON BOM...
BOM validated successfully.

Trivy used above is v0.42.1 since 0.43 introduced CycloneDX schema 1.5
with no option for fallback to v1.4 and currently cyclonedx tool doesn't 
suppport yet v1.5.

Target

Container Image

Scanner

License

Output Format

CycloneDX

Mode

Standalone

Debug Output

DEBUG	["cyclonedx" "spdx" "spdx-json" "github"] automatically enables '--list-all-pkgs'.
DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
DEBUG	cache dir:  .
INFO	License scanning is enabled
DEBUG	Image ID: sha256:37f74891464b2067aacbde60d9e2888e002af047a0d5dfc0b06b701928e0b473
DEBUG	Diff IDs: [sha256:c5ca84f245d30117a9a2720cb4297cedf3642816471d4d699f4d77e39e13a39c]
DEBUG	Base Layers: []
DEBUG	Missing image ID in cache: sha256:37f74891464b2067aacbde60d9e2888e002af047a0d5dfc0b06b701928e0b473
DEBUG	Missing diff ID in cache: sha256:c5ca84f245d30117a9a2720cb4297cedf3642816471d4d699f4d77e39e13a39c
DEBUG	Skipping directory: dev
DEBUG	Skipping directory: proc
DEBUG	Skipping directory: sys
DEBUG	No secrets found in container image config

Operating System

macOS Ventura 13.5

Version

Version: 0.42.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-07-26 06:08:40.049602013 +0000 UTC
  NextUpdate: 2023-07-26 12:08:40.049601613 +0000 UTC
  DownloadedAt: 2023-07-26 10:10:28.217628 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-07-31 00:51:48.861488562 +0000 UTC
  NextUpdate: 2023-08-03 00:51:48.861488162 +0000 UTC
  DownloadedAt: 2023-07-31 15:11:35.839586 +0000 UTC

Checklist

• Run trivy image --reset
• Read the troubleshooting

[nscuro]

The CycloneDX schema allows for both variants: https://cyclonedx.org/docs/1.5/json/#tab-pane_components_items_licenses_oneOf_i1

Licenses can be either an object (like Syft does it), or an SPDX expression (as done by Trivy). Both variants are valid, however expressions make it harder for consuming systems (like Dependency-Track, see DependencyTrack/dependency-track#170) to evaluate. We have a pending PR (DependencyTrack/dependency-track#2400) that we hope to include in the next DT release.

[boomaker]

Does --license-full have any impact here or is it just for the table display? (see: #4434)

[LesSyner]

@nscuro Thank you for info, if so I'm waiting impatiently for next DT release ;)
Anyway if license object is OK there are other issues making whole SBOM file invalid for cyclonedx tool. Maybe it's worth to investigate it?

@boomaker I haven't checked --license-full but my report was for SBOM in JSON format (trivy image -f cyclonedx). In table format, being trivy internal one, everything is reported ok.

[LesSyner]

@nscuro In table format trivy has ability to report multiple licenses per component. Do you have plans for similar output in cyclonedx format using license array? It's supported currently with expression option:

"licenses": [
        {
          "expression": "BSD-3-Clause"
        },
        {
          "expression": "FSFULLR"
        },
        {
          "expression": "FSFUL"
        },
        {
          "expression": "Expat"
        },
        {
          "expression": "GPL-2.0"
        },
        {
          "expression": "public-domain"
        }
      ],

[knqyf263]

As @nscuro explained, the license expression is also valid. I'd close the issue. If you see something non-compliant, please let us know.

Also, the maintainers open GitHub issues as documented here (I'll make it clearer). We can have a discussion on GitHub Discussions next time.
https://aquasecurity.github.io/trivy/v0.44/community/contribute/discussion/

[LesSyner]

@nscuro I investigated multiple licenses a bit more and I see that example above with expressions is ok for 1.4 schema but is invalid with 1.5 schema, which states that it has to be a tuple of exactly one SPDX License Expression and multiple licenses are allowed only with array of license objects. Currently trivy 0.44 produces cyclonedx based on 1.5 schema but with invalid array of expression objects.

[LesSyner]

@knqyf263 I want to re-opem this issue since core topic was that CycloneDX SBOM files generated by trivy are not compliant with corresponding CycloneDX schema. I provided small example which showed up to be valid but anyway whole case is still valid - current SBOM output is invalid with cyclonedx 1.5 schema and older SBOM outputs were invalid with cyclonedx 1.4 schema. Just take a look at my Reproduction Steps and they still show current situation and problem I reported.

[knqyf263]

I tested the 1.5 JSON schema against our SBOM, but it passed.
https://cyclonedx.org/schema/bom-1.5.schema.json

@LesSyner Are you sure the license is invalid? Also, cyclonedx validate passed since it is valid in v1.4 as you pointed out.

$ trivy image --format cyclonedx --output ubuntu2204.cdx.json ubuntu:22.04
$ sed -i '.bak' 's/bom-1.5/bom-1.4/g' ubuntu2204.cdx.json
$ sed -i '.bak' 's/"1.5"/"1.4"/g' ubuntu2204.cdx.json
$ cyclonedx validate --input-file ubuntu2204.cdx.json --input-format json --input-version v1_4
Validating JSON BOM...
BOM validated successfully.

Can't the JSON schema validate the licenseChoice properly?

{
  "title": "SPDX License Expression",
  "description": "A tuple of exactly one SPDX License Expression.",
  "type": "array",
  "additionalItems": false,
  "minItems": 1,
  "maxItems": 1,
  "items": [
    {
      "type": "object",
      "additionalProperties": false,
      "required": [
        "expression"
      ],
      "properties": {
        "expression": {
          "type": "string",
          "title": "SPDX License Expression",
          "examples": [
            "Apache-2.0 AND (MIT OR GPL-2.0-only)",
            "GPL-3.0-only WITH Classpath-exception-2.0"
          ]
        },
        "bom-ref": {
          "$ref": "#/definitions/refType",
          "title": "BOM Reference",
          "description": "An optional identifier which can be used to reference the license elsewhere in the BOM. Every bom-ref MUST be unique within the BOM."
        }
      }
    }
  ]
}

[knqyf263]

It failed in @DmitriyLewen's environment. I might have done something wrong. I'll give it another shot.

[LesSyner]

Yes, please give it another try, it failed also in my environment:

$ trivy image --format cyclonedx --output ubuntu2204.cdx.json ubuntu:22.04
$ sed -i '.bak' 's/bom-1.5/bom-1.4/g' ubuntu2204.cdx.json
$ sed -i '.bak' 's/"1.5"/"1.4"/g' ubuntu2204.cdx.json
$ cyclonedx validate --input-file ubuntu2204.cdx.json --input-format json --input-version v1_4
Validating JSON BOM...
Validation failed: 
#/properties/dependencies/items
BOM is not valid.

[knqyf263]

It doesn't make sense. It should pass since it should be compliant with cyclonedx 1.4, right?

[knqyf263]

@LesSyner I guess your failure comes from something else, not licenses.
#4943

[LesSyner]

@knqyf263 Maybe, error message above is very generic when it says problem is with #/properties/dependencies/items.
I even tested it with trivy v0.42.1 (last with cyclonedx 1.4 support) to be sure that sed doesn't introduce any unneeded changes. Still the same error.

[LesSyner]

@knqyf263 But this issue is about non-compliance with schema, not only about licenses object. Maybe this example was not the best one from my side to show non-compliance but anyway - main topic is that SBOM files should be valid with corresponding schema.

[DmitriyLewen]

Hello @LesSyner

I updated Trivy and cyclonedx format should be valid with v1.5 schema.
We have canary binaries. Can you check changes?
I am getting no errors for ubuntu:22.04 with these changes:

➜ ./trivy image --format cyclonedx --output ubuntu2204.cdx.json ubuntu:22.04
2023-08-07T15:23:33.694+0600	INFO	"--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.
➜ sbom-utility validate -i ./ubuntu2204.cdx.json 
Welcome to the sbom-utility! Version `v0.12.0` (sbom-utility) (darwin/arm64)
============================================================================
[INFO] Loading license policy config file: `/Users/work/go/sbom-utility/license.json`...
[INFO] Attempting to load and unmarshal file `./ubuntu2204.cdx.json`...
[INFO] Successfully unmarshalled data from: `./ubuntu2204.cdx.json`
[INFO] Determining file's SBOM format and version...
[INFO] Determined SBOM format, version (variant): `CycloneDX`, `1.5` (latest)
[INFO] Matching SBOM schema (for validation): schema/cyclonedx/1.5/bom-1.5.schema.json
[INFO] Loading schema `schema/cyclonedx/1.5/bom-1.5.schema.json`...
[INFO] Schema `schema/cyclonedx/1.5/bom-1.5.schema.json` loaded.
[INFO] Validating `./ubuntu2204.cdx.json`...
[INFO] SBOM valid against JSON schema: `true`

[LesSyner]

I used trivy v0.42.1 since cyclonedx-cli tool used to validate so far supports only 1.4 schema. Haven't found sbom-utility earlier, I'll try to check canary trivy with sbom-utility.

[LesSyner]

Still errors with above setup:

$ ./trivy image --format cyclonedx --output ubuntu2204.cdx.json ubuntu:22.04
2023-08-07T11:55:06.181+0200	INFO	"--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.
$ sbom-utility/sbom-utility validate -i ./ubuntu2204.cdx.json
Welcome to the sbom-utility! Version `v0.12.0` (sbom-utility) (darwin/arm64)
============================================================================
[INFO] Loading license policy config file: `/Users/work/sbom-utility/license.json`...
[INFO] Attempting to load and unmarshal file `./ubuntu2204.cdx.json`...
[INFO] Successfully unmarshalled data from: `./ubuntu2204.cdx.json`
[INFO] Determining file's SBOM format and version...
[INFO] Determined SBOM format, version (variant): `CycloneDX`, `1.5` (latest)
[INFO] Matching SBOM schema (for validation): schema/cyclonedx/1.5/bom-1.5.schema.json
[INFO] Loading schema `schema/cyclonedx/1.5/bom-1.5.schema.json`...
[INFO] Schema `schema/cyclonedx/1.5/bom-1.5.schema.json` loaded.
[INFO] Validating `./ubuntu2204.cdx.json`...
[INFO] SBOM valid against JSON schema: `false`
[INFO] (2) schema errors detected.
[INFO] Formatting error results (`txt` format)...
1. {
        "type": "unique",
        "field": "dependencies.28.dependsOn",
        "context": "(root).dependencies.28.dependsOn",
        "description": "array items[0,1] must be unique",
        "value": {
            "type": "array",
            "index": 0,
            "item": "pkg:deb/ubuntu/[email protected]?arch=amd64\u0026distro=ubuntu-22.04"
        }
    }
2. {
        "type": "unique",
        "field": "dependencies.60.dependsOn",
        "context": "(root).dependencies.60.dependsOn",
        "description": "array items[0,1] must be unique",
        "value": {
            "type": "array",
            "index": 0,
            "item": "pkg:deb/ubuntu/[email protected]?arch=all\u0026distro=ubuntu-22.04"
        }
    }
[ERROR] invalid SBOM: schema errors found (./ubuntu2204.cdx.json)
[INFO] document `./ubuntu2204.cdx.json`: valid=[false]

[DmitriyLewen]

hm... i fixed this error - #4943

[DmitriyLewen]

@LesSyner
Oh... i understood - run trivy image --reset command, please and rescan image.

[LesSyner]

This trick fixed error 👍

$ sbom-utility/sbom-utility validate -i ./ubuntu2204.cdx.json
Welcome to the sbom-utility! Version `v0.12.0` (sbom-utility) (darwin/arm64)
============================================================================
[INFO] Loading license policy config file: `/Users/work/sbom-utility/license.json`...
[INFO] Attempting to load and unmarshal file `./ubuntu2204.cdx.json`...
[INFO] Successfully unmarshalled data from: `./ubuntu2204.cdx.json`
[INFO] Determining file's SBOM format and version...
[INFO] Determined SBOM format, version (variant): `CycloneDX`, `1.5` (latest)
[INFO] Matching SBOM schema (for validation): schema/cyclonedx/1.5/bom-1.5.schema.json
[INFO] Loading schema `schema/cyclonedx/1.5/bom-1.5.schema.json`...
[INFO] Schema `schema/cyclonedx/1.5/bom-1.5.schema.json` loaded.
[INFO] Validating `./ubuntu2204.cdx.json`...
[INFO] SBOM valid against JSON schema: `true`

[DmitriyLewen]

This happened because your cache contained duplicates in DependsOn from v0.42.1.

[Kankarollo]

Hi,

I'm experiencing still the issues with creation of sbom when adding vulnerabilities results to sbom --scanners vuln. Is this supported for cyclonedx 1.5 standard?

Following previous comments I've repeated steps done there:

image: node@sha256:8d9887b3b05d2e65598a18616c37cfc271346d12248dfcbeadd7b7bf4da1e827

$ trivy --version
Version: 0.44.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-08-24 06:08:49.320860551 +0000 UTC
  NextUpdate: 2023-08-24 12:08:49.320859751 +0000 UTC
  DownloadedAt: 2023-08-24 11:18:28.493031516 +0000 UTC
$ trivy image --reset
2023-08-24T13:21:13.251+0200	INFO	Removing DB file...
2023-08-24T13:21:13.292+0200	INFO	Removing artifact caches...
$ trivy image --format cyclonedx --output node.cdx.json registry.hub.docker.com/library/node:latest 
2023-08-24T13:21:25.983+0200	INFO	"--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.
$ ./sbom-utility validate -i node.cdx.json 
Welcome to the sbom-utility! Version `v0.13.0` (sbom-utility) (linux/amd64)
===========================================================================
[INFO] Loading (embedded) default schema config file: `config.json`...
[INFO] Loading (embedded) default license policy file: `license.json`...
[INFO] Attempting to load and unmarshal data from: `node.cdx.json`...
[INFO] Successfully unmarshalled data from: `node.cdx.json`
[INFO] Determining file's BOM format and version...
[INFO] Determined BOM format, version (variant): `CycloneDX`, `1.5` (latest)
[INFO] Matching BOM schema (for validation): schema/cyclonedx/1.5/bom-1.5.schema.json
[INFO] Loading schema `schema/cyclonedx/1.5/bom-1.5.schema.json`...
[INFO] Schema `schema/cyclonedx/1.5/bom-1.5.schema.json` loaded.
[INFO] Validating `node.cdx.json`...
[INFO] BOM valid against JSON schema: `true`
$ trivy image --format cyclonedx --output node-vuln.cdx.json registry.hub.docker.com/library/node:latest --scanners vuln
2023-08-24T13:22:51.524+0200	INFO	Need to update DB
2023-08-24T13:22:51.524+0200	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
2023-08-24T13:22:51.524+0200	INFO	Downloading DB...
39.13 MiB / 39.13 MiB [--------------------------------------------] 100.00% 9.21 MiB p/s 4.4s
2023-08-24T13:22:57.008+0200	INFO	Vulnerability scanning is enabled
2023-08-24T13:22:58.921+0200	INFO	Detected OS: debian
2023-08-24T13:22:58.921+0200	INFO	Detecting Debian vulnerabilities...
2023-08-24T13:22:59.033+0200	INFO	Number of language-specific files: 1
2023-08-24T13:22:59.033+0200	INFO	Detecting node-pkg vulnerabilities...
$ ./sbom-utility validate -i node-vuln.cdx.json 
Welcome to the sbom-utility! Version `v0.13.0` (sbom-utility) (linux/amd64)
===========================================================================
[INFO] Loading (embedded) default schema config file: `config.json`...
[INFO] Loading (embedded) default license policy file: `license.json`...
[INFO] Attempting to load and unmarshal data from: `node-vuln.cdx.json`...
[INFO] Successfully unmarshalled data from: `node-vuln.cdx.json`
[INFO] Determining file's BOM format and version...
[INFO] Determined BOM format, version (variant): `CycloneDX`, `1.5` (latest)
[INFO] Matching BOM schema (for validation): schema/cyclonedx/1.5/bom-1.5.schema.json
[INFO] Loading schema `schema/cyclonedx/1.5/bom-1.5.schema.json`...
[INFO] Schema `schema/cyclonedx/1.5/bom-1.5.schema.json` loaded.
[INFO] Validating `node-vuln.cdx.json`...
[INFO] BOM valid against JSON schema: `false`
[INFO] (1) schema errors detected.
[INFO] Formatting error results (`txt` format)...
1. {
        "type": "invalid_type",
        "field": "vulnerabilities.237.advisories",
        "context": "(root).vulnerabilities.237.advisories",
        "description": "Invalid type. Expected: array, given: null",
        "value": null
    }
[ERROR] invalid SBOM: schema errors found (node-vuln.cdx.json)
[INFO] document `node-vuln.cdx.json`: valid=[false]

What's interesting that this issue only occurs for some images. Testing on another image:

trivy image --format cyclonedx --output ubuntu-vuln.cdx.json registry.hub.docker.com/library/ubuntu:22.04 --scanners vuln 
2023-08-24T13:25:44.922+0200	INFO	Vulnerability scanning is enabled
2023-08-24T13:25:48.763+0200	INFO	Detected OS: ubuntu
2023-08-24T13:25:48.763+0200	INFO	Detecting Ubuntu vulnerabilities...
2023-08-24T13:25:48.764+0200	INFO	Number of language-specific files: 0
$ ./sbom-utility validate -i ubuntu-vuln.cdx.json 
Welcome to the sbom-utility! Version `v0.13.0` (sbom-utility) (linux/amd64)
===========================================================================
[INFO] Loading (embedded) default schema config file: `config.json`...
[INFO] Loading (embedded) default license policy file: `license.json`...
[INFO] Attempting to load and unmarshal data from: `ubuntu-vuln.cdx.json`...
[INFO] Successfully unmarshalled data from: `ubuntu-vuln.cdx.json`
[INFO] Determining file's BOM format and version...
[INFO] Determined BOM format, version (variant): `CycloneDX`, `1.5` (latest)
[INFO] Matching BOM schema (for validation): schema/cyclonedx/1.5/bom-1.5.schema.json
[INFO] Loading schema `schema/cyclonedx/1.5/bom-1.5.schema.json`...
[INFO] Schema `schema/cyclonedx/1.5/bom-1.5.schema.json` loaded.
[INFO] Validating `ubuntu-vuln.cdx.json`...
[INFO] BOM valid against JSON schema: `true`

[DmitriyLewen]

Hello @Kankarollo
Thanks for your report!

I will check this and write to you.

[DmitriyLewen]

@Kankarollo you are right. Created #5039.