feat(cyclonedx): preserve SBOM structure when scanning SBOM files with vulnerability updates (aquasecurity#9439)

Signed-off-by: knqyf263 <[email protected]>
Co-authored-by: DmitriyLewen <[email protected]>

Author: knqyf263

integration/testdata/conda-spdx.json.golden

@@ -3,7 +3,7 @@
   "dataLicense": "CC0-1.0",
   "SPDXID": "SPDXRef-DOCUMENT",
   "name": "testdata/fixtures/repo/conda",
-  "documentNamespace": "http://trivy.dev/filesystem/testdata/fixtures/repo/conda-3ff14136-e09f-4df9-80ea-000000000004",
+  "documentNamespace": "http://trivy.dev/filesystem/testdata/fixtures/repo/conda-3ff14136-e09f-4df9-80ea-000000000005",
   "creationInfo": {
     "creators": [
       "Organization: aquasecurity",
@@ -14,7 +14,7 @@
   "packages": [
     {
       "name": "openssl",
-      "SPDXID": "SPDXRef-Package-22a178da112ac20a",
+      "SPDXID": "SPDXRef-Package-cb268df467bc826c",
       "versionInfo": "1.1.1q",
       "supplier": "NOASSERTION",
       "downloadLocation": "NONE",
@@ -43,7 +43,7 @@
     },
     {
       "name": "pip",
-      "SPDXID": "SPDXRef-Package-c22b9ee9a601ba6",
+      "SPDXID": "SPDXRef-Package-1378bb10fcebba63",
       "versionInfo": "22.2.2",
       "supplier": "NOASSERTION",
       "downloadLocation": "NONE",
@@ -118,22 +118,22 @@
     },
     {
       "spdxElementId": "SPDXRef-Filesystem-2e2426fd0f2580ef",
-      "relatedSpdxElement": "SPDXRef-Package-22a178da112ac20a",
+      "relatedSpdxElement": "SPDXRef-Package-1378bb10fcebba63",
       "relationshipType": "CONTAINS"
     },
     {
       "spdxElementId": "SPDXRef-Filesystem-2e2426fd0f2580ef",
-      "relatedSpdxElement": "SPDXRef-Package-c22b9ee9a601ba6",
+      "relatedSpdxElement": "SPDXRef-Package-cb268df467bc826c",
       "relationshipType": "CONTAINS"
     },
     {
-      "spdxElementId": "SPDXRef-Package-22a178da112ac20a",
-      "relatedSpdxElement": "SPDXRef-File-600e5e0110a84891",
+      "spdxElementId": "SPDXRef-Package-1378bb10fcebba63",
+      "relatedSpdxElement": "SPDXRef-File-7eb62e2a3edddc0a",
       "relationshipType": "CONTAINS"
     },
     {
-      "spdxElementId": "SPDXRef-Package-c22b9ee9a601ba6",
-      "relatedSpdxElement": "SPDXRef-File-7eb62e2a3edddc0a",
+      "spdxElementId": "SPDXRef-Package-cb268df467bc826c",
+      "relatedSpdxElement": "SPDXRef-File-600e5e0110a84891",
       "relationshipType": "CONTAINS"
     }
   ]

integration/testdata/fluentd-multiple-lockfiles-short.cdx.json.golden

@@ -2,7 +2,7 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:3ff14136-e09f-4df9-80ea-000000000010",
+  "serialNumber": "urn:uuid:3ff14136-e09f-4df9-80ea-000000000006",
   "version": 1,
   "metadata": {
     "timestamp": "2021-08-25T12:20:30+00:00",
@@ -91,14 +91,6 @@
           "name": "aquasecurity:trivy:LayerDigest",
           "value": "sha256:000eee12ec04cc914bf96e8f5dee7767510c2aca3816af6078bd9fbe3150920c"
         },
-        {
-          "name": "aquasecurity:trivy:PkgID",
-          "value": "[email protected]"
-        },
-        {
-          "name": "aquasecurity:trivy:PkgType",
-          "value": "debian"
-        },
         {
           "name": "aquasecurity:trivy:SrcName",
           "value": "bash"
@@ -124,14 +116,6 @@
           "name": "aquasecurity:trivy:LayerDigest",
           "value": "sha256:000eee12ec04cc914bf96e8f5dee7767510c2aca3816af6078bd9fbe3150920c"
         },
-        {
-          "name": "aquasecurity:trivy:PkgID",
-          "value": "[email protected]"
-        },
-        {
-          "name": "aquasecurity:trivy:PkgType",
-          "value": "debian"
-        },
         {
           "name": "aquasecurity:trivy:SrcName",
           "value": "libidn2"
@@ -169,11 +153,7 @@
           "value": "sha256:a8877cad19f14a7044524a145ce33170085441a7922458017db1631dcd5f7602"
         },
         {
-          "name": "aquasecurity:trivy:PkgID",
-          "value": "[email protected]"
-        },
-        {
-          "name": "aquasecurity:trivy:PkgType",
+          "name": "aquasecurity:trivy:Type",
           "value": "gemspec"
         }
       ]
@@ -193,18 +173,6 @@
         "353f2470-9c8b-4647-9d0d-96d893838dc8",
         "pkg:gem/[email protected]?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Factivesupport-6.0.2.1.gemspec"
       ]
-    },
-    {
-      "ref": "pkg:deb/debian/[email protected]?distro=debian-10.2",
-      "dependsOn": []
-    },
-    {
-      "ref": "pkg:deb/debian/[email protected]?distro=debian-10.2",
-      "dependsOn": []
-    },
-    {
-      "ref": "pkg:gem/[email protected]?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Factivesupport-6.0.2.1.gemspec",
-      "dependsOn": []
     }
   ],
   "vulnerabilities": [

integration/testdata/julia-spdx.json.golden

@@ -14,7 +14,7 @@
   "packages": [
     {
       "name": "Manifest.toml",
-      "SPDXID": "SPDXRef-Application-18fc3597717a3e56",
+      "SPDXID": "SPDXRef-Application-c39d15beb6bdf085",
       "downloadLocation": "NONE",
       "filesAnalyzed": false,
       "primaryPackagePurpose": "APPLICATION",
@@ -35,7 +35,7 @@
     },
     {
       "name": "A",
-      "SPDXID": "SPDXRef-Package-761ce79b41d8f121",
+      "SPDXID": "SPDXRef-Package-3aea0b160c3af98d",
       "versionInfo": "1.9.0",
       "supplier": "NOASSERTION",
       "downloadLocation": "NONE",
@@ -68,7 +68,7 @@
     },
     {
       "name": "B",
-      "SPDXID": "SPDXRef-Package-28f04edc422602a",
+      "SPDXID": "SPDXRef-Package-2264d5c424c073e7",
       "versionInfo": "1.9.0",
       "supplier": "NOASSERTION",
       "downloadLocation": "NONE",
@@ -101,7 +101,7 @@
     },
     {
       "name": "B",
-      "SPDXID": "SPDXRef-Package-6e0b0d1825d8c02c",
+      "SPDXID": "SPDXRef-Package-e29bcba688483642",
       "versionInfo": "1.9.0",
       "supplier": "NOASSERTION",
       "downloadLocation": "NONE",
@@ -150,13 +150,13 @@
   ],
   "relationships": [
     {
-      "spdxElementId": "SPDXRef-Application-18fc3597717a3e56",
-      "relatedSpdxElement": "SPDXRef-Package-6e0b0d1825d8c02c",
+      "spdxElementId": "SPDXRef-Application-c39d15beb6bdf085",
+      "relatedSpdxElement": "SPDXRef-Package-3aea0b160c3af98d",
       "relationshipType": "CONTAINS"
     },
     {
-      "spdxElementId": "SPDXRef-Application-18fc3597717a3e56",
-      "relatedSpdxElement": "SPDXRef-Package-761ce79b41d8f121",
+      "spdxElementId": "SPDXRef-Application-c39d15beb6bdf085",
+      "relatedSpdxElement": "SPDXRef-Package-e29bcba688483642",
       "relationshipType": "CONTAINS"
     },
     {
@@ -166,12 +166,12 @@
     },
     {
       "spdxElementId": "SPDXRef-Filesystem-1be792dd0077c431",
-      "relatedSpdxElement": "SPDXRef-Application-18fc3597717a3e56",
+      "relatedSpdxElement": "SPDXRef-Application-c39d15beb6bdf085",
       "relationshipType": "CONTAINS"
     },
     {
-      "spdxElementId": "SPDXRef-Package-761ce79b41d8f121",
-      "relatedSpdxElement": "SPDXRef-Package-28f04edc422602a",
+      "spdxElementId": "SPDXRef-Package-3aea0b160c3af98d",
+      "relatedSpdxElement": "SPDXRef-Package-2264d5c424c073e7",
       "relationshipType": "DEPENDS_ON"
     }
   ]

pkg/commands/artifact/run.go

@@ -374,15 +374,6 @@ func Run(ctx context.Context, opts flag.Options, targetKind TargetKind) (err err
 		}
 	}()
 
-	if opts.ServerAddr != "" && opts.Scanners.AnyEnabled(types.MisconfigScanner, types.SecretScanner) {
-		log.WarnContext(ctx,
-			fmt.Sprintf(
-				"Trivy runs in client/server mode, but misconfiguration and license scanning will be done on the client side, see %s",
-				doc.URL("/docs/references/modes/client-server", ""),
-			),
-		)
-	}
-
 	if opts.GenerateDefaultConfig {
 		log.Info("Writing the default config to trivy-default.yaml...")
 
@@ -423,6 +414,9 @@ func Run(ctx context.Context, opts flag.Options, targetKind TargetKind) (err err
 }
 
 func run(ctx context.Context, opts flag.Options, targetKind TargetKind) (types.Report, error) {
+	// Perform validation checks
+	checkOptions(ctx, opts, targetKind)
+
 	r, err := NewRunner(ctx, opts, targetKind)
 	if err != nil {
 		if errors.Is(err, SkipScan) {
@@ -466,6 +460,27 @@ func run(ctx context.Context, opts flag.Options, targetKind TargetKind) (types.R
 	return report, nil
 }
 
+// checkOptions performs various checks on scan options and shows warnings
+func checkOptions(ctx context.Context, opts flag.Options, targetKind TargetKind) {
+	// Check client/server mode with misconfiguration and secret scanning
+	if opts.ServerAddr != "" && opts.Scanners.AnyEnabled(types.MisconfigScanner, types.SecretScanner) {
+		log.WarnContext(ctx,
+			fmt.Sprintf(
+				"Trivy runs in client/server mode, but misconfiguration and license scanning will be done on the client side, see %s",
+				doc.URL("/docs/references/modes/client-server", ""),
+			),
+		)
+	}
+
+	// Check SBOM to SBOM scanning with package filtering flags
+	// For SBOM-to-SBOM scanning (for example, to add vulnerabilities to the SBOM file), we should not modify the scanned file.
+	// cf. https://github.com/aquasecurity/trivy/pull/9439#issuecomment-3295533665
+	if targetKind == TargetSBOM && slices.Contains(types.SupportedSBOMFormats, opts.Format) &&
+		(!slices.Equal(opts.PkgTypes, types.PkgTypes) || !slices.Equal(opts.PkgRelationships, ftypes.Relationships)) {
+		log.Warn("'--pkg-types' and '--pkg-relationships' options will be ignored when scanning SBOM and outputting SBOM format.")
+	}
+}
+
 func disabledAnalyzers(opts flag.Options) []analyzer.Type {
 	// Specified analyzers to be disabled depending on scanning modes
 	// e.g. The 'image' subcommand should disable the lock file scanning.

pkg/fanal/artifact/sbom/sbom_test.go

@@ -367,6 +367,89 @@ func TestArtifact_Inspect(t *testing.T) {
 				},
 			},
 		},
+		{
+			name:     "components with missing BOM-REF",
+			filePath: filepath.Join("testdata", "bom-missing-refs.json"),
+			wantBlobs: []cachetest.WantBlob{
+				{
+					ID: "sha256:512b9e999c9d7b4880c63ce55c2c74ea5c22b05cdbcb486097a16ec692c746a0",
+					BlobInfo: types.BlobInfo{
+						SchemaVersion: types.BlobJSONSchemaVersion,
+						OS: types.OS{
+							Family: "alpine",
+							Name:   "3.16.0",
+						},
+						PackageInfos: []types.PackageInfo{
+							{
+								Packages: types.Packages{
+									{
+										ID:         "[email protected]",
+										Name:       "musl",
+										Version:    "1.2.3-r0",
+										SrcName:    "musl",
+										SrcVersion: "1.2.3-r0",
+										Licenses:   []string{"MIT"},
+										Layer: types.Layer{
+											DiffID: "sha256:dd565ff850e7003356e2b252758f9bdc1ff2803f61e995e24c7844f6297f8fc3",
+										},
+										Identifier: types.PkgIdentifier{
+											PURL: &packageurl.PackageURL{
+												Type:      packageurl.TypeApk,
+												Namespace: "alpine",
+												Name:      "musl",
+												Version:   "1.2.3-r0",
+												Qualifiers: packageurl.Qualifiers{
+													{
+														Key:   "distro",
+														Value: "3.16.0",
+													},
+												},
+											},
+											// BOM-Ref should be auto-generated from PURL
+											BOMRef: "pkg:apk/alpine/[email protected]?distro=3.16.0",
+										},
+									},
+								},
+							},
+						},
+						Applications: []types.Application{
+							{
+								Type:     "composer",
+								FilePath: "",
+								Packages: types.Packages{
+									{
+										ID:      "pear/[email protected]",
+										Name:    "pear/log",
+										Version: "1.13.1",
+										Layer: types.Layer{
+											DiffID: "sha256:3c79e832b1b4891a1cb4a326ef8524e0bd14a2537150ac0e203a5677176c1ca1",
+										},
+										Identifier: types.PkgIdentifier{
+											PURL: &packageurl.PackageURL{
+												Type:      packageurl.TypeComposer,
+												Namespace: "pear",
+												Name:      "log",
+												Version:   "1.13.1",
+											},
+											// BOM-Ref should be auto-generated from PURL
+											BOMRef: "pkg:composer/pear/[email protected]",
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			want: artifact.Reference{
+				Name: filepath.Join("testdata", "bom-missing-refs.json"),
+				Type: types.TypeCycloneDX,
+				ID:   "sha256:512b9e999c9d7b4880c63ce55c2c74ea5c22b05cdbcb486097a16ec692c746a0",
+				BlobIDs: []string{
+					"sha256:512b9e999c9d7b4880c63ce55c2c74ea5c22b05cdbcb486097a16ec692c746a0",
+				},
+			},
+		},
 		{
 			name:     "sad path with no such directory",
 			filePath: filepath.Join("testdata", "unknown.json"),