Unmatched Vulnerabilities.affects.ref when scanning CycloneDX sbom with duplicate Purls

[scott-boost]

Description

When scanning a cyclone dx sbom with 2 components that have the exact same purls (but different bom-refs), the resulting vulnerability.affects.ref has a seemingly random ref

NOTE: that this bug does not occur if the format is json instead

Desired Behavior

vulnerability.affects.ref points to a Component.bom-ref in the same sbom

Actual Behavior

vulnerability.affects.ref DOES NOT point to a Component.bom-ref in the same sbom

Reproduction Steps

1. wget https://pastebin.com/raw/iD0PiatU
2. trivy sbom --format cyclonedx --scanners vuln iD0PiatU

Target

SBOM

Scanner

Vulnerability

Output Format

CycloneDX

Mode

Standalone

Debug Output

2024-08-12T14:16:23-04:00	DEBUG	Cache dir	dir="/Users/scottluu/Library/Caches/trivy"
2024-08-12T14:16:23-04:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-08-12T14:16:23-04:00	DEBUG	Ignore statuses	statuses=[]
2024-08-12T14:16:23-04:00	DEBUG	DB update was skipped because the local DB is the latest
2024-08-12T14:16:23-04:00	DEBUG	DB info	schema=2 updated_at=2024-08-12T18:12:51.291637899Z next_update=2024-08-13T00:12:51.291637608Z downloaded_at=2024-08-12T18:15:47.484472Z
2024-08-12T14:16:23-04:00	INFO	Vulnerability scanning is enabled
2024-08-12T14:16:23-04:00	DEBUG	Vulnerability type	type=[os library]
2024-08-12T14:16:23-04:00	DEBUG	Enabling misconfiguration scanners	scanners=[]
2024-08-12T14:16:23-04:00	DEBUG	Initializing scan cache...	type="memory"
2024-08-12T14:16:23-04:00	INFO	Detected SBOM format	format="cyclonedx-json"
2024-08-12T14:16:23-04:00	DEBUG	Unmarshalling CycloneDX JSON...
2024-08-12T14:16:23-04:00	DEBUG	Skipping a component with an unsupported type	name="." version="" type=""
2024-08-12T14:16:23-04:00	DEBUG	OS is not detected.
2024-08-12T14:16:23-04:00	DEBUG	Detected OS: unknown
2024-08-12T14:16:23-04:00	INFO	Number of language-specific files	num=1
2024-08-12T14:16:23-04:00	INFO	[poetry] Detecting vulnerabilities...
2024-08-12T14:16:23-04:00	DEBUG	[poetry] Scanning packages for vulnerabilities	file_path="poetry.lock"

Operating System

macOS Sonoma 14.6.1

Version

Version: 0.54.0

Checklist

• Run trivy clean --all
• Read the troubleshooting

[DmitriyLewen]

Hello @scott-boost
Thanks for your report!

Created #7337 for this bug.

Regards, Dmitriy