Unsupported CycloneDX Framework Component Type #7418

NyanKiyoshi · 2024-08-29T11:07:13Z

NyanKiyoshi
Aug 29, 2024

Description

When scanning a CycloneDX JSON BOM file generated by cdxgen, Trivy skips components that have the type framework instead of handling them as a library.

Desired Behavior

Trivy could potentially handle the cdx.ComponentTypeFramework component type with the exact same behavior as cdx.ComponentTypeLibrary

Actual Behavior

Trivy skips the package with the following warning:

Skipping the component with the unsupported type	bom-ref="pkg:pypi/django@5.1" type="framework"

This is caused by BOM.unmarshalType not handling the cdx.ComponentTypeFramework type:

trivy/pkg/sbom/cyclonedx/unmarshal.go

Lines 162 to 179 in 6a72dd4

    
           func (b *BOM) unmarshalType(t cdx.ComponentType) (core.ComponentType, error) { 
        
           	var ctype core.ComponentType 
        
           	switch t { 
        
           	case cdx.ComponentTypeContainer: 
        
           		ctype = core.TypeContainerImage 
        
           	case cdx.ComponentTypeApplication: 
        
           		ctype = core.TypeApplication 
        
           	case cdx.ComponentTypeLibrary: 
        
           		ctype = core.TypeLibrary 
        
           	case cdx.ComponentTypeOS: 
        
           		ctype = core.TypeOS 
        
           	case cdx.ComponentTypePlatform: 
        
           		ctype = core.TypePlatform 
        
           	default: 
        
           		return "", ErrUnsupportedType 
        
           	} 
        
           	return ctype, nil 
        
           }

Reproduction Steps

Define a Python framework dependency (happens in NPM as well):
```
echo 'django>=4.1.0' > requirements.txt
```

Generate a JSON SBOM using cdxgen:

docker run --rm -v /tmp:/tmp -v $(pwd):/app:rw --env FETCH_LICENSE=true -t ghcr.io/cyclonedx/cdxgen:v10.9.5 -r /app -o /app/bom.json --profile license-compliance

Analyze the SBOM:

docker run --rm -ti -v $(pwd):/app:ro ghcr.io/aquasecurity/trivy:0.54.1 sbom /app/bom.json --scanners license

You should get the following output (notice Django is missing in the license list):

 $ docker run --rm -ti -v $(pwd):/app:ro ghcr.io/aquasecurity/trivy:0.54.1 sbom /app/bom.json --scanners license
 Unable to find image 'ghcr.io/aquasecurity/trivy:0.54.1' locally
 0.54.1: Pulling from aquasecurity/trivy
 Digest: sha256:e654e95e0753d2daeb4d5b1c2791eee6a1262c7e002770511d773c02a898c73b
 Status: Downloaded newer image for ghcr.io/aquasecurity/trivy:0.54.1
 2024-08-29T11:03:58Z	INFO	[license] License scanning is enabled
 2024-08-29T11:03:58Z	INFO	Detected SBOM format	format="cyclonedx-json"
 2024-08-29T11:03:58Z	WARN	Third-party SBOM may lead to inaccurate vulnerability detection
 2024-08-29T11:03:58Z	WARN	Recommend using Trivy to generate SBOMs
 2024-08-29T11:03:58Z	INFO	Skipping the component with the unsupported type	bom-ref="pkg:pypi/django@5.1" type="framework"
 
 Python (license)
 
 Total: 3 (UNKNOWN: 0, LOW: 3, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
 
 ┌──────────┬──────────────┬────────────────┬──────────┐
 │ Package  │   License    │ Classification │ Severity │
 ├──────────┼──────────────┼────────────────┼──────────┤
 │ asgiref  │ 0BSD         │ Unencumbered   │ LOW      │
 │          ├──────────────┼────────────────┤          │
 │          │ BSD-3-Clause │ Notice         │          │
 ├──────────┼──────────────┼────────────────┤          │
 │ sqlparse │ 0BSD         │ Unencumbered   │          │
 └──────────┴──────────────┴────────────────┴──────────┘

CycloneDX SBOM Contents

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:899c0a28-ec64-4b6f-a0b1-f807d3669373",
  "version": 1,
  "metadata": {
    "timestamp": "2024-08-29T10:51:56Z",
    "tools": {
      "components": [
        {
          "group": "@cyclonedx",
          "name": "cdxgen",
          "version": "10.9.5",
          "purl": "pkg:npm/%40cyclonedx/cdxgen@10.9.5",
          "type": "application",
          "bom-ref": "pkg:npm/@cyclonedx/cdxgen@10.9.5",
          "author": "OWASP Foundation",
          "publisher": "OWASP Foundation"
        }
      ]
    },
    "authors": [
      {
        "name": "OWASP Foundation"
      }
    ],
    "lifecycles": [
      {
        "phase": "build"
      }
    ],
    "component": {
      "group": "",
      "name": "app",
      "version": "latest",
      "type": "application",
      "bom-ref": "pkg:gem/app@latest",
      "purl": "pkg:gem/app@latest"
    },
    "properties": [
      {
        "name": "cdx:bom:componentTypes",
        "value": "pypi"
      }
    ]
  },
  "components": [
    {
      "author": "Django Software Foundation <foundation@djangoproject.com>",
      "group": "",
      "name": "Django",
      "version": "5.1",
      "description": "A high-level Python web framework that encourages rapid development and clean, pragmatic design.",
      "hashes": [
        {
          "alg": "SHA-256",
          "content": "d3b811bf5371a26def053d7ee42a9df1267ef7622323fe70a601936725aa4557"
        }
      ],
      "licenses": [
        {
          "license": {
            "id": "0BSD",
            "url": "https://opensource.org/licenses/0BSD"
          }
        },
        {
          "license": {
            "id": "BSD-3-Clause",
            "url": "https://opensource.org/licenses/BSD-3-Clause"
          }
        }
      ],
      "purl": "pkg:pypi/django@5.1",
      "type": "framework",
      "bom-ref": "pkg:pypi/django@5.1",
      "evidence": {
        "identity": {
          "field": "purl",
          "confidence": 1,
          "methods": [
            {
              "technique": "instrumentation",
              "confidence": 1,
              "value": "/tmp/cdxgen-venv-vvW1gd"
            }
          ]
        }
      },
      "properties": [
        {
          "name": "SrcFile",
          "value": "/app/requirements.txt"
        }
      ]
    },
    {
      "author": "Django Software Foundation <foundation@djangoproject.com>",
      "group": "",
      "name": "asgiref",
      "version": "3.8.1",
      "description": "ASGI specs, helper code, and adapters",
      "hashes": [
        {
          "alg": "SHA-256",
          "content": "3e1e3ecc849832fe52ccf2cb6686b7a55f82bb1d6aee72a58826471390335e47"
        }
      ],
      "licenses": [
        {
          "license": {
            "id": "0BSD",
            "url": "https://opensource.org/licenses/0BSD"
          }
        },
        {
          "license": {
            "id": "BSD-3-Clause",
            "url": "https://opensource.org/licenses/BSD-3-Clause"
          }
        }
      ],
      "purl": "pkg:pypi/asgiref@3.8.1",
      "externalReferences": [
        {
          "type": "vcs",
          "url": "https://github.com/django/asgiref/"
        }
      ],
      "type": "library",
      "bom-ref": "pkg:pypi/asgiref@3.8.1",
      "evidence": {
        "identity": {
          "field": "purl",
          "confidence": 0.8,
          "methods": [
            {
              "technique": "manifest-analysis",
              "confidence": 0.8,
              "value": "/app/requirements.txt"
            }
          ]
        }
      },
      "properties": [
        {
          "name": "SrcFile",
          "value": "/app/requirements.txt"
        }
      ]
    },
    {
      "author": "Andi Albrecht <albrecht.andi@gmail.com>",
      "group": "",
      "name": "sqlparse",
      "version": "0.5.1",
      "description": "A non-validating SQL parser.",
      "hashes": [
        {
          "alg": "SHA-256",
          "content": "773dcbf9a5ab44a090f3441e2180efe2560220203dc2f8c0b0fa141e18b505e4"
        }
      ],
      "licenses": [
        {
          "license": {
            "id": "0BSD",
            "url": "https://opensource.org/licenses/0BSD"
          }
        }
      ],
      "purl": "pkg:pypi/sqlparse@0.5.1",
      "type": "library",
      "bom-ref": "pkg:pypi/sqlparse@0.5.1",
      "evidence": {
        "identity": {
          "field": "purl",
          "confidence": 0.8,
          "methods": [
            {
              "technique": "manifest-analysis",
              "confidence": 0.8,
              "value": "/app/requirements.txt"
            }
          ]
        }
      },
      "properties": [
        {
          "name": "SrcFile",
          "value": "/app/requirements.txt"
        }
      ]
    }
  ],
  "services": [],
  "dependencies": [
    {
      "ref": "pkg:pypi/app@latest",
      "dependsOn": []
    },
    {
      "ref": "pkg:pypi/asgiref@3.8.1",
      "dependsOn": []
    },
    {
      "ref": "pkg:pypi/sqlparse@0.5.1",
      "dependsOn": []
    },
    {
      "ref": "pkg:pypi/django@5.1",
      "dependsOn": [
        "pkg:pypi/asgiref@3.8.1",
        "pkg:pypi/sqlparse@0.5.1"
      ]
    }
  ]
}

Target

SBOM

Scanner

License

Output Format

Table

Mode

Standalone

Debug Output

2024-08-29T11:05:34Z	DEBUG	Cache dir	dir="/root/.cache/trivy"
2024-08-29T11:05:34Z	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-08-29T11:05:34Z	DEBUG	Ignore statuses	statuses=[]
2024-08-29T11:05:34Z	INFO	[license] License scanning is enabled
2024-08-29T11:05:34Z	DEBUG	Enabling misconfiguration scanners	scanners=[]
2024-08-29T11:05:34Z	DEBUG	Initializing scan cache...	type="memory"
2024-08-29T11:05:34Z	INFO	Detected SBOM format	format="cyclonedx-json"
2024-08-29T11:05:34Z	DEBUG	Unmarshalling CycloneDX JSON...
2024-08-29T11:05:34Z	WARN	Third-party SBOM may lead to inaccurate vulnerability detection
2024-08-29T11:05:34Z	WARN	Recommend using Trivy to generate SBOMs
2024-08-29T11:05:34Z	INFO	Skipping the component with the unsupported type	bom-ref="pkg:pypi/django@5.1" type="framework"
2024-08-29T11:05:34Z	DEBUG	OS is not detected.
2024-08-29T11:05:34Z	DEBUG	[vex] VEX filtering is disabled

Python (license)

Total: 3 (UNKNOWN: 0, LOW: 3, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

┌──────────┬──────────────┬────────────────┬──────────┐
│ Package  │   License    │ Classification │ Severity │
├──────────┼──────────────┼────────────────┼──────────┤
│ asgiref  │ 0BSD         │ Unencumbered   │ LOW      │
│          ├──────────────┼────────────────┤          │
│          │ BSD-3-Clause │ Notice         │          │
├──────────┼──────────────┼────────────────┤          │
│ sqlparse │ 0BSD         │ Unencumbered   │          │
└──────────┴──────────────┴────────────────┴──────────┘

Operating System

MacOS Sonoma (14.6.1)

Version

0.54.1

Checklist

Run trivy clean --all
Read the troubleshooting

DmitriyLewen · 2024-08-30T08:06:39Z

DmitriyLewen
Aug 30, 2024
Maintainer

Hello @NyanKiyoshi
Thanks for your report!

Looks like you are right and we can use framework as library in Trivy.
There are not many differences between a library and a framework and sometimes it is difficult to choose the right type.
Even CycloneDX docs say: If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is RECOMMENDED..

I think we can check framework as library
@knqyf263 wdyt?

1 reply

knqyf263 Sep 2, 2024
Maintainer

It sounds reasonable.

DmitriyLewen · 2024-09-02T07:30:01Z

DmitriyLewen
Sep 2, 2024
Maintainer

Created #7432 for this task.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Unsupported CycloneDX Framework Component Type #7418

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 2 comments 1 reply

{{title}}

{{title}}

{{title}}

Select a reply

Unsupported CycloneDX Framework Component Type #7418

NyanKiyoshi Aug 29, 2024

Description

Desired Behavior

Actual Behavior

Reproduction Steps

Target

Scanner

Output Format

Mode

Debug Output

Operating System

Version

Checklist

Replies: 2 comments · 1 reply

DmitriyLewen Aug 30, 2024 Maintainer

knqyf263 Sep 2, 2024 Maintainer

DmitriyLewen Sep 2, 2024 Maintainer

NyanKiyoshi
Aug 29, 2024

Replies: 2 comments 1 reply

DmitriyLewen
Aug 30, 2024
Maintainer

knqyf263 Sep 2, 2024
Maintainer

DmitriyLewen
Sep 2, 2024
Maintainer