Trivy integration does not report vulnerabilities for Golang components #4376

Closed
2 tasks done
mawl opened this issue Nov 14, 2024 · 3 comments · Fixed by #4394
Labels: defect (Something isn't working), integration/trivy (Related to the Trivy integration), p2 (Non-critical bugs, and features that help organizations to identify and reduce risk), size/S (Small effort)


mawl commented Nov 14, 2024

Current Behavior

First of all, we are excited to see that Trivy has made its way into Dependency-Track - so that developers get the same vulnerabilities in their CI pipelines and in Dependency-Track.

But currently, it doesn't show vulnerabilities for Golang dependencies like pkg:golang/github.com/nats-io/nkeys@0.4.4.
Image

Sonatype OSS Index finds the vulnerability:
Image

But it seems that the Trivy integration currently works only for other package managers like npm or NuGet:
Image

Steps to Reproduce

  1. Add Trivy as a service to the docker-compose file
  2. Enable Trivy in Dependency-Track
  3. Create a new project
  4. Import the following SBOM:
{
  "bomFormat" : "CycloneDX",
  "specVersion" : "1.5",
  "serialNumber" : "urn:uuid:250397f0-20bd-476d-b411-6147a52427fb",
  "version" : 1,
  "metadata" : {
    "timestamp" : "2024-11-14T11:09:02Z",
    "tools" : [
      {
        "vendor" : "OWASP",
        "name" : "Dependency-Track",
        "version" : "4.12.1"
      }
    ],
    "component" : {
      "type" : "application",
      "bom-ref" : "2d4a12eb-32d4-41e7-99c9-8201d8150aae",
      "name" : "nkeys",
      "version" : ""
    }
  },
  "components" : [
    {
      "type" : "library",
      "bom-ref" : "509cecee-5f04-4f56-a9fd-47f36d37fbc5",
      "name" : "github.com/nats-io/nkeys",
      "version" : "0.4.4",
      "purl" : "pkg:golang/github.com/nats-io/nkeys@0.4.4"
    }
  ],
  "dependencies" : [
    {
      "ref" : "2d4a12eb-32d4-41e7-99c9-8201d8150aae",
      "dependsOn" : [ ]
    },
    {
      "ref" : "509cecee-5f04-4f56-a9fd-47f36d37fbc5",
      "dependsOn" : [ ]
    }
  ]
}

trivy.log

trivy-1  | 2024-11-14T11:11:34Z DEBUG   OS is not detected.
trivy-1  | 2024-11-14T11:11:34Z DEBUG   Detected OS: unknown
trivy-1  | 2024-11-14T11:11:34Z INFO    Number of language-specific files       num=1
trivy-1  | 2024-11-14T11:11:34Z INFO    [gobinary] Detecting vulnerabilities...
trivy-1  | 2024-11-14T11:11:34Z DEBUG   [gobinary] Scanning packages for vulnerabilities        file_path=""

Expected Behavior

Golang vulnerabilities that the Trivy CLI has found should also be part of the results in Dependency-Track.

% trivy sbom nkeys.json
2024-11-14T12:22:55.489+0100	INFO	Vulnerability scanning is enabled
2024-11-14T12:22:55.489+0100	INFO	Detected SBOM format: cyclonedx-json
2024-11-14T12:22:55.490+0100	WARN	Third-party SBOM may lead to inaccurate vulnerability detection
2024-11-14T12:22:55.490+0100	WARN	Recommend using Trivy to generate SBOMs
2024-11-14T12:22:55.490+0100	WARN	Ignore the OS package as no OS information is found.
2024-11-14T12:22:55.496+0100	INFO	Number of language-specific files: 1
2024-11-14T12:22:55.496+0100	INFO	Detecting gobinary vulnerabilities...

 (gobinary)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌──────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────┐
│         Library          │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                        Title                        │
├──────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────┤
│ github.com/nats-io/nkeys │ CVE-2023-46129 │ HIGH     │ fixed  │ 0.4.4             │ 0.4.6         │ nkeys: xkeys Seal encryption used fixed key for all │
│                          │                │          │        │                   │               │ encryption                                          │
│                          │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-46129          │
└──────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────┘

Dependency-Track Version

4.12.1

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Apple Safari


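The reproduction above boils down to a minimal CycloneDX SBOM with one purl, fed to both the Trivy CLI and the Dependency-Track integration, with the two result sets compared. The following added example (not Dependency-Track or Trivy code) generalizes that: it builds such an SBOM for any list of purls and reports, per purl type, the findings the CLI produced that the integration did not, which is how a whole ecosystem going missing (golang here) shows up. The finding sets are constructed stand-ins; in practice they come from the CLI table and the Dependency-Track findings view.

```python
import json
import uuid
from datetime import datetime, timezone


def parse_purl(purl):
    """Split 'pkg:TYPE/NAME@VERSION' into (type, name, version); NAME may contain
    slashes. Qualifiers and subpaths are not handled (the issue's purl has none)."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body, _, version = purl[4:].rpartition("@")
    ptype, _, name = body.partition("/")
    return ptype, name, version


def minimal_sbom(purls, app_name="coverage-check"):
    """CycloneDX 1.5 document with one application component and one library per
    purl, mirroring the SBOM attached to the issue (bom-refs are fresh UUIDs)."""
    app = {"type": "application", "bom-ref": str(uuid.uuid4()),
           "name": app_name, "version": ""}
    libs = []
    for purl in purls:
        _, name, version = parse_purl(purl)
        libs.append({"type": "library", "bom-ref": str(uuid.uuid4()),
                     "name": name, "version": version, "purl": purl})
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {"timestamp": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
                     "component": app},
        "components": libs,
        "dependencies": [{"ref": c["bom-ref"], "dependsOn": []} for c in [app] + libs],
    }


def findings_gap(cli_findings, integration_findings):
    """(purl, vuln_id) pairs reported by the Trivy CLI but absent from the
    integration's results, grouped by purl type. An entire type with gaps and no
    matches is the pattern this issue describes."""
    gap = {}
    for purl, vuln in sorted(set(cli_findings) - set(integration_findings)):
        gap.setdefault(parse_purl(purl)[0], []).append((purl, vuln))
    return gap


if __name__ == "__main__":
    print(json.dumps(minimal_sbom(["pkg:golang/github.com/nats-io/nkeys@0.4.4"], "nkeys"), indent=2))
    # Constructed inputs: the CLI finding from the report, nothing from the integration.
    cli = {("pkg:golang/github.com/nats-io/nkeys@0.4.4", "CVE-2023-46129")}
    print(findings_gap(cli, set()))  # {'golang': [('pkg:golang/...nkeys@0.4.4', 'CVE-2023-46129')]}
```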
@mawl mawl added defect Something isn't working in triage labels Nov 14, 2024
@mawl mawl changed the title trivy does not report vulnerabilities for golang components Trivy integration does not report vulnerabilities for Golang components Nov 14, 2024
nscuro (Member) commented Nov 19, 2024

What version of Trivy are you using?

@nscuro nscuro added pending more information integration/trivy Related to the Trivy integration and removed in triage labels Nov 19, 2024
mawl (Author) commented Nov 20, 2024

@nscuro: It's trivy v0.57.0:

  trivy:
    image: aquasec/trivy:0.57.0
    command:
    - server
    - --listen
    - :9090
    - --token
    - my_token
    - --db-repository
    - public.ecr.aws/aquasecurity/trivy-db
    - --debug
    volumes:
    - "trivy-cache:/root/.cache/trivy"
    restart: unless-stopped

https://docs.dependencytrack.org/datasources/trivy/

@nscuro nscuro added p2 Non-critical bugs, and features that help organizations to identify and reduce risk size/S Small effort and removed pending more information labels Nov 20, 2024
nscuro added a commit to nscuro/dependency-track that referenced this issue Nov 20, 2024
Fixes DependencyTrack#4376

Signed-off-by: nscuro <nscuro@protonmail.com>
@nscuro nscuro added this to the 4.12.2 milestone Nov 20, 2024
@nscuro nscuro closed this as completed in 46bcdfa Nov 20, 2024
github-actions bot (Contributor) commented

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 21, 2024