Seeing different behavior with Trivy sbom processing b/n v0.50.2 vs 0.51.1 #6670

ssai12 · 2024-05-10T17:06:43Z

ssai12
May 10, 2024

Question

We have a kafka-burrow docker image, which we are scanning through trivy and generate json and cyclonedx reports.
The generated sbom with v0.50.2 is giving for version for one of the oem_sw of kafka-burrow ("bom-ref": "pkg:golang/github.com/linkedin/burrow")

{
      "bom-ref": "pkg:golang/github.com/linkedin/burrow@%28devel%29",
      "type": "library",
      "name": "github.com/linkedin/Burrow",
"version": "(devel)"
,
      "purl": "pkg:golang/github.com/linkedin/burrow@%28devel%29",
      "properties": [
        {
          "name": "aquasecurity:trivy:LayerDiffID",
          "value": "sha256:dd6649f01445227d33b1285fa788667abf2a7f215216225c9b67dbc9f936c817"
        },
        {
          "name": "aquasecurity:trivy:LayerDigest",
          "value": "sha256:a7656be347ba7710fd9ccd57ca3fc46a81e7ea9779cbc1b07a1d9a164c7d2643"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "gobinary"
        }
      ]
    }

And, same image when we try to scan with v0.51.1 and check the sbom,
we don't see the version.

{
      "bom-ref": "pkg:golang/github.com/linkedin/burrow",
      "type": "library",
      "name": "github.com/linkedin/Burrow",
      "purl": "pkg:golang/github.com/linkedin/burrow",
      "properties": [
        {
          "name": "aquasecurity:trivy:LayerDiffID",
          "value": "sha256:dd6649f01445227d33b1285fa788667abf2a7f215216225c9b67dbc9f936c817"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "gobinary"
        }
      ]
    }

could you please help us with brief explanation about the above behavior we are seeing with different version of trivy.
And, is this an issue with Trivy latest?

Target

SBOM

Scanner

Vulnerability

Output Format

CycloneDX

Mode

Standalone

Operating System

rockylinux

Version

No response

knqyf263 · 2024-05-13T02:49:37Z

knqyf263
May 13, 2024
Maintainer

When Go doesn't determine the version, it uses (devel). It means unknown, not actually a version. A new version of Trivy replaces (devel) with empty string.

2 replies

ssai12 May 14, 2024
Author

Ok thanks for the reply,
So, is there a way to avoid setting empty?
Thanks for the help.

knqyf263 May 14, 2024
Maintainer

No, SBOM allows empty versions in the spec.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Seeing different behavior with Trivy sbom processing b/n v0.50.2 vs 0.51.1 #6670

{{title}}

Replies: 1 comment 2 replies

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

Select a reply

Seeing different behavior with Trivy sbom processing b/n v0.50.2 vs 0.51.1 #6670

ssai12 May 10, 2024

Question

Target

Scanner

Output Format

Mode

Operating System

Version

Replies: 1 comment · 2 replies

knqyf263 May 13, 2024 Maintainer

ssai12 May 14, 2024 Author

knqyf263 May 14, 2024 Maintainer

ssai12
May 10, 2024

Replies: 1 comment 2 replies

knqyf263
May 13, 2024
Maintainer

ssai12 May 14, 2024
Author

knqyf263 May 14, 2024
Maintainer