Inconsistent results between SBOM generated by syft and direct trivy image scan

[Sinderella]

Description

I've perform some experiments to ensure that all vulnerabilities are properly covered. I tried the following approaches and for some reason the results do not match.

1. SBOM generation using syft scan docker:... -> trivy sbom ...

• syft scan docker:mcr.microsoft.com/dotnet/runtime:6.0-alpine -o cyclonedx-json > runtime-alpine.json
• trivy sbom runtime-alpine.json

2. Use trivy image

• trivy image mcr.microsoft.com/dotnet/runtime:6.0-alpine

3. Use grype docker:...

• grype docker:mcr.microsoft.com/dotnet/runtime:6.0-alpine

Desired Behavior

All of the approaches should give me the same results.

Actual Behavior

Scanning generated SBOM showed no vulnerability was found.

 ❯ trivy sbom runtime-alpine.json
2024-11-01T13:35:46+07:00       INFO    [vuln] Vulnerability scanning is enabled
2024-11-01T13:35:46+07:00       INFO    Detected SBOM format    format="cyclonedx-json"
2024-11-01T13:35:46+07:00       WARN    Third-party SBOM may lead to inaccurate vulnerability detection
2024-11-01T13:35:46+07:00       WARN    Recommend using Trivy to generate SBOMs
2024-11-01T13:35:46+07:00       INFO    Detected OS     family="alpine" version="3.20.3"
2024-11-01T13:35:46+07:00       INFO    [alpine] Detecting vulnerabilities...   os_version="3.20" repository="" pkg_num=23
2024-11-01T13:35:46+07:00       INFO    Number of language-specific files       num=1
2024-11-01T13:35:46+07:00       INFO    [nuget] Detecting vulnerabilities...

runtime-alpine.json (alpine 3.20.3)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Scanning it directly does show the vulneraibilities.

 ❯ trivy image mcr.microsoft.com/dotnet/runtime:6.0-alpine
2024-11-01T13:17:06+07:00       INFO    [vuln] Vulnerability scanning is enabled
2024-11-01T13:17:06+07:00       INFO    [secret] Secret scanning is enabled
2024-11-01T13:17:06+07:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-01T13:17:06+07:00       INFO    [secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-11-01T13:17:06+07:00       INFO    Detected OS     family="alpine" version="3.20.3"
2024-11-01T13:17:06+07:00       INFO    [alpine] Detecting vulnerabilities...   os_version="3.20" repository="3.20" pkg_num=23
2024-11-01T13:17:06+07:00       INFO    Number of language-specific files       num=1
2024-11-01T13:17:06+07:00       INFO    [dotnet-core] Detecting vulnerabilities...
2024-11-01T13:17:06+07:00       WARN    Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.55/docs/scanner/vulnerability#severity-selection for details.

mcr.microsoft.com/dotnet/runtime:6.0-alpine (alpine 3.20.3)

Total: 2 (UNKNOWN: 0, LOW: 2, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

┌────────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────────┐
│  Library   │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │                           Title                           │
├────────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ libcrypto3 │ CVE-2024-9143 │ LOW      │ fixed  │ 3.3.2-r0          │ 3.3.2-r1      │ openssl: Low-level invalid GF(2^m) parameters lead to OOB │
│            │               │          │        │                   │               │ memory access                                             │
│            │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-9143                 │
├────────────┤               │          │        │                   │               │                                                           │
│ libssl3    │               │          │        │                   │               │                                                           │
│            │               │          │        │                   │               │                                                           │
│            │               │          │        │                   │               │                                                           │
└────────────┴───────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────────┘

SBOM does contain the component as shown below:

 ❯ jq . runtime-alpine.json | grep libcrypto3
      "bom-ref": "pkg:apk/alpine/[email protected]?arch=aarch64&distro=alpine-3.20.3&package-id=a8de5452db2ff4fe&upstream=openssl",
      "name": "libcrypto3",
      "cpe": "cpe:2.3:a:libcrypto3:libcrypto3:3.3.2-r0:*:*:*:*:*:*:*",
      "purl": "pkg:apk/alpine/[email protected]?arch=aarch64&distro=alpine-3.20.3&upstream=openssl",
          "value": "cpe:2.3:a:libcrypto3:libcrypto:3.3.2-r0:*:*:*:*:*:*:*"
          "value": "cpe:2.3:a:libcrypto:libcrypto3:3.3.2-r0:*:*:*:*:*:*:*"
          "value": "libcrypto3=3.3.2-r0"
        "pkg:apk/alpine/[email protected]?arch=aarch64&distro=alpine-3.20.3&package-id=a8de5452db2ff4fe&upstream=openssl",
        "pkg:apk/alpine/[email protected]?arch=aarch64&distro=alpine-3.20.3&package-id=a8de5452db2ff4fe&upstream=openssl",
        "pkg:apk/alpine/[email protected]?arch=aarch64&distro=alpine-3.20.3&package-id=a8de5452db2ff4fe&upstream=openssl",
      "ref": "pkg:apk/alpine/[email protected]?arch=aarch64&distro=alpine-3.20.3&package-id=a8de5452db2ff4fe&upstream=openssl",
        "pkg:apk/alpine/[email protected]?arch=aarch64&distro=alpine-3.20.3&package-id=a8de5452db2ff4fe&upstream=openssl",
        "pkg:apk/alpine/[email protected]?arch=aarch64&distro=alpine-3.20.3&package-id=a8de5452db2ff4fe&upstream=openssl",

Reproduction Steps

- `syft scan docker:mcr.microsoft.com/dotnet/runtime:6.0-alpine -o cyclonedx-json > runtime-alpine.json`
- `trivy sbom runtime-alpine.json`

Target

SBOM

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Debug Output

❯ trivy sbom runtime-alpine.json  --debug
2024-11-01T13:38:13+07:00       DEBUG   No plugins loaded
2024-11-01T13:38:13+07:00       DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2024-11-01T13:38:13+07:00       DEBUG   Cache dir       dir="/Users/redacted/Library/Caches/trivy"
2024-11-01T13:38:13+07:00       DEBUG   Cache dir       dir="/Users/redacted/Library/Caches/trivy"
2024-11-01T13:38:13+07:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-11-01T13:38:13+07:00       DEBUG   Ignore statuses statuses=[]
2024-11-01T13:38:13+07:00       DEBUG   DB update was skipped because the local DB is the latest
2024-11-01T13:38:13+07:00       DEBUG   DB info schema=2 updated_at=2024-11-01T00:24:31.687600665Z next_update=2024-11-02T00:24:31.687600535Z downloaded_at=2024-11-01T06:05:21.34086Z
2024-11-01T13:38:13+07:00       DEBUG   [pkg] Package types     types=[os library]
2024-11-01T13:38:13+07:00       DEBUG   [pkg] Package relationships     relationships=[unknown root direct indirect]
2024-11-01T13:38:13+07:00       INFO    [vuln] Vulnerability scanning is enabled
2024-11-01T13:38:13+07:00       DEBUG   Enabling misconfiguration scanners      scanners=[]
2024-11-01T13:38:13+07:00       DEBUG   Initializing scan cache...      type="memory"
2024-11-01T13:38:13+07:00       INFO    Detected SBOM format    format="cyclonedx-json"
2024-11-01T13:38:13+07:00       DEBUG   Unmarshalling CycloneDX JSON...
2024-11-01T13:38:13+07:00       WARN    Third-party SBOM may lead to inaccurate vulnerability detection
2024-11-01T13:38:13+07:00       WARN    Recommend using Trivy to generate SBOMs
2024-11-01T13:38:13+07:00       DEBUG   [sbom] Skipping a component with an unsupported type    file_path="runtime-alpine.json" name="mcr.microsoft.com/dotnet/runtime" version="6.0-alpine" type=""
2024-11-01T13:38:13+07:00       INFO    Detected OS     family="alpine" version="3.20.3"
2024-11-01T13:38:13+07:00       INFO    [alpine] Detecting vulnerabilities...   os_version="3.20" repository="" pkg_num=23
2024-11-01T13:38:13+07:00       INFO    Number of language-specific files       num=1
2024-11-01T13:38:13+07:00       INFO    [nuget] Detecting vulnerabilities...
2024-11-01T13:38:13+07:00       DEBUG   [nuget] Scanning packages for vulnerabilities   file_path=""
2024-11-01T13:38:13+07:00       DEBUG   [vex] VEX filtering is disabled

runtime-alpine.json (alpine 3.20.3)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Operating System

macOS Sequoia 15.0.1

Version

❯ trivy version
Version: 0.55.2
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-11-01 00:24:31.687600665 +0000 UTC
  NextUpdate: 2024-11-02 00:24:31.687600535 +0000 UTC
  DownloadedAt: 2024-11-01 06:05:21.34086 +0000 UTC
Check Bundle:
  Digest: sha256:ef2d9ad4fce0f933b20a662004d7e55bf200987c180e7f2cd531af631f408bb3
  DownloadedAt: 2024-10-01 07:36:52.475785 +0000 UTC

Checklist

• Run trivy clean --all
• Read the troubleshooting

[DmitriyLewen]

Hello @Sinderella
Thanks for your report!

alpine uses source package name for CVEs - see https://security.alpinelinux.org/vuln/CVE-2024-9143

In this case source package name for libcrypto3 is openssl.

For CycloneDX format - Trivy keeps srcPkg into properties:

      "purl": "pkg:apk/alpine/[email protected]?arch=aarch64&distro=3.20.3",
      "properties": [
        {
          "name": "aquasecurity:trivy:LayerDiffID",
          "value": "sha256:16113d51b7181f20135f51e8ffbaead20a7671cd783017601f198748ce8a8ebf"
        },
        {
          "name": "aquasecurity:trivy:PkgID",
          "value": "[email protected]"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "alpine"
        },
        {
          "name": "aquasecurity:trivy:SrcName",
          "value": "openssl"
        },
        {
          "name": "aquasecurity:trivy:SrcVersion",
          "value": "3.3.2-r0"
        }

Same logic when Trivy decodes CycloneDX file.
Trivy finds srcPkg from properties. If properties doesn't contain srcPkg - Trivy uses pkg name.

UUIC syft saves srcPkg in purl (upstream qualifier).

So Trivy can't find srcPkg for syft report and use libcrypto3 for vulnerability detection.