trivy fills CycloneDX "dependsOn" sets with duplicates in CycloneDX SBOMs

[stohrendorf]

Description

When importing some CycloneDX SBOMs generated by trivy into DependencyTrack, the validation of DependencyTrack fails sometimes, reporting duplicates in the dependsOn elements. According to the CycloneDX spec, this should not be the case.

However, from a glance at the SBOM, it seems as if trivy tries to de-duplicate some components, leading to duplicate graph edges in the dependency graph. Indicator for this theory is that some transitive (and duplicate) dependencies are not referenced at all within the dependency graph.

Desired Behavior

Items in the dependsOn element are unique.

Actual Behavior

Items in the dependsOn element are not unique, which violates the spec. This affects at least fs and image scans.

Reproduction Steps

Unknown.

Target

None

Scanner

Vulnerability

Output Format

CycloneDX

Mode

Client/Server

Debug Output

Cannot provide. However, looking at the debug outputs myself from different failing scans, it was not different from scans that work properly.

Operating System

Multiple Linux flavours

Version

Any version produces invalid output. However, 0.50.1 seems to have the least problems providing a valid SBOM with a complete dependency graph, yet it does at times produce an invalid SBOM.

Checklist

• Run trivy clean --all
• Read the troubleshooting

[DmitriyLewen]

Hello @stohrendorf
We are aware of duplicates when scanning pom.xml files - #7802
Are you having problems with other files?

[stohrendorf]

Seems I gracefully overlooked that issue when searching for issues regarding this problem. Thanks for providing the issue link.

[DmitriyLewen]

duplicate of #7802