Skip to content

fix(sbom): preserve OS packages from multiple SBOMs #8325

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jan 31, 2025
Merged

fix(sbom): preserve OS packages from multiple SBOMs #8325

merged 2 commits into from
Jan 31, 2025

Conversation

knqyf263
Copy link
Collaborator

Overview

This PR fixes a bug in the SBOM analyzer where OS packages from multiple SBOM files were being overwritten during the merge process.

Usage

No changes in usage. This is a bug fix in how Trivy handles OS packages from multiple SBOM files.

Description

When scanning container images with multiple SBOM files containing OS packages, only the packages from the last processed SBOM remained in the final result. This was because OS packages didn't have a file path set, causing them to be overwritten during the merge process.

This PR fixes the issue by:

  1. Setting the SBOM file path as the package file path for OS packages
  2. This ensures packages from different SBOMs are preserved as distinct entries

For example, when scanning an image with these SBOM files:

  • /opt/bitnami/debian/.spdx-ca-certificates.spdx
  • /opt/bitnami/debian/.spdx-tzdata.spdx
  • /opt/bitnami/debian/.spdx-netbase.spdx

All OS packages will now be correctly preserved in the final result.

Related Issues

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@knqyf263 knqyf263 self-assigned this Jan 31, 2025
@knqyf263 knqyf263 marked this pull request as ready for review January 31, 2025 11:17
DmitriyLewen
DmitriyLewen approved these changes Jan 31, 2025
View reviewed changes
Copy link
Contributor

@DmitriyLewen DmitriyLewen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@DmitriyLewen DmitriyLewen disabled auto-merge January 31, 2025 11:43
@DmitriyLewen DmitriyLewen added this pull request to the merge queue Jan 31, 2025
Merged via the queue into aquasecurity:main with commit bd5baaf Jan 31, 2025
12 checks passed
@aqua-bot aqua-bot mentioned this pull request Jan 31, 2025
Merged
@knqyf263 knqyf263 deleted the fix/multiple_sboms branch February 3, 2025 05:07
@DmitriyLewen
Copy link
Contributor

@aqua-bot backport release/v0.59

github-actions bot pushed a commit that referenced this pull request Feb 3, 2025
@knqyf263 @DmitriyLewen @actions-user
fix(sbom): preserve OS packages from multiple SBOMs (#8325)
e706da4 
Co-authored-by: DmitriyLewen <[email protected]>
@aqua-bot aqua-bot mentioned this pull request Feb 3, 2025
Merged
@aqua-bot
Copy link
Contributor

aqua-bot commented Feb 3, 2025

Backport PR created: #8333

@DmitriyLewen DmitriyLewen mentioned this pull request Feb 3, 2025
Closed
RingoDev pushed a commit to RingoDev/trivy that referenced this pull request Feb 26, 2025
@knqyf263 @DmitriyLewen @RingoDev
fix(sbom): preserve OS packages from multiple SBOMs (aquasecurity#8325)
8ccff11 
Co-authored-by: DmitriyLewen <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@DmitriyLewen DmitriyLewen DmitriyLewen approved these changes

Assignees

@knqyf263 knqyf263

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@knqyf263 @DmitriyLewen @aqua-bot