Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TrivyAnalysisTaskIntegrationTest#test fails with Trivy v0.51.2 #3737

Closed
2 tasks done
nscuro opened this issue May 20, 2024 · 2 comments · Fixed by #3738
Closed
2 tasks done

TrivyAnalysisTaskIntegrationTest#test fails with Trivy v0.51.2 #3737

nscuro opened this issue May 20, 2024 · 2 comments · Fixed by #3738
Labels
defect Something isn't working integration/trivy Related to the Trivy integration p2 Non-critical bugs, and features that help organizations to identify and reduce risk size/S Small effort
Milestone
4.11.2

Comments

@nscuro
Copy link
Member

nscuro commented May 20, 2024

Current Behavior

Trivy v0.51.2 was released today, and since our integration tests run against Trivy's latest tag, they picked up the new release.

The test asserting for vulnerabilities in woodstox-core are failing. Trivy no longer reports vulnerabilities for it.

dependency-track/src/test/java/org/dependencytrack/tasks/scanners/TrivyAnalysisTaskIntegrationTest.java

Lines 92 to 127 in e87c5cc

@Test
public void test() {
final var project = new Project();
project.setName("acme-app");
qm.persist(project);
final var componentA = new Component();
componentA.setProject(project);
componentA.setGroup("com.fasterxml.woodstox");
componentA.setName("woodstox-core");
componentA.setVersion("5.0.0");
componentA.setClassifier(Classifier.LIBRARY);
componentA.setPurl("pkg:maven/com.fasterxml.woodstox/[email protected]");
qm.persist(componentA);
final var analysisEvent = new TrivyAnalysisEvent(List.of(componentA));
new TrivyAnalysisTask().inform(analysisEvent);
assertThat(qm.getAllVulnerabilities(componentA)).anySatisfy(vuln -> {
assertThat(vuln.getVulnId()).isEqualTo("CVE-2022-40152");
assertThat(vuln.getSource()).isEqualTo(Vulnerability.Source.NVD.name());
// NB: Can't assert specific values here, as we're testing against
// a moving target. These values may change over time. We do proper
// assertions in TrivyAnalyzerTaskTest.
assertThat(vuln.getTitle()).isNotBlank();
assertThat(vuln.getDescription()).isNotBlank();
assertThat(vuln.getCreated()).isNotNull();
assertThat(vuln.getPublished()).isNotNull();
assertThat(vuln.getUpdated()).isNotNull();
assertThat(vuln.getCvssV3BaseScore()).isNotZero();
assertThat(vuln.getCvssV3Vector()).isNotBlank();
assertThat(vuln.getSeverity()).isNotNull();
assertThat(vuln.getReferences()).isNotBlank();
});
}

The test succeeds when pinning Trivy to v0.51.1. Looks like a regression in Trivy.

Steps to Reproduce

  1. Execute TrivyAnalysisTaskIntegrationTest#test

Expected Behavior

The test should not fail.

Dependency-Track Version

4.12.0-SNAPSHOT

Dependency-Track Distribution

Container Image, Executable WAR

Database Server

N/A

Database Server Version

No response

Browser

N/A

Checklist
@nscuro nscuro added defect Something isn't working integration/trivy Related to the Trivy integration labels May 20, 2024
@nscuro
Copy link
Member Author

nscuro commented May 20, 2024

Not a regression, but an API change: aquasecurity/trivy#6633

Application.libraries was renamed to Application.packages: https://github.com/aquasecurity/trivy/pull/6633/files#diff-6e749acacaaabfff86d6fd4081426955f2ec744bff55dd5e9def2a2a020d62d1

Following this rename in our code here:

dependency-track/src/main/java/org/dependencytrack/parser/trivy/model/Application.java

Lines 23 to 25 in e87c5cc

public class Application {
private String type;
private ArrayList<Library> libraries;

Makes the test pass again.

Question is how do we deal with this. Updating to 0.51.2 behavior will break things for users with older Trivy versions.

@nscuro nscuro added p2 Non-critical bugs, and features that help organizations to identify and reduce risk size/S Small effort labels May 20, 2024
nscuro added a commit to nscuro/dependency-track that referenced this issue May 20, 2024
@nscuro
Handle breaking change in Trivy server API
f3a37b9 
`Application#libraries` has been renamed to `Application#packages` in Trivy 0.51.2. The `Library` type no longer exists.

It's not possible to tell the Trivy version based on its API. To work around this, we now send both the `packages` and `libraries` fields with redundant information.

Fields that the API does not expect are silently ignored.

Fixes DependencyTrack#3737

Signed-off-by: nscuro <[email protected]>
@nscuro nscuro mentioned this issue May 20, 2024
Merged
2 tasks
nscuro added a commit to nscuro/dependency-track that referenced this issue May 20, 2024
@nscuro
Handle breaking change in Trivy server API
08dfb0a 
`Application#libraries` has been renamed to `Application#packages` in Trivy 0.51.2. The `Library` type no longer exists.

It's not possible to tell the Trivy version based on its API. To work around this, we now send both the `packages` and `libraries` fields with redundant information.

Fields that the API does not expect are silently ignored.

Fixes DependencyTrack#3737

Signed-off-by: nscuro <[email protected]>
@nscuro nscuro added this to the 4.12 milestone May 20, 2024
@nscuro nscuro mentioned this issue May 20, 2024
Merged
5 tasks
@nscuro nscuro modified the milestones: 4.12, 4.11.2 Jun 1, 2024
nscuro added a commit to nscuro/dependency-track that referenced this issue Jun 1, 2024
@nscuro
Handle breaking change in Trivy server API
4902a34 
`Application#libraries` has been renamed to `Application#packages` in Trivy 0.51.2. The `Library` type no longer exists.

It's not possible to tell the Trivy version based on its API. To work around this, we now send both the `packages` and `libraries` fields with redundant information.

Fields that the API does not expect are silently ignored.

Fixes DependencyTrack#3737

Signed-off-by: nscuro <[email protected]>
@nscuro nscuro mentioned this issue Jun 1, 2024
Merged
2 tasks
MM-msr pushed a commit to MM-msr/dependency-track that referenced this issue Jun 18, 2024
@nscuro @MM-msr
Handle breaking change in Trivy server API
8b6a89c 
`Application#libraries` has been renamed to `Application#packages` in Trivy 0.51.2. The `Library` type no longer exists.

It's not possible to tell the Trivy version based on its API. To work around this, we now send both the `packages` and `libraries` fields with redundant information.

Fields that the API does not expect are silently ignored.

Fixes DependencyTrack#3737

Signed-off-by: nscuro <[email protected]>
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jul 1, 2024

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 1, 2024
netomi pushed a commit to netomi/dependency-track that referenced this issue Aug 8, 2024
@nscuro @netomi
Handle breaking change in Trivy server API
ccaaab3 
`Application#libraries` has been renamed to `Application#packages` in Trivy 0.51.2. The `Library` type no longer exists.

It's not possible to tell the Trivy version based on its API. To work around this, we now send both the `packages` and `libraries` fields with redundant information.

Fields that the API does not expect are silently ignored.

Fixes DependencyTrack#3737

Signed-off-by: nscuro <[email protected]>
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
defect Something isn't working integration/trivy Related to the Trivy integration p2 Non-critical bugs, and features that help organizations to identify and reduce risk size/S Small effort
Projects
None yet
Milestone
4.11.2
Development

Successfully merging a pull request may close this issue.

Handle breaking change in Trivy server API nscuro/dependency-track
1 participant
@nscuro