Scanning an SBOM doesn't include container layer information, even if the SBOM specifies a type of container

[aegarbutt-stripe]

Description

When performing a vulnerability scan of a container image, there is additional metadata in the scan results that identifies which layer contributed the vulnerability.

This is a shame since the SBOM itself has this layer information inside of it:

    ...
    {
      "bom-ref": "pkg:deb/ubuntu/[email protected]?arch=amd64&distro=ubuntu-20.04",
      "type": "library",
      "supplier": {
        "name": "Ubuntu Developers <[email protected]>"
      },
      "name": "binutils",
      "version": "2.34-6ubuntu1.7",
      "licenses": [
        {
          "license": {
            "name": "GPL-3.0"
          }
        },
        {
          "license": {
            "name": "LGPL-3.0"
          }
        },
        {
          "license": {
            "name": "GFDL"
          }
        }
      ],
      "purl": "pkg:deb/ubuntu/[email protected]?arch=amd64&distro=ubuntu-20.04",
      "properties": [
        {
          "name": "aquasecurity:trivy:LayerDiffID",
          "value": "sha256:9c068cd5c1358320f93a972f7a6deb4398fdeebec988b29a9e6b796a97b24e89"
        },
        {
          "name": "aquasecurity:trivy:LayerDigest",
          "value": "sha256:ea9825d69eb0a0cc696ebfef271b86f385928aa4e5cda46230b5bc37ce272fe6"
        },
        {
          "name": "aquasecurity:trivy:PkgID",
          "value": "[email protected]"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "ubuntu"
        },
        {
          "name": "aquasecurity:trivy:SrcName",
          "value": "binutils"
        },
        {
          "name": "aquasecurity:trivy:SrcRelease",
          "value": "6ubuntu1.7"
        },
        {
          "name": "aquasecurity:trivy:SrcVersion",
          "value": "2.34"
        }
      ]
    },
    ...

Desired Behavior

When scanning an SBOM created from a container image, continue to report the layer information.

The layer information is intentionally being discarded: https://github.com/aquasecurity/trivy/blob/main/pkg/scanner/scan.go#L171-L174

If I comment out those lines (not necessarily appropriate for general use), the layer information is not discarded.

Actual Behavior

Results from a vulnerability scan of an image:

     ...
      "Vulnerabilities": [
        {
          "VulnerabilityID": "CVE-2022-44840",
          "PkgID": "[email protected]",
          "PkgName": "binutils",
          "PkgIdentifier": {
            "PURL": "pkg:deb/ubuntu/[email protected]?arch=amd64\u0026distro=ubuntu-20.04"
          },
          "InstalledVersion": "2.34-6ubuntu1.7",
          "FixedVersion": "2.34-6ubuntu1.8",
          "Status": "fixed",
          "Layer": {
            "Digest": "sha256:ea9825d69eb0a0cc696ebfef271b86f385928aa4e5cda46230b5bc37ce272fe6",
            "DiffID": "sha256:9c068cd5c1358320f93a972f7a6deb4398fdeebec988b29a9e6b796a97b24e89"
          },
          "SeveritySource": "ubuntu",
          ...
        },
        ...
      ]
      ...

Results from a vulnerability scan of an SBOM generated from a container image, the layer information is lost.

      ...
      "Vulnerabilities": [
        {
          "VulnerabilityID": "CVE-2022-44840",
          "PkgID": "[email protected]",
          "PkgName": "binutils",
          "PkgIdentifier": {
            "PURL": "pkg:deb/ubuntu/[email protected]?arch=amd64\u0026distro=ubuntu-20.04",
            "BOMRef": "pkg:deb/ubuntu/[email protected]?arch=amd64\u0026distro=ubuntu-20.04"
          },
          "InstalledVersion": "2.34-6ubuntu1.7",
          "FixedVersion": "2.34-6ubuntu1.8",
          "Status": "fixed",
          "Layer": {},
          "SeveritySource": "ubuntu",
          ...
        },
        ...
      ]
      ...

Reproduction Steps

Generate an SBOM and then scan it. Observe no layer information is present in the scan results, but layer information is found in the SBOM itself.

Target

SBOM

Scanner

Vulnerability

Output Format

JSON

Mode

Standalone

Debug Output

$

Operating System

Linux

Version

$ trivy--version
Version: 0.50.1

Checklist

• Run trivy image --reset
• Read the troubleshooting