
Vulnerabilities detected when scanning an SBOM are not detected when targeting an SBOM attestation #3817

Closed
sohtsuka opened this issue Mar 11, 2023 · 4 comments · Fixed by #3849
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@sohtsuka

Description

Vulnerabilities detected when scanning an SBOM are not detected when targeting an SBOM attestation.

What did you expect to happen?

Scanning the SBOM generated against an image finds some vulnerabilities.

$ trivy image --format cyclonedx --output sbom.cdx.json sohtsuka/distroless-java17-debian11@sha256:3ff5d060e4a742dfa94169fc99e60f94e5e8bf450803bf2c3cbec79b7966d3c9
2023-03-11T15:59:16.992+0900    INFO    "--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.

$ trivy sbom sbom.cdx.json
2023-03-11T16:00:32.239+0900    INFO    Vulnerability scanning is enabled
2023-03-11T16:00:32.242+0900    INFO    Detected SBOM format: cyclonedx-json
2023-03-11T16:00:32.251+0900    INFO    Detected OS: debian
2023-03-11T16:00:32.251+0900    INFO    Detecting Debian vulnerabilities...
2023-03-11T16:00:32.266+0900    INFO    Number of language-specific files: 0

sbom.cdx.json (debian 11.4)

Total: 50 (UNKNOWN: 0, LOW: 26, MEDIUM: 12, HIGH: 11, CRITICAL: 1)

┌─────────────────────────┬──────────────────┬──────────┬─────────────────────────┬─────────────────────────┬──────────────────────────────────────────────────────────────┐
│         Library         │  Vulnerability   │ Severity │    Installed Version    │      Fixed Version      │                            Title                             │
├─────────────────────────┼──────────────────┼──────────┼─────────────────────────┼─────────────────────────┼──────────────────────────────────────────────────────────────┤
│ libc6                   │ CVE-2021-3999    │ HIGH     │ 2.31-13+deb11u3         │ 2.31-13+deb11u4         │ glibc: Off-by-one buffer overflow/underflow in getcwd()      │
│                         │                  │          │                         │                         │ https://avd.aquasec.com/nvd/cve-2021-3999                    │
...

I was expecting that targeting the SBOM attestation would also find the same vulnerabilities.

What happened instead?

Targeting the SBOM attestation, following the documentation at https://aquasecurity.github.io/trivy/v0.38/docs/attestation/sbom/#scanning, does not detect the vulnerabilities.

$ cosign attest --key cosign.key --type cyclonedx --predicate sbom.cdx.json --tlog-upload=false sohtsuka/distroless-java17-debian11@sha256:3ff5d060e4a742dfa94169fc99e60f94e5e8bf450803bf2c3cbec79b7966d3c9
Enter password for private key:
Using payload from: sbom.cdx.json

$ cosign verify-attestation --key cosign.pub --type cyclonedx --insecure-ignore-tlog sohtsuka/distroless-java17-debian11@sha256:3ff5d060e4a742dfa94169fc99e60f94e5e8bf450803bf2c3cbec79b7966d3c9 > sbom.cdx.intoto.jsonl

Verification for sohtsuka/distroless-java17-debian11@sha256:3ff5d060e4a742dfa94169fc99e60f94e5e8bf450803bf2c3cbec79b7966d3c9 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key

$ trivy sbom ./sbom.cdx.intoto.jsonl
2023-03-11T16:42:50.030+0900    INFO    Vulnerability scanning is enabled
2023-03-11T16:42:50.038+0900    INFO    Detected SBOM format: attest-cyclonedx-json
2023-03-11T16:42:50.043+0900    INFO    Number of language-specific files: 0

Output of run with --debug:

$ trivy sbom --debug ./sbom.cdx.intoto.jsonl
2023-03-11T16:49:50.633+0900    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-03-11T16:49:50.635+0900    DEBUG   cache dir:  /home/satoshi/.cache/trivy
2023-03-11T16:49:50.635+0900    DEBUG   DB update was skipped because the local DB is the latest
2023-03-11T16:49:50.635+0900    DEBUG   DB Schema: 2, UpdatedAt: 2023-03-11 06:06:51.932755483 +0000 UTC, NextUpdate: 2023-03-11 12:06:51.932754983 +0000 UTC, DownloadedAt: 2023-03-11 06:44:29.607314186 +0000 UTC
2023-03-11T16:49:50.635+0900    INFO    Vulnerability scanning is enabled
2023-03-11T16:49:50.635+0900    DEBUG   Vulnerability type:  [os library]
2023-03-11T16:49:50.642+0900    INFO    Detected SBOM format: attest-cyclonedx-json
2023-03-11T16:49:50.645+0900    DEBUG   OS is not detected.
2023-03-11T16:49:50.645+0900    DEBUG   Detected OS: unknown
2023-03-11T16:49:50.645+0900    INFO    Number of language-specific files: 0
$ trivy sbom --debug ./sbom.cdx.json
2023-03-11T16:49:56.940+0900    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-03-11T16:49:56.948+0900    DEBUG   cache dir:  /home/satoshi/.cache/trivy
2023-03-11T16:49:56.948+0900    DEBUG   DB update was skipped because the local DB is the latest
2023-03-11T16:49:56.948+0900    DEBUG   DB Schema: 2, UpdatedAt: 2023-03-11 06:06:51.932755483 +0000 UTC, NextUpdate: 2023-03-11 12:06:51.932754983 +0000 UTC, DownloadedAt: 2023-03-11 06:44:29.607314186 +0000 UTC
2023-03-11T16:49:56.948+0900    INFO    Vulnerability scanning is enabled
2023-03-11T16:49:56.948+0900    DEBUG   Vulnerability type:  [os library]
2023-03-11T16:49:56.950+0900    INFO    Detected SBOM format: cyclonedx-json
2023-03-11T16:49:56.952+0900    DEBUG   Unmarshaling CycloneDX JSON...
2023-03-11T16:49:56.955+0900    INFO    Detected OS: debian
2023-03-11T16:49:56.955+0900    INFO    Detecting Debian vulnerabilities...
2023-03-11T16:49:56.955+0900    DEBUG   debian: os version: 11
2023-03-11T16:49:56.955+0900    DEBUG   debian: the number of packages: 26
2023-03-11T16:49:56.965+0900    INFO    Number of language-specific files: 0

sbom.cdx.json (debian 11.4)

Total: 50 (UNKNOWN: 0, LOW: 26, MEDIUM: 12, HIGH: 11, CRITICAL: 1)

┌─────────────────────────┬──────────────────┬──────────┬─────────────────────────┬─────────────────────────┬──────────────────────────────────────────────────────────────┐
│         Library         │  Vulnerability   │ Severity │    Installed Version    │      Fixed Version      │                            Title                             │
├─────────────────────────┼──────────────────┼──────────┼─────────────────────────┼─────────────────────────┼──────────────────────────────────────────────────────────────┤
│ libc6                   │ CVE-2021-3999    │ HIGH     │ 2.31-13+deb11u3         │ 2.31-13+deb11u4         │ glibc: Off-by-one buffer overflow/underflow in getcwd()      │
│                         │                  │          │                         │                         │ https://avd.aquasec.com/nvd/cve-2021-3999                    │
...

Output of trivy -v:

Version: 0.38.2
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-03-11 06:06:51.932755483 +0000 UTC
  NextUpdate: 2023-03-11 12:06:51.932754983 +0000 UTC
  DownloadedAt: 2023-03-11 06:44:29.607314186 +0000 UTC

Additional details (base image name, container registry info...):

The attestation extracted by cosign is of this format:

$ cat sbom.cdx.intoto.jsonl | jq
{
  "payloadType": "application/vnd.in-toto+json",
  "payload": "<base64 encoded payload>",
  "signatures": [
    {
      "keyid": "",
      "sig": "MEUCIH...0ezWw="
    }
  ]
}

Extracting the raw SBOM from payload gives the same result as the original SBOM.

$ cat sbom.cdx.intoto.jsonl | jq -r '.payload' | base64 -d | jq -r '.predicate' > sbom.cdx.intoto.predicate.json
$ trivy sbom sbom.cdx.intoto.predicate.json
2023-03-11T16:53:16.851+0900    INFO    Vulnerability scanning is enabled
2023-03-11T16:53:16.853+0900    INFO    Detected SBOM format: cyclonedx-json
2023-03-11T16:53:16.858+0900    INFO    Detected OS: debian
2023-03-11T16:53:16.858+0900    INFO    Detecting Debian vulnerabilities...
2023-03-11T16:53:16.862+0900    INFO    Number of language-specific files: 0

sbom.cdx.intoto.predicate.json (debian 11.4)

Total: 50 (UNKNOWN: 0, LOW: 26, MEDIUM: 12, HIGH: 11, CRITICAL: 1)

┌─────────────────────────┬──────────────────┬──────────┬─────────────────────────┬─────────────────────────┬──────────────────────────────────────────────────────────────┐
│         Library         │  Vulnerability   │ Severity │    Installed Version    │      Fixed Version      │                            Title                             │
├─────────────────────────┼──────────────────┼──────────┼─────────────────────────┼─────────────────────────┼──────────────────────────────────────────────────────────────┤
│ libc6                   │ CVE-2021-3999    │ HIGH     │ 2.31-13+deb11u3         │ 2.31-13+deb11u4         │ glibc: Off-by-one buffer overflow/underflow in getcwd()      │
│                         │                  │          │                         │                         │ https://avd.aquasec.com/nvd/cve-2021-3999                    │
...
@sohtsuka sohtsuka added the kind/bug Categorizes issue or PR as related to a bug. label Mar 11, 2023
@knqyf263
Collaborator

@otms61 Would you take a look?

@otms61
Collaborator

otms61 commented Mar 15, 2023

@knqyf263 All right. I'll check it out.

@otms61
Collaborator

otms61 commented Mar 15, 2023

@sohtsuka Thank you for your report!
There is a breaking change in the CycloneDX attestation format between version 1 and version 2 of Cosign. You seem to be using version 2 of Cosign. Trivy is only compatible with the version 1 format, which is causing this issue to occur.
We still need time to consider how to deal with it, but we will let you know when a decision is made.
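The jq/base64 extraction the reporter used and the Cosign v1/v2 predicate layout difference described in this comment, as an added Go example that is not part of the issue, of Trivy or of Cosign: it unpacks an already verified attestation envelope and returns the CycloneDX document whichever layout carries it. The v1 "Data" wrapper and the type and function names are assumptions, and the envelope signatures are deliberately not re-checked (that is cosign's job before the file is written).

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Envelope is the DSSE envelope written by `cosign verify-attestation` (the
// sbom.cdx.intoto.jsonl file in the issue). The signatures are not checked
// here: cosign already verified them, this only unpacks the verified payload.
type Envelope struct {
	PayloadType string `json:"payloadType"`
	Payload     string `json:"payload"`
}

// ExtractCycloneDX returns the CycloneDX BOM carried by an attestation. It
// accepts the cosign v2 layout shown in the issue (the predicate is the BOM
// itself) and the older v1 layout, assumed here to wrap the BOM as an object
// under a "Data" field of the predicate.
func ExtractCycloneDX(envelopeJSON []byte) (map[string]any, error) {
	var env Envelope
	if err := json.Unmarshal(envelopeJSON, &env); err != nil {
		return nil, fmt.Errorf("envelope: %w", err)
	}
	if env.PayloadType != "application/vnd.in-toto+json" {
		return nil, fmt.Errorf("unexpected payloadType %q", env.PayloadType)
	}
	raw, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, fmt.Errorf("payload: %w", err)
	}
	var st struct { // the in-toto statement inside the payload
		PredicateType string         `json:"predicateType"`
		Predicate     map[string]any `json:"predicate"`
	}
	if err := json.Unmarshal(raw, &st); err != nil {
		return nil, fmt.Errorf("statement: %w", err)
	}
	bom := st.Predicate
	if data, ok := bom["Data"].(map[string]any); ok { // cosign v1 wrapper (assumed layout)
		bom = data
	}
	if bom["bomFormat"] != "CycloneDX" {
		return nil, fmt.Errorf("predicate %q is not a CycloneDX document", st.PredicateType)
	}
	return bom, nil
}
```

Feeding the returned document to the scanner (or writing it back out as a plain .cdx.json) gives the same input the reporter obtained with jq and base64 -d, independent of which Cosign version produced the attestation.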

@sohtsuka
Author

sohtsuka commented Apr 7, 2023

@otms61 Thank you for fixing this!
