I originally posted this on the trivy repo, but figured it should actually be posted here. Original post: aquasecurity/trivy#5208
### Description
Trivy doesn't generate a correct .NET dependency tree in CycloneDX. Please see this gist for the reference .deps.json file I'm using: https://gist.github.com/noqcks/49089249820126cbaabe59b70ba12ae4

See the desired and actual behaviour section

### Desired Behavior
Dependencies are listed for this package

```json
{
  "ref": "pkg:nuget/Microsoft.Extensions.Options@2.2.0",
  "dependsOn": [
    "pkg:nuget/Microsoft.Extensions.DependencyInjection.Abstractions@2.2.0",
    "pkg:nuget/Microsoft.Extensions.Primitives@2.2.0",
    "pkg:nuget/System.ComponentModel.Annotations@4.5.0"
  ]
}
```

### Actual Behavior
The dependencies are empty.

```json
{
  "ref": "pkg:nuget/Microsoft.Extensions.Options@2.2.0",
  "dependsOn": []
},
```

### Reproduction Steps
1. Copy the .deps.json file from here https://gist.github.com/noqcks/49089249820126cbaabe59b70ba12ae4
2. Run trivy fs MyWebApp.deps.json --format cyclonedx
### Target
Filesystem
### Scanner
None
### Output Format
CycloneDX
### Mode
Standalone
### Debug Output
```bash
trivy fs MyWebApp.deps.json --format cyclonedx --debug
2023-09-18T09:13:42.744-0700 DEBUG ["cyclonedx" "spdx" "spdx-json" "github"] automatically enables '--list-all-pkgs'.
2023-09-18T09:13:42.745-0700 DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-09-18T09:13:42.745-0700 DEBUG Ignore statuses {"statuses": null}
2023-09-18T09:13:42.746-0700 INFO "--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.
2023-09-18T09:13:42.759-0700 DEBUG cache dir: /Users/noqcks/Library/Caches/trivy
2023-09-18T09:13:42.762-0700 DEBUG Walk the file tree rooted at 'MyWebApp.deps.json' in parallel
2023-09-18T09:13:42.783-0700 DEBUG OS is not detected.
{ "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.5", "serialNumber": "urn:uuid:6e5fc8cb-f23a-4d7d-aae9-9d8b60335e40", "version": 1, "metadata": { "timestamp": "2023-09-18T16:13:42+00:00", "tools": [ { "vendor": "aquasecurity", "name": "trivy", "version": "0.45.0" } ], "component": { "bom-ref": "658f88d9-f9eb-4fdd-be0b-a1c4772fd1fe", "type": "application", "name": "MyWebApp.deps.json", "properties": [ { "name": "aquasecurity:trivy:SchemaVersion", "value": "2" } ] } }, "components": [ { "bom-ref": "073fa28b-e147-4c07-8bec-046dadbc456e", "type": "application", "name": "MyWebApp.deps.json", "properties": [ { "name": "aquasecurity:trivy:Class", "value": "lang-pkgs" }, { "name": "aquasecurity:trivy:Type", "value": "dotnet-core" } ] }, { "bom-ref": "pkg:nuget/Microsoft.AspNetCore.Authentication.Abstractions@2.2.0", "type": "library", "name": "Microsoft.AspNetCore.Authentication.Abstractions", "version": "2.2.0", "purl": "pkg:nuget/Microsoft.AspNetCore.Authentication.Abstractions@2.2.0", "properties": [ { "name": "aquasecurity:trivy:PkgType", "value": "dotnet-core" 
} ] }, { "bom-ref": "pkg:nuget/Microsoft.AspNetCore.Authentication.Core@2.2.0", "type": "library", "name": "Microsoft.AspNetCore.Authentication.Core", "version": "2.2.0", "purl": "pkg:nuget/Microsoft.AspNetCore.Authentication.Core@2.2.0", "properties": [ { "name": "aquasecurity:trivy:PkgType", "value": "dotnet-core" } ] }, { "bom-ref": "pkg:nuget/Microsoft.AspNetCore.Connections.Abstractions@2.2.0", "type": "library", "name": "Microsoft.AspNetCore.Connections.Abstractions", "version": "2.2.0", "purl": "pkg:nuget/Microsoft.AspNetCore.Connections.Abstractions@2.2.0", "properties": [ { "name": "aquasecurity:trivy:PkgType", "value": "dotnet-core" } ] }, { "bom-ref": "pkg:nuget/Microsoft.AspNetCore.Hosting.Abstractions@2.2.0", "type": "library", "name": "Microsoft.AspNetCore.Hosting.Abstractions", "version": "2.2.0", "purl": "pkg:nuget/Microsoft.AspNetCore.Hosting.Abstractions@2.2.0", "properties": [ { "name": "aquasecurity:trivy:PkgType", "value": "dotnet-core" } ] }, { "bom-ref": "pkg:nuget/Microsoft.AspNetCore.Hosting.Server.Abstractions@2.2.0", "type": "library", "name": "Microsoft.AspNetCore.Hosting.Server.Abstractions", "version": "2.2.0", "purl": "pkg:nuget/Microsoft.AspNetCore.Hosting.Server.Abstractions@2.2.0", "properties": [ { "name": "aquasecurity:trivy:PkgType", "value": "dotnet-core" } ] }, { "bom-ref": "pkg:nuget/Microsoft.AspNetCore.Http.Abstractions@2.2.0", "type": "library", "name": "Microsoft.AspNetCore.Http.Abstractions", "version": "2.2.0", "purl": "pkg:nuget/Microsoft.AspNetCore.Http.Abstractions@2.2.0", "properties": [ { "name": "aquasecurity:trivy:PkgType", "value": "dotnet-core" } ] }, { "bom-ref": "pkg:nuget/Microsoft.AspNetCore.Http.Extensions@2.2.0", "type": "library", "name": "Microsoft.AspNetCore.Http.Extensions", "version": "2.2.0", "purl": "pkg:nuget/Microsoft.AspNetCore.Http.Extensions@2.2.0", "properties": [ { "name": "aquasecurity:trivy:PkgType", "value": "dotnet-core" } ] }, { "bom-ref": 
"pkg:nuget/Microsoft.AspNetCore.Http.Features@2.2.0", "type": "library", "name": "Microsoft.AspNetCore.Http.Features", "version": "2.2.0", "purl": "pkg:nuget/Microsoft.AspNetCore.Http.Features@2.2.0", "properties": [ { "name": "aquasecurity:trivy:PkgType", "value": "dotnet-core" } ] }, { "bom-ref": "pkg:nuget/Microsoft.AspNetCore.Http@2.2.0", "type": "library", "name": "Microsoft.AspNetCore.Http", "version": "2.2.0", "purl": "pkg:nuget/Microsoft.AspNetCore.Http@2.2.0", "properties": [ { "name": "aquasecurity:trivy:PkgType", "value": "dotnet-core" } ] }, { "bom-ref": "pkg:nuget/Microsoft.AspNetCore.Server.IIS@2.2.6", "type": "library", "name": "Microsoft.AspNetCore.Server.IIS", "version": "2.2.6", "purl": "pkg:nuget/Microsoft.AspNetCore.Server.IIS@2.2.6", "properties": [ { "name": "aquasecurity:trivy:PkgType", "value": "dotnet-core" } ] }, { "bom-ref": "pkg:nuget/Microsoft.AspNetCore.WebUtilities@2.2.0", "type": "library", "name": "Microsoft.AspNetCore.WebUtilities", "version": "2.2.0", "purl": "pkg:nuget/Microsoft.AspNetCore.WebUtilities@2.2.0", "properties": [ { "name": "aquasecurity:trivy:PkgType", "value": "dotnet-core" } ] }, { "bom-ref": "pkg:nuget/Microsoft.Extensions.Configuration.Abstractions@2.2.0", "type": "library", "name": "Microsoft.Extensions.Configuration.Abstractions", "version": "2.2.0", "purl": "pkg:nuget/Microsoft.Extensions.Configuration.Abstractions@2.2.0", "properties": [ { "name": "aquasecurity:trivy:PkgType", "value": "dotnet-core" } ] }, { "bom-ref": "pkg:nuget/Microsoft.Extensions.DependencyInjection.Abstractions@2.2.0", "type": "library", "name": "Microsoft.Extensions.DependencyInjection.Abstractions", "version": "2.2.0", "purl": "pkg:nuget/Microsoft.Extensions.DependencyInjection.Abstractions@2.2.0", "properties": [ { "name": "aquasecurity:trivy:PkgType", "value": "dotnet-core" } ] }, { "bom-ref": "pkg:nuget/Microsoft.Extensions.FileProviders.Abstractions@2.2.0", "type": "library", "name": 
"Microsoft.Extensions.FileProviders.Abstractions", "version": "2.2.0", "purl": "pkg:nuget/Microsoft.Extensions.FileProviders.Abstractions@2.2.0", "properties": [ { "name": "aquasecurity:trivy:PkgType", "value": "dotnet-core" } ] }, { "bom-ref": "pkg:nuget/Microsoft.Extensions.Hosting.Abstractions@2.2.0", "type": "library", "name": "Microsoft.Extensions.Hosting.Abstractions", "version": "2.2.0", "purl": "pkg:nuget/Microsoft.Extensions.Hosting.Abstractions@2.2.0", "properties": [ { "name": "aquasecurity:trivy:PkgType", "value": "dotnet-core" } ] }, { "bom-ref": "pkg:nuget/Microsoft.Extensions.Logging.Abstractions@2.2.0", "type": "library", "name": "Microsoft.Extensions.Logging.Abstractions", "version": "2.2.0", "purl": "pkg:nuget/Microsoft.Extensions.Logging.Abstractions@2.2.0", "properties": [ { "name": "aquasecurity:trivy:PkgType", "value": "dotnet-core" } ] }, { "bom-ref": "pkg:nuget/Microsoft.Extensions.ObjectPool@2.2.0", "type": "library", "name": "Microsoft.Extensions.ObjectPool", "version": "2.2.0", "purl": "pkg:nuget/Microsoft.Extensions.ObjectPool@2.2.0", "properties": [ { "name": "aquasecurity:trivy:PkgType", "value": "dotnet-core" } ] }, { "bom-ref": "pkg:nuget/Microsoft.Extensions.Options@2.2.0", "type": "library", "name": "Microsoft.Extensions.Options", "version": "2.2.0", "purl": "pkg:nuget/Microsoft.Extensions.Options@2.2.0", "properties": [ { "name": "aquasecurity:trivy:PkgType", "value": "dotnet-core" } ] }, { "bom-ref": "pkg:nuget/Microsoft.Extensions.Primitives@2.2.0", "type": "library", "name": "Microsoft.Extensions.Primitives", "version": "2.2.0", "purl": "pkg:nuget/Microsoft.Extensions.Primitives@2.2.0", "properties": [ { "name": "aquasecurity:trivy:PkgType", "value": "dotnet-core" } ] }, { "bom-ref": "pkg:nuget/Microsoft.NETCore.Platforms@2.0.0", "type": "library", "name": "Microsoft.NETCore.Platforms", "version": "2.0.0", "purl": "pkg:nuget/Microsoft.NETCore.Platforms@2.0.0", "properties": [ { "name": "aquasecurity:trivy:PkgType", "value": 
"dotnet-core" } ] }, { "bom-ref": "pkg:nuget/Microsoft.Net.Http.Headers@2.2.0", "type": "library", "name": "Microsoft.Net.Http.Headers", "version": "2.2.0", "purl": "pkg:nuget/Microsoft.Net.Http.Headers@2.2.0", "properties": [ { "name": "aquasecurity:trivy:PkgType", "value": "dotnet-core" } ] }, { "bom-ref": "pkg:nuget/System.Buffers@4.5.0", "type": "library", "name": "System.Buffers", "version": "4.5.0", "purl": "pkg:nuget/System.Buffers@4.5.0", "properties": [ { "name": "aquasecurity:trivy:PkgType", "value": "dotnet-core" } ] }, { "bom-ref": "pkg:nuget/System.ComponentModel.Annotations@4.5.0", "type": "library", "name": "System.ComponentModel.Annotations", "version": "4.5.0", "purl": "pkg:nuget/System.ComponentModel.Annotations@4.5.0", "properties": [ { "name": "aquasecurity:trivy:PkgType", "value": "dotnet-core" } ] }, { "bom-ref": "pkg:nuget/System.IO.Pipelines@4.5.3", "type": "library", "name": "System.IO.Pipelines", "version": "4.5.3", "purl": "pkg:nuget/System.IO.Pipelines@4.5.3", "properties": [ { "name": "aquasecurity:trivy:PkgType", "value": "dotnet-core" } ] }, { "bom-ref": "pkg:nuget/System.Memory@4.5.1", "type": "library", "name": "System.Memory", "version": "4.5.1", "purl": "pkg:nuget/System.Memory@4.5.1", "properties": [ { "name": "aquasecurity:trivy:PkgType", "value": "dotnet-core" } ] }, { "bom-ref": "pkg:nuget/System.Runtime.CompilerServices.Unsafe@4.5.1", "type": "library", "name": "System.Runtime.CompilerServices.Unsafe", "version": "4.5.1", "purl": "pkg:nuget/System.Runtime.CompilerServices.Unsafe@4.5.1", "properties": [ { "name": "aquasecurity:trivy:PkgType", "value": "dotnet-core" } ] }, { "bom-ref": "pkg:nuget/System.Security.Principal.Windows@4.5.0", "type": "library", "name": "System.Security.Principal.Windows", "version": "4.5.0", "purl": "pkg:nuget/System.Security.Principal.Windows@4.5.0", "properties": [ { "name": "aquasecurity:trivy:PkgType", "value": "dotnet-core" } ] }, { "bom-ref": "pkg:nuget/System.Text.Encodings.Web@4.5.0", 
"type": "library", "name": "System.Text.Encodings.Web", "version": "4.5.0", "purl": "pkg:nuget/System.Text.Encodings.Web@4.5.0", "properties": [ { "name": "aquasecurity:trivy:PkgType", "value": "dotnet-core" } ] } ], "dependencies": [ { "ref": "073fa28b-e147-4c07-8bec-046dadbc456e", "dependsOn": [ "pkg:nuget/Microsoft.AspNetCore.Authentication.Abstractions@2.2.0", "pkg:nuget/Microsoft.AspNetCore.Authentication.Core@2.2.0", "pkg:nuget/Microsoft.AspNetCore.Connections.Abstractions@2.2.0", "pkg:nuget/Microsoft.AspNetCore.Hosting.Abstractions@2.2.0", "pkg:nuget/Microsoft.AspNetCore.Hosting.Server.Abstractions@2.2.0", "pkg:nuget/Microsoft.AspNetCore.Http.Abstractions@2.2.0", "pkg:nuget/Microsoft.AspNetCore.Http.Extensions@2.2.0", "pkg:nuget/Microsoft.AspNetCore.Http.Features@2.2.0", "pkg:nuget/Microsoft.AspNetCore.Http@2.2.0", "pkg:nuget/Microsoft.AspNetCore.Server.IIS@2.2.6", "pkg:nuget/Microsoft.AspNetCore.WebUtilities@2.2.0", "pkg:nuget/Microsoft.Extensions.Configuration.Abstractions@2.2.0", "pkg:nuget/Microsoft.Extensions.DependencyInjection.Abstractions@2.2.0", "pkg:nuget/Microsoft.Extensions.FileProviders.Abstractions@2.2.0", "pkg:nuget/Microsoft.Extensions.Hosting.Abstractions@2.2.0", "pkg:nuget/Microsoft.Extensions.Logging.Abstractions@2.2.0", "pkg:nuget/Microsoft.Extensions.ObjectPool@2.2.0", "pkg:nuget/Microsoft.Extensions.Options@2.2.0", "pkg:nuget/Microsoft.Extensions.Primitives@2.2.0", "pkg:nuget/Microsoft.NETCore.Platforms@2.0.0", "pkg:nuget/Microsoft.Net.Http.Headers@2.2.0", "pkg:nuget/System.Buffers@4.5.0", "pkg:nuget/System.ComponentModel.Annotations@4.5.0", "pkg:nuget/System.IO.Pipelines@4.5.3", "pkg:nuget/System.Memory@4.5.1", "pkg:nuget/System.Runtime.CompilerServices.Unsafe@4.5.1", "pkg:nuget/System.Security.Principal.Windows@4.5.0", "pkg:nuget/System.Text.Encodings.Web@4.5.0" ] }, { "ref": "658f88d9-f9eb-4fdd-be0b-a1c4772fd1fe", "dependsOn": [ "073fa28b-e147-4c07-8bec-046dadbc456e" ] }, { "ref": 
"pkg:nuget/Microsoft.AspNetCore.Authentication.Abstractions@2.2.0", "dependsOn": [] }, { "ref": "pkg:nuget/Microsoft.AspNetCore.Authentication.Core@2.2.0", "dependsOn": [] }, { "ref": "pkg:nuget/Microsoft.AspNetCore.Connections.Abstractions@2.2.0", "dependsOn": [] }, { "ref": "pkg:nuget/Microsoft.AspNetCore.Hosting.Abstractions@2.2.0", "dependsOn": [] }, { "ref": "pkg:nuget/Microsoft.AspNetCore.Hosting.Server.Abstractions@2.2.0", "dependsOn": [] }, { "ref": "pkg:nuget/Microsoft.AspNetCore.Http.Abstractions@2.2.0", "dependsOn": [] }, { "ref": "pkg:nuget/Microsoft.AspNetCore.Http.Extensions@2.2.0", "dependsOn": [] }, { "ref": "pkg:nuget/Microsoft.AspNetCore.Http.Features@2.2.0", "dependsOn": [] }, { "ref": "pkg:nuget/Microsoft.AspNetCore.Http@2.2.0", "dependsOn": [] }, { "ref": "pkg:nuget/Microsoft.AspNetCore.Server.IIS@2.2.6", "dependsOn": [] }, { "ref": "pkg:nuget/Microsoft.AspNetCore.WebUtilities@2.2.0", "dependsOn": [] }, { "ref": "pkg:nuget/Microsoft.Extensions.Configuration.Abstractions@2.2.0", "dependsOn": [] }, { "ref": "pkg:nuget/Microsoft.Extensions.DependencyInjection.Abstractions@2.2.0", "dependsOn": [] }, { "ref": "pkg:nuget/Microsoft.Extensions.FileProviders.Abstractions@2.2.0", "dependsOn": [] }, { "ref": "pkg:nuget/Microsoft.Extensions.Hosting.Abstractions@2.2.0", "dependsOn": [] }, { "ref": "pkg:nuget/Microsoft.Extensions.Logging.Abstractions@2.2.0", "dependsOn": [] }, { "ref": "pkg:nuget/Microsoft.Extensions.ObjectPool@2.2.0", "dependsOn": [] }, { "ref": "pkg:nuget/Microsoft.Extensions.Options@2.2.0", "dependsOn": [] }, { "ref": "pkg:nuget/Microsoft.Extensions.Primitives@2.2.0", "dependsOn": [] }, { "ref": "pkg:nuget/Microsoft.NETCore.Platforms@2.0.0", "dependsOn": [] }, { "ref": "pkg:nuget/Microsoft.Net.Http.Headers@2.2.0", "dependsOn": [] }, { "ref": "pkg:nuget/System.Buffers@4.5.0", "dependsOn": [] }, { "ref": "pkg:nuget/System.ComponentModel.Annotations@4.5.0", "dependsOn": [] }, { "ref": "pkg:nuget/System.IO.Pipelines@4.5.3", "dependsOn": [] }, 
{ "ref": "pkg:nuget/System.Memory@4.5.1", "dependsOn": [] }, { "ref": "pkg:nuget/System.Runtime.CompilerServices.Unsafe@4.5.1", "dependsOn": [] }, { "ref": "pkg:nuget/System.Security.Principal.Windows@4.5.0", "dependsOn": [] }, { "ref": "pkg:nuget/System.Text.Encodings.Web@4.5.0", "dependsOn": [] } ], "vulnerabilities": [] }
```
### Operating System
macOS
### Version
```
Version: 0.45.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-09-18 12:17:08.645500979 +0000 UTC
  NextUpdate: 2023-09-18 18:17:08.645500079 +0000 UTC
  DownloadedAt: 2023-09-18 15:19:46.14853 +0000 UTC
```
### Checklist
- [X] Run `trivy image --reset`
- [X] Read [the troubleshooting](https://aquasecurity.github.io/trivy/latest/docs/references/troubleshooting/)
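
The report above comes down to `dependsOn` edges that are present in the `.deps.json` input but missing from the CycloneDX output. The following sketch is an added example, not part of the original issue and not Trivy's code; it shows how those edges can be read from the `targets` section of a `.deps.json` file. The names `depsFile`, `dependsOn` and `sampleDeps` are hypothetical, the sample document is constructed rather than taken from the gist, and it assumes each version listed under `dependencies` is the resolved one.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample shaped like a .deps.json file (not the gist's content).
const sampleDeps = `{"runtimeTarget": {"name": ".NETCoreApp,Version=v2.2"}, "targets": {".NETCoreApp,Version=v2.2": {
  "Microsoft.Extensions.Options/2.2.0": {"dependencies": {
    "Microsoft.Extensions.DependencyInjection.Abstractions": "2.2.0",
    "Microsoft.Extensions.Primitives": "2.2.0",
    "System.ComponentModel.Annotations": "4.5.0"}},
  "Microsoft.Extensions.Primitives/2.2.0": {}}}}`

// depsFile holds only the fields needed to rebuild the dependency graph.
type depsFile struct {
	RuntimeTarget struct{ Name string `json:"name"` } `json:"runtimeTarget"`
	Targets map[string]map[string]struct {
		Dependencies map[string]string `json:"dependencies"`
	} `json:"targets"`
}

// dependsOn (hypothetical helper) maps each package purl in the runtime
// target to the sorted purls of its direct dependencies.
func dependsOn(raw []byte) (map[string][]string, error) {
	var f depsFile
	if err := json.Unmarshal(raw, &f); err != nil {
		return nil, err
	}
	graph := map[string][]string{}
	for key, lib := range f.Targets[f.RuntimeTarget.Name] {
		name, version, ok := strings.Cut(key, "/")
		if !ok {
			continue // skip keys that are not "name/version"
		}
		edges := []string{} // leaf packages keep an explicit empty list
		for depName, depVersion := range lib.Dependencies {
			edges = append(edges, "pkg:nuget/"+depName+"@"+depVersion)
		}
		sort.Strings(edges)
		graph["pkg:nuget/"+name+"@"+version] = edges
	}
	return graph, nil
}

func main() {
	fmt.Println(dependsOn([]byte(sampleDeps)))
}
```

An SBOM in which every library component has an empty `dependsOn` list, while the input file's `targets` section carries `dependencies` entries, matches the symptom reported here.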