Trivy doesn't find CSAF assessments related to a relationship

[javierfreire]

Description

Trivy fails to find VEX assessments when they reference the relationship between a vulnerable package and an intermediate package.

For example, consider a Bitnami module that includes a Python library and is packaged as a container image. The corresponding SPDX document defines three packages: the image, the Bitnami module, and the Python library. Meanwhile, the CSAF file contains an assessment related to the relationship between the Bitnami module and the Python library. In this scenario, Trivy does not correctly match the assessment.

Desired Behavior

Trivy finds the assessments and skips the vulnerabilities.

Actual Behavior

Trivy shows all the vulnerabilities even if there are assessments.

Reproduction Steps

1. Create the SPDX file

cat > spdx.json <<EOF
{
  "SPDXID": "SPDXRef-DOCUMENT",
  "creationInfo": {
    "created": "2025-02-10T16:54:21Z",
    "creators": [ ]
  },
  "dataLicense": "CC0-1.0",
  "documentNamespace": "https://tanzu.vmware.com/application-catalog/spdx/3fe72f87-b062-47ab-b570-a903a1554fe9",
  "hasExtractedLicensingInfos": [
    {
      "extractedText": "Apache-Software-License",
      "licenseId": "LicenseRef-Apache-Software-License"
    },
    {
      "extractedText": "Apache-Software-License--BSD-License",
      "licenseId": "LicenseRef-Apache-Software-License--BSD-License"
    },
    {
      "extractedText": "BSD-License--Apache-Software-License",
      "licenseId": "LicenseRef-BSD-License--Apache-Software-License"
    },
    {
      "extractedText": "MIT-License",
      "licenseId": "LicenseRef-MIT-License"
    },
    {
      "extractedText": "MIT-License--Apache-Software-License",
      "licenseId": "LicenseRef-MIT-License--Apache-Software-License"
    },
    {
      "extractedText": "Python-Software-Foundation-License",
      "licenseId": "LicenseRef-Python-Software-Foundation-License"
    },
    {
      "extractedText": "Python-Software-Foundation-License--Other-Proprietary-License",
      "licenseId": "LicenseRef-Python-Software-Foundation-License--Other-Proprietary-License"
    },
    {
      "extractedText": "UNKNOWN",
      "licenseId": "LicenseRef-UNKNOWN"
    },
    {
      "extractedText": "Zope-Public-License",
      "licenseId": "LicenseRef-Zope-Public-License"
    },
    {
      "extractedText": "pubkey",
      "licenseId": "LicenseRef-pubkey"
    }
  ],
  "name": "SPDX document for airflow:2.10.5-photon-5-r0",
  "packages": [
    {
      "SPDXID": "SPDXRef-airflow-gnrtd556",
      "copyrightText": "NOASSERTION",
      "downloadLocation": "https://github.com/apache/airflow/archive/refs/tags/2.10.5.tar.gz",
      "externalRefs": [
        {
          "referenceCategory": "SECURITY",
          "referenceLocator": "cpe:2.3:*:apache:airflow:2.10.5:*:*:*:*:*:*:*",
          "referenceType": "cpe23Type"
        },
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceLocator": "pkg:bitnami/[email protected]?arch=amd64\u0026distro=photon-5",
          "referenceType": "purl"
        }
      ],
      "filesAnalyzed": false,
      "licenseConcluded": "Apache-2.0",
      "licenseDeclared": "Apache-2.0",
      "name": "airflow",
      "primaryPackagePurpose": "LIBRARY",
      "versionInfo": "2.10.5-0"
    },
    {
      "SPDXID": "SPDXRef-Package-gnrtd486",
      "copyrightText": "NOASSERTION",
      "downloadLocation": "NONE",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceLocator": "pkg:pypi/[email protected]",
          "referenceType": "purl"
        }
      ],
      "filesAnalyzed": true,
      "licenseConcluded": "BSD-3-Clause",
      "licenseDeclared": "BSD-3-Clause",
      "name": "Werkzeug",
      "packageVerificationCode": {
        "packageVerificationCodeValue": "79fdc5c2ae4518235f1504bb5ba4371f0b429dec"
      },
      "primaryPackagePurpose": "LIBRARY",
      "supplier": "NOASSERTION",
      "versionInfo": "2.2.3"
    },
    {
      "SPDXID": "SPDXRef-ContainerImage-gnrtd1572",
      "downloadLocation": "NONE",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceLocator": "pkg:oci/airflow@sha256%3A445400e36e168d2186330fce04d5171dda12876a4326110ba26c3a8f016d6bb9",
          "referenceType": "purl"
        }
      ],
      "filesAnalyzed": false,
      "licenseConcluded": "NOASSERTION",
      "licenseDeclared": "NOASSERTION",
      "name": "airflow",
      "primaryPackagePurpose": "CONTAINER",
      "versionInfo": "2.10.5-photon-5-r0"
    }
  ],
  "relationships": [
    {
      "relatedSpdxElement": "SPDXRef-ContainerImage-gnrtd1572",
      "relationshipType": "DESCRIBES",
      "spdxElementId": "SPDXRef-DOCUMENT"
    },
    {
      "relatedSpdxElement": "SPDXRef-airflow-gnrtd556",
      "relationshipType": "CONTAINS",
      "spdxElementId": "SPDXRef-ContainerImage-gnrtd1572"
    },
    {
      "relatedSpdxElement": "SPDXRef-Package-gnrtd486",
      "relationshipType": "CONTAINS",
      "spdxElementId": "SPDXRef-airflow-gnrtd556"
    }
  ],
  "spdxVersion": "SPDX-2.3"
}
EOF

2. Create the CSAF file

cat > vex.json <<EOF
{
  "document": {
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "publisher": {
      "category": "vendor",
      "name": "Broadcom, Inc.",
      "namespace": "https://tanzu.vmware.com/application-catalog"
    },
    "title": "Advisory for airflow 2.10.5-photon-5-r0",
    "tracking": {
      "current_release_date": "2025-02-10T16:55:58Z",
      "generator": {
        "engine": {
          "name": "Tanzu VEX CLI",
          "version": "1.0.0"
        }
      },
      "id": "21c86e00-5b6c-4449-8644-371806e608ea",
      "initial_release_date": "2025-02-10T16:55:58Z",
      "revision_history": [],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python 3.12.9-1",
                "product": {
                  "name": "python",
                  "product_id": "python_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:bitnami/[email protected]?arch=amd64\u0026distro=photon-5"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "python"
          }
        ],
        "category": "vendor",
        "name": "Broadcom, Inc."
      },
      {
        "category": "product_version",
        "name": "Werkzeug 2.2.3",
        "product": {
          "name": "Werkzeug",
          "product_id": "werkzeug",
          "product_identification_helper": {
            "purl": "pkg:pypi/[email protected]"
          }
        }
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "Werkzeug-2.2.3 is component of airflow-2.10.5-0",
          "product_id": "airflow_amd64:werkzeug"
        },
        "product_reference": "werkzeug",
        "relates_to_product_reference": "airflow_amd64"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-34069",
      "flags": [
        {
          "label": "vulnerable_code_cannot_be_controlled_by_adversary",
          "product_ids": [
            "airflow_amd64:werkzeug"
          ]
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "...",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "known_not_affected": [
          "airflow_amd64:werkzeug"
        ]
      },
      "threats": [
        {
          "category": "impact",
          "details": "...",
          "product_ids": [
            "airflow_amd64:werkzeug"
          ]
        }
      ]
    }
  ]
}
EOF

3. Run trivy

trivy sbom spdx.json --vex vex.json

### Target

None

### Scanner

None

### Output Format

None

### Mode

None

### Debug Output

```bash
$ trivy sbom spdx.json --vex vex.json -d
2025-02-19T15:59:12+01:00       DEBUG   No plugins loaded
2025-02-19T15:59:12+01:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-02-19T15:59:12+01:00       DEBUG   Ignore statuses statuses=[]
2025-02-19T15:59:12+01:00       DEBUG   [vulndb] There is no valid metadata file        err="unable to open a file: open /home/fjavier/.cache/trivy/db/metadata.json: no such file or directory"
2025-02-19T15:59:12+01:00       INFO    [vulndb] Need to update DB
2025-02-19T15:59:12+01:00       DEBUG   [vulndb] No metadata file
2025-02-19T15:59:12+01:00       INFO    [vulndb] Downloading vulnerability DB...
2025-02-19T15:59:12+01:00       INFO    [vulndb] Downloading artifact...        repo="mirror.gcr.io/aquasec/trivy-db:2"
59.24 MiB / 59.24 MiB [------------------------------] 100.00% 3.11 MiB p/s 19s
2025-02-19T15:59:32+01:00       INFO    [vulndb] Artifact successfully downloaded       repo="mirror.gcr.io/aquasec/trivy-db:2"
2025-02-19T15:59:32+01:00       DEBUG   Updating database metadata...
2025-02-19T15:59:32+01:00       DEBUG   DB info schema=2 updated_at=2025-02-19T12:18:27.677573356Z next_update=2025-02-20T12:18:27.677573095Z downloaded_at=2025-02-19T14:59:32.728953767Z
2025-02-19T15:59:32+01:00       DEBUG   [pkg] Package types     types=[os library]
2025-02-19T15:59:32+01:00       DEBUG   [pkg] Package relationships     relationships=[unknown root workspace direct indirect]
2025-02-19T15:59:32+01:00       INFO    [vuln] Vulnerability scanning is enabled
2025-02-19T15:59:32+01:00       DEBUG   Enabling misconfiguration scanners      scanners=[]
2025-02-19T15:59:32+01:00       DEBUG   Initializing scan cache...      type="memory"
2025-02-19T15:59:32+01:00       INFO    Detected SBOM format    format="spdx-json"
2025-02-19T15:59:32+01:00       DEBUG   [sbom] Skipping a component with an unsupported type    file_path="spdx.json" name="airflow" version="2.10.5-photon-5-r0" type="oci"
2025-02-19T15:59:32+01:00       DEBUG   OS is not detected.
2025-02-19T15:59:32+01:00       DEBUG   Detected OS: unknown
2025-02-19T15:59:32+01:00       INFO    Number of language-specific files       num=2
2025-02-19T15:59:32+01:00       INFO    [bitnami] Detecting vulnerabilities...
2025-02-19T15:59:32+01:00       DEBUG   [bitnami] Scanning packages for vulnerabilities file_path=""
2025-02-19T15:59:32+01:00       INFO    [python-pkg] Detecting vulnerabilities...
2025-02-19T15:59:32+01:00       DEBUG   [python-pkg] Scanning packages for vulnerabilities      file_path=""
2025-02-19T15:59:32+01:00       DEBUG   Specified ignore file does not exist    file=".trivyignore"

Python (python-pkg)

Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 3, HIGH: 1, CRITICAL: 0)
....

Operating System

Ubuntu 24.10

Version

$ trivy --version
Version: 0.59.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-02-19 12:18:27.677573356 +0000 UTC
  NextUpdate: 2025-02-20 12:18:27.677573095 +0000 UTC
  DownloadedAt: 2025-02-19 14:59:32.728953767 +0000 UTC

Checklist

• Run trivy clean --all
• Read the troubleshooting