CycloneDX VEX: Trivy fails to suppress all findings when the same CVE (with a different PURL) is listed in multiple VEX statements. #7885
**Description**

Trivy does not suppress vulnerability findings when scanning a CycloneDX Software Bill of Materials (SBOM) using the

**Desired Behavior**

Trivy suppresses output findings related to each VEX statement that references the same CVE but with different PURLs.

**Actual Behavior**

Trivy suppresses output findings for only the positionally last VEX statement in the VEX document that references the same CVE but with different PURLs.

**Reproduction Steps**

1. Pull the Docker image indicated in this Trivy command.
   ```
   trivy image python:3.12.7-slim-bookworm --severity CRITICAL,HIGH
   ```
2. Run the Trivy command. Notice that the table reports multiple instances of CVE-2024-26462 referencing different PURLs.
3. Generate an SBOM for this image using the following Trivy command.
   ```
   trivy image --format cyclonedx -o python_3.12.7-slim-bookworm.json python:3.12.7-slim-bookworm
   ```
4. Create a valid VEX file with multiple statements referencing CVE-2024-26462 for different PURLs marked `"state":"not_affected"`. Use the vuln findings table to identify the PURLs for CVE-2024-26462. Name the VEX file: `vex_python_3.12.7-slim-bookworm.json`
5. Run the following command to apply the VEX statements to an SBOM scan output from Trivy.
   ```
   trivy sbom python_3.12.7-slim-bookworm.json --vex vex_python_3.12.7-slim-bookworm.json --severity CRITICAL,HIGH
   ```
6. See that only one (the last VEX file entry) VEX statement was applied to the scan findings by Trivy.

**Target**

SBOM

**Scanner**

Vulnerability

**Output Format**

JSON

**Mode**

Standalone

**Debug Output**

Note: All of the findings should have been suppressed for CVE-2024-26462

```
johnamaral@Johns-MacBook-Pro-2 RootVexTest % trivy sbom sbom_rootioinc_airbus_fastapi_r0.json --vex vex_rootioinc_airbus_fastapi_r0.json --severity CRITICAL,HIGH --debug
2024-11-06T19:59:57-05:00 DEBUG No plugins loaded
2024-11-06T19:59:57-05:00 DEBUG Default config file "file_path=trivy.yaml" not found, using built in values
2024-11-06T19:59:57-05:00 DEBUG Cache dir dir="/Users/johnamaral/Library/Caches/trivy"
2024-11-06T19:59:57-05:00 DEBUG Cache dir dir="/Users/johnamaral/Library/Caches/trivy"
2024-11-06T19:59:57-05:00 DEBUG Parsed severities severities=[CRITICAL HIGH]
2024-11-06T19:59:57-05:00 DEBUG Ignore statuses statuses=[]
2024-11-06T19:59:57-05:00 DEBUG DB update was skipped because the local DB is the latest
2024-11-06T19:59:57-05:00 DEBUG DB info schema=2 updated_at=2024-11-06T18:16:55.465818361Z next_update=2024-11-07T18:16:55.465817961Z downloaded_at=2024-11-06T19:31:05.069677Z
2024-11-06T19:59:57-05:00 DEBUG [pkg] Package types types=[os library]
2024-11-06T19:59:57-05:00 DEBUG [pkg] Package relationships relationships=[unknown root direct indirect]
2024-11-06T19:59:57-05:00 INFO [vuln] Vulnerability scanning is enabled
2024-11-06T19:59:57-05:00 DEBUG Enabling misconfiguration scanners scanners=[]
2024-11-06T19:59:57-05:00 DEBUG Initializing scan cache... type="memory"
2024-11-06T19:59:57-05:00 INFO Detected SBOM format format="cyclonedx-json"
2024-11-06T19:59:57-05:00 DEBUG Unmarshalling CycloneDX JSON...
2024-11-06T19:59:57-05:00 DEBUG [sbom] Skipping a component with an unsupported type file_path="sbom_rootioinc_airbus_fastapi_r0.json" name="rootioinc/airbus:fastapi_r0" version="" type="oci"
2024-11-06T19:59:57-05:00 INFO Detected OS family="debian" version="12.7"
2024-11-06T19:59:57-05:00 INFO [debian] Detecting vulnerabilities... os_version="12" pkg_num=104
2024-11-06T19:59:57-05:00 INFO Number of language-specific files num=1
2024-11-06T19:59:57-05:00 INFO [python-pkg] Detecting vulnerabilities...
2024-11-06T19:59:57-05:00 DEBUG [python-pkg] Scanning packages for vulnerabilities file_path=""
2024-11-06T19:59:57-05:00 WARN Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.57/docs/scanner/vulnerability#severity-selection for details.
2024-11-06T19:59:57-05:00 INFO Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.

sbom_rootioinc_airbus_fastapi_r0.json (debian 12.7)

Total: 3 (HIGH: 3, CRITICAL: 0)
```

| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|---|
| libgssapi-krb5-2 | CVE-2024-26462 | HIGH | affected | 1.20.1-2+deb12u2 | | krb5: Memory leak at /krb5/src/kdc/ndr.c (https://avd.aquasec.com/nvd/cve-2024-26462) |
| libk5crypto3 | CVE-2024-26462 | HIGH | affected | 1.20.1-2+deb12u2 | | krb5: Memory leak at /krb5/src/kdc/ndr.c (https://avd.aquasec.com/nvd/cve-2024-26462) |
| libkrb5support0 | CVE-2024-26462 | HIGH | affected | 1.20.1-2+deb12u2 | | krb5: Memory leak at /krb5/src/kdc/ndr.c (https://avd.aquasec.com/nvd/cve-2024-26462) |

**Operating System**

macOS Ventura 13.5

**Version**

```
johnamaral@Johns-MacBook-Pro-2 RootVexTest % trivy --version
Version: 0.57.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-11-06 18:16:55.465818361 +0000 UTC
  NextUpdate: 2024-11-07 18:16:55.465817961 +0000 UTC
  DownloadedAt: 2024-11-06 19:31:05.069677 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-10-29 02:43:29.210209896 +0000 UTC
  NextUpdate: 2024-11-01 02:43:29.210209776 +0000 UTC
  DownloadedAt: 2024-10-29 16:48:18.400937 +0000 UTC
```
Hello @johnnyrootio, I can't reproduce your issue. My CycloneDX VEX file works correctly:

```
➜ cat vex_python_3.12.7-slim-bookworm.json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "vulnerabilities": [
    {
      "id": "CVE-2024-26462",
      "analysis": {
        "state": "not_affected"
      },
      "affects": [
        {
          "ref": "urn:cdx:63b7fa18-f4ad-493c-9767-44b2dc78708a/1#pkg:deb/debian/[email protected]%2Bdeb12u2?arch=amd64\u0026distro=debian-12.7"
        },
        {
          "ref": "urn:cdx:63b7fa18-f4ad-493c-9767-44b2dc78708a/1#pkg:deb/debian/[email protected]%2Bdeb12u2?arch=amd64\u0026distro=debian-12.7"
        },
        {
          "ref": "urn:cdx:63b7fa18-f4ad-493c-9767-44b2dc78708a/1#pkg:deb/debian/[email protected]%2Bdeb12u2?arch=amd64\u0026distro=debian-12.7"
        }
      ]
    }
  ]
}
```

```
➜ trivy sbom python_3.12.7-slim-bookworm.cdx.json --vex vex_python_3.12.7-slim-bookworm.json --severity CRITICAL,HIGH --show-suppressed
2024-11-08T14:22:02+06:00 INFO [vuln] Vulnerability scanning is enabled
2024-11-08T14:22:02+06:00 INFO Detected SBOM format format="cyclonedx-json"
2024-11-08T14:22:02+06:00 INFO Detected OS family="debian" version="12.7"
2024-11-08T14:22:02+06:00 INFO [debian] Detecting vulnerabilities... os_version="12" pkg_num=105
2024-11-08T14:22:02+06:00 INFO Number of language-specific files num=1
2024-11-08T14:22:02+06:00 INFO [python-pkg] Detecting vulnerabilities...
2024-11-08T14:22:02+06:00 WARN Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.57/docs/scanner/vulnerability#severity-selection for details.

python_3.12.7-slim-bookworm.cdx.json (debian 12.7)

Total: 4 (HIGH: 3, CRITICAL: 1)
```

| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|---|
| libkrb5support0 | CVE-2024-26462 | HIGH | affected | 1.20.1-2+deb12u2 | | krb5: Memory leak at /krb5/src/kdc/ndr.c (https://avd.aquasec.com/nvd/cve-2024-26462) |
| libsqlite3-0 | CVE-2023-7104 | HIGH | affected | 3.40.1-2 | | sqlite: heap-buffer-overflow at sessionfuzz (https://avd.aquasec.com/nvd/cve-2023-7104) |
| perl-base | CVE-2023-31484 | HIGH | affected | 5.36.0-7+deb12u1 | | perl: CPAN.pm does not verify TLS certificates when downloading distributions over HTTPS... (https://avd.aquasec.com/nvd/cve-2023-31484) |
| zlib1g | CVE-2023-45853 | CRITICAL | will_not_fix | 1:1.2.13.dfsg-1 | | zlib: integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_6 (https://avd.aquasec.com/nvd/cve-2023-45853) |

Suppressed Vulnerabilities (Total: 3)

| Library | Vulnerability | Severity | Status | Statement | Source |
|---|---|---|---|---|---|
| libgssapi-krb5-2 | CVE-2024-26462 | HIGH | not_affected | N/A | CycloneDX VEX |
| libk5crypto3 | CVE-2024-26462 | HIGH | not_affected | N/A | CycloneDX VEX |
| libkrb5-3 | CVE-2024-26462 | HIGH | not_affected | N/A | CycloneDX VEX |

Can you send your VEX file?
[vex_python_3.12.7-slim-bookworm-fails.json](https://github.com/user-attachments/files/17687668/vex_python_3.12.7-slim-bookworm-fails.json)
Thanks for the response. Attached is my VEX file. You can see from the scanner output table that only one of the CVEs listed in my VEX file was suppressed. The difference is that you list CVE-2024-26462 once in your VEX file with multiple "affects" elements. I list multiple "vulnerabilities" elements (CVE-2024-26462) with a single "affects" in each section.
Got it.

We use only the last element for the vulnerability.
This is necessary to be able to add/remove/update the vulnerability information (instead of overwriting it).
https://github.com/openvex/spec/blob/fa5ba0c0afedb008dc5ebad418548cacf16a3ca7/OPENVEX-SPEC.md#the-vex-statement

If you want to suppress multiple packages, you need to add all packages to the `affects` array.
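The two VEX shapes compared in this thread, as an added example that is not Trivy's code and not part of the discussion: a small Python script that models a consumer which keys statements by vulnerability id and therefore keeps only the last one (the behaviour described above), and a `merge_statements` function that rewrites a VEX document so each id appears once with a combined `affects` array, the form that does get every package suppressed. The sample document is constructed; its BOM serial number and PURLs are placeholders, and the merge refuses to combine repeated statements whose `analysis` blocks disagree rather than silently picking one verdict.

```python
"""Merge duplicate CycloneDX VEX 'vulnerabilities' entries so that each
vulnerability id appears once with every affected ref in one 'affects' array.

Added example, not code from Trivy or the CycloneDX project. The sample VEX
below is constructed: the BOM serial number and PURLs are placeholders.
"""
import copy
import json

# Constructed sample in the failing shape: the same CVE repeated as three
# statements, each carrying a single ref in its 'affects' array.
_BOM = "urn:cdx:00000000-0000-0000-0000-000000000000/1"
_PKGS = ["libgssapi-krb5-2", "libk5crypto3", "libkrb5-3"]

VEX_MULTI_STATEMENT = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "vulnerabilities": [
        {
            "id": "CVE-2024-26462",
            "analysis": {"state": "not_affected"},
            "affects": [{"ref": f"{_BOM}#pkg:deb/debian/{pkg}@1.20.1-2%2Bdeb12u2"
                                "?arch=amd64&distro=debian-12.7"}],
        }
        for pkg in _PKGS
    ],
}


def index_last_wins(vex):
    """Model of a consumer that keys statements by vulnerability id.

    A later statement with the same id overwrites the earlier one, so only
    the positionally last statement's 'affects' survives.
    """
    by_id = {}
    for stmt in vex.get("vulnerabilities", []):
        by_id[stmt["id"]] = stmt
    return by_id


def suppressed_refs(vex, vuln_id):
    """Refs such a consumer would treat as not_affected for vuln_id."""
    stmt = index_last_wins(vex).get(vuln_id)
    if stmt is None or stmt.get("analysis", {}).get("state") != "not_affected":
        return []
    return [a["ref"] for a in stmt.get("affects", [])]


def merge_statements(vex):
    """Return a copy of vex in which each vulnerability id appears once.

    The 'affects' arrays of repeated statements are unioned (order kept,
    duplicate refs dropped). Repeated statements whose 'analysis' blocks
    disagree are refused: merging them would pick one verdict over another
    without anyone noticing.
    """
    merged = {}  # id -> merged statement; dict keeps insertion order
    for stmt in vex.get("vulnerabilities", []):
        vid = stmt["id"]
        if vid not in merged:
            merged[vid] = {**copy.deepcopy(stmt), "affects": []}
        target = merged[vid]
        if target.get("analysis") != stmt.get("analysis"):
            raise ValueError(f"conflicting analysis blocks for {vid}")
        known = {a["ref"] for a in target["affects"]}
        for affect in stmt.get("affects", []):
            if affect["ref"] not in known:
                target["affects"].append(copy.deepcopy(affect))
                known.add(affect["ref"])
    out = copy.deepcopy(vex)
    out["vulnerabilities"] = list(merged.values())
    return out


if __name__ == "__main__":
    # A last-wins consumer suppresses one ref from the repeated form;
    # after merging, all three refs are covered by the single statement.
    print(len(suppressed_refs(VEX_MULTI_STATEMENT, "CVE-2024-26462")))
    fixed = merge_statements(VEX_MULTI_STATEMENT)
    print(len(suppressed_refs(fixed, "CVE-2024-26462")))
    print(json.dumps(fixed, indent=2))
```

Running the script prints `1`, then `3`, then the merged document, which can be fed to `trivy sbom ... --vex` in place of the original. The conflict check is the part worth keeping in any real pipeline: a VEX file that says `not_affected` in one statement and `affected` in another for the same CVE is a data problem to surface, not something a merge should quietly resolve.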