Wrong version detected for protobuf-kotlin

[larsriehn]

Description

Our application contains protobuf 4.28.2 defined in build.gradle.kts:
"com.google.protobuf:protoc:4.28.2"
I verified that this is the version of the jar contained in the build.
The generated SBOM and the trivy vulnerability check show the version 4.28.0 for protobuf-kotlin (interestingly everything is correct for protobuf-java).
See the correct version of the jar: protobuf-kotlin-4.28.2.jar not matching all other versions.
{
"bom-ref": "pkg:maven/com.google.protobuf/[email protected]",
"type": "library",
"group": "com.google.protobuf",
"name": "protobuf-kotlin",
"version": "4.28.0",
"hashes": [
{
"alg": "SHA-1",
"content": "5c444c13182baa06a30975cf90e62ff9acd95da7"
}
],
"purl": "pkg:maven/com.google.protobuf/[email protected]",
"properties": [
{
"name": "aquasecurity:trivy:FilePath",
"value": "app/reclaim-0.0.1-SNAPSHOT.jar/BOOT-INF/lib/protobuf-kotlin-4.28.2.jar"
},
{
"name": "aquasecurity:trivy:LayerDiffID",
"value": "sha256:6067a1acffb5e84e336a6316bd490463f02c866108c1f93e56be72e322048766"
},
{
"name": "aquasecurity:trivy:LayerDigest",
"value": "sha256:026f3b27d2358d1b4c5592b6eac010a85e6b4af20ffe1cbe17e67b18713c72cb"
},
{
"name": "aquasecurity:trivy:PkgType",
"value": "jar"
}
]
},

I do have the same behaviour with protobuf-kotlin-3.25.5.jar where trivy shows CVEs for 3.25.0

Desired Behavior

The correct version 4.28.2 should used.
(Second case 3.25.5 should be used)

Actual Behavior

Version 4.28.0 is used.
(Second case 3.25.0 is used)

Reproduction Steps

1. Build Kotlin application as a Docker image
2. Scan image with Trivy
3. Create CycloneDX SBOM with Trivy

Target

Container Image

Scanner

Vulnerability

Output Format

JSON

Mode

Client/Server

Debug Output

$ trivy image ${TRIVY_LOG_OUTPUT} ${TRIVY_EXTRA_FLAGS} --format cyclonedx --scanners vuln --input "${CI_PROJECT_DIR}/${CI_COMMIT_SHORT_SHA}-${IMAGE}.tar" --output ${TRIVY_REPORT_FILE} --server ${TRIVY_SERVER_URL}


Total: 0 (HIGH: 0)
Java (jar)
==========
Total: 1 (HIGH: 1)
┌─────────────────────────────────────┬───────────────┬──────────┬────────┬───────────────────┬────────────────────────┬───────────────────────────────────────────────────────────┐
│               Library               │ Vulnerability │ Severity │ Status │ Installed Version │     Fixed Version      │                           Title                           │
├─────────────────────────────────────┼───────────────┼──────────┼────────┼───────────────────┼────────────────────────┼───────────────────────────────────────────────────────────┤
│ com.google.protobuf:protobuf-kotlin │ CVE-2024-7254 │ HIGH     │ fixed  │ 4.28.0            │ 3.25.5, 4.27.5, 4.28.2 │ protobuf: StackOverflow vulnerability in Protocol Buffers │
│ (reclaim-0.0.1-SNAPSHOT.jar)        │               │          │        │                   │                        │ https://avd.aquasec.com/nvd/cve-2024-7254                 │
└─────────────────────────────────────┴───────────────┴──────────┴────────┴───────────────────┴────────────────────────┴───────────────────────────────────────────────────────────┘

Operating System

Gitlab Runner

Version

0.56.1

Checklist

• Run trivy clean --all
• Read the troubleshooting

[DmitriyLewen]

Hello @larsriehn
Thanks for your report!

Can you create a test image and push it to dockerhub (or another registry)?
This will speed up the investigation of your case.

Regards, Dmitriy

[larsriehn]

Hello @DmitriyLewen !
You can find an image here: docker pull larsriehn/kotlin-demo
(https://hub.docker.com/repository/docker/larsriehn/kotlin-demo/general)
Unpacking it will show protobuf-kotlin-4.28.2.jar inside.

The trivy vuln scan instead shows the version 4.28.0 and the CVE--2024-7254 in this version (fixed in 4.28.2):
com.google.protobuf:protobuf-kotlin (app.jar) │ CVE-2024-7254 │ HIGH │ fixed │ 4.28.0 │ 3.25.5, 4.27.5, 4.28.2

[DmitriyLewen]

Hello @larsriehn
Thanks!

v4.28.0 and v4.28.2 have same sha1:

• https://repo1.maven.org/maven2/com/google/protobuf/protobuf-kotlin/4.28.2/protobuf-kotlin-4.28.2.jar.sha1
• https://repo1.maven.org/maven2/com/google/protobuf/protobuf-kotlin/4.28.0/protobuf-kotlin-4.28.0.jar.sha1

More about this problem you can read in #7567.

Regards, Dmitriy

[DmitriyLewen]

duplicate of #7567