CycloneDX SBOM files generated by trivy are not compliant with corresponding CycloneDX schema

[LesSyner]

Description

I discovered that Cyclonedx-JSON SBOM files generated by trivy are not compliant with corresponding CycloneDX schema. I discovered it while trying to work with licenses and external tools which support it (Dependency-track). So in particular the issue is with license, where trivy-generated SBOM has following structure:

      "bom-ref": "pkg:deb/ubuntu/[email protected]?arch=all\u0026distro=ubuntu-22.04",
      "type": "library",
      "name": "adduser",
      "version": "3.118ubuntu5",
      "licenses": [
        {
          "expression": "GPL-2.0"
        }
      ],

and compliant structure looks like this (generated by syft):

      "bom-ref": "pkg:deb/ubuntu/[email protected]?arch=all&distro=ubuntu-22.04&package-id=00a3e975e84427e2",
      "type": "library",
      "name": "adduser",
      "version": "3.118ubuntu5",
      "licenses": [
        {
          "license": {
            "id": "GPL-2.0-only"
          }
        }
      ],

Desired Behavior

trivy produces SBOM files compliant with CycloneDX-JSON schema

Actual Behavior

trivy generates invalid SBOM JSON files

Reproduction Steps

1. trivy image -f cyclonedx --scanners license ubuntu:22.04 > ubuntu22.04.trivy.json

2. cyclonedx validate --input-file ubuntu22.04.trivy.json --input-format json --input-version v1_4
Validating JSON BOM...
Validation failed: 
#/properties/dependencies/items
BOM is not valid.

3. syft packages -o cyclonedx-json ubuntu:22.04 > ubuntu22.04.syft.json

4. cyclonedx validate --input-file ubuntu22.04.syft.json --input-format json --input-version v1_4
Validating JSON BOM...
BOM validated successfully.

Trivy used above is v0.42.1 since 0.43 introduced CycloneDX schema 1.5 with no option for fallback to v1.4 and currently cyclonedx tool doesn't suppport yet v1.5. But I've checked it also with latest trivy and licenses structure is exactly the same.

Target

Container Image

Scanner

License

Output Format

CycloneDX

Mode

Standalone

Debug Output

DEBUG	["cyclonedx" "spdx" "spdx-json" "github"] automatically enables '--list-all-pkgs'.
DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
DEBUG	cache dir:  .
INFO	License scanning is enabled
DEBUG	Image ID: sha256:37f74891464b2067aacbde60d9e2888e002af047a0d5dfc0b06b701928e0b473
DEBUG	Diff IDs: [sha256:c5ca84f245d30117a9a2720cb4297cedf3642816471d4d699f4d77e39e13a39c]
DEBUG	Base Layers: []
DEBUG	Missing image ID in cache: sha256:37f74891464b2067aacbde60d9e2888e002af047a0d5dfc0b06b701928e0b473
DEBUG	Missing diff ID in cache: sha256:c5ca84f245d30117a9a2720cb4297cedf3642816471d4d699f4d77e39e13a39c
DEBUG	Skipping directory: dev
DEBUG	Skipping directory: proc
DEBUG	Skipping directory: sys
DEBUG	No secrets found in container image config

Operating System

macOS Ventura 13.5

Version

Version: 0.42.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-07-26 06:08:40.049602013 +0000 UTC
  NextUpdate: 2023-07-26 12:08:40.049601613 +0000 UTC
  DownloadedAt: 2023-07-26 10:10:28.217628 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-07-31 00:51:48.861488562 +0000 UTC
  NextUpdate: 2023-08-03 00:51:48.861488162 +0000 UTC
  DownloadedAt: 2023-07-31 15:11:35.839586 +0000 UTC

Checklist

• Run trivy image --reset
• Read the troubleshooting

[DmitriyLewen]

Hello @LesSyner
Thanks for your report!

We fixed this problem in #4941.
v0.44.1 will include this fix.

Regards, Dmitriy