Missing vulnerabilities scanning SBOMs produced by the official SPDX Maven Plugin

[pablogalegoc]

Description

I've cloned the spring-petclinic and reset the repo to an old commit to ensure there are more packages with outdated versions. Then added the official SPDX Maven Plugin to the pom.xml file under <plugins>, like it is shown in the Usage section of the documentation, setting the version to 0.7.3. Trivy is only capable of identifying one package from
org.springframework.samples_spring-petclinic-3.1.0-SNAPSHOT.spdx.json, thus leading to a very short vulnerability report.

My guess is that the ID function returns strings that can't be matched in the vulnerability DB (for example, PostgreSQL JDBC Driver:42.6.0).

Desired Behavior

If there is a purl available, use it as the primary identifier for a package in the vulnerability DB or as a fallback method.

Actual Behavior

I think it is using the ID function, as mentioned above.

Reproduction Steps

1. git clone https://github.com/spring-projects/spring-petclinic.git && cd spring-petclinic && git reset --hard 5accc40c77e51cb15eb87a480e679a5012d1423e
2. Add the official SPDX Maven Plugin, like it is shown in the [Usage](https://github.com/spdx/spdx-maven-plugin?tab=readme-ov-file#usage) section of the documentation, setting the version to 0.7.3
3. ./mvnw spdx:createSPDX
4. trivy sbom target/site/org.springframework.samples_spring-petclinic-3.1.0-SNAPSHOT.spdx.json -f json -o scan.json

Target

None

Scanner

None

Output Format

None

Mode

None

Debug Output

2024-06-21T13:26:26+02:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-06-21T13:26:26+02:00       DEBUG   Ignore statuses statuses=[]
2024-06-21T13:26:26+02:00       DEBUG   Cache dir       dir="/Users/pgalego/Library/Caches/trivy"
2024-06-21T13:26:26+02:00       DEBUG   DB update was skipped because the local DB is the latest
2024-06-21T13:26:26+02:00       DEBUG   DB info schema=2 updated_at=2024-06-21T06:12:43.970221161Z next_update=2024-06-21T12:12:43.97022092Z downloaded_at=2024-06-21T08:17:22.220552Z
2024-06-21T13:26:26+02:00       INFO    Vulnerability scanning is enabled
2024-06-21T13:26:26+02:00       DEBUG   Vulnerability type      type=[os library]
2024-06-21T13:26:26+02:00       DEBUG   Enabling misconfiguration scanners      scanners=[]
2024-06-21T13:26:26+02:00       INFO    Detected SBOM format    format="spdx-json"
2024-06-21T13:26:26+02:00       DEBUG   OS is not detected.
2024-06-21T13:26:26+02:00       DEBUG   Detected OS: unknown
2024-06-21T13:26:26+02:00       INFO    Number of language-specific files       num=1
2024-06-21T13:26:26+02:00       INFO    [jar] Detecting vulnerabilities...
2024-06-21T13:26:26+02:00       DEBUG   [jar] Scanning packages for vulnerabilities     file_path=""

Operating System

macOS 14.5

Version

Version: 0.52.2
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-06-21 06:12:43.970221161 +0000 UTC
  NextUpdate: 2024-06-21 12:12:43.97022092 +0000 UTC
  DownloadedAt: 2024-06-21 08:17:22.220552 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-06-10 01:05:31.416428614 +0000 UTC
  NextUpdate: 2024-06-13 01:05:31.416428444 +0000 UTC
  DownloadedAt: 2024-06-10 14:40:55.678006 +0000 UTC

Checklist

• Run trivy image --reset
• Read the troubleshooting

[DmitriyLewen]

Hello @pablogalegoc
Thanks for your report!

Created #7007 for this task.

Regards, Dmitriy