Unknown flag Error when converting JSON to cyclonedx

[scott-boost]

Description

When I run

trivy image ubuntu:latest --format cyclonedx --output /tmp/base.json
trivy sbom --format json --output /tmp/with_vulns.json --scanners vuln /tmp/base.json
trivy convert --format cyclonedx /tmp/with_vulns.json

I got the following warning AND the vulnerabilities section is empty

"--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.

if I try to include --scanners vuln, I get an unknown flag error

trivy convert --format cyclonedx --scanners vuln /tmp/with_vulns.json
Fatal error	unknown flag: --scanners

Desired Behavior

Successfully convert a cyclonedx from JSON with vulnerabilities populated WITHOUT errors

Actual Behavior

• Unknown flag error if include --scanners vuln
• empty vulnerabilities if don't include --scanners vuln

Reproduction Steps

1. `trivy image ubuntu:latest --format cyclonedx --output /tmp/base.json`
2. `trivy sbom --format json --output /tmp/with_vulns.json --scanners vuln /tmp/base.json`
3A. `trivy convert --format cyclonedx /tmp/with_vulns.json`
3B. `trivy convert --format cyclonedx --scanners vuln /tmp/with_vulns.json`

Target

SBOM

Scanner

Vulnerability

Output Format

CycloneDX

Mode

Standalone

Debug Output

`trivy convert --format cyclonedx --debug /tmp/with_vulns.json`


2024-06-25T13:25:27-04:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-06-25T13:25:27-04:00	INFO	"--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.
2024-06-25T13:25:27-04:00	DEBUG	Writing report to output...
{
  "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:ce61fc6a-9f10-43bb-833d-cdeeae0e5881",
  "version": 1,
  "metadata": {
    "timestamp": "2024-06-25T17:25:27+00:00",
    "tools": {
      "components": [
        {
          "type": "application",
          "group": "aquasecurity",
          "name": "trivy",
          "version": "dev"
        }
      ]
    },
    "component": {
      "bom-ref": "99bb04b1-2d4b-461e-ae35-a24a90e45ac7",
      "type": "application",
      "name": "/tmp/base.json",
      "properties": [
        {
          "name": "aquasecurity:trivy:SchemaVersion",
          "value": "2"
        }
      ]
    }
  },
  "components": [
    {
      "bom-ref": "bcb4aa25-af63-453c-aa87-e1a6af077658",
      "type": "operating-system",
      "name": "ubuntu",
      "version": "24.04",
      "properties": [
        {
          "name": "aquasecurity:trivy:Class",
          "value": "os-pkgs"
        },
        {
          "name": "aquasecurity:trivy:Type",
          "value": "ubuntu"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "99bb04b1-2d4b-461e-ae35-a24a90e45ac7",
      "dependsOn": [
        "bcb4aa25-af63-453c-aa87-e1a6af077658"
      ]
    }
  ],
  "vulnerabilities": []
}

Operating System

macOS Sonoma 14.5

Version

v0.52.0

Checklist

• Run trivy clean --all
• Read the troubleshooting

[knqyf263]

@DmitriyLewen We might need to enable vulnerabilities with trivy convert.

[DmitriyLewen]

hmm... but then we will always include vulnerabilities in CycloneDX report.
Perhaps we want to add new flag to include vulnerabilities in convert mode to give user option to make their own decisions?

[knqyf263]

I found out it was not a bug, but @scott-boost needs to add --list-all-pkgs as documented here.
https://aquasecurity.github.io/trivy/v0.52/docs/configuration/reporting/#converting

$ trivy sbom -f json --output /tmp/with_vulns.json --list-all-pkgs /tmp/base.json
$ trivy convert -f cyclonedx /tmp/with_vulns.json

2024-06-25T13:25:27-04:00 INFO "--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the CycloneDX report.

This is confusing. I'll remove it for trivy convert.

[DmitriyLewen]

#7032 was merged.