How does Trivy get the dependencies of a project ?

[ks-fabrice-chapuis]

Question

Hello,
Currently, I am using Trivy to generate the Software Bills of Materials of the projects of my company, but I saw something weird.
I have a python project having several dependencies (internal as external). The problem is that the dependencies' version in the requirements.txt file is different from the version written in the json file created by Trivy. And the version written in the requirements.txt file is not even written in the SBOM.
For example,
Do you have any idea why ?
Is it possible for it to find the dependencies of an internal dependency ?
Is it possible to differentiate them from the external ones ?
Thank you very much for your time,
Fabrice

Target

SBOM

Scanner

None

Output Format

JSON

Mode

Standalone

Operating System

No response

Version

0.53.0

[DmitriyLewen]

Hello @ks-fabrice-chapuis
Thanks for you interest to Trivy!

details on scanning requirements.txt files can be found in - https://aquasecurity.github.io/trivy/v0.55/docs/coverage/language/python/#pip

Is it possible for it to find the dependencies of an internal dependency ?
Is it possible to differentiate them from the external ones ?

IIRC requirement.txt file contains all dependencies (direct and indirect). But there are no markers to split them.

You can send me your requirements.txt file and i will investigate its.

Regards, Dmitriy

[ks-fabrice-chapuis]

Hello,
thank you very much for you answer.
to answer you, one of our projects contains a dependency (as Trivy says) with "kogautils" v. 0.0.8 .
No kogautils is found in the requirements.txt, meaning it is a dependency of a dependency or an image dependency.
After investigation, the image is the only one using KogaUtils, but it has the version 1.0.4.
(KogaUtils is an internal library).

One more question: where does the name format of libraries come from ? Because it is not exactly the same as the one in the CVE json files, meaning that making a relation between a components table and a CVE table has a lot of false positives (since it requires a LIKE statement). Is it possible to have a format that suits the CVE format better ?
Thanks again for your help,
Fabrice

[ks-fabrice-chapuis]

or one more thing (a little bit clearer:
here is what Trivy gives us:
{
"bom-ref": "pkg:pypi/[email protected]",
"type": "library",
"name": "ansible-core",
"version": "2.14.3",
"licenses": [
{
"license": {
"name": "GNU General Public License v3 or later (GPLv3+)"
}
}
],
"purl": "pkg:pypi/[email protected]",
"properties": [
{
"name": "aquasecurity:trivy:FilePath",
"value": "usr/lib/python3.10/site-packages/ansible_core-2.14.3.dist-info/METADATA"
},
{
"name": "aquasecurity:trivy:LayerDiffID",
"value": "sha256:6db04f4b1edfc13a882fb18a816d8d6daa53343fa1801e75bbee1ace7966f230"
},
{
"name": "aquasecurity:trivy:LayerDigest",
"value": "sha256:5e3c07004235f748ad69da49492fcc01bbf542631cad8c60252229b6cb54a326"
},
{
"name": "aquasecurity:trivy:PkgType",
"value": "python-pkg"
}
]
},
{
"bom-ref": "pkg:pypi/[email protected]",
"type": "library",
"name": "ansible",
"version": "7.3.0",
"licenses": [
{
"license": {
"name": "GNU General Public License v3 or later (GPLv3+)"
}
}
],
"purl": "pkg:pypi/[email protected]",
"properties": [
{
"name": "aquasecurity:trivy:FilePath",
"value": "usr/lib/python3.10/site-packages/ansible-7.3.0.dist-info/METADATA"
},
{
"name": "aquasecurity:trivy:LayerDiffID",
"value": "sha256:6db04f4b1edfc13a882fb18a816d8d6daa53343fa1801e75bbee1ace7966f230"
},
{
"name": "aquasecurity:trivy:LayerDigest",
"value": "sha256:5e3c07004235f748ad69da49492fcc01bbf542631cad8c60252229b6cb54a326"
},
{
"name": "aquasecurity:trivy:PkgType",
"value": "python-pkg"
}
]
},

here is the requirements.txt of the project:
bpython==0.24
sigmaloader==2.11.0
flake8==5.0.4

yamllint==1.28.0
pytest==7.4.4
pytest-cov==4.0.0
pytest-mock==3.10.0
pytest-flake8==1.1.1
requests-mock==1.10.0
twine==4.0.2
wheel==0.38.1
mkdocs==1.5.3

attackcti==0.4.0
GitPython==3.1.41
python-gitlab==4.10.0

sigmaloader being an internal library, here is its requirements.txt:
aiohttp==3.10.5
beautifulsoup4==4.12.3
click==8.1.7
colorama==0.4.6
graphviz==0.20.3
Markdown==3.7
pydantic[email]==2.8.2
python-gitlab==4.10.0
jsonschema==4.23.0
PyYAML==6.0.2
requests-toolbelt==1.0.0
requests==2.32.3
splunk-sdk==2.0.2
eql==0.9.19
elasticsearch_dsl==8.15.1
isodate==0.6.1
ruyaml==0.91.0
azure-identity==1.17.1
azure-storage-blob==12.22.0
beautifulsoup4==4.12.3
click==8.1.7
markdown2==2.5.0
GitPython==3.1.41

Here is the requirements.txt of the repo used to generate the image of the initial requirements.txt:
Cython==3.0.10,<3.1
attrs==23.2.0
certifi==2024.7.4
charset-normalizer==3.3.2
coverage==7.5.1
exceptiongroup==1.2.1
idna==3.7
iniconfig==2.0.0
packaging==23.2
pluggy==1.5.0
pyparsing==3.1.2
pytest==7.4.4
requests==2.32.2
python-gitlab==4.5.0
pyyaml==6.0.1
pytest-flake8==1.1.1
pytest-cov==4.1.0
jinja2==3.1.4
requests-toolbelt==1.0.0
tomli==2.0.1
six==1.16.0
elasticsearch==7.17.9
urllib3<2,==1.26.18
pillow==10.3.0
click==8.1.7
flake8<7,==6.1.0
atlassian-python-api==3.41.13
markdown==3.6
ansible==9.6.0
pyzabbix==1.3.1

koga-utils==1.0.4

koga-utils is another internal library, but doesn't have ansible.
So, as we can see, Trivy finds 2 ansibles but we can not see where it comes from, and the only ansible is from the image but has yet another version.
do you have any idea how it can happen ?
Thanks again,
Fabrice

[DmitriyLewen]

Hello @ks-fabrice-chapuis

IIUC you scan image.

Trivy doesn't check requirements.txt files for image mode - https://aquasecurity.github.io/trivy/v0.55/docs/coverage/language/#supported-languages

Trivy detects ansible from METADATA file:

"name": "aquasecurity:trivy:FilePath",
"value": "usr/lib/python3.10/site-packages/ansible-7.3.0.dist-info/METADATA"