bug: cyclonedx vex doesn't filter vulnerabilities with escaped characters in bomRef #6023

Closed
DmitriyLewen opened this issue Jan 31, 2024 Discussed in #6020 · 0 comments · Fixed by #6025
Labels
kind/bug Categorizes issue or PR as related to a bug.


@DmitriyLewen

Discussed in #6020

Originally posted by ademsayin-essentx January 30, 2024

Description

I want to ignore some vulnerabilities via the --vex option when scanning an SBOM with trivy.
Even though the vulnerabilities are defined in the standalone VEX file, they are still found by trivy.
I was able to reproduce it with the current ubuntu image.
It looks like when there are special characters (in this case a +) in the purl or bom-ref, the character gets URL-encoded to %2B.
However, the filter for the VEX information seems to not like this URL-encoded value.
Both vulnerabilities that are not ignored have this %2B in the purl/bom-ref.

Desired Behavior

All vulnerabilities that are defined in vex file are ignored.

Actual Behavior

Not all vulnerabilities are ignored by trivy; they are still shown in the table.

Reproduction Steps

1. Create a CycloneDX file with trivy for ubuntu (at the time of writing this created vulns with URL-encoded purls): trivy image ubuntu:latest --format cyclonedx --scanners vuln -o ubuntu.cdx
2. Save the following commands as a script (it will create a VEX file from the SBOM file, set all vulnerabilities to not_affected and correctly set the ref in affects to the SBOM file).
jq must be installed!

#!/bin/bash

# Usage: ./script.sh ubuntu.cdx
# Builds a CycloneDX VEX file next to the SBOM, marks every vulnerability
# as not_affected and points each affects.ref at the SBOM's serial number.
filename=$1
if [[ -f "${filename}" ]]; then

	vex_filename="${filename}.vex"

	# serialNumber looks like urn:uuid:<uuid>; keep only the <uuid> part
	sbom_serial=$(jq -r '.serialNumber' "${filename}")
	only_serial=${sbom_serial##*:}

	# copy the header fields and the vulnerabilities array into the VEX file
	jq '{"bomFormat":.bomFormat,"specVersion":.specVersion,"version":.version,"vulnerabilities":.vulnerabilities}' "${filename}" > "${vex_filename}.tmp" && mv "${vex_filename}.tmp" "${vex_filename}"

	# mark every vulnerability as not_affected
	jq '.vulnerabilities |= map( . + {analysis: {state: "not_affected"}})' "${vex_filename}" > "${vex_filename}.tmp" && mv "${vex_filename}.tmp" "${vex_filename}"
	# rewrite each affects.ref as urn:cdx:<serial>/1#<bom-ref> so it resolves against the SBOM
	jq '.vulnerabilities |= map( .affects |= map(.ref |= "urn:cdx:'"${only_serial}"'/1#\(.)"))' "${vex_filename}" > "${vex_filename}.tmp" && mv "${vex_filename}.tmp" "${vex_filename}"

	# rescan the SBOM, applying the generated VEX file
	trivy sbom "${filename}" --vex "${vex_filename}"
fi

3. Execute the script with the SBOM file from step 1 (ubuntu.cdx) as the first argument.
4. Check the trivy output (the script executes trivy sbom --vex at the end).
5. libstdc++6 and libzstd1 are still shown as vulnerabilities even though they are set to not_affected in the VEX file together with all the other vulnerabilities (which are ignored).

Target

SBOM

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Debug Output

2024-01-30T15:20:47.356+0100    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-01-30T15:20:47.357+0100    DEBUG   Ignore statuses {"statuses": null}
2024-01-30T15:20:47.370+0100    DEBUG   cache dir:  /home/cobolic/.cache/trivy
2024-01-30T15:20:47.370+0100    DEBUG   DB update was skipped because the local DB is the latest
2024-01-30T15:20:47.370+0100    DEBUG   DB Schema: 2, UpdatedAt: 2024-01-30 12:14:12.063422678 +0000 UTC, NextUpdate: 2024-01-30 18:14:12.063422257 +0000 UTC, DownloadedAt: 2024-01-30 13:01:55.364650861 +0000 UTC
2024-01-30T15:20:47.371+0100    INFO    Vulnerability scanning is enabled
2024-01-30T15:20:47.371+0100    DEBUG   Vulnerability type:  [os library]
2024-01-30T15:20:47.371+0100    DEBUG   Enabling misconfiguration scanners: []
2024-01-30T15:20:47.376+0100    INFO    Detected SBOM format: cyclonedx-json
2024-01-30T15:20:47.381+0100    DEBUG   Unmarshaling CycloneDX JSON...
2024-01-30T15:20:47.396+0100    INFO    Detected OS: ubuntu
2024-01-30T15:20:47.397+0100    INFO    Detecting Ubuntu vulnerabilities...
2024-01-30T15:20:47.397+0100    DEBUG   ubuntu: os version: 22.04
2024-01-30T15:20:47.397+0100    DEBUG   ubuntu: the number of packages: 101
2024-01-30T15:20:47.398+0100    INFO    Number of language-specific files: 0
2024-01-30T15:20:47.406+0100    INFO    Filtered out the detected vulnerability {"VEX format": "CycloneDX", "vulnerability-id": "CVE-2023-29383", "status": "not_affected", "justification": ""}
2024-01-30T15:20:47.406+0100    INFO    Filtered out the detected vulnerability {"VEX format": "CycloneDX", "vulnerability-id": "CVE-2016-20013", "status": "not_affected", "justification": ""}
2024-01-30T15:20:47.406+0100    INFO    Filtered out the detected vulnerability {"VEX format": "CycloneDX", "vulnerability-id": "CVE-2022-27943", "status": "not_affected", "justification": ""}
2024-01-30T15:20:47.406+0100    INFO    Filtered out the detected vulnerability {"VEX format": "CycloneDX", "vulnerability-id": "CVE-2022-27943", "status": "not_affected", "justification": ""}
2024-01-30T15:20:47.406+0100    INFO    Filtered out the detected vulnerability {"VEX format": "CycloneDX", "vulnerability-id": "CVE-2024-22365", "status": "not_affected", "justification": ""}
2024-01-30T15:20:47.406+0100    INFO    Filtered out the detected vulnerability {"VEX format": "CycloneDX", "vulnerability-id": "CVE-2024-22365", "status": "not_affected", "justification": ""}
2024-01-30T15:20:47.406+0100    INFO    Filtered out the detected vulnerability {"VEX format": "CycloneDX", "vulnerability-id": "CVE-2022-3219", "status": "not_affected", "justification": ""}
2024-01-30T15:20:47.406+0100    INFO    Filtered out the detected vulnerability {"VEX format": "CycloneDX", "vulnerability-id": "CVE-2020-22916", "status": "not_affected", "justification": ""}
2024-01-30T15:20:47.406+0100    INFO    Filtered out the detected vulnerability {"VEX format": "CycloneDX", "vulnerability-id": "CVE-2023-7008", "status": "not_affected", "justification": ""}
2024-01-30T15:20:47.406+0100    INFO    Filtered out the detected vulnerability {"VEX format": "CycloneDX", "vulnerability-id": "CVE-2023-7008", "status": "not_affected", "justification": ""}
2024-01-30T15:20:47.406+0100    INFO    Filtered out the detected vulnerability {"VEX format": "CycloneDX", "vulnerability-id": "CVE-2024-0553", "status": "not_affected", "justification": ""}
2024-01-30T15:20:47.406+0100    INFO    Filtered out the detected vulnerability {"VEX format": "CycloneDX", "vulnerability-id": "CVE-2024-0567", "status": "not_affected", "justification": ""}
2024-01-30T15:20:47.406+0100    INFO    Filtered out the detected vulnerability {"VEX format": "CycloneDX", "vulnerability-id": "CVE-2022-3715", "status": "not_affected", "justification": ""}
2024-01-30T15:20:47.406+0100    INFO    Filtered out the detected vulnerability {"VEX format": "CycloneDX", "vulnerability-id": "CVE-2016-2781", "status": "not_affected", "justification": ""}
2024-01-30T15:20:47.406+0100    INFO    Filtered out the detected vulnerability {"VEX format": "CycloneDX", "vulnerability-id": "CVE-2016-20013", "status": "not_affected", "justification": ""}
2024-01-30T15:20:47.406+0100    INFO    Filtered out the detected vulnerability {"VEX format": "CycloneDX", "vulnerability-id": "CVE-2023-6129", "status": "not_affected", "justification": ""}
2024-01-30T15:20:47.406+0100    INFO    Filtered out the detected vulnerability {"VEX format": "CycloneDX", "vulnerability-id": "CVE-2023-6237", "status": "not_affected", "justification": ""}
2024-01-30T15:20:47.406+0100    INFO    Filtered out the detected vulnerability {"VEX format": "CycloneDX", "vulnerability-id": "CVE-2024-22365", "status": "not_affected", "justification": ""}
2024-01-30T15:20:47.406+0100    INFO    Filtered out the detected vulnerability {"VEX format": "CycloneDX", "vulnerability-id": "CVE-2024-22365", "status": "not_affected", "justification": ""}
2024-01-30T15:20:47.406+0100    INFO    Filtered out the detected vulnerability {"VEX format": "CycloneDX", "vulnerability-id": "CVE-2017-11164", "status": "not_affected", "justification": ""}
2024-01-30T15:20:47.406+0100    INFO    Filtered out the detected vulnerability {"VEX format": "CycloneDX", "vulnerability-id": "CVE-2023-29383", "status": "not_affected", "justification": ""}

ubuntu.cdx (ubuntu 22.04)

Total: 2 (UNKNOWN: 0, LOW: 2, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

┌────────────┬────────────────┬──────────┬──────────┬───────────────────────┬───────────────┬────────────────────────────────────────────────────────┐
│  Library   │ Vulnerability  │ Severity │  Status  │   Installed Version   │ Fixed Version │                         Title                          │
├────────────┼────────────────┼──────────┼──────────┼───────────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ libstdc++6 │ CVE-2022-27943 │ LOW      │ affected │ 12.3.0-1ubuntu1~22.04 │               │ libiberty/rust-demangle.c in GNU GCC 11.2 allows stack │
│            │                │          │          │                       │               │ exhaustion in demangle_const                           │
│            │                │          │          │                       │               │ https://avd.aquasec.com/nvd/cve-2022-27943             │
├────────────┼────────────────┤          │          ├───────────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ libzstd1   │ CVE-2022-4899  │          │          │ 1.4.8+dfsg-3build1    │               │ zstd: mysql: buffer overrun in util.c                  │
│            │                │          │          │                       │               │ https://avd.aquasec.com/nvd/cve-2022-4899              │
└────────────┴────────────────┴──────────┴──────────┴───────────────────────┴───────────────┴────────────────────────────────────────────────────────┘

Operating System

Linux Ubuntu

Version

Version: 0.48.3
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-01-30 12:14:12.063422678 +0000 UTC
  NextUpdate: 2024-01-30 18:14:12.063422257 +0000 UTC
  DownloadedAt: 2024-01-30 13:01:55.364650861 +0000 UTC
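The mismatch the report describes, modelled in Go as an added example (not trivy's own code and not the reporter's script): VEX affects.ref values are built as urn:cdx:<serial>/1#<bom-ref> the way the jq script does, one side of the comparison percent-decodes the ref while the SBOM side keeps the literal %2B, and the refs with a + in them stop matching. The bom-refs, the serial number and the one-sided decoding are constructed assumptions chosen to reproduce the symptom, not a claim about how trivy matched refs internally; the last function is the check a practitioner would want, listing VEX statements that matched nothing instead of letting them drop silently.

```go
package main

import "net/url"

// Constructed bom-refs as a trivy-generated SBOM carries them: "+" is %2B.
var sbomRefs = []string{
	"pkg:deb/ubuntu/libstdc%2B%2B6@12.3.0-1ubuntu1~22.04?distro=ubuntu-22.04",
	"pkg:deb/ubuntu/libzstd1@1.4.8%2Bdfsg-3build1?distro=ubuntu-22.04",
	"pkg:deb/ubuntu/bash@5.1-6ubuntu1?distro=ubuntu-22.04",
}

// vexRef builds affects.ref the way the report's jq script does; the serial is a placeholder.
const serial = "00000000-0000-0000-0000-000000000000"

func vexRef(bomRef string) string { return "urn:cdx:" + serial + "/1#" + bomRef }

// bomRefFromVEXRef extracts the bom-ref from a urn:cdx reference. url.Parse
// decodes the fragment, so "%2B" comes back as "+" and a literal compare
// against the still-encoded SBOM bom-ref misses the component.
func bomRefFromVEXRef(ref string) string {
	if u, err := url.Parse(ref); err == nil {
		return u.Fragment
	}
	return "" // an unparsable ref can never match a component
}

// normalize percent-decodes a bom-ref so "%2B" and "+" compare equal; an
// undecodable ref is compared as-is rather than silently dropped.
func normalize(ref string) string {
	if d, err := url.PathUnescape(ref); err == nil {
		return d
	}
	return ref
}

// unmatchedVEXRefs lists VEX refs that match no SBOM component, literally (decode=false)
// or after decoding both sides (decode=true); any entry is a silently ignored statement.
func unmatchedVEXRefs(vexRefs []string, decode bool) []string {
	var unmatched []string
	for _, vr := range vexRefs {
		want, found := bomRefFromVEXRef(vr), false
		for _, sr := range sbomRefs {
			found = found || want == sr || (decode && normalize(want) == normalize(sr))
		}
		if !found {
			unmatched = append(unmatched, vr)
		}
	}
	return unmatched
}
```

With the literal comparison the two refs carrying %2B (libstdc++6 and libzstd1) come back unmatched, which is the pair still listed in the table above; decoding both sides before comparing leaves nothing unmatched.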


@DmitriyLewen DmitriyLewen added the kind/bug Categorizes issue or PR as related to a bug. label Jan 31, 2024
@DmitriyLewen DmitriyLewen self-assigned this Jan 31, 2024
@DmitriyLewen DmitriyLewen changed the title from "bug: cyclonedx vex doesn't filter vulnerabilities with escaped characters in purl/bomRef" to "bug: cyclonedx vex doesn't filter vulnerabilities with escaped characters in bomRef" Jan 31, 2024