CycloneDX output can contain duplicate dependsOn items scanning Alpine images using option --removed-pkgs

[rutger-gerritsen]

Description

Currently, the CycloneDX output generated by Trivy can contain duplicate dependsOn items scanning Alpine images using option --removed-pkgs. Which causes validation against the JSON schema to fail.

Only Trivy v0.53.0 and higher has this issue. With Trivy v0.52.2 it works fine.

Desired Behavior

CycloneDX BOMs generated by Trivy should not fail schema validation. dependsOn should not contain duplicate items.

Actual Behavior

CycloneDX BOMs generated by Trivy fail schema validation.

Reproduction Steps

1. Generate a CycloneDX BOM for `node:22.11-alpine`: `trivy image -f cyclonedx --output node_22.11.cdx.json node:22.11-alpine --removed-pkgs --debug`
2. Validate the generated BOM against the [CycloneDX v1.6 JSON schema](https://raw.githubusercontent.com/CycloneDX/specification/master/schema/bom-1.6.schema.json)
   * Using the CycloneDX CLI: `cyclonedx validate --input-file node_22.11.cdx.json`
   * Or manually using https://www.jsonschemavalidator.net/
3. Observe schema validation errors due to duplicate items in `dependsOn`

Target

Container Image

Scanner

None

Output Format

CycloneDX

Mode

Standalone

Debug Output

trivy image -f cyclonedx --output node_22.11.cdx.json node:22.11-alpine --removed-pkgs --debug
2024-11-06T11:24:07+01:00       DEBUG   No plugins loaded
2024-11-06T11:24:07+01:00       DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2024-11-06T11:24:07+01:00       DEBUG   Cache dir       dir="C:\\trivy"
2024-11-06T11:24:07+01:00       DEBUG   Cache dir       dir="C:\\trivy"
2024-11-06T11:24:07+01:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-11-06T11:24:07+01:00       DEBUG   Ignore statuses statuses=[]
2024-11-06T11:24:07+01:00       INFO    "--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the "cyclonedx" report.
2024-11-06T11:24:07+01:00       DEBUG   [pkg] Package types     types=[os library]
2024-11-06T11:24:07+01:00       DEBUG   [pkg] Package relationships     relationships=[unknown root direct indirect]
2024-11-06T11:24:07+01:00       DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-11-06T11:24:07+01:00       DEBUG   Initializing scan cache...      type="fs"
2024-11-06T11:24:08+01:00       DEBUG   [image] Detected image ID       image_id="sha256:8847cc4ac5ca55b993ebcc0cd7b994c5e083a606eef81cf4cdb4126169c1d2c7"
2024-11-06T11:24:08+01:00       DEBUG   [image] Detected diff ID        diff_ids=[sha256:63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85 sha256:a23f1d561d7a84ab20cc0adbb153ecd5ca05aec28618e0dfeb12a123b35497c3 sha256:b4e26c98a796a83a69e5d0019a64ca587f32d80249dd3effd40f68a70d9b24d8 sha256:efddf95d04af513dfe66aea04da1d5dc4243951cda0fa54788f5ba0423d980c1]
2024-11-06T11:24:08+01:00       DEBUG   [image] Detected base layers    diff_ids=[sha256:63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85]
2024-11-06T11:24:08+01:00       DEBUG   [image] Missing image ID in cache       image_id="sha256:8847cc4ac5ca55b993ebcc0cd7b994c5e083a606eef81cf4cdb4126169c1d2c7"
2024-11-06T11:24:08+01:00       DEBUG   [image] Missing diff ID in cache        diff_id="sha256:63ca1fbb43ae5034640e5e6cb3e083e05c290072c5366fcaa9d62435a4cced85"
2024-11-06T11:24:08+01:00       DEBUG   [image] Missing diff ID in cache        diff_id="sha256:a23f1d561d7a84ab20cc0adbb153ecd5ca05aec28618e0dfeb12a123b35497c3"
2024-11-06T11:24:08+01:00       DEBUG   [image] Missing diff ID in cache        diff_id="sha256:b4e26c98a796a83a69e5d0019a64ca587f32d80249dd3effd40f68a70d9b24d8"
2024-11-06T11:24:08+01:00       DEBUG   [image] Missing diff ID in cache        diff_id="sha256:efddf95d04af513dfe66aea04da1d5dc4243951cda0fa54788f5ba0423d980c1"
2024-11-06T11:24:17+01:00       DEBUG   No secrets found in container image config
2024-11-06T11:24:17+01:00       INFO    Detected OS     family="alpine" version="3.20.3"
2024-11-06T11:24:17+01:00       INFO    Number of language-specific files       num=1
2024-11-06T11:24:17+01:00       DEBUG   [vex] VEX filtering is disabled

Operating System

Windows 11

Version

Version: 0.57.0

Checklist

• Run trivy clean --all
• Read the troubleshooting

[DmitriyLewen]

Hello @rutger-gerritsen
Thanks for your report!

Created #7886 for this issue.

Regards, Dmitriy