k8s KBOM is not generating proper PURL as versions are missing

[dsever]

Description

We are running trivy to generate KBOM and use it for offline scanning

Commnda: /usr/bin/trivy k8s minikube --format cyclonedx --disable-node-collector

But generated KBOM is not reflecting installed versions of the installed components (e.g. api, schedulers, proxy...) only for items installed a packages like kubelet

Desired Behavior

KBOM should include artifact versions as well, most likely SHA in case of containers.

Actual Behavior

Versions are missing for system components that we run as containers

Reproduction Steps

1.Use minikube 
2.run command  trivy k8s minikube --format cyclonedx --disable-node-collector  
3. observe output
...

Target

Kubernetes

Scanner

None

Output Format

CycloneDX

Mode

Standalone

Debug Output

/usr/bin/trivy k8s minikube --format cyclonedx --disable-node-collector  --debug
2025-02-04T12:00:30+01:00	DEBUG	No plugins loaded
2025-02-04T12:00:30+01:00	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2025-02-04T12:00:30+01:00	DEBUG	Cache dir	dir="/home/dsever/.cache/trivy"
2025-02-04T12:00:30+01:00	DEBUG	Cache dir	dir="/home/dsever/.cache/trivy"
2025-02-04T12:00:30+01:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-02-04T12:00:30+01:00	DEBUG	Ignore statuses	statuses=[]
2025-02-04T12:00:30+01:00	INFO	"--format cyclonedx" disables security scanning. Specify "--scanners vuln" explicitly if you want to include vulnerabilities in the "cyclonedx" report.
2025-02-04T12:00:30+01:00	INFO	Scanning K8s...	K8s="minikube"
{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:1ba17950-5a42-4928-b3d7-d383a38dd2c5",
  "version": 1,
  "metadata": {
    "timestamp": "2025-02-04T11:00:30+00:00",
    "tools": {
      "components": [
        {
          "type": "application",
          "group": "aquasecurity",
          "name": "trivy",
          "version": "0.59.0"
        }
      ]
    },
    "component": {
      "bom-ref": "pkg:k8s/k8s.io%[email protected]",
      "type": "platform",
      "name": "k8s.io/kubernetes",
      "version": "v1.24.1",
      "purl": "pkg:k8s/k8s.io%[email protected]",
      "properties": [
        {
          "name": "aquasecurity:trivy:resource:Name",
          "value": "minikube"
        },
        {
          "name": "aquasecurity:trivy:resource:Type",
          "value": "cluster"
        }
      ]
    }
  },
  "components": [
    {
      "bom-ref": "02d8720d-0de5-4845-90ae-dcbadb745bc4",
      "type": "operating-system",
      "name": "ubuntu",
      "version": "20.04.4",
      "properties": [
        {
          "name": "aquasecurity:trivy:Class",
          "value": "os-pkgs"
        },
        {
          "name": "aquasecurity:trivy:Type",
          "value": "ubuntu"
        }
      ]
    },
    {
      "bom-ref": "320f17fa-3bbb-498a-82d2-0a1e96c3d08b",
      "type": "application",
      "name": "go.etcd.io/etcd/v3",
      "purl": "pkg:k8s/go.etcd.io%2Fetcd%2Fv3",
      "properties": [
        {
          "name": "aquasecurity:trivy:resource:Name",
          "value": "nginx"
        },
        {
          "name": "aquasecurity:trivy:resource:Type",
          "value": "controlPlane"
        }
      ]
    },
    {
      "bom-ref": "8b43eb6c-bb77-4c90-89a6-60d43b2fd95c",
      "type": "application",
      "name": "node-core-components",
      "properties": []
    },
    {
      "bom-ref": "c26332ed-6f68-4e87-859d-baa9dd7b7ef0",
      "type": "platform",
      "name": "minikube",
      "properties": [
        {
          "name": "aquasecurity:trivy:Architecture",
          "value": "amd64"
        },
        {
          "name": "aquasecurity:trivy:HostName",
          "value": "minikube"
        },
        {
          "name": "aquasecurity:trivy:KernelVersion",
          "value": "5.15.0-84-generic"
        },
        {
          "name": "aquasecurity:trivy:NodeRole",
          "value": "master"
        },
        {
          "name": "aquasecurity:trivy:OperatingSystem",
          "value": "linux"
        },
        {
          "name": "aquasecurity:trivy:resource:Name",
          "value": "minikube"
        },
        {
          "name": "aquasecurity:trivy:resource:Type",
          "value": "node"
        }
      ]
    },
    {
      "bom-ref": "e71d800b-df70-4637-b1be-a1928f867051",
      "type": "application",
      "name": "go.etcd.io/etcd/v3",
      "purl": "pkg:k8s/go.etcd.io%2Fetcd%2Fv3",
      "properties": [
        {
          "name": "aquasecurity:trivy:resource:Name",
          "value": "etcd-minikube"
        },
        {
          "name": "aquasecurity:trivy:resource:Type",
          "value": "controlPlane"
        }
      ]
    },
    {
      "bom-ref": "pkg:golang/docker%3A%2F%[email protected]",
      "type": "application",
      "name": "docker://20.10.17",
      "version": "v20.10.17",
      "purl": "pkg:golang/docker%3A%2F%[email protected]",
      "properties": [
        {
          "name": "aquasecurity:trivy:resource:Name",
          "value": "docker://20.10.17"
        },
        {
          "name": "aquasecurity:trivy:resource:Type",
          "value": "node"
        }
      ]
    },
    {
      "bom-ref": "pkg:k8s/k8s.io%2Fapiserver",
      "type": "application",
      "name": "k8s.io/apiserver",
      "purl": "pkg:k8s/k8s.io%2Fapiserver",
      "properties": [
        {
          "name": "aquasecurity:trivy:resource:Name",
          "value": "kube-apiserver-minikube"
        },
        {
          "name": "aquasecurity:trivy:resource:Type",
          "value": "controlPlane"
        }
      ]
    },
    {
      "bom-ref": "pkg:k8s/k8s.io%2Fcontroller-manager",
      "type": "application",
      "name": "k8s.io/controller-manager",
      "purl": "pkg:k8s/k8s.io%2Fcontroller-manager",
      "properties": [
        {
          "name": "aquasecurity:trivy:resource:Name",
          "value": "kube-controller-manager-minikube"
        },
        {
          "name": "aquasecurity:trivy:resource:Type",
          "value": "controlPlane"
        }
      ]
    },
    {
      "bom-ref": "pkg:k8s/k8s.io%2Fkube-proxy",
      "type": "application",
      "name": "k8s.io/kube-proxy",
      "purl": "pkg:k8s/k8s.io%2Fkube-proxy",
      "properties": [
        {
          "name": "aquasecurity:trivy:resource:Name",
          "value": "kube-proxy-clwj5"
        },
        {
          "name": "aquasecurity:trivy:resource:Type",
          "value": "node"
        }
      ]
    },
    {
      "bom-ref": "pkg:k8s/k8s.io%2Fkube-scheduler",
      "type": "application",
      "name": "k8s.io/kube-scheduler",
      "purl": "pkg:k8s/k8s.io%2Fkube-scheduler",
      "properties": [
        {
          "name": "aquasecurity:trivy:resource:Name",
          "value": "kube-scheduler-minikube"
        },
        {
          "name": "aquasecurity:trivy:resource:Type",
          "value": "controlPlane"
        }
      ]
    },
    {
      "bom-ref": "pkg:k8s/k8s.io%[email protected]",
      "type": "application",
      "name": "k8s.io/kubelet",
      "version": "v1.24.1",
      "purl": "pkg:k8s/k8s.io%[email protected]",
      "properties": [
        {
          "name": "aquasecurity:trivy:resource:Name",
          "value": "k8s.io/kubelet"
        },
        {
          "name": "aquasecurity:trivy:resource:Type",
          "value": "node"
        }
      ]
    },
    {
      "bom-ref": "pkg:k8s/kube-dns",
      "type": "application",
      "name": "kube-dns",
      "purl": "pkg:k8s/kube-dns",
      "properties": [
        {
          "name": "aquasecurity:trivy:resource:Name",
          "value": "coredns-6d4b75cb6d-5tddm"
        }
      ]
    },
    {
      "bom-ref": "pkg:k8s/some-ntwork-component",
      "type": "application",
      "name": "some-ntwork-component",
      "purl": "pkg:k8s/some-ntwork-component",
      "properties": [
        {
          "name": "aquasecurity:trivy:resource:Name",
          "value": "nginx2"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "8b43eb6c-bb77-4c90-89a6-60d43b2fd95c",
      "dependsOn": [
        "pkg:golang/docker%3A%2F%[email protected]",
        "pkg:k8s/k8s.io%[email protected]"
      ]
    },
    {
      "ref": "c26332ed-6f68-4e87-859d-baa9dd7b7ef0",
      "dependsOn": [
        "02d8720d-0de5-4845-90ae-dcbadb745bc4",
        "8b43eb6c-bb77-4c90-89a6-60d43b2fd95c"
      ]
    },
    {
      "ref": "pkg:k8s/k8s.io%[email protected]",
      "dependsOn": [
        "320f17fa-3bbb-498a-82d2-0a1e96c3d08b",
        "c26332ed-6f68-4e87-859d-baa9dd7b7ef0",
        "e71d800b-df70-4637-b1be-a1928f867051",
        "pkg:k8s/k8s.io%2Fapiserver",
        "pkg:k8s/k8s.io%2Fcontroller-manager",
        "pkg:k8s/k8s.io%2Fkube-proxy",
        "pkg:k8s/k8s.io%2Fkube-scheduler",
        "pkg:k8s/kube-dns",
        "pkg:k8s/some-ntwork-component"
      ]
    }
  ],
  "vulnerabilities": []
}

Operating System

Ubuntu 22.04

Version

Version: 0.59.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-02-04 06:16:43.235689839 +0000 UTC
  NextUpdate: 2025-02-05 06:16:43.235689588 +0000 UTC
  DownloadedAt: 2025-02-04 08:20:28.124042591 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2025-01-06 05:07:52.693128372 +0000 UTC
  NextUpdate: 2025-01-09 05:07:52.693128061 +0000 UTC
  DownloadedAt: 2025-01-07 09:51:54.020976589 +0000 UTC
Check Bundle:
  Digest: sha256:8c65dc8da180c175514774007559f6e468b6adc414fc0cb8409c9d14a558d957
  DownloadedAt: 2025-02-04 10:16:53.2011581 +0000 UTC

Checklist

• Run trivy clean --all
• Read the troubleshooting

[afdesk]

@dsever thanks for the report!
I'll check it
but I suspect, there is an issue in minikube, because I can see a version for kind:

   {
      "bom-ref": "pkg:k8s/go.etcd.io%2Fetcd%[email protected]",
      "type": "application",
      "name": "go.etcd.io/etcd/v3",
      "version": "v3.5.15-0",
      "purl": "pkg:k8s/go.etcd.io%2Fetcd%[email protected]",
      "properties": [
        {
          "name": "aquasecurity:trivy:resource:Name",
          "value": "etcd-kind-control-plane"
        },
        {
          "name": "aquasecurity:trivy:resource:Type",
          "value": "controlPlane"
        }
      ]
    },

[dsever]

Tried but failed to understand from the code, how trivy is extracting the versions.

I can confirm it works on Kind on my side as well, but have multiple clusters on ubuntu with the same results as on minikube

e.g.

{
      "bom-ref": "16bd7115-a6bb-4d22-81f9-9497c1b954da",
      "type": "application",
      "name": "k8s.io/kube-proxy",
      "purl": "pkg:k8s/k8s.io%2Fkube-proxy",
      "properties": [
        {
          "name": "aquasecurity:trivy:resource:Name",
          "value": "kube-proxy-d29qw"
        },
        {
          "name": "aquasecurity:trivy:resource:Type",
          "value": "node"
        }
      ]
    },

[afdesk]

there is a bit strange if statement:
https://github.com/aquasecurity/trivy-kubernetes/blob/812ea842831c9f92184993d3810c9d28695e4de1/pkg/k8s/k8s.go#L581-L585

it's a reason to skip getting versions, because hex contains sha256: prefix (ex: sha256:470179274deb9dc3a81df55cfc24823ce153147d4ebf2ed649a4f271f51eaddf).
I need to investigate aquasecurity/trivy-kubernetes#320, and will create a new issue for it.

@dsever thanks!

[dsever]

It make sense as e.g status for minikube:

containerStatuses:
  - containerID: docker://46048186d2e5e7d616d3c7c1d2928727c448303383449956f12bef2d99e27fa7
    image: k8s.gcr.io/etcd:3.5.3-0
    imageID: docker-pullable://k8s.gcr.io/etcd@sha256:13f53ed1d91e2e11aac476ee9a0269fdda6cc4874eba903efd40daf50c55eee5
    lastState:
      terminated:
        containerID: docker://562dfe435709d4cd4e617859ffcff6a71134cd8854497b2adc16ce85c1c94fcd
        exitCode: 0
        finishedAt: "2025-01-22T18:04:39Z"
        reason: Completed
        startedAt: "2025-01-14T15:00:40Z"

then kind:

containerStatuses:
  - containerID: containerd://b26e70369ef601775bf30a75be4caa2eeeecc1354f02cceea92da2871512ebdb
    image: registry.k8s.io/etcd:3.5.7-0
    imageID: sha256:86b6af7dd652c1b38118be1c338e9354b33469e69a218f7e290a0ca5304ad681
    lastState: {}
    name: etcd
    ready: true
    restartCount: 0
    started: true
    state:
      running:

Basically in minikube case there is imageID but is not properly consumable by code https://github.com/aquasecurity/trivy-kubernetes/blob/812ea842831c9f92184993d3810c9d28695e4de1/pkg/k8s/k8s.go#L908 as it will return junk