GitHub Dependency Graph fails on gobinary

[MPV]

Description

invalid package url: in manifest \"gobinary\" decoding \"pkg:/\": type is missing

…when trying to do this (on an image):

• https://github.com/aquasecurity/trivy-action#using-trivy-to-generate-sbom

Desired Behavior

Dependency Graph uploaded, containing dependencies from the image.

Actual Behavior

[…]
Running trivy with options: trivy image  --format github --vuln-type  os,library --severity  UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL --output  dependency-results.sbom.json  my-image:bf749f578bf01266a531bea9116ca69791d84aaf
[…]
Uploading GitHub Dependency Snapshot{
  "message": "invalid package url: in manifest \"gobinary\" decoding \"pkg:/\": type is missing",
  "documentation_url": "https://docs.github.com/rest/dependency-graph/dependency-submission#create-a-snapshot-of-dependencies-for-a-repository"
}

Reproduction Steps

Using GitHub Actions:

      - name: Scan image with Trivy, submit results to GitHub Dependency Graph
        uses: aquasecurity/trivy-action@b77b85c0254bba6789e787844f0585cde1e56320 # 0.13.0
        with:
          scan-type: 'image'
          format: 'github'
          output: 'dependency-results.sbom.json'
          image-ref: "${{ env.IMAGE }}:${{ github.sha }}"
          github-pat: ${{ secrets.GITHUB_TOKEN }}

      - name: cat dependency-results.sbom.json
        run: |
          cat "dependency-results.sbom.json"

…on an image based on ibm-semeru-runtimes:open-11-jdk-focal@sha256:735b94b802d2d9b13f9a8991e02f21b0f4810796e833fcd8a8726887c0216678 but added some more files, most interesting probably vault (being a Golang binary). 🤷‍♂️

Target

Container Image

Scanner

None

Output Format

None

Mode

None

Debug Output

N/A

Operating System

Ubuntu-latest in GHA

Version

aquasecurity/trivy-action@b77b85c0254bba6789e787844f0585cde1e56320

Checklist

• Run trivy image --reset
• Read the troubleshooting

[knqyf263]

Duplicated
#5449

[MPV]

Could this be reopened? See my separate message on the problem (which is still broken after the fix you mention).

[MPV]

Using the newest version of trivy(-action), I am now instead getting:

"message": "invalid package url: in manifest \"gobinary\" decoding \"\": scheme is missing",

[MPV]

Here's one of the two examples I see in my SBOM that matches gobinary:

[...]
    "usr/local/bin/vault": {
      "name": "gobinary",
      "file": {
        "source_location": "usr/local/bin/vault"
      },
      "resolved": {
        "./api": {
          "relationship": "direct",
          "scope": "runtime"
        },
        "./api/auth/kubernetes": {
          "relationship": "direct",
          "scope": "runtime"
        },
        "./sdk": {
          "relationship": "direct",
          "scope": "runtime"
        },
        "cloud.google.com/go": {
          "package_url": "pkg:golang/cloud.google.com/go@v0.110.4",
          "relationship": "direct",
          "scope": "runtime"
        },
[...]

[pnag90]

I see the same issue in my case.
The use case is similar, generating the github report format with a docker image.

[pnag90]

Analyzing the file I could find that for one dependency, is missing the package_url field entirely, which causes GitHub's dependency submission API to fail with the error: invalid package url: in manifest \"gobinary\" decoding \"\": scheme is missing.
The entry looks like this:

"./internal/third_party/selinux": {
  "relationship": "direct",
  "scope": "runtime"
}

So this entry should have a valid package_url, something like: "pkg:golang/github.com/opencontainers/runc/internal/third_party/selinux@<version>".
This appears to be an internal/vendored package that Trivy couldn't properly convert to a valid package URL format.