Inconsistent cyclonedx SBOM results

[doronguttman]

Description

In some cases we get inconsistent cyclonedx results (running the same trivy command on the same package-lock.json file multiple times generates different versions of packages in a cyclonedx file). We were able to create a minimal package.json and package-lock.json to create this (see attached)
package.json
package-lock.json

also attached below are results of running the following command multiple times in the directory of the package-lock.json:

trivy fs --include-dev-deps --format cyclonedx --scanners vuln  --output "cyclonedx.{num}.json" .

cyclonedx.1.json
cyclonedx.2.json

(ignore the changes in the positions, timestamps and ref UUIDs, you can see a difference in the dependency versions of the pkg:npm/%40aws-crypto/[email protected] package:

{
  "ref": "pkg:npm/%40aws-crypto/[email protected]",
  "dependsOn": [
    "pkg:npm/%40aws-sdk/[email protected]",
    "pkg:npm/%40aws-sdk/[email protected]",
    "pkg:npm/[email protected]"
  ]
}

vs.

{
  "ref": "pkg:npm/%40aws-crypto/[email protected]",
  "dependsOn": [
    "pkg:npm/%40aws-sdk/[email protected]",
    "pkg:npm/%40aws-sdk/[email protected]",
    "pkg:npm/[email protected]"
  ]
}

Desired Behavior

the end result should be deterministic and produce the same results in each execution

Actual Behavior

produces different results in each execution with no apparent logic

Reproduction Steps

1. copy the provided package-lock.json file to an empty directory
2. execute: trivy fs --include-dev-deps --format cyclonedx --scanners vuln  --output "cyclonedx.{REPLACE_WITH_NUMBER}.json" .
3. repeat execution multiple times
4. compare the output file and see differences in versions

Target

Filesystem

Scanner

Vulnerability

Output Format

CycloneDX

Mode

Standalone

Debug Output

$ trivy fs --include-dev-deps --format cyclonedx --scanners vuln  --debug --output "cyclonedx.{REPLACE_WITH_NUMBER}.json" .
2025-04-24T16:24:05-04:00       DEBUG   No plugins loaded
2025-04-24T16:24:05-04:00       DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2025-04-24T16:24:05-04:00       DEBUG   Cache dir       dir="/home/user/.cache/trivy"
2025-04-24T16:24:05-04:00       DEBUG   Cache dir       dir="/home/user/.cache/trivy"
2025-04-24T16:24:05-04:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-04-24T16:24:05-04:00       DEBUG   Ignore statuses statuses=[]
2025-04-24T16:24:05-04:00       DEBUG   DB update was skipped because the local DB is the latest
2025-04-24T16:24:05-04:00       DEBUG   DB info schema=2 updated_at=2025-04-24T18:18:36.235047737Z next_update=2025-04-25T18:18:36.235047397Z downloaded_at=2025-04-24T20:23:23.945524971Z
2025-04-24T16:24:05-04:00       DEBUG   [pkg] Package types     types=[os library]
2025-04-24T16:24:05-04:00       DEBUG   [pkg] Package relationships     relationships=[unknown root direct indirect]
2025-04-24T16:24:05-04:00       INFO    [vuln] Vulnerability scanning is enabled
2025-04-24T16:24:05-04:00       DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2025-04-24T16:24:05-04:00       DEBUG   Initializing scan cache...      type="memory"
2025-04-24T16:24:05-04:00       INFO    [npm] To collect the license information of packages, "npm install" needs to be performed beforehand      dir="node_modules"
2025-04-24T16:24:05-04:00       DEBUG   OS is not detected.
2025-04-24T16:24:05-04:00       DEBUG   Detected OS: unknown
2025-04-24T16:24:05-04:00       INFO    Number of language-specific files       num=1
2025-04-24T16:24:05-04:00       INFO    [npm] Detecting vulnerabilities...
2025-04-24T16:24:05-04:00       DEBUG   [npm] Scanning packages for vulnerabilities     file_path="package-lock.json"
2025-04-24T16:24:05-04:00       DEBUG   [vex] VEX filtering is disabled

Operating System

Ubuntu 24.04.1 LTS

Version

Version: 0.56.2
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-04-24 18:18:36.235047737 +0000 UTC
  NextUpdate: 2025-04-25 18:18:36.235047397 +0000 UTC
  DownloadedAt: 2025-04-24 20:23:23.945524971 +0000 UTC

Checklist

• Run trivy clean --all
• Read the troubleshooting

[knqyf263]

Thank you for the detailed report. Thanks to the package.json you shared to help reproduce the issue, we were able to identify the problem.

We assumed that a given package@version would have the same dependencies within the same project. Unfortunately, that doesn't seem to be the case. Please take a look at the following:

$ npm ls --all --json | jq '.dependencies["aws-amplify"].dependencies["@aws-amplify/interactions"].dependencies["@aws-sdk/client-lex-runtime-v2"].dependencies["@aws-sdk/eventstream-handler-node"].dependencies["@aws-sdk/eventstream-codec"].dependencies["@aws-crypto/crc32"].dependencies["@aws-crypto/util"]'
{
  "version": "2.0.2",
  "resolved": "https://registry.npmjs.org/@aws-crypto/util/-/util-2.0.2.tgz",
  "overridden": false,
  "dependencies": {
    "@aws-sdk/types": {
      "version": "3.775.0"
    },
    "@aws-sdk/util-utf8-browser": {
      "version": "3.6.1"
    },
    "tslib": {
      "version": "1.14.1"
    }
  }
}

$ npm ls --all --json | jq '.dependencies["aws-amplify"].dependencies["@aws-amplify/geo"].dependencies["@aws-sdk/client-location"].dependencies["@aws-crypto/sha256-browser"].dependencies["@aws-crypto/util"]'
{
  "version": "2.0.2",
  "resolved": "https://registry.npmjs.org/@aws-crypto/util/-/util-2.0.2.tgz",
  "overridden": false,
  "dependencies": {
    "@aws-sdk/types": {
      "version": "3.186.0"
    },
    "@aws-sdk/util-utf8-browser": {
      "version": "3.186.0"
    },
    "tslib": {
      "version": "1.14.1",
      "resolved": "https://registry.npmjs.org/tslib/-/tslib-1.14.1.tgz",
      "overridden": false
    }
  }
}

Even though they are both @aws-crypto/[email protected], the versions of their dependencies differ, @aws-sdk/[email protected] and @aws-sdk/[email protected]. Therefore, they need to be treated as separate packages.

You can also see different graphs under @aws-crypto/[email protected].

$ npm ls --all
  │ │ │ ├─┬ @aws-crypto/[email protected]
  │ │ │ │ ├── @aws-sdk/[email protected] deduped
  │ │ │ │ ├── @aws-sdk/[email protected] deduped
  │ │ │ │ └── [email protected]

...

  │ │ │ │ ├─┬ @aws-crypto/[email protected]
  │ │ │ │ │ ├─┬ @aws-crypto/[email protected]
  │ │ │ │ │ │ ├── @aws-sdk/[email protected] deduped
  │ │ │ │ │ │ ├── @aws-sdk/[email protected] deduped
  │ │ │ │ │ │ └── [email protected] deduped

Currently, Trivy treats these as duplicates and excludes them, so which one gets picked determines the result—and it isn’t deterministic.

[knqyf263]

Tracking #8776