Potential hash collision when package hash calculation fails in pkg/dependency/id.go. SAST

[Babaijan]

Description

Description

I've noticed a potential issue in the UID function in pkg/dependency/id.go where hash calculation errors may lead to hash collisions.

Current Behavior

When hashstructure.Hash() fails, the function:

1. Logs a warning: "Failed to calculate the package hash"
2. Continues execution
3. Returns strconv.FormatUint(hash, 16) where hash = 0 (zero value)

trivy/pkg/dependency/id.go

Lines 40 to 56 in f64e0da

	func UID(filePath string, pkg types.Package) string {
	if pkg.Identifier.UID != "" {
	return pkg.Identifier.UID
	}
	v := map[string]any{
	"filePath": filePath, // To differentiate the hash of the same package but different file path
	"pkg": pkg,
	}
	hash, err := hashstructure.Hash(v, hashstructure.FormatV2, &hashstructure.HashOptions{
	ZeroNil: true,
	IgnoreZeroValue: true,
	})
	if err != nil {
	log.Warn("Failed to calculate the package hash", log.String("pkg", pkg.Name), log.Err(err))
	}
	return strconv.FormatUint(hash, 16)
	}

Questions

I'm trying to understand if this behavior could actually lead to problems:

If hashstructure.Hash() fails for multiple different packages, they would all get the same UID "0", which could cause:

• Hash collisions in dependency graphs
• Incorrect vulnerability matching

Is this deliberate design for fault tolerance, or is it something that should be revisited to prevent possible hash collisions?

Found by Linux Verification Center with SVACE

Target

None

Scanner

None