
Out-of-graph OS packages are excluded when mixed with in-graph packages in SBOM #9193

@knqyf263

Description


When scanning SBOM files with Trivy, many OS packages are missing from the output. This issue occurs when both in-graph OS packages (packages directly connected to the OS component in the dependency graph) and out-of-graph OS packages (orphaned packages not connected to the OS component) are present in the SBOM. Currently, only in-graph packages are included in the final output, while out-of-graph packages are excluded.

This is a general issue that affects all operating systems and SBOM formats.

Environment

  • Trivy version: Latest main branch
  • SBOM formats: CycloneDX, SPDX (potentially affects both)
  • Test case: Amazon Linux 2023 (but affects all OS types)

Reproduction Steps

  1. Use the SBOM file from the discussion
  2. Run: trivy sbom --list-all-pkgs --format json 9006.json
  3. Count packages: jq '.Results[0].Packages | length'

Expected Behavior

Based on the original SBOM components:

jq '[.components[] | select(.type == "library")] | length' 9006.json
# Returns: 194

Both in-graph and out-of-graph OS packages should be included in the final output.

Actual Behavior

Current Trivy output:

./trivy sbom --list-all-pkgs --format json 9006.json | jq '.Results[0].Packages | length'
# Returns: 27

Only in-graph OS packages are included, while out-of-graph packages are excluded.

Root Cause

The issue occurs in the addOrphanPkgs function in pkg/sbom/io/decode.go. When both in-graph and out-of-graph OS packages exist:

  1. In-graph packages are processed first and added to a PackageInfo entry
  2. Out-of-graph packages are processed separately and put in a new PackageInfo entry instead of being merged with existing ones
  3. Only the first PackageInfo entry is retained in the final output
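To make the three steps above concrete, here is an added example (not Trivy's own code) that models the orphan-merging logic with simplified stand-in types; the type names, the helper functions and the sample package lists are assumptions constructed for this illustration, not definitions from pkg/sbom/io/decode.go:

```go
package main

import "fmt"

// Package and PackageInfo are simplified stand-ins for the types used in
// pkg/sbom/io/decode.go (constructed for this example, not Trivy's own).
type Package struct{ Name, Version string }
type PackageInfo struct{ Packages []Package }

// addOrphansBuggy reproduces the behaviour the issue describes: orphan
// (out-of-graph) OS packages go into a second PackageInfo entry instead of
// the entry that already holds the in-graph packages.
func addOrphansBuggy(infos []PackageInfo, orphans []Package) []PackageInfo {
	return append(infos, PackageInfo{Packages: orphans})
}

// addOrphansFixed merges orphans into the existing OS entry when there is
// one, so a later "keep only the first entry" step still sees every package.
func addOrphansFixed(infos []PackageInfo, orphans []Package) []PackageInfo {
	if len(infos) == 0 {
		return []PackageInfo{{Packages: orphans}}
	}
	infos[0].Packages = append(infos[0].Packages, orphans...)
	return infos
}

// retainedCount models the downstream step that keeps only infos[0],
// which is where the packages from the second entry get dropped.
func retainedCount(infos []PackageInfo) int {
	if len(infos) == 0 {
		return 0
	}
	return len(infos[0].Packages)
}

// sampleInputs returns constructed data: two in-graph packages and three
// orphans, a miniature of the 27-vs-194 gap reported in the issue.
func sampleInputs() ([]PackageInfo, []Package) {
	inGraph := []Package{{"bash", "5.2"}, {"glibc", "2.34"}}
	orphans := []Package{{"curl", "8.5"}, {"zlib", "1.2"}, {"openssl", "3.0"}}
	return []PackageInfo{{Packages: inGraph}}, orphans
}

func main() {
	infos, orphans := sampleInputs()
	fmt.Println("buggy:", retainedCount(addOrphansBuggy(infos, orphans))) // 2
	infos, orphans = sampleInputs()
	fmt.Println("fixed:", retainedCount(addOrphansFixed(infos, orphans))) // 5
}
```

The buggy path yields two retained packages (the orphans are in the discarded second entry), the merged path yields all five, which is the same shape of loss as 27 retained out of 194 components.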

Impact

  • Missing OS packages mean vulnerability scanning may miss security issues in those packages
  • Affects all OS types (Alpine, Debian, Ubuntu, RHEL, etc.) when scanning SBOM files
  • Potentially affects both CycloneDX and SPDX formats
  • Reduces accuracy of security scanning results

Related Discussion

This issue is based on the discussion: #9006

Labels: kind/bug (Categorizes issue or PR as related to a bug), scan/sbom (Issues relating to SBOM)