Description

Hi, as discussed here #6288 (reply in thread), I am opening this idea.

The use case is the following:

The same problem exists with other native build ecosystems like C, where I am not able to somehow attach a dependency list the way it is done with a Go build.
Then I have a Docker image with dependencies from docker-build.
Now I have two possible SBOMs that might be attached to the OCI image:

1. SBOM of the GraalVM build
2. SBOM from scanning the Docker image

When I attach both SBOMs to the OCI image, Trivy currently takes the first one.
I believe that in this case, both SBOMs should be considered for the vulnerability scan.
In the generated result, there should be information about which dependency the detected vulnerability (or license violation) comes from: whether it comes from the GraalVM SBOM, from the image SBOM, or from both.
What do you think?
Thx
Ivos

Note 1: There should not be a limitation on how many SBOMs could be attached to an OCI image.
Note 2: A workaround might be to merge the SBOMs into one (using some CLI tool) and upload/replace the current SBOM in the OCI registry.
Note 3: GraalVM currently, in the Enterprise edition, somehow supports SBOM metadata attached to the binary, but I would not rely on it. See https://www.graalvm.org/latest/reference-manual/native-image/guides/use-sbom-support/
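The workaround in Note 2 and the provenance requirement in the post (knowing whether a finding comes from the GraalVM SBOM, the image SBOM, or both) can be handled together by merging the attached SBOMs into one document that records, per component, every source SBOM that listed it. The script below is an added example and is not Trivy's code. It assumes the attached SBOMs are CycloneDX JSON documents with a `components` list whose entries carry a `purl`, and it stores the origin in a CycloneDX `properties` entry under the hypothetical key `example:sbom-source`; both sample SBOMs are constructed for the demonstration.

```python
"""Merge several SBOMs attached to one OCI image into a single CycloneDX
document while recording which source SBOM each component came from.

Added example, not Trivy's code. Assumptions: inputs are CycloneDX JSON
documents whose "components" entries carry a "purl"; the origin SBOM is kept
in a CycloneDX "properties" entry under the hypothetical key
"example:sbom-source". Both sample SBOMs below are constructed.
"""
import json
from typing import Dict, List

SOURCE_PROPERTY = "example:sbom-source"  # hypothetical property name

# Constructed sample: SBOM produced by the GraalVM native-image build.
GRAALVM_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "jackson-databind", "version": "2.15.2",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"},
        {"type": "library", "name": "netty-codec", "version": "4.1.100.Final",
         "purl": "pkg:maven/io.netty/netty-codec@4.1.100.Final"},
    ],
}

# Constructed sample: SBOM produced by scanning the Docker image (OS packages).
IMAGE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.11-r0",
         "purl": "pkg:apk/alpine/openssl@3.0.11-r0"},
        {"type": "library", "name": "libstdc++", "version": "12.2.1_git20220924-r10",
         "purl": "pkg:apk/alpine/libstdc%2B%2B@12.2.1_git20220924-r10"},
        # The same artifact is also visible to the image scanner (a jar left in a layer).
        {"type": "library", "name": "jackson-databind", "version": "2.15.2",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"},
    ],
}


def merge_sboms(sources: Dict[str, dict]) -> dict:
    """Return one CycloneDX document containing the union of all components.

    Components are identified by purl. A component present in several SBOMs
    is kept once, and every source that listed it is recorded in its
    "properties" so a finding can later be attributed to its origin SBOM(s).
    """
    merged: Dict[str, dict] = {}  # dedupe key -> component
    for source_name, sbom in sources.items():
        if sbom.get("bomFormat") != "CycloneDX":
            raise ValueError(f"{source_name}: not a CycloneDX document")
        for comp in sbom.get("components", []):
            key = comp.get("purl")
            if not key:
                # Without a purl we cannot dedupe reliably; keep it under a synthetic key.
                key = f"nopurl:{source_name}:{comp.get('name')}@{comp.get('version')}"
            entry = merged.setdefault(key, {k: v for k, v in comp.items() if k != "properties"})
            props: List[dict] = entry.setdefault("properties", [])
            if not any(p["name"] == SOURCE_PROPERTY and p["value"] == source_name for p in props):
                props.append({"name": SOURCE_PROPERTY, "value": source_name})
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "components": [merged[k] for k in sorted(merged)],
    }


def sources_of(merged: dict, purl: str) -> List[str]:
    """List the attached SBOM(s) a component came from, for attributing a finding."""
    for comp in merged["components"]:
        if comp.get("purl") == purl:
            return [p["value"] for p in comp.get("properties", []) if p["name"] == SOURCE_PROPERTY]
    return []


if __name__ == "__main__":
    merged = merge_sboms({"graalvm-sbom": GRAALVM_SBOM, "image-sbom": IMAGE_SBOM})
    print(json.dumps(merged, indent=2))
    for c in merged["components"]:
        print(c["purl"], "<-", ", ".join(sources_of(merged, c["purl"])))
```

The merged document can be attached to the image in place of the two separate SBOMs, and a scanner that reports the component's `properties` alongside each finding gives the "GraalVM SBOM, image SBOM, or both" attribution the post asks for. Deduplication by purl is deliberate: the same jar seen by both the build and the image scanner should produce one finding with two origins, not two findings.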
Labels: kind/feature (Categorizes issue or PR as related to a new feature), scan/vulnerability (Issues relating to vulnerability scanning)
Target: SBOM
Scanner: Vulnerability