(SBOM generate + SBOM scan) metadata differs from image scan metadata #7169
mhbardsley started this conversation in Bugs
Replies: 0 comments
Description
I have noticed that some images provide different target names in their scanner output when the image is scanned, compared to when Trivy is used to generate an SBOM and then that SBOM is scanned.
The vulnerability counts provided in these cases are the same, which is why I think this differs from #3649.
I haven't been able to identify exactly what the scope of the issue is, but it is at least the case for gobinary target types. This is not reproducible for every image that contains vulnerable Go binaries. Also, I didn't run trivy clean --all as suggested when filing this issue because it doesn't appear to be a supported subcommand anymore.
Desired Behavior
The path to Go binaries should be consistent for any given image, whether an image scan is performed or whether an SBOM is generated (by Trivy) for the image, and then that SBOM is scanned.
Actual Behavior
The image scan provides a full path to the vulnerable Go binary. Generating an SBOM (with Trivy) and then scanning that SBOM provides an empty path to the vulnerable Go binary, with the vulnerability information, and the full path to the vulnerable Go binary, with no associated vulnerability information.
Reproduction Steps
Target: Container Image
Scanner: Vulnerability
Output Format: JSON
Mode: Standalone
Debug Output:
Operating System: Ubuntu 22.04.4 LTS
Version:
Checklist: trivy clean --all
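As an added example (not part of this report or of Trivy itself), a small Python check that compares an image-scan JSON report with the JSON report from scanning the Trivy-generated SBOM, and flags the symptom described above: the same vulnerability set, but findings attributed to an empty target path while the real binary path carries none. The image name, binary path and CVE IDs in the embedded sample reports are constructed placeholders.

```python
import json

# Constructed sample reports in Trivy's JSON layout (Results[].Target, .Type,
# .Vulnerabilities[].VulnerabilityID). Image name, path and CVE IDs are placeholders.
_VULNS = [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "example.invalid/lib"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "stdlib"},
]
IMAGE_SCAN = json.dumps({"ArtifactName": "registry.invalid/app:1.0", "Results": [
    {"Target": "usr/local/bin/app", "Class": "lang-pkgs", "Type": "gobinary",
     "Vulnerabilities": _VULNS},
]})
# The SBOM scan lists the same vulnerabilities under an empty target and the
# real path with no vulnerabilities attached, mirroring the reported behaviour.
SBOM_SCAN = json.dumps({"ArtifactName": "sbom.cdx.json", "Results": [
    {"Target": "", "Class": "lang-pkgs", "Type": "gobinary", "Vulnerabilities": _VULNS},
    {"Target": "usr/local/bin/app", "Class": "lang-pkgs", "Type": "gobinary"},
]})


def index_results(report_json):
    """Map (Type, Target) -> set of vulnerability IDs. Trivy may omit the
    Vulnerabilities key when a target has none, so treat a missing key as empty."""
    index = {}
    for result in json.loads(report_json).get("Results", []):
        key = (result.get("Type", ""), result.get("Target", ""))
        ids = {v["VulnerabilityID"] for v in result.get("Vulnerabilities") or []}
        index.setdefault(key, set()).update(ids)
    return index


def compare_reports(image_json, sbom_json):
    """Return what a CI gate would check: whether both scans found the same
    vulnerabilities, and whether they attribute them to the same target paths."""
    image, sbom = index_results(image_json), index_results(sbom_json)
    image_ids = set().union(*image.values()) if image else set()
    sbom_ids = set().union(*sbom.values()) if sbom else set()
    return {
        "same_vulnerability_set": image_ids == sbom_ids,
        "consistent_targets": image == sbom,
        "targets_only_in_image": sorted(k for k in image if k not in sbom),
        "targets_only_in_sbom": sorted(k for k in sbom if k not in image),
        # Findings attached to an empty path cannot be traced back to a file.
        "empty_target_vulns": sorted(
            set().union(*(ids for (_, target), ids in sbom.items() if target == ""))),
        "paths_without_vulns": sorted(k for k, ids in sbom.items() if k[1] and not ids),
    }


if __name__ == "__main__":
    for name, value in compare_reports(IMAGE_SCAN, SBOM_SCAN).items():
        print(f"{name}: {value}")
```

To use it on real output, feed the files produced by `trivy image --format json` and `trivy sbom --format json` into compare_reports in place of the embedded samples.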