Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bug(sbom): packages layers are not saved in sbom mode. #5430

Closed
DmitriyLewen opened this issue Oct 23, 2023 Discussed in #5424 · 0 comments · Fixed by #5432
Closed

bug(sbom): packages layers are not saved in sbom mode. #5430

DmitriyLewen opened this issue Oct 23, 2023 Discussed in #5424 · 0 comments · Fixed by #5432
Assignees
@DmitriyLewen
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@DmitriyLewen
Copy link
Contributor

DmitriyLewen commented Oct 23, 2023
edited
Loading

Discussed in #5424

We save DiffIDs and Digests of packages in SBOM formats:

  • CycloneDX - properties of component:
    "component": {
          "bom-ref": "pkg:pypi/[email protected]?file_path=usr%2Flocal%2Flib%2Fpython3.9%2Fsite-packages%2Fpip-23.0.1.dist-info%2FMETADATA",
      "type": "library",
      "name": "pip",
      "version": "23.0.1",
      "licenses": [
        {
          "license": {
            "name": "MIT"
          }
        }
      ],
      "purl": "pkg:pypi/[email protected]",
      "properties": [
        {
          "name": "aquasecurity:trivy:FilePath",
          "value": "usr/local/lib/python3.9/site-packages/pip-23.0.1.dist-info/METADATA"
        },
        {
          "name": "aquasecurity:trivy:LayerDiffID",
          "value": "sha256:1def056a3160854c9395aa76282dd62172ec08c18a5fa03bb7d50a777c15ba99"
        },
        {
          "name": "aquasecurity:trivy:LayerDigest",
          "value": "sha256:de7a1221312a618b08638bf779ae3d529927397cf96df3b1eace8cf941a66959"
        },
  • SPDX - attributionTexts of packages:
  "packages": [
    {
      "name": "adduser",
      "SPDXID": "SPDXRef-Package-d78bccd9a666f87d",
      "versionInfo": "3.118+deb11u1",
      "supplier": "Organization: Debian Adduser Developers \u003c[email protected]\u003e",
      "downloadLocation": "NONE",
      "sourceInfo": "built package from: adduser 3.118+deb11u1",
      "licenseConcluded": "GPL-2.0-only",
      "licenseDeclared": "GPL-2.0-only",
      "copyrightText": "",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:deb/debian/[email protected]%2Bdeb11u1?arch=all\u0026distro=debian-11.8"
        }
      ],
      "attributionTexts": [
        "PkgID: [email protected]+deb11u1",
        "LayerDigest: sha256:e67fdae3559346105027c63e7fb032bba57e62b1fe9f2da23e6fdfb56384e00b",
        "LayerDiffID: sha256:633f5bf471f7595b236a21e62dc60beef321db45916363a02ad5af02d794d497"
      ],

When we scan sbom files - we need to include digests in packages and vulnerabilities (like we do for the json format).

See more in #5424
@DmitriyLewen DmitriyLewen added the kind/bug Categorizes issue or PR as related to a bug. label Oct 23, 2023
@DmitriyLewen DmitriyLewen self-assigned this Oct 23, 2023
@DmitriyLewen DmitriyLewen mentioned this issue Oct 23, 2023
Merged
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@DmitriyLewen DmitriyLewen

Labels
kind/bug Categorizes issue or PR as related to a bug.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(sbom): save digests for package/application when scanning SBOM files DmitriyLewen/trivy
1 participant
@DmitriyLewen