Description
I have noticed that some images provide different target names in their scanner output, when the image is scanned compared to when Trivy is used to generate an SBOM and then that SBOM is scanned.
The vulnerability counts provided in these cases are the same, which is why I think this differs from #3649.
I haven't been able to identify exactly what the scope of the issue is, but it is at least the case for gobinary target types. This is not reproducible for every image that contains vulnerable Go binaries.
Also I didn't run trivy clean --all as suggested when filing this issue because it doesn't appear to be a supported subcommand anymore.
Desired Behavior
The path to Go binaries should be consistent for any given image, whether an image scan is performed or whether an SBOM is generated (by Trivy) for the image, and then that SBOM is scanned.
Actual Behavior
The image scan provides a full path to the vulnerable Go binary. Generating an SBOM (with Trivy) and then scanning that SBOM provides an empty path to the vulnerable Go binary, with the vulnerability information, and the full path to the vulnerable Go binary, with no associated vulnerability information.
Labels: kind/bug
Reproduction Steps
Target: Container Image
Scanner: Vulnerability
Output Format: JSON
Mode: Standalone
Debug Output:
Operating System: Ubuntu 22.04.4 LTS
Version:
Checklist: trivy clean --all
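The discrepancy described in this report is easy to miss in a vulnerability count alone, because the counts match; what differs is which Target each finding is attached to. The following script, an added example that is not part of the issue or of the Trivy project, indexes the findings of two Trivy JSON reports by (Type, VulnerabilityID, PkgName, InstalledVersion) and lists every finding whose set of Targets differs between the image scan and the SBOM scan. The two embedded reports are constructed samples that mimic the shape of Trivy's JSON output and the symptom described above (an empty Target carrying the vulnerability, and the full path carrying none); the CVE id, package name and path in them are placeholders.

```python
import json
import sys
from collections import defaultdict

# Constructed sample (not from the issue): shape of `trivy image --format json`.
# The CVE id, package name and binary path are placeholders.
IMAGE_SCAN_JSON = """
{
  "Results": [
    {
      "Target": "usr/local/bin/example-tool",
      "Class": "lang-pkgs",
      "Type": "gobinary",
      "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0000", "PkgName": "example.org/placeholder/pkg",
         "InstalledVersion": "v0.1.0", "Severity": "HIGH"}
      ]
    }
  ]
}
"""

# Constructed sample (not from the issue): shape of `trivy sbom --format json`
# showing the reported asymmetry: the vulnerability sits on an empty Target,
# while the full path appears as a second result with no vulnerabilities.
SBOM_SCAN_JSON = """
{
  "Results": [
    {
      "Target": "",
      "Class": "lang-pkgs",
      "Type": "gobinary",
      "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0000", "PkgName": "example.org/placeholder/pkg",
         "InstalledVersion": "v0.1.0", "Severity": "HIGH"}
      ]
    },
    {
      "Target": "usr/local/bin/example-tool",
      "Class": "lang-pkgs",
      "Type": "gobinary"
    }
  ]
}
"""


def vuln_count(report):
    """Total number of vulnerability entries across all Results."""
    return sum(len(r.get("Vulnerabilities") or []) for r in report.get("Results", []))


def vuln_targets(report):
    """Map each finding (type, CVE, package, version) to the set of Targets it is reported under."""
    index = defaultdict(set)
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            key = (result.get("Type", ""), vuln["VulnerabilityID"],
                   vuln["PkgName"], vuln["InstalledVersion"])
            index[key].add(result.get("Target", ""))
    return index


def compare_reports(image_report, sbom_report):
    """Return counts for both reports plus every finding whose Target set differs."""
    image_idx = vuln_targets(image_report)
    sbom_idx = vuln_targets(sbom_report)
    mismatches = []
    for key in sorted(set(image_idx) | set(sbom_idx)):
        image_t = image_idx.get(key, set())
        sbom_t = sbom_idx.get(key, set())
        if image_t != sbom_t:
            mismatches.append({
                "type": key[0], "vuln_id": key[1], "pkg": key[2], "version": key[3],
                "image_targets": image_t, "sbom_targets": sbom_t,
            })
    return {
        "count_image": vuln_count(image_report),
        "count_sbom": vuln_count(sbom_report),
        "mismatches": mismatches,
    }


if __name__ == "__main__":
    # Pass two report paths to compare real output; otherwise the samples are used.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            outcome = compare_reports(json.load(f1), json.load(f2))
    else:
        outcome = compare_reports(json.loads(IMAGE_SCAN_JSON), json.loads(SBOM_SCAN_JSON))
    print(f"vulnerabilities: image={outcome['count_image']} sbom={outcome['count_sbom']}")
    for m in outcome["mismatches"]:
        print(f"{m['type']} {m['vuln_id']} {m['pkg']}@{m['version']}: "
              f"image targets={sorted(m['image_targets'])} sbom targets={sorted(m['sbom_targets'])}")
```

Against real images, produce the two inputs with `trivy image --format json -o image.json IMAGE`, then `trivy image --format cyclonedx -o sbom.cdx.json IMAGE` followed by `trivy sbom --format json -o sbom-scan.json sbom.cdx.json`, and run the script with `image.json sbom-scan.json`. Matching counts with a non-empty mismatch list is exactly the situation the report describes; a tool that deduplicates or routes findings by Target (ticketing, suppression files, policy checks) would treat those as different findings even though the vulnerability is the same.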
Beta Was this translation helpful? Give feedback.
All reactions