Inconsistent vulnerabilities in container image scan vs container image's sbom scan #3649
Labels
kind/bug
Categorizes issue or PR as related to a bug.
priority/backlog
Higher priority than priority/awaiting-more-evidence.
scan/vulnerability
Issues relating to vulnerability scanning
Comments
The Alpine repository information (edge) is not output in the SBOM; the data source referenced differs between detecting from an image and detecting from an SBOM, and the detection results change.
This issue is stale because it has been labeled with inactivity.
github-actions bot added the lifecycle/stale label on Apr 28, 2023
Commenting just to keep it active.
github-actions bot removed the lifecycle/stale label on Apr 29, 2023
knqyf263 added the priority/backlog label on May 8, 2023
A simple example is comparing:
With
Description
I tried scanning the container image 18fgsa/s3-resource:latest (a publicly available container image) with trivy and got 93 unique findings in total (derived from CVE and package name only).
I tried exporting the SBOM of the same container image in SPDX format and scanned the SBOM with trivy, and got 66 unique findings (derived from CVE and package name only).
There is an inconsistency between the two results.
I carried out the following commands to identify the difference.
The output of the above diff command is given below:
I checked whether these packages were part of the SBOM file and noted that they were recorded in it. However, trivy does not consider these packages / misses these packages for some reason when checking against the vulnerability database.
What did you expect to happen?
trivy should report the same findings and the same count of findings for a given vulnerability DB version for the same container image, regardless of whether the target is the SBOM of the container image or the container image itself.
What happened instead?
trivy missed certain findings from sbom scan report.
Output of run with -debug:
Output of trivy -v:
Additional details (base image name, container registry info...):
The files are attached with this issue for troubleshooting.
Uploading the JSON files as .txt files since GitHub doesn't seem to allow me to upload JSON files.
SBOM SPDX JSON file of the container image -> sbom.txt
Container scan JSON output -> container_scan.txt
SBOM scan JSON output -> sbom_scan.txt
container_scan.txt
sbom.txt
sbom_scan.txt
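The comparison the reporter describes (unique (CVE, package) pairs from the image scan versus the SBOM scan, then checking whether the missing packages are nevertheless recorded in the SPDX document) can be scripted directly against Trivy's JSON reports. The following is an added example and not code from the issue or from the Trivy project. It assumes the Trivy JSON report layout (top-level "Results", each carrying a "Vulnerabilities" list with "VulnerabilityID" and "PkgName") and the SPDX 2.x JSON layout ("packages" with "name"); the three documents embedded below are constructed sample data, not the reporter's attachments.

```python
"""Diff unique (VulnerabilityID, PkgName) findings between two Trivy JSON reports
and check which image-only packages are still present in the SPDX SBOM.

Added example; assumes Trivy's JSON report layout and SPDX 2.x JSON. The sample
documents below are constructed so the script runs offline."""
import json

# Constructed sample: shape of `trivy image -f json` output (not real scan data).
# Three findings; the "gobinary" target has no "Vulnerabilities" key, which Trivy
# does for clean targets, so the parser must tolerate its absence.
IMAGE_SCAN_JSON = """{
  "SchemaVersion": 2, "ArtifactName": "example/image:latest", "ArtifactType": "container_image",
  "Results": [
    {"Target": "example/image:latest (alpine 3.17.2)", "Class": "os-pkgs", "Type": "alpine",
     "Vulnerabilities": [
       {"VulnerabilityID": "CVE-2023-0001", "PkgName": "libcrypto3", "InstalledVersion": "3.0.7-r0", "Severity": "HIGH"},
       {"VulnerabilityID": "CVE-2023-0001", "PkgName": "libssl3", "InstalledVersion": "3.0.7-r0", "Severity": "HIGH"},
       {"VulnerabilityID": "CVE-2023-0002", "PkgName": "busybox", "InstalledVersion": "1.35.0-r29", "Severity": "MEDIUM"}
     ]},
    {"Target": "usr/bin/app", "Class": "lang-pkgs", "Type": "gobinary"}
  ]
}"""

# Constructed sample: the same image scanned via its SBOM, with the busybox finding absent.
SBOM_SCAN_JSON = """{
  "SchemaVersion": 2, "ArtifactName": "sbom.json", "ArtifactType": "spdx",
  "Results": [
    {"Target": "example/image:latest (alpine 3.17.2)", "Class": "os-pkgs", "Type": "alpine",
     "Vulnerabilities": [
       {"VulnerabilityID": "CVE-2023-0001", "PkgName": "libcrypto3", "InstalledVersion": "3.0.7-r0", "Severity": "HIGH"},
       {"VulnerabilityID": "CVE-2023-0001", "PkgName": "libssl3", "InstalledVersion": "3.0.7-r0", "Severity": "HIGH"}
     ]}
  ]
}"""

# Constructed sample SPDX document: busybox IS recorded, so the missing finding is
# not explained by an incomplete SBOM.
SPDX_SBOM_JSON = """{
  "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "example/image:latest",
  "packages": [
    {"name": "alpine", "SPDXID": "SPDXRef-OperatingSystem", "versionInfo": "3.17.2"},
    {"name": "libcrypto3", "SPDXID": "SPDXRef-Package-1", "versionInfo": "3.0.7-r0"},
    {"name": "libssl3", "SPDXID": "SPDXRef-Package-2", "versionInfo": "3.0.7-r0"},
    {"name": "busybox", "SPDXID": "SPDXRef-Package-3", "versionInfo": "1.35.0-r29"}
  ]
}"""


def unique_findings(report):
    """Set of (VulnerabilityID, PkgName) pairs across all Results.
    "Vulnerabilities" may be missing or null for targets with no findings."""
    found = set()
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            found.add((vuln["VulnerabilityID"], vuln["PkgName"]))
    return found


def diff_findings(image_report, sbom_report):
    """Counts plus the symmetric difference, sorted for stable output."""
    image = unique_findings(image_report)
    sbom = unique_findings(sbom_report)
    return {
        "image_total": len(image),
        "sbom_total": len(sbom),
        "only_in_image": sorted(image - sbom),
        "only_in_sbom": sorted(sbom - image),
    }


def spdx_package_names(spdx_doc):
    """Package names recorded in an SPDX 2.x JSON document."""
    return {pkg["name"] for pkg in spdx_doc.get("packages") or []}


def missing_but_recorded(diff, spdx_doc):
    """Packages whose findings exist only in the image scan yet are present in the
    SBOM: these point at a scanner-side data gap, not at an incomplete SBOM."""
    names = spdx_package_names(spdx_doc)
    return sorted({pkg for _, pkg in diff["only_in_image"] if pkg in names})


def compare(image_json, sbom_scan_json, spdx_json):
    """Parse the three documents and return the full comparison as one dict."""
    diff = diff_findings(json.loads(image_json), json.loads(sbom_scan_json))
    diff["missing_but_in_sbom"] = missing_but_recorded(diff, json.loads(spdx_json))
    return diff


if __name__ == "__main__":
    for key, value in compare(IMAGE_SCAN_JSON, SBOM_SCAN_JSON, SPDX_SBOM_JSON).items():
        print(f"{key}: {value}")
```

To run it against real attachments, replace the three embedded strings with the contents of container_scan.txt, sbom_scan.txt and sbom.txt (for example via pathlib.Path(...).read_text()). Deduplicating on (VulnerabilityID, PkgName) matches the "unique" counting used in the report above; dropping PkgName from the key would instead count each CVE once regardless of how many packages it hits.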