additional details w.r.t jar in report

[kandarpsarvaiya]

Hi Team, earlier we were using anchore/inline-scan before for docker image vulnerability scan and here is the report we have with anchore for our sample app.
from anchore/inline-scan.

vulnerabilities package CRITICAL Vulnerability found in non-os package type (java) - /opt/apps/sample/sample-java-apps-1.0.0.jar:BOOT-INF/lib/commons-collections-3.2.1.jar (CVE-2017-15708 - https://nvd.nist.gov/vuln/detail/CVE-2017-15708)

now we are planning to use grype for docker image vulnerability scan, and we are getting following type of report. grype doesnt list that the .jar module has this specific jar has some vulnerabilities.

from grype.
sqlite-libs 3.20.1-r0 3.25.3-r0 apk CVE-2018-20346 High

here a question, is there a way we can get report with some additinal detail like which jar has any vulnerability found similar to anchore/inline-scan report line pasted above?

[tgerla]

Hi @kandarpsarvaiya, if you run grype with the "-o json" output format, you should get more detail for each vulnerability including package locations on the filesystem and paths of jars nested inside jars, like in your example. This may be what you're looking for. If not, please let us know and we can help.

There is a feature request to expand this in a more general way: #1199 -- it's something we're looking into improving in the future.

[tgerla]

I'll go ahead and close this issue but please let us know if you need anything else. Thanks!