OWASP dependency track is not listing vulnerabilities (cyclone dx format) from grype, syft is working however #796
Comments
Thanks for the comment @usmankhanisb - looks like we need to get grype generating the latest version of cyclonedx as well as update it so it has parity with the syft format. Apologies for the lag between the tools. How to reproduce easily:
Note the version differences in the schema. Larger images would also show other delta points since the schema has changed. We probably also want to discuss keeping the formatting options up to date between the tools to reduce confusion and keep the API closer together.
Happy to pick up this issue if @spiffcs you want to assign me to it. I believe that the json output is currently 1.4, but I can update the presenters to be 1.4 for the xml.
Thanks @cpendery! I'm working on this today, but I really appreciate the offer.
@usmankhanisb @cpendery feel free to check out the tip of main on grype after #1038 has merged - grype is now using syft's formatting library which consumes the official upstream cyclonedx tooling. If you see other compatibility errors let us know! There is also a test now that checks against the official tooling to make sure syft/grype are producing valid outputs for the respective formats.
grype currently produces CycloneDX SBOMs that are not compliant with the CycloneDX tooling libraries. Rather than write the logic in two places, this PR moves grype to use syft's formatting functions as a library to produce valid CycloneDX SBOM components along with the discovered vulnerabilities. For more context on impacted issues: #796 #951
What happened:
OWASP dependency track is not listing vulnerabilities (cyclone dx format) from grype, syft is working however. Grype cyclonedx sbom is only listing components.
What you expected to happen:
List vulnerabilities correctly so that various dashboard tools like dependency track can enlist vulnerabilities, just like the syft generated SBOM (cyclonedx format).
How to reproduce it (as minimally and precisely as possible):
generate SBOM cyclonedx from both of the tools (syft and grype) and play them in dependency track and you will see the issue
use it for OWASP DVWA project. generate sbom for all layers of the docker image.
Anything else we need to know?:
syft and grype xml generation is not consistent.
- Environment: MAC, docker compose, OWASP DVWA
- grype version:
- OS (`cat /etc/os-release` or similar): MAC OS
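A quick pre-upload sanity check for the symptom reported above (a CycloneDX document that carries components but no usable vulnerability entries). This is an added example, not code from grype, syft or Dependency-Track; the two BOM documents below are constructed inline for illustration and the vulnerability id is a placeholder.

```python
import json

# Constructed minimal CycloneDX 1.4 JSON document (not real grype output):
# one component plus one vulnerability whose "affects" entry resolves to it.
GOOD_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "example-lib", "version": "1.0.0",
         "bom-ref": "pkg:generic/example-lib@1.0.0"}
    ],
    "vulnerabilities": [
        {"id": "VULN-PLACEHOLDER-1",
         "affects": [{"ref": "pkg:generic/example-lib@1.0.0"}]}
    ],
})

# Constructed document reproducing the reported symptom: components only.
COMPONENTS_ONLY_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "example-lib", "version": "1.0.0",
         "bom-ref": "pkg:generic/example-lib@1.0.0"}
    ],
})


def check_cyclonedx_vulns(bom_text):
    """Return a list of problems that would cause a downstream consumer
    (a dashboard importing the BOM) to show components but no findings."""
    bom = json.loads(bom_text)
    problems = []
    if bom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not CycloneDX")
    # The top-level vulnerabilities section exists from spec version 1.4 on.
    if bom.get("specVersion") not in ("1.4", "1.5", "1.6"):
        problems.append(f"specVersion {bom.get('specVersion')!r} has no vulnerabilities section")
    refs = {c.get("bom-ref") for c in bom.get("components", []) if c.get("bom-ref")}
    vulns = bom.get("vulnerabilities")
    if not vulns:
        problems.append("no vulnerabilities section: only components would be listed")
        return problems
    for v in vulns:
        vid = v.get("id") or "<missing id>"
        affects = v.get("affects") or []
        if not affects:
            problems.append(f"vulnerability {vid} affects no component")
        for a in affects:
            if a.get("ref") not in refs:  # dangling ref cannot be shown against a component
                problems.append(f"vulnerability {vid} references unknown bom-ref {a.get('ref')!r}")
    return problems
```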