Include Syft's cyclonedx component properties in Grype output #951
Hi @xtreme-conor-nosal -- is the main gist of this ask to be able to match Grype CycloneDX results against elements in a Syft SBOM? In other words: if we added a file path would this allow you to do what you need -- or could there be a package ID that matches, which might be easier?
Using If I run
Thanks @xtreme-conor-nosal, so if only the location information was included in the Grype output, would that be sufficient for your use case here? I ask because that would be a fairly simple change to make, whereas including all the properties would be a much bigger lift.
Yes, having location would be a good first step.
Given Grype has the two use cases of generating the sbom internally via Syft vs reading an sbom from stdin (that may or may not come from Syft), what do you think about a second ticket for preserving any extra properties that appear in a provided sbom (in addition to this ticket focusing on properties generated by Grype)?
This might be tricky to do... for CycloneDX -> CycloneDX it might be fairly straightforward, but mapping other arbitrary properties between formats might be a lot more work to determine where to put said properties.
Yeah, I was thinking it might need to be constrained to the cases where the input and output formats match, and even then could represent a sizeable code diff.
A second field that might be worth prioritizing is
Hey @xtreme-conor-nosal check out #1038 and the enhancements made there. Using grype standalone now should give you the same output as if you had used syft. We updated grype to just consume our formatting library from syft. If you have questions, comments, or improvements let me know and I can follow up!
grype currently produces CycloneDX SBOMs that are not compliant with the CycloneDX tooling libraries. Rather than write the logic in two places, this PR moves grype to use syft's formatting functions as a library to produce valid CycloneDX SBOM components along with the discovered vulnerabilities. For more context on impacted issues: #796 #951
What would you like to be added:
Syft's cyclonedx output was improved in anchore/syft#710.
I would like Grype to offer the same level of detail as Syft.
Why is this needed:
The current cyclonedx or vex outputs don't contain full information to aid in triage. I need to cross-reference grype cyclonedx against syft json to find additional metadata (e.g. file path containing a go module, which syft encodes as `properties`).
Additional context:
Syft component encoding:
https://github.com/anchore/syft/blob/main/syft/formats/common/cyclonedxhelpers/component.go#L30
Grype:
https://github.com/anchore/grype/blob/main/grype/presenter/cyclonedx/document.go#L48
https://github.com/anchore/grype/blob/main/grype/presenter/cyclonedxvex/document.go#L67
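The cross-referencing step the issue describes (joining Grype's CycloneDX findings back to the component `properties` Syft emits) can be scripted while the outputs still differ. The following is an added Go example, not code from Grype or Syft: it resolves each vulnerability's `affects.ref` to a Grype component, looks that component up in the Syft SBOM by purl, and attaches the file paths Syft recorded. The property naming `syft:location:<n>:path`, the use of the purl as `bom-ref`, and both sample documents (including the placeholder CVE ids) are assumptions constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Minimal CycloneDX shapes: only the fields the join below needs.
type Property struct {
	Name  string `json:"name"`
	Value string `json:"value"`
}

type Component struct {
	BOMRef     string     `json:"bom-ref"`
	Name       string     `json:"name"`
	Version    string     `json:"version"`
	PURL       string     `json:"purl"`
	Properties []Property `json:"properties"`
}

type Vulnerability struct {
	ID      string `json:"id"`
	Affects []struct {
		Ref string `json:"ref"`
	} `json:"affects"`
}

type BOM struct {
	Components      []Component     `json:"components"`
	Vulnerabilities []Vulnerability `json:"vulnerabilities"`
}

// Finding is one Grype vulnerability joined with the locations Syft recorded.
type Finding struct {
	VulnID    string
	Package   string
	Locations []string
}

// syftLocations collects values of properties named syft:location:<n>:path
// (assumed naming; verify against the Syft version actually in use).
func syftLocations(c Component) []string {
	var paths []string
	for _, p := range c.Properties {
		if strings.HasPrefix(p.Name, "syft:location:") && strings.HasSuffix(p.Name, ":path") {
			paths = append(paths, p.Value)
		}
	}
	return paths
}

// Enrich joins the Grype document to the Syft SBOM by purl. A package that
// Syft did not catalogue yields a Finding with nil Locations rather than an error,
// so the vulnerability is still reported and the gap is visible in triage.
func Enrich(grypeJSON, syftJSON []byte) ([]Finding, error) {
	var g, s BOM
	if err := json.Unmarshal(grypeJSON, &g); err != nil {
		return nil, fmt.Errorf("grype document: %w", err)
	}
	if err := json.Unmarshal(syftJSON, &s); err != nil {
		return nil, fmt.Errorf("syft document: %w", err)
	}
	syftByPURL := make(map[string]Component, len(s.Components))
	for _, c := range s.Components {
		if c.PURL != "" {
			syftByPURL[c.PURL] = c
		}
	}
	grypeByRef := make(map[string]Component, len(g.Components))
	for _, c := range g.Components {
		grypeByRef[c.BOMRef] = c
	}
	var out []Finding
	for _, v := range g.Vulnerabilities {
		for _, a := range v.Affects {
			gc, ok := grypeByRef[a.Ref]
			if !ok {
				continue // dangling ref: no component to report against
			}
			f := Finding{VulnID: v.ID, Package: gc.Name + "@" + gc.Version}
			if sc, ok := syftByPURL[gc.PURL]; ok {
				f.Locations = syftLocations(sc)
			}
			out = append(out, f)
		}
	}
	return out, nil
}

// Constructed sample documents; CVE ids are placeholders, not real advisories.
const SampleGrype = `{"components":[{"bom-ref":"pkg:golang/example.com/libfoo@v1.2.3","name":"libfoo","version":"v1.2.3","purl":"pkg:golang/example.com/libfoo@v1.2.3"},{"bom-ref":"pkg:golang/example.com/libbar@v0.1.0","name":"libbar","version":"v0.1.0","purl":"pkg:golang/example.com/libbar@v0.1.0"}],"vulnerabilities":[{"id":"CVE-0000-00001","affects":[{"ref":"pkg:golang/example.com/libfoo@v1.2.3"}]},{"id":"CVE-0000-00002","affects":[{"ref":"pkg:golang/example.com/libbar@v0.1.0"}]}]}`
const SampleSyft = `{"components":[{"bom-ref":"pkg:golang/example.com/libfoo@v1.2.3","name":"libfoo","version":"v1.2.3","purl":"pkg:golang/example.com/libfoo@v1.2.3","properties":[{"name":"syft:package:type","value":"go-module"},{"name":"syft:location:0:path","value":"/app/go.mod"}]}]}`

func main() {
	findings, err := Enrich([]byte(SampleGrype), []byte(SampleSyft))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s %s locations=%v\n", f.VulnID, f.Package, f.Locations)
	}
}
```

Joining on purl rather than on name and version avoids collisions between ecosystems that share package names; the second sample finding shows the nil-locations case a triage script has to tolerate when the two documents were produced from different scans.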