What would you like to be added:
syft can identify RPM packages in Mariner's distroless container image
Why is this needed:
Enable scanning and subsequent CVE checking of Mariner distroless images
Additional context:
Mariner produces distroless images similar to https://github.com/GoogleContainerTools/distroless but containing Mariner packages.
These images don't contain a full RPM database, but they do contain a manifest file detailing the RPMs in the image. https://github.com/microsoft/CBL-Mariner/blob/main/toolkit/docs/how_it_works/5_misc.md#rpm-manifest-file
Syft could read this to determine the contained RPMs. syft wouldn't be able to extract as much information as it could from an RPM db, e.g., per-file data is not present, but it could extract enough information to enable subsequent CVE checking.