Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Raising containers as packages in the final SBOM #3477

Open
spiffcs opened this issue Nov 22, 2024 · 0 comments
Open

Raising containers as packages in the final SBOM #3477

spiffcs opened this issue Nov 22, 2024 · 0 comments
Labels
enhancement New feature or request

Comments

@spiffcs
Copy link
Contributor

spiffcs commented Nov 22, 2024

What would you like to be added:
Syft currently inspects and surfaces a number of different packages inside a container given specific cataloger rules.

Some current vulnerability datasets mark the container itself as vulnerable with identifying purls going only as far as the metadata that's found in a docker inspect or skopeo inspect command:

data/rhel/input/csaf/2020/cve-2020-7793.json
218:                "purl": "pkg:oci/distributed-tracing/jaeger-all-in-one-rhel7"
229:                "purl": "pkg:oci/distributed-tracing/jaeger-query-rhel7"

Syft should start surfacing the scanned container as it's own package type in the final SBOM to help with matching against these kinds of vulnerability records.

Why is this needed:
Better cataloging of the actual images being scanned as the "root" or vulnerable node in an SBOM.
@spiffcs spiffcs added the enhancement New feature or request label Nov 22, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
OSS
Status: No status
Milestone
No milestone
Development

No branches or pull requests
1 participant
@spiffcs