Open tomasr opened 3 weeks ago
Hi @tomasr -- Grype is always going to use the internal Syft representation. If you ingest an SBOM, this gets converted to that representation anyway.
What versions of Syft and Grype are you using?
Grype 0.78.0 Syft 1.6.0
Might help if I offer a repro. Here's an easy one:
.nuget file to .zip and expand it on a folder, let's say c:\temp\librdkafka
grype dir:C:\temp\librdkafka\runtimes
Output here looks like this:
Now first run syft to generate an SPDX SBOM of the exact same files, and scan it with grype:
Output is clearly different.
What would you like to be added:
This is probably a weird question, but when running grype dir:<somedir>, I understand grype is essentially running syft under the hood to produce the source SBOM (or similar). Can you control what format is used for this intermediate representation?
Why is this needed:
My reason for asking is this: I have some dependencies in a folder.
If I run:
I get:
If I first generate an SBOM using syft in cyclonedx-json format, then ingest it with grype sbom:.\sbom.json, I get the exact same result. However, if I first generate an SBOM using syft in SPDX format, then ingest it with grype I get:
So obviously the source SBOM format (or whatever the internal syft is producing over it) is somehow relevant to getting usable results?
Additional context:
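To make the kind of comparison this thread describes repeatable, here is an added example (not code from the original issue, and not part of Syft or Grype) that diffs two grype JSON reports of the same directory: one from grype dir:, one from an ingested SBOM. It keys matches on (vulnerability id, artifact name, artifact version) and also reports, per artifact, the type/version/purl grype recorded, which is where a format conversion usually shows up. The field names (matches, vulnerability.id, artifact.name, artifact.version, artifact.type, artifact.purl) are those of grype's -o json output; the two embedded reports and the CVE identifiers in them are constructed placeholders, not real findings, and the command lines in the module docstring are assumed to be run by the reader beforehand.

```python
"""Diff two grype JSON reports produced from the same files via different routes.

Commands assumed to have produced the inputs (syft/grype flags as documented):
  syft dir:C:\\temp\\librdkafka\\runtimes -o spdx-json=sbom.spdx.json
  syft dir:C:\\temp\\librdkafka\\runtimes -o cyclonedx-json=sbom.cdx.json
  grype dir:C:\\temp\\librdkafka\\runtimes -o json > grype-dir.json
  grype sbom:sbom.spdx.json -o json > grype-spdx.json
  grype sbom:sbom.cdx.json -o json > grype-cdx.json
Usage: python compare_grype.py grype-dir.json grype-spdx.json
"""
import json
import sys
from typing import Dict, Set, Tuple

MatchKey = Tuple[str, str, str]    # (vulnerability id, artifact name, artifact version)
ArtifactId = Tuple[str, str, str]  # (artifact type, artifact version, purl)


def load_report(path: str) -> dict:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def match_keys(report: dict) -> Set[MatchKey]:
    """Reduce a grype JSON report to the set of (vuln, package, version) it matched."""
    keys: Set[MatchKey] = set()
    for m in report.get("matches", []):
        art = m.get("artifact", {})
        keys.add((m["vulnerability"]["id"], art.get("name", ""), art.get("version", "")))
    return keys


def artifact_identities(report: dict) -> Dict[str, ArtifactId]:
    """Map artifact name -> (type, version, purl) exactly as grype saw it in this report."""
    ids: Dict[str, ArtifactId] = {}
    for m in report.get("matches", []):
        art = m.get("artifact", {})
        ids[art.get("name", "")] = (art.get("type", ""), art.get("version", ""), art.get("purl", ""))
    return ids


def compare_reports(a: dict, b: dict) -> dict:
    """Matches present in only one report, matches in both, and artifacts whose
    identity (type/version/purl) differs between the two routes."""
    ka, kb = match_keys(a), match_keys(b)
    ia, ib = artifact_identities(a), artifact_identities(b)
    identity_diffs = {
        name: {"a": ia.get(name), "b": ib.get(name)}
        for name in sorted(set(ia) | set(ib))
        if ia.get(name) != ib.get(name)
    }
    return {
        "only_in_a": sorted(ka - kb),
        "only_in_b": sorted(kb - ka),
        "common": sorted(ka & kb),
        "identity_diffs": identity_diffs,
    }


# Constructed sample reports (placeholder CVE ids, not real findings) standing in
# for grype-dir.json and grype-spdx.json so the script runs offline.
SAMPLE_DIR_REPORT = {
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001"},
         "artifact": {"name": "libfoo", "version": "1.2.3", "type": "binary",
                      "purl": "pkg:generic/libfoo@1.2.3"}},
        {"vulnerability": {"id": "CVE-0000-0002"},
         "artifact": {"name": "libfoo", "version": "1.2.3", "type": "binary",
                      "purl": "pkg:generic/libfoo@1.2.3"}},
    ]
}
SAMPLE_SPDX_REPORT = {
    "matches": [
        # Same package, but type and purl did not survive the round trip in this sample.
        {"vulnerability": {"id": "CVE-0000-0001"},
         "artifact": {"name": "libfoo", "version": "1.2.3", "type": "", "purl": ""}},
    ]
}


if __name__ == "__main__":
    if len(sys.argv) == 3:
        result = compare_reports(load_report(sys.argv[1]), load_report(sys.argv[2]))
    else:
        result = compare_reports(SAMPLE_DIR_REPORT, SAMPLE_SPDX_REPORT)
    print(json.dumps(result, indent=2, default=list))
```

Run it against the dir: report and the SPDX-derived report first, then against the dir: report and the CycloneDX-derived one; if the second pair is identical and the first is not, the identity_diffs section tells you which package attribute (type, version or purl) changed during the SPDX round trip, which is the concrete detail a maintainer needs to reproduce the difference.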