Closed usmankhanisb closed 1 year ago
Thanks for the comment @usmankhanisb - looks like we need to get grype generating the latest version of cyclonedx as well as update it so it has parity with the syft format. Apologies for the lag between the tools.
How to reproduce easily:
grype alpine:latest -o cyclonedx > bom.xml
syft alpine:latest -o cyclonedx-xml > syft.bom
Note the version differences in the schema. Larger images would also show other delta points since the schema has changed. We probably also want to discuss keeping the formatting options up to date between the tools to reduce confusion and keep the API closer together.
Happy to pick up this issue, @spiffcs, if you want to assign me to it. I believe that the JSON output is currently 1.4, but I can update the presenters to be 1.4 for the XML.
Thanks @cpendery! I'm working on this today, but I really appreciate the offer.
@usmankhanisb @cpendery feel free to check out the tip of main on grype after #1038 has merged - grype is now using syft's formatting library which consumes the official upstream cyclonedx tooling.
If you see other compatibility errors, let us know! There is also a test now that checks against the official tooling to make sure syft/grype are producing valid outputs for the respective formats.
What happened: OWASP Dependency-Track is not listing vulnerabilities (CycloneDX format) from grype; syft is working, however. The grype CycloneDX SBOM only lists components.
What you expected to happen: List vulnerabilities correctly so that various dashboard tools like Dependency-Track can list vulnerabilities, just as with a syft-generated SBOM (CycloneDX format).
How to reproduce it (as minimally and precisely as possible): Generate a CycloneDX SBOM from both tools (syft and grype), import them into Dependency-Track and you will see the issue. Use the OWASP DVWA project for it; generate the SBOM for all layers of the docker image.
Anything else we need to know?: syft and grype XML generation is not consistent.
Environment: MAC, docker compose, OWASP DVWA
grype version:
OS (e.g. cat /etc/os-release or similar): MAC OS
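The mismatch reported above (a components-only BOM on an older schema versus a BOM that carries a vulnerabilities section) and the two-command reproduction earlier in the thread both come down to inspecting what each tool actually emitted. The script below is an added example written for this note, not grype's or syft's own code: it parses two CycloneDX XML BOMs, reads the schema version off the root namespace URI, counts components and vulnerabilities, flags vulnerability `affects` refs that do not resolve to any component `bom-ref` (the correlation Dependency-Track relies on), and diffs the two summaries. The two embedded BOMs are constructed samples, not real tool output, and the vulnerability ids `EXAMPLE-0001`/`EXAMPLE-0002` are placeholders rather than real vulnerability identifiers.

```python
"""Compare two CycloneDX XML BOMs for schema version and vulnerability content.

Added example (not grype/syft code). Usage on real files:
    python cdx_parity.py bom.xml syft.bom
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample: components only, on an older schema version.
BOM_OLD_COMPONENTS_ONLY = """<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.2" version="1">
  <components>
    <component type="library" bom-ref="pkg:apk/alpine/musl@1.2.3-r0">
      <name>musl</name>
      <version>1.2.3-r0</version>
      <purl>pkg:apk/alpine/musl@1.2.3-r0</purl>
    </component>
  </components>
</bom>
"""

# Constructed sample: 1.4 schema with a vulnerabilities section. The ids are
# placeholders, not real vulnerabilities; the second one deliberately points
# at a bom-ref that no component declares.
BOM_14_WITH_VULNS = """<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <components>
    <component type="library" bom-ref="pkg:apk/alpine/musl@1.2.3-r0">
      <name>musl</name>
      <version>1.2.3-r0</version>
      <purl>pkg:apk/alpine/musl@1.2.3-r0</purl>
    </component>
  </components>
  <vulnerabilities>
    <vulnerability bom-ref="vuln-1">
      <id>EXAMPLE-0001</id>
      <source><name>example-db</name></source>
      <affects><target><ref>pkg:apk/alpine/musl@1.2.3-r0</ref></target></affects>
    </vulnerability>
    <vulnerability bom-ref="vuln-2">
      <id>EXAMPLE-0002</id>
      <source><name>example-db</name></source>
      <affects><target><ref>pkg:apk/alpine/zlib@1.2.13-r0</ref></target></affects>
    </vulnerability>
  </vulnerabilities>
</bom>
"""


def _namespace(root):
    """Return the namespace URI of the root <bom> element, e.g. http://cyclonedx.org/schema/bom/1.4."""
    if not root.tag.startswith("{"):
        raise ValueError("root element is not namespaced; not a CycloneDX XML BOM")
    return root.tag[1:].split("}", 1)[0]


def schema_version(xml_text):
    """CycloneDX encodes the schema version as the last path segment of the namespace URI."""
    ns = _namespace(ET.fromstring(xml_text))
    return ns.rstrip("/").rsplit("/", 1)[-1]


def summarize(xml_text):
    """Count components and vulnerabilities and record whether a <vulnerabilities> section exists."""
    root = ET.fromstring(xml_text)
    ns = _namespace(root)
    q = lambda tag: f"{{{ns}}}{tag}"
    components = root.findall(f".//{q('component')}")  # includes nested components
    section = root.find(q("vulnerabilities"))
    vulns = [] if section is None else section.findall(q("vulnerability"))
    return {
        "schema": schema_version(xml_text),
        "components": len(components),
        "has_vulnerabilities_section": section is not None,
        "vulnerabilities": len(vulns),
    }


def dangling_refs(xml_text):
    """Return (vulnerability id, ref) pairs whose affects/target/ref matches no component bom-ref."""
    root = ET.fromstring(xml_text)
    ns = _namespace(root)
    q = lambda tag: f"{{{ns}}}{tag}"
    known = {c.get("bom-ref") for c in root.findall(f".//{q('component')}") if c.get("bom-ref")}
    missing = []
    for vuln in root.findall(f"./{q('vulnerabilities')}/{q('vulnerability')}"):
        vid = vuln.findtext(q("id"), default="?")
        for ref in vuln.findall(f"./{q('affects')}/{q('target')}/{q('ref')}"):
            if ref.text not in known:
                missing.append((vid, ref.text))
    return missing


def compare(xml_a, xml_b):
    """List the parity differences a consumer such as Dependency-Track would notice."""
    a, b = summarize(xml_a), summarize(xml_b)
    findings = []
    if a["schema"] != b["schema"]:
        findings.append(f"schema version differs: {a['schema']} vs {b['schema']}")
    if a["has_vulnerabilities_section"] != b["has_vulnerabilities_section"]:
        findings.append("only one BOM carries a <vulnerabilities> section")
    if a["components"] != b["components"]:
        findings.append(f"component count differs: {a['components']} vs {b['components']}")
    return findings


if __name__ == "__main__":
    if len(sys.argv) == 3:
        docs = [open(p, encoding="utf-8").read() for p in sys.argv[1:]]
    else:
        docs = [BOM_OLD_COMPONENTS_ONLY, BOM_14_WITH_VULNS]  # fall back to the constructed samples
    for doc in docs:
        print(summarize(doc), "dangling refs:", dangling_refs(doc))
    for finding in compare(*docs):
        print("parity:", finding)
```

Run it against the `bom.xml` and `syft.bom` files from the reproduction commands to see the same two findings the thread describes (schema version mismatch, vulnerabilities section present on only one side); the dangling-ref check is the extra thing worth keeping once both tools emit 1.4, since a vulnerability whose `affects` ref matches no component is silently unattributable downstream.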