Open knqyf263 opened 1 year ago
Some additional consideration: if someone wants to create an [output plugin](https://aquasecurity.github.io/trivy/v0.50/docs/configuration/reporting/#plugin) that operates on an SBOM, they can't as of today, since the `--output` flag is used both to control SBOM output and to control the output plugin.
The design of output plugins assumes the plugin input is always a native Trivy JSON, and the plugin should convert it to whatever it needs, which is fine, but there's no way for the user to specify that they want to create an SBOM (if they used the `--output plugin=` option).
In this case, I would expect the SBOM output plugin to generate a Trivy SBOM JSON, and the plugin to be able to use a Trivy library to convert it to the desired SBOM format and process it.
Description
Currently, we have the `--scanners` flag, which supports the following options: vuln, misconf, secret, and license. To align with this structure, I'm considering renaming the `--list-all-pkgs` flag to `--scanners sbom`. This proposed change aims to:
However, I have a concern: while vuln, misconf, secret, and license are directly tied to security issues, the Software Bill of Materials (SBOM) is not directly a security concern. It's more about transparency and understanding the components within a software. By grouping it under the --scanners flag, there might be a potential for confusion among users regarding its purpose.
I'd appreciate feedback from the community on this proposal.
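To make the plugin model under discussion concrete, here is an added example of what an SBOM output plugin would look like today. This is illustrative code written for this thread, not Trivy's own plugin or library code. It assumes that Trivy pipes its native JSON report to the plugin on stdin when `--output plugin=...` is used, and that with `--list-all-pkgs` each entry in `Results[]` carries a `Packages[]` list with `Name` and `Version` fields (field names as understood from Trivy's JSON report; verify against your Trivy version). The sample report embedded below is constructed for the example. The plugin converts the report into a CycloneDX-shaped SBOM and, rather than silently emitting an empty BOM, fails when the report contains no package list, which is exactly the case the thread describes: the user cannot currently tell Trivy "I want an SBOM" through the plugin option, so the plugin only works if `--list-all-pkgs` happened to be set.

```python
"""Illustrative Trivy output plugin: native Trivy JSON report -> CycloneDX-style SBOM.

Example code for this issue thread, not Trivy's own code. Assumptions (not from
the thread): Trivy writes its native JSON report to the plugin's stdin, and the
report has Results[].Packages[] with Name/Version when --list-all-pkgs is given.
"""
import json
import sys
import uuid

# Map Trivy result types to package-URL types for the purls we emit.
# Only a handful are listed here; anything else falls back to "generic".
PURL_TYPES = {
    "alpine": "apk/alpine",
    "debian": "deb/debian",
    "ubuntu": "deb/ubuntu",
    "npm": "npm",
    "pip": "pypi",
    "gomod": "golang",
}


def purl_for(pkg_type, name, version):
    """Build a package URL for one package; unknown ecosystems use pkg:generic."""
    base = PURL_TYPES.get(pkg_type, "generic")
    return f"pkg:{base}/{name}@{version}"


def collect_packages(report):
    """Return deduplicated (type, name, version) tuples from every Result.

    Raises ValueError when no Result carries a Packages list, which is what a
    report produced without --list-all-pkgs looks like: there is nothing to
    build an SBOM from, and emitting an empty BOM would hide that.
    """
    seen = set()
    packages = []
    found_packages_key = False
    for result in report.get("Results") or []:
        if "Packages" not in result:
            continue
        found_packages_key = True
        for pkg in result["Packages"]:
            key = (result.get("Type", ""), pkg["Name"], pkg.get("Version", ""))
            if key not in seen:
                seen.add(key)
                packages.append(key)
    if not found_packages_key:
        raise ValueError("report contains no Packages; re-run trivy with --list-all-pkgs")
    return packages


def to_cyclonedx(report):
    """Convert a native Trivy report dict into a minimal CycloneDX 1.5 document."""
    components = [
        {
            "type": "library",
            "name": name,
            "version": version,
            "purl": purl_for(pkg_type, name, version),
        }
        for pkg_type, name, version in collect_packages(report)
    ]
    is_image = report.get("ArtifactType") == "container_image"
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "component": {
                "type": "container" if is_image else "application",
                "name": report.get("ArtifactName", "unknown"),
            }
        },
        "components": components,
    }


# Constructed sample in the shape of `trivy image --format json --list-all-pkgs`.
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "alpine:3.19",
    "ArtifactType": "container_image",
    "Results": [
        {
            "Target": "alpine:3.19 (alpine 3.19.1)",
            "Class": "os-pkgs",
            "Type": "alpine",
            "Packages": [
                {"Name": "musl", "Version": "1.2.4_git20230717-r4"},
                {"Name": "busybox", "Version": "1.36.1-r15"},
            ],
        }
    ],
}


def main():
    # Plugin entry point: read Trivy's JSON from stdin, write the SBOM to stdout.
    report = json.load(sys.stdin)
    try:
        bom = to_cyclonedx(report)
    except ValueError as exc:
        sys.exit(f"sbom plugin: {exc}")
    json.dump(bom, sys.stdout, indent=2)


if __name__ == "__main__":
    main()
```

Run it as `python3 sbom_plugin.py < report.json` to see the conversion, or feed it a report produced without `--list-all-pkgs` to see the failure path. The point of the `ValueError` is the one the thread makes: as long as the plugin option and the SBOM request share `--output`, the plugin can only detect after the fact whether it was given enough data, and a clean error beats an empty SBOM that looks valid.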