Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
fix(bitnami): use `purl` to detect `bitnami` pkg name #6981
Closed
DmitriyLewen closed 2 weeks ago
Description
We use the package name field instead of the purl to detect the package name, to avoid case-insensitivity issues: https://github.com/aquasecurity/trivy/blob/c3192f061d7e84eaf38df8df7c879dc00b4ca137/pkg/sbom/io/decode.go#L249-L266

But bitnami is more focused on purl. So after discussion we decided to use purl for bitnami packages. See https://github.com/aquasecurity/trivy/discussions/6954#discussioncomment-9826703

Discussed in https://github.com/aquasecurity/trivy/discussions/6954