aquasecurity / trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
https://aquasecurity.github.io/trivy
Apache License 2.0

fix(bitnami): use `purl` to detect `bitnami` pkg name #6981

Closed DmitriyLewen closed 2 weeks ago

DmitriyLewen commented 2 weeks ago

Description

We use the package name field instead of purl to detect the package name to avoid case-insensitive issues: https://github.com/aquasecurity/trivy/blob/c3192f061d7e84eaf38df8df7c879dc00b4ca137/pkg/sbom/io/decode.go#L249-L266

But bitnami is more focused on purl. So after discussion we decided to use purl for bitnami packages. See https://github.com/aquasecurity/trivy/discussions/6954#discussioncomment-9826703

Discussed in https://github.com/aquasecurity/trivy/discussions/6954