project-zot / zot

zot - A scale-out production-ready vendor-neutral OCI-native container image/artifact registry (purely based on OCI Distribution Specification)
https://zotregistry.dev
Apache License 2.0

[Feat]: support CVE scans using SBOM when available #2415

Open rchincha opened 4 months ago

rchincha commented 4 months ago

Is your feature request related to a problem? Please describe.

zot has support for OCI artifacts (v1.1.0) and when a SBOM is pushed, we can leverage the SBOM scanning ability from trivy to do:

  1. a lightweight scan
  2. CVE scans even when storage is remote (since no unpacking is needed)

Describe the solution you'd like

If remote storage is detected and a SBOM artifact is found, then use that for CVE scans.

Describe alternatives you've considered

No response

Additional context

No response

rchincha commented 3 months ago

trivy sbom <sbom-file>

rchincha commented 3 months ago
  1. If an SBOM is available via referrer for an image, then "download" it
  2. Else, cannot scan the image
  3. If 1. then CVE scan against SBOM

^ first cut, for remote cloud storage case.
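As an added example (not zot's code and not posted in this thread), a Go sketch of steps 1-3 above applied to an OCI referrers-API index: pick the SBOM referrer, refuse to scan when none is attached, and build the `trivy sbom` command. It assumes SBOMs are identified by the SPDX/CycloneDX JSON artifactTypes and that the SBOM blob has already been downloaded to a local path; the sample index, its digests and the `vnd.example` artifactType are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Descriptor is the subset of an OCI content descriptor needed to pick an SBOM.
type Descriptor struct {
	MediaType    string `json:"mediaType"`
	Digest       string `json:"digest"`
	ArtifactType string `json:"artifactType,omitempty"`
}
// artifactType values accepted as SBOMs (assumed: the SPDX/CycloneDX JSON formats `trivy sbom` reads).
var sbomArtifactTypes = map[string]bool{
	"application/spdx+json":          true,
	"application/vnd.cyclonedx+json": true,
}
var ErrNoSBOM = errors.New("no SBOM referrer: image cannot be scanned from remote storage")

// FindSBOMReferrer parses a referrers-API index and returns the first SBOM descriptor (step 1).
func FindSBOMReferrer(indexJSON []byte) (*Descriptor, error) {
	var idx struct{ Manifests []Descriptor `json:"manifests"` }
	if err := json.Unmarshal(indexJSON, &idx); err != nil {
		return nil, fmt.Errorf("parse referrers index: %w", err)
	}
	for i := range idx.Manifests {
		if sbomArtifactTypes[idx.Manifests[i].ArtifactType] {
			return &idx.Manifests[i], nil
		}
	}
	return nil, ErrNoSBOM // step 2: no SBOM attached, so the remote image cannot be scanned
}

// PlanScan returns the `trivy sbom` argv for step 3, given where the SBOM blob was downloaded.
func PlanScan(indexJSON []byte, sbomPath string) ([]string, error) {
	if _, err := FindSBOMReferrer(indexJSON); err != nil {
		return nil, err
	}
	return []string{"trivy", "sbom", sbomPath}, nil
}
// Constructed referrers index: one unrelated artifact, then an SPDX SBOM (placeholder digests).
const sampleReferrers = `{"schemaVersion":2,"manifests":[
{"mediaType":"application/vnd.oci.image.manifest.v1+json","digest":"sha256:placeholder1","artifactType":"application/vnd.example.notes+json"},
{"mediaType":"application/vnd.oci.image.manifest.v1+json","digest":"sha256:placeholder2","artifactType":"application/spdx+json"}]}`
func main() {
	argv, err := PlanScan([]byte(sampleReferrers), "/tmp/sbom.spdx.json")
	fmt.Println(argv, err) // [trivy sbom /tmp/sbom.spdx.json] <nil>
}
```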

ADorigi commented 1 month ago

Hi @rchincha

I am willing to work on this issue.

From what I can understand, we have a ScanImage method which has been implemented for trivy.

I think the following logic flow will satisfy this requirement:

Please let me know if I can proceed with the implementation.