As it stands, we're using trivy as the SBOM scanner in insights-handler, but generating SBOMs with syft on the remote side.
This has led to issues with format incompatibilities across the two tools - specifically, an update to the CycloneDX format wasn't tracked in both tools and led to a fatal crash in the handler.
This brings the insights generation in line, tooling-wise, by replacing grype with trivy for SBOM generation.