Different results scanning PHP SBOMs generated by cdxgen and Syft #2037

Labels: bug (Something isn't working)

What happened:

I'm working on detecting vulns in a PHP project and I get quite different results when scanning, and I'm not sure if it's expected or if there could be something to improve in Grype, Syft or cdxgen. I've created a minimal example to demonstrate the problem.

cdxgen + Grype:

Syft + Grype:

As we can see, completely different vulns are detected.

What you expected to happen:

Same results in the two scenarios.

How to reproduce it (as minimally and precisely as possible):

PHP `composer.json`:

`composer.lock` (generated via `composer update --no-install`):

Commands to generate SBOMs:

Generated `cdxgen.json` SBOM:

Generated `syft.json` SBOM:

Anything else we need to know?:

It looks like the significant difference between the SBOMs is that cdxgen splits the name and group:

OTOH, Syft doesn't:

Other scanners (osv-scanner, Trivy, `composer audit`) detect only Yii2 vulns in `composer.lock`.

Environment:

`grype version`:

Comments

Looks related: anchore/syft#1202, anchore/syft#2981.

I see a similar problem with other SBOMs. SBOM by cdxgen:

```json
"group": "@colors",
"name": "colors",
"version": "1.5.0",
```

SBOM by Syft:

```json
"name": "@colors/colors",
"version": "1.5.0",
```

This leads to a false positive GHSA-gh88-3pxp-6fm8 on scanning cdxgen's SBOM:
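Both the issue body (cdxgen splitting a composer `vendor/package` into `group` + `name`, Syft keeping it joined) and the comment (`@colors/colors`) describe the same mismatch, and it is the mismatch a scanner that keys on the raw `name` field trips over. As an added example, not code from Grype, Syft or cdxgen, the script below compares two CycloneDX SBOMs on a canonical identity derived from the `purl` (or, when no purl is present, from `group` joined to `name`) and shows that the raw-name diff reports every component while the normalized diff reports none. The two SBOM fragments, the `psr/log` component and all versions are constructed for the example; `parse_purl` is a deliberately minimal purl parser, not the official library.

```python
"""Compare two CycloneDX SBOMs by canonical package identity instead of the raw "name".

Added example (not code from Grype, Syft or cdxgen). The SBOM fragments are constructed
to mirror the shapes described in the issue: cdxgen emits group + name, Syft emits the
joined "vendor/package" (or "@scope/name") as name.
"""
from urllib.parse import unquote

# cdxgen-style (constructed): vendor/scope in "group", bare package in "name"
CDXGEN_SBOM = {
    "bomFormat": "CycloneDX",
    "components": [
        {"group": "yiisoft", "name": "yii2", "version": "2.0.45",
         "purl": "pkg:composer/yiisoft/yii2@2.0.45"},
        {"group": "@colors", "name": "colors", "version": "1.5.0",
         "purl": "pkg:npm/%40colors/colors@1.5.0"},
        {"group": "psr", "name": "log", "version": "3.0.0"},  # no purl: exercises the fallback
    ],
}

# Syft-style (constructed): namespace already joined into "name", no "group"
SYFT_SBOM = {
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "yiisoft/yii2", "version": "2.0.45",
         "purl": "pkg:composer/yiisoft/yii2@2.0.45"},
        {"name": "@colors/colors", "version": "1.5.0",
         "purl": "pkg:npm/%40colors/colors@1.5.0"},
        {"name": "psr/log", "version": "3.0.0"},
    ],
}


def parse_purl(purl):
    """Minimal package-url parser: returns (type, namespace, name, version).

    Qualifiers ("?...") and subpath ("#...") are dropped. An "@" only counts as the
    version separator when it comes after the last "/", so a raw (unencoded) npm scope
    such as "@colors" in the namespace is not mistaken for a version.
    """
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a package-url: {purl!r}")
    body = purl[len("pkg:"):].lstrip("/")
    body = body.split("?", 1)[0].split("#", 1)[0]
    last_slash = body.rfind("/")
    last_at = body.rfind("@")
    if last_at > last_slash:
        path, version = body[:last_at], body[last_at + 1:]
    else:
        path, version = body, None
    segments = [unquote(s) for s in path.split("/") if s]
    if len(segments) < 2:
        raise ValueError(f"purl has no name: {purl!r}")
    ptype = segments[0].lower()
    name = segments[-1]
    namespace = "/".join(segments[1:-1]) or None
    return ptype, namespace, name, version


def component_key(component):
    """Canonical identity (type, namespace/name, version) for a CycloneDX component.

    Prefer the purl, which both generators emit in the same form. Without a purl, join
    "group" and "name" the way Syft already does, unless "name" carries the prefix already.
    """
    purl = component.get("purl")
    if purl:
        ptype, namespace, name, version = parse_purl(purl)
        full_name = f"{namespace}/{name}" if namespace else name
        return ptype, full_name, version
    group = component.get("group")
    name = component["name"]
    if group and not name.startswith(group + "/"):
        name = f"{group}/{name}"
    return None, name, component.get("version")


def naive_keys(sbom):
    """What a matcher that keys on the raw "name" field sees."""
    return {(c["name"], c.get("version")) for c in sbom["components"]}


def normalized_keys(sbom):
    return {component_key(c) for c in sbom["components"]}


def sbom_diff(keys_a, keys_b):
    """Return (only_in_a, only_in_b); two empty lists mean the same package set."""
    return sorted(keys_a - keys_b, key=repr), sorted(keys_b - keys_a, key=repr)


if __name__ == "__main__":
    print("raw-name diff:", sbom_diff(naive_keys(CDXGEN_SBOM), naive_keys(SYFT_SBOM)))
    print("normalized diff:", sbom_diff(normalized_keys(CDXGEN_SBOM), normalized_keys(SYFT_SBOM)))
```

Run it against real `cdxgen.json` and `syft.json` by loading each with `json.load` and passing the dicts to `normalized_keys`; any component left in the normalized diff is a genuine difference in what the two generators found, not a naming artifact, and is worth investigating before comparing scanner results.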