
discover sbom in OCI registry #3735

Closed
itaysk opened this issue Mar 1, 2023 · 4 comments · Fixed by #3768
Labels
kind/feature Categorizes issue or PR as related to a new feature. scan/sbom Issues relating to SBOM target/container-image Issues relating to container image scanning
Comments

@itaysk
Contributor

itaysk commented Mar 1, 2023

When scanning a container image, Trivy should check whether there's an associated SBOM in the registry and, if so, use it instead of analyzing the image, similar to how `trivy image --sbom-source rekor` works. This should be possible with the new OCI Reference Types specs:
opencontainers/image-spec#934

@itaysk itaysk added kind/feature Categorizes issue or PR as related to a new feature. scan/vulnerability Issues relating to vulnerability scanning target/container-image Issues relating to container image scanning labels Mar 1, 2023
@itaysk itaysk added this to the v0.39.0 milestone Mar 1, 2023
@itaysk itaysk added scan/sbom Issues relating to SBOM and removed scan/vulnerability Issues relating to vulnerability scanning labels Mar 1, 2023
@caozhuozi

caozhuozi commented Dec 30, 2024

What would happen if multiple SBOMs are attached? Which one will be used?

According to the implementation in #3768, is the first one returned by the referrers API used?

@caozhuozi

caozhuozi commented Dec 30, 2024

Typically, an image's SBOM will expire in terms of vulnerabilities, so there will be situations where we regularly attach new SBOMs to images.

If so, wouldn't it be more reasonable to use the latest one by default?

@itaysk
Contributor Author

itaysk commented Dec 30, 2024

Thanks for the suggestion. If I recall correctly, we did discuss this already when building the feature, and the challenge was that there's no native creation date field in the artifact spec, only an annotation that CAN be added by the artifact submitter. Trivy's referrer plugin does populate this annotation, and therefore supports sorting artifacts by creation date. If you have a good suggestion for how to handle this or want to discuss this further, please open a new feature enhancement discussion.
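To make the selection problem discussed in this thread concrete, here is an added example in Go (not Trivy's code and not the implementation in #3768) of choosing one SBOM among the referrers returned for an image. It assumes the OCI standard `org.opencontainers.image.created` annotation is the creation-time annotation the comment above refers to, and it assumes two SBOM artifact types (CycloneDX and SPDX JSON); the descriptor type, the sample referrers, the digests and the signature artifact type are all constructed for the example. SBOMs that carry a parseable created annotation are preferred and the newest wins; when none carry it, the example falls back to the first SBOM in API order, which is the behaviour the thread describes for the current implementation.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"time"
)

// Descriptor holds the OCI descriptor fields this selection logic needs.
// Constructed, simplified type for the example; not Trivy's or an OCI library's type.
type Descriptor struct {
	Digest       string
	ArtifactType string
	Annotations  map[string]string
}

// createdAnnotation is the standard OCI annotation key for creation time.
// Assumed here: the thread only says "an annotation" the submitter can add.
const createdAnnotation = "org.opencontainers.image.created"

// sbomArtifactTypes lists the artifact types treated as SBOMs. Assumed values;
// the thread does not name the types Trivy's referrer plugin uses.
var sbomArtifactTypes = map[string]bool{
	"application/vnd.cyclonedx+json": true,
	"application/spdx+json":          true,
}

type datedSBOM struct {
	desc    Descriptor
	created time.Time
}

// pickSBOM chooses one SBOM among the referrers returned for an image.
// Non-SBOM referrers (signatures, attestations, ...) are ignored.
func pickSBOM(referrers []Descriptor) (Descriptor, error) {
	var dated []datedSBOM
	var fallback *Descriptor
	for i := range referrers {
		r := referrers[i]
		if !sbomArtifactTypes[r.ArtifactType] {
			continue
		}
		if fallback == nil {
			// First SBOM in API order: used when no SBOM carries a usable timestamp.
			fallback = &referrers[i]
		}
		if v, ok := r.Annotations[createdAnnotation]; ok {
			// An unparseable timestamp is treated as absent rather than failing the scan.
			if t, err := time.Parse(time.RFC3339, v); err == nil {
				dated = append(dated, datedSBOM{desc: r, created: t})
			}
		}
	}
	if len(dated) > 0 {
		// Stable sort keeps API order among SBOMs with equal timestamps.
		sort.SliceStable(dated, func(a, b int) bool {
			return dated[a].created.After(dated[b].created)
		})
		return dated[0].desc, nil
	}
	if fallback != nil {
		return *fallback, nil
	}
	return Descriptor{}, errors.New("no SBOM referrer found for image")
}

// sampleReferrers is constructed input standing in for a referrers API response:
// one signature, one undated SBOM and two dated SBOMs in non-chronological order.
func sampleReferrers() []Descriptor {
	return []Descriptor{
		{Digest: "sha256:placeholder-a", ArtifactType: "application/vnd.example.signature+json"},
		{Digest: "sha256:placeholder-b", ArtifactType: "application/vnd.cyclonedx+json"},
		{Digest: "sha256:placeholder-c", ArtifactType: "application/vnd.cyclonedx+json",
			Annotations: map[string]string{createdAnnotation: "2024-06-01T10:00:00Z"}},
		{Digest: "sha256:placeholder-d", ArtifactType: "application/spdx+json",
			Annotations: map[string]string{createdAnnotation: "2024-12-01T10:00:00Z"}},
	}
}

func main() {
	d, err := pickSBOM(sampleReferrers())
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("selected SBOM:", d.Digest, d.ArtifactType)
}
```

Because the created annotation is set by whoever pushes the referrer, "newest" only means what the pushing party claims; a scanner that trusts it should also verify a signature or attestation on the chosen SBOM before substituting it for an image analysis, otherwise a stale or unrelated SBOM with a recent timestamp would silently win.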

@caozhuozi

@itaysk Thank you for providing the detailed background to this question! 💗
