Originally posted by javierfreire September 1, 2023

Description

Trivy generates invalid purls due to a final slash. Example:

pkg:golang/./private_repos/cnrm.googlesource.com/cnrm/@%28devel%29

Desired Behavior

All the purls are valid

Actual Behavior

The SPDX generated includes invalid purls like

```json
{
  "name": "./private_repos/cnrm.googlesource.com/cnrm/",
  "SPDXID": "SPDXRef-Package-8af38db75eabab2a",
  "versionInfo": "(devel)",
  "supplier": "NOASSERTION",
  "downloadLocation": "NONE",
  "licenseConcluded": "NONE",
  "licenseDeclared": "NONE",
  "copyrightText": "",
  "externalRefs": [
    {
      "referenceCategory": "PACKAGE-MANAGER",
      "referenceType": "purl",
      "referenceLocator": "pkg:golang/./private_repos/cnrm.googlesource.com/cnrm/@%28devel%29"
    }
  ],
  "attributionTexts": [
    "LayerDigest: sha256:d91b0bf3062475915a26bfbed055cd9544802b07df8fd11b29f47e63932e291d",
    "LayerDiffID: sha256:aee734b82faf27cee18e8619a5e5bb100ed544eaeaa2d6eebd574b180cc661a7"
  ],
  "primaryPackagePurpose": "LIBRARY"
},
```

Reproduction Steps

```
$ trivy image bitnami/google-cloud-sdk:0.444.0 --format spdx-json
```

Target

Container Image

Scanner

None

Output Format

SPDX

Mode

Standalone

Debug Output

```
$ trivy image bitnami/google-cloud-sdk:0.444.0 --format spdx-json --debug
2023-09-01T10:29:31.871+0200 DEBUG ["cyclonedx" "spdx" "spdx-json" "github"] automatically enables '--list-all-pkgs'.
2023-09-01T10:29:31.871+0200 DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-09-01T10:29:31.872+0200 DEBUG Ignore statuses {"statuses": null}
2023-09-01T10:29:31.872+0200 INFO "--format spdx" and "--format spdx-json" disable security scanning
2023-09-01T10:29:31.879+0200 DEBUG cache dir: /home/fjavier/.cache/trivy
2023-09-01T10:29:33.665+0200 DEBUG Image ID: sha256:39d35ef16bb0c3f138134016c25ff29a04eab94c7991f30ea0b2e9c7f4912d90
2023-09-01T10:29:33.665+0200 DEBUG Diff IDs: [sha256:aee734b82faf27cee18e8619a5e5bb100ed544eaeaa2d6eebd574b180cc661a7]
2023-09-01T10:29:33.665+0200 DEBUG Base Layers: []
```

Operating System

Ubuntu 23.04

Version

```
Version: 0.45.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-09-01 06:12:26.321581659 +0000 UTC
  NextUpdate: 2023-09-01 12:12:26.321581259 +0000 UTC
  DownloadedAt: 2023-09-01 06:46:30.004219829 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-08-21 00:57:30.973349538 +0000 UTC
  NextUpdate: 2023-08-24 00:57:30.973348738 +0000 UTC
  DownloadedAt: 2023-08-21 12:17:26.687255254 +0000 UTC
```

Checklist

trivy image --reset
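An added example, not Trivy's own code, showing why a trailing slash in the module path yields a purl with an empty name, and a check that flags such purls when scanning an SBOM's referenceLocator values. The helpers GolangPurl and PurlHasName are my own names, and GolangPurl deliberately mirrors the report by leaving the module path itself unencoded.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// GolangPurl builds a pkg:golang purl from a Go module path and version
// (hypothetical helper, not Trivy's). The purl name is the last path
// segment, so a trailing slash must be stripped first: without that step
// "./private_repos/cnrm.googlesource.com/cnrm/" has an empty name and the
// result is the invalid "pkg:golang/.../cnrm/@%28devel%29" from the report.
func GolangPurl(modulePath, version string) (string, error) {
	p := strings.TrimRight(modulePath, "/")
	if name := p[strings.LastIndex(p, "/")+1:]; name == "" {
		return "", errors.New("purl: empty package name for " + modulePath)
	}
	purl := "pkg:golang/" + p
	if version != "" {
		purl += "@" + url.PathEscape(version) // "(devel)" -> "%28devel%29"
	}
	return purl, nil
}

// PurlHasName reports whether a purl string has a non-empty name component,
// i.e. the last path segment before any '@' version or '?' qualifiers.
// Running it over an SBOM's purls flags entries like the one in the report.
func PurlHasName(purl string) bool {
	rest := strings.TrimPrefix(purl, "pkg:")
	if rest == purl {
		return false // not a purl at all
	}
	if i := strings.IndexAny(rest, "@?#"); i >= 0 {
		rest = rest[:i]
	}
	parts := strings.Split(rest, "/") // type, [namespace...], name
	return len(parts) >= 2 && parts[len(parts)-1] != ""
}

func main() {
	bad := "pkg:golang/./private_repos/cnrm.googlesource.com/cnrm/@%28devel%29"
	fmt.Println(PurlHasName(bad)) // false
	good, _ := GolangPurl("./private_repos/cnrm.googlesource.com/cnrm/", "(devel)")
	fmt.Println(good, PurlHasName(good)) // pkg:golang/.../cnrm@%28devel%29 true
}
```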
https://aquasecurity.github.io/trivy/v0.45/community/contribute/discussion/
Discussed in #5084