GitHub SBOMs are not compatible with the industry-standard tool Grype for detecting vulnerabilities.
Consider the Zarf project (link), for which we extract one SBOM from GitHub's own service and one from the code of their latest release.
Running Grype on the self-produced SBOM yields a few vulnerabilities:
Actual Behavior
Running Grype on the SBOM from GitHub's service finds no vulnerabilities:
Expected Behavior
Running Grype on GitHub's SBOM finds the vulnerabilities.
Cause
This is because GitHub SBOMs do not follow the same naming convention as Grype. GitHub prefixes all component names with "go:", and Grype then does not recognize them,
e.g. one dependency contained within the project, "github.com/mholt/archiver/v3".
Solution
If we manually remove the prefix "go:" from the dependency name in the GitHub SBOM, save the file and run Grype again, the vulnerability is found.
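The manual fix above can be scripted. The following is an added example, not code from the discussion author, the Zarf project, GitHub or Grype: it loads an SPDX JSON SBOM, strips the "go:" prefix from every package name, and writes the normalized document back out so Grype can match the Go modules. The assumed layout (a top-level "packages" array whose entries carry "name", "SPDXID" and "versionInfo") is the standard SPDX 2.x JSON shape; the sample document embedded below is constructed for illustration and is not the real Zarf SBOM.

```python
import copy
import json
import sys

# Constructed sample: a minimal SPDX 2.3 JSON document with the "go:" prefix
# that the discussion reports on GitHub-exported package names. One non-Go
# entry is included to show that other ecosystems are left untouched.
SAMPLE_SBOM = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example/zarf-sbom (constructed)",
    "packages": [
        {"name": "go:github.com/mholt/archiver/v3", "SPDXID": "SPDXRef-pkg-1", "versionInfo": "3.5.1"},
        {"name": "go:github.com/example/lib", "SPDXID": "SPDXRef-pkg-2", "versionInfo": "1.0.0"},
        {"name": "npm:lodash", "SPDXID": "SPDXRef-pkg-3", "versionInfo": "4.17.21"},
    ],
}

GO_PREFIX = "go:"  # the prefix the discussion says GitHub adds to Go component names


def strip_go_prefix(sbom: dict, prefix: str = GO_PREFIX) -> tuple[dict, int]:
    """Return a copy of the SBOM with `prefix` removed from package names.

    The input document is not modified. The second return value is the number
    of package names that were rewritten, which is useful as a sanity check
    (zero rewrites on a GitHub export usually means the wrong file was given).
    """
    fixed = copy.deepcopy(sbom)
    rewritten = 0
    for pkg in fixed.get("packages", []):
        name = pkg.get("name", "")
        if name.startswith(prefix):
            pkg["name"] = name[len(prefix):]
            rewritten += 1
    return fixed, rewritten


def go_package_names(sbom: dict) -> list[str]:
    """List the package names as Grype will see them (after normalization)."""
    return [pkg["name"] for pkg in sbom.get("packages", [])]


def rewrite_sbom_file(in_path: str, out_path: str) -> int:
    """Load an SPDX JSON SBOM from disk, normalize it, and write the result."""
    with open(in_path, "r", encoding="utf-8") as fh:
        sbom = json.load(fh)
    fixed, rewritten = strip_go_prefix(sbom)
    with open(out_path, "w", encoding="utf-8") as fh:
        json.dump(fixed, fh, indent=2)
    return rewritten


if __name__ == "__main__":
    # Usage: python fix_sbom.py <github-export.spdx.json> <fixed.spdx.json>
    # Without arguments, demonstrate on the constructed sample document.
    if len(sys.argv) == 3:
        n = rewrite_sbom_file(sys.argv[1], sys.argv[2])
        print(f"rewrote {n} package name(s) into {sys.argv[2]}")
    else:
        fixed_doc, n = strip_go_prefix(SAMPLE_SBOM)
        print(f"rewrote {n} package name(s):")
        for name in go_package_names(fixed_doc):
            print("  ", name)
```

After writing the normalized file, point Grype at it with `grype sbom:fixed.spdx.json`, which is the same invocation as for the self-produced SBOM. Keeping the original export unchanged and writing a separate file makes it easy to diff the two and confirm that only the "go:" prefix was removed.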