Hello @bpapez At the moment I assume the following points:
If I'm right, I think the best solution for you is to populate
Regards, Dmitriy
Related issue - aquasecurity/trivy-java-db#28
Description
In our project we create the SBOM with the Trivy image scan (format cyclonedx). Since Trivy version 0.49.0 the SBOM no longer contains several JARs that use a qualifier other than SNAPSHOT.
Desired Behavior
Dependencies with custom qualifiers in the version should still be detected and listed in the SBOM.
Actual Behavior
For instance jasypt-1.9.3-lite.jar. The log shows
although it exists in a central repository (see link above). It still worked correctly with Trivy 0.48.3.
We have about 30 dependencies like that, which have now disappeared from the SBOM. Some of these JARs are built by us from forked repositories, where we either backported a patch or had to make a JAR work well with OSGi. For that we keep the same version but add a custom qualifier, which is a valid practice. Dependency Track was also able to report vulnerabilities on them, therefore it is important that such files do not simply get removed from the SBOM.
For now we have to stick with Trivy 0.48.3. Could this get fixed again please, or is there an option we could use to still get a correct SBOM with the latest Trivy? I tried --offline-scan, but that did not make a difference.
Reproduction Steps
Target
Container Image
Scanner
None
Output Format
CycloneDX
Mode
Standalone
Debug Output
Operating System
I use the provided Docker image on different OS
Version
Checklist
trivy image --reset
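An added check for the situation this report describes (example code, not Trivy's own): it parses two CycloneDX JSON SBOMs produced for the same image, lists the library components that disappeared between them, and flags Maven-style versions whose qualifier is something other than SNAPSHOT. The two SBOM documents are constructed samples, not real Trivy output.

```python
import json
import re

# Constructed, minimal CycloneDX JSON documents standing in for the SBOMs that
# `trivy image --format cyclonedx` writes for one image with two Trivy versions.
# Only the fields this check reads (type, group, name, version) are included.
SBOM_OLD_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "group": "org.jasypt", "name": "jasypt", "version": "1.9.3-lite"},
    {"type": "library", "group": "org.apache.commons", "name": "commons-lang3", "version": "3.12.0"},
    {"type": "library", "group": "com.example", "name": "internal-lib", "version": "2.0.0-SNAPSHOT"}
  ]
}"""
SBOM_NEW_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "group": "org.apache.commons", "name": "commons-lang3", "version": "3.12.0"},
    {"type": "library", "group": "com.example", "name": "internal-lib", "version": "2.0.0-SNAPSHOT"}
  ]
}"""
SBOM_OLD = json.loads(SBOM_OLD_JSON)
SBOM_NEW = json.loads(SBOM_NEW_JSON)

# Maven-style version: numeric base plus an optional "-qualifier" (SNAPSHOT, lite, ...).
VERSION_RE = re.compile(r"^(?P<base>\d+(?:\.\d+)*)(?:-(?P<qualifier>[A-Za-z0-9._-]+))?$")


def split_qualifier(version: str):
    """Return (base, qualifier) for a Maven-style version; qualifier is None if absent."""
    m = VERSION_RE.match(version)
    if not m:
        return version, None
    return m.group("base"), m.group("qualifier")


def library_keys(sbom: dict):
    """Set of (group, name, version) for every library component in a CycloneDX dict."""
    return {(c.get("group", ""), c["name"], c["version"])
            for c in sbom.get("components", []) if c.get("type") == "library"}


def dropped_components(old_sbom: dict, new_sbom: dict):
    """Libraries present in the older SBOM but missing from the newer one, sorted."""
    return sorted(library_keys(old_sbom) - library_keys(new_sbom))


def custom_qualifier_components(sbom: dict):
    """Libraries whose version carries a qualifier other than SNAPSHOT."""
    return sorted(k for k in library_keys(sbom) if split_qualifier(k[2])[1] not in (None, "SNAPSHOT"))


if __name__ == "__main__":
    for group, name, version in dropped_components(SBOM_OLD, SBOM_NEW):
        print(f"dropped: {group}:{name}:{version} (qualifier={split_qualifier(version)[1]})")
```

Run it against the two real SBOM files by replacing the constructed strings with the contents of the 0.48.3 and 0.49.0 outputs; the dropped list is what to compare against the Dependency Track inventory.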