Replies: 4 comments 2 replies
@DmitriyLewen Could you take a look when you have time?
Hello @obormot
This is a bit of an odd use of the group field. But I didn't see that. Regards, Dmitriy
We use the group field to point at Python virtualenvs (the same package may appear in multiple venvs). I don't think this affects the issue in question.
Experimented with this a bit. Basically, having any group name (with forward slash characters or without) breaks things in Trivy 0.50.0.
Description
A CycloneDX 1.4 spec JSON SBOM file generated outside of Trivy worked well with 0.49.1 and prior, and is now broken starting with 0.50.0 (zero vulnerabilities returned). Debug output shows SBOM parsing errors:
Skipping a component with an unsupported type {"name": "/usr/share/python/xyz", "version": "", "type": ""}
while the `type` is actually set to `library`.
Desired Behavior
Behavior should be consistent with trivy 0.49.1 shown below.
Actual Behavior
Parsing errors resulting in zero vulnerabilities reported against a SBOM.
Reproduction Steps
Target: SBOM
Scanner: Vulnerability
Output Format: Table
Mode: Standalone
Debug Output
Operating System: Ubuntu focal
Version
Checklist
trivy image --reset
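The thread's reproduction is that a CycloneDX 1.4 component carrying a `group` value (a virtualenv path, with or without slashes) makes Trivy 0.50.0 log "unsupported type" even though the document says `type: library`. The script below is an added example, not code from the thread or from Trivy: it builds a constructed minimal SBOM in that shape, checks that the document itself carries a non-empty `type` on every component (so the message cannot be blamed on the file), and writes two variants, one with `group` and one with `group` stripped, so the two can be fed to the scanner and compared. The package names, versions, purls and the `/usr/share/python/xyz` venv path are assumptions made for the example.

```python
"""Minimal CycloneDX 1.4 reproducer with a `group` field set to a venv path.

Added example for this thread; constructed data, not Trivy code and not the
reporter's real SBOM. Writes one file with `group` and one without so the
scanner's behaviour on each can be compared.
"""
import copy
import json
from typing import Any, Dict, List

# Constructed sample: two library components, one carrying a venv path in `group`
# (the usage the thread describes). Names/versions/purls are assumptions.
SAMPLE_SBOM: Dict[str, Any] = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [
        {
            "type": "library",
            "group": "/usr/share/python/xyz",  # assumed virtualenv path
            "name": "requests",                # constructed package
            "version": "2.31.0",
            "purl": "pkg:pypi/requests@2.31.0",
        },
        {
            "type": "library",
            "name": "urllib3",                 # constructed package, no group
            "version": "1.26.18",
            "purl": "pkg:pypi/urllib3@1.26.18",
        },
    ],
}


def load_sbom(text: str) -> Dict[str, Any]:
    """Parse JSON and check the two fields that identify a CycloneDX document."""
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    if not str(sbom.get("specVersion", "")).startswith("1."):
        raise ValueError("unexpected specVersion")
    return sbom


def components_missing_type(sbom: Dict[str, Any]) -> List[str]:
    """Names of components whose `type` is absent or empty in the document.

    If this list is empty, an 'unsupported type' message with an empty type
    is produced by the consumer, not by the file being scanned.
    """
    return [c.get("name", "") for c in sbom.get("components", []) if not c.get("type")]


def components_with_group(sbom: Dict[str, Any]) -> List[str]:
    """Names of components that carry a non-empty `group`."""
    return [c.get("name", "") for c in sbom.get("components", []) if c.get("group")]


def strip_group(sbom: Dict[str, Any]) -> Dict[str, Any]:
    """Deep copy with `group` removed from every component; purl and type kept."""
    out = copy.deepcopy(sbom)
    for comp in out.get("components", []):
        comp.pop("group", None)
    return out


def write_variants(prefix: str = "repro") -> List[str]:
    """Write the with-group and no-group SBOMs to disk; return the paths."""
    paths: List[str] = []
    variants = (("with-group", SAMPLE_SBOM), ("no-group", strip_group(SAMPLE_SBOM)))
    for suffix, doc in variants:
        path = f"{prefix}-{suffix}.cdx.json"
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(doc, fh, indent=2)
        paths.append(path)
    return paths


if __name__ == "__main__":
    assert components_missing_type(SAMPLE_SBOM) == []
    for written in write_variants():
        print("wrote", written)
```

Run it, then scan each file with `trivy sbom --debug repro-with-group.cdx.json` and `trivy sbom --debug repro-no-group.cdx.json` under the two Trivy versions; if only the with-group file on 0.50.0 logs the "unsupported type" line and reports no findings, that isolates the regression to `group` handling, matching what the reporter observed.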