Question

When I generate an SBOM from the container image (`trivy image --format cyclonedx <container image>`), the golang components' versions have a prefixed 'v' like this:

```json
{
...
"bom-ref": "pkg:golang/cloud.google.com/go/auth/[email protected]",
"version": "v0.2.2"
...
}
```

When the SBOM is generated from the filesystem's go.mod (`trivy fs --format cyclonedx --output sbom.json ./go.mod`), the 'v' is no longer there, like this:

```json
{
...
"bom-ref": "pkg:golang/cloud.google.com/go/auth/[email protected]",
"version": "0.2.2"
...
}
```

When merging both SBOMs to report the container image BOM and the more detailed dependency tree BOM, the components will be duplicated. Is this behavior by design? Is there another way to have a leaner report other than parsing and fixing the SBOM separately?

Target: Filesystem
Scanner: None
Output Format: CycloneDX
Mode: Standalone
Operating System: Linux / Ubuntu 22.04.5 LTS
Version:

```
Version: 0.56.1
Vulnerability DB:
Version: 2
UpdatedAt: 2024-10-03 18:15:28.620721667 +0000 UTC
NextUpdate: 2024-10-04 18:15:28.620721527 +0000 UTC
DownloadedAt: 2024-10-03 23:49:47.474866778 +0000 UTC
Java DB:
Version: 1
UpdatedAt: 2023-10-12 01:06:25.955251423 +0000 UTC
NextUpdate: 2023-10-15 01:06:25.955251023 +0000 UTC
DownloadedAt: 2023-10-12 16:14:20.13451684 +0000 UTC
```
Replies: 1 comment 1 reply
Thanks for your report. As discussed here, we're unsure whether the `v` prefix should be included in the SBOM regarding the golang ecosystem, but it must be consistent in Trivy.

trivy/pkg/dependency/parser/golang/mod/parse.go, line 103 in 2d80769
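An added example, not Trivy's code and not from this thread: a small Go merge that collapses the two spellings of the same Go module when combining an image SBOM with a go.mod SBOM, by keying on the purl with the `v` prefix ignored instead of rewriting either document. The sample SBOM fragments are constructed, and the CycloneDX `dependencies` graph is not handled.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Minimal CycloneDX component subset; the "dependencies" graph is not handled.
type Component struct {
	Name    string `json:"name"`
	Version string `json:"version"`
	PURL    string `json:"purl"`
}

// dedupKey identifies a component while ignoring the Go "v" version prefix,
// so pkg:golang/x@v0.2.2 and pkg:golang/x@0.2.2 collapse into one entry.
func dedupKey(c Component) string {
	i := strings.LastIndex(c.PURL, "@")
	if i < 0 || !strings.HasPrefix(c.PURL, "pkg:golang/") {
		return c.PURL + "|" + c.Name + "@" + c.Version
	}
	return c.PURL[:i+1] + strings.TrimPrefix(c.PURL[i+1:], "v")
}

// MergeJSON parses CycloneDX JSON documents and keeps the first occurrence of
// each component in input order, so the image SBOM's form wins over go.mod's.
func MergeJSON(docs ...string) ([]Component, error) {
	seen, out := map[string]bool{}, []Component{}
	for _, d := range docs {
		var b struct{ Components []Component `json:"components"` }
		if err := json.Unmarshal([]byte(d), &b); err != nil {
			return nil, err
		}
		for _, c := range b.Components {
			if k := dedupKey(c); !seen[k] {
				seen[k] = true
				out = append(out, c)
			}
		}
	}
	return out, nil
}

// Constructed samples: same module with and without the "v" prefix, plus one extra module.
const imageBOM = `{"components":[{"name":"cloud.google.com/go/auth","version":"v0.2.2","purl":"pkg:golang/cloud.google.com/go/auth@v0.2.2"}]}`
const fsBOM = `{"components":[{"name":"cloud.google.com/go/auth","version":"0.2.2","purl":"pkg:golang/cloud.google.com/go/auth@0.2.2"},{"name":"golang.org/x/net","version":"0.30.0","purl":"pkg:golang/golang.org/x/net@0.30.0"}]}`

func main() {
	merged, err := MergeJSON(imageBOM, fsBOM)
	fmt.Println(len(merged), err) // 2 <nil>
}
```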