
feat: [bug description] Location field for component when scanning an SBOM may be inaccurate #4676

Open
anthonyharrison opened this issue Jan 6, 2025 · 1 comment
Labels
enhancement New feature or request

Comments

@anthonyharrison
Contributor

Description

The value of the location field in the JSON report is the location of the component on the local system. When scanning an SBOM, it is unlikely that the product referenced in the SBOM will be installed on the system where cve-bin-tool is being run. The location of the component MAY be included in the SBOM (CycloneDX has an evidence attribute which can include the file path of the component) but it is highly unlikely to be the same as is installed on the system being used.

Why?

The approach followed gives misleading results. For instance, scanning an SBOM for an application deployed using Python 3.9 produces locations for the components installed on the current system (a Python 3.10).

Anything else?

Suggest that populating the location be made optional for SBOMs (with a default of False).

@anthonyharrison anthonyharrison added the enhancement New feature or request label Jan 6, 2025
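As an added illustration of the problem above (example code, not cve-bin-tool's own): a post-processing step that reconciles each report row's location against the evidence the SBOM itself carries, so a path from the scanning host is never presented as where an SBOM component lives. The report field name `location`, the `from_sbom` flag, and the sample SBOM and report rows are constructed assumptions; the `evidence.occurrences[].location` structure is CycloneDX 1.5.

```python
import json

# Constructed CycloneDX 1.5-style SBOM: "requests" carries evidence of where it
# was deployed (a Python 3.9 tree); "urllib3" carries no location evidence.
SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "requests", "version": "2.25.1",
     "evidence": {"occurrences": [
       {"location": "/usr/lib/python3.9/site-packages/requests"}]}},
    {"type": "library", "name": "urllib3", "version": "1.26.5"}
  ]}""")

# Constructed scanner rows in the shape the issue describes: the "location"
# field (assumed name) is wherever the scanning host has the product installed,
# here a Python 3.10 tree that has nothing to do with the SBOM's deployment.
REPORT = [
    {"product": "requests", "version": "2.25.1",
     "location": "/usr/lib/python3.10/site-packages/requests"},
    {"product": "urllib3", "version": "1.26.5",
     "location": "/usr/lib/python3.10/site-packages/urllib3"},
]

def sbom_locations(sbom):
    """Map (name, version) -> set of paths the SBOM evidence asserts."""
    out = {}
    for c in sbom.get("components", []):
        occ = c.get("evidence", {}).get("occurrences", [])
        out[(c["name"], c.get("version"))] = {
            o["location"] for o in occ if "location" in o}
    return out

def reconcile(report, sbom, from_sbom=True):
    """Return report rows with a location the reader can trust.

    For a filesystem scan (from_sbom=False) the local path is kept as-is.
    For an SBOM scan the local path is replaced by the SBOM's own evidence
    when present, and dropped (None) when the SBOM asserts nothing."""
    known = sbom_locations(sbom)
    rows = []
    for r in report:
        loc, src = r.get("location"), "local"
        if from_sbom:
            asserted = known.get((r["product"], r["version"]), set())
            if loc in asserted:
                src = "sbom"
            elif asserted:
                loc, src = sorted(asserted)[0], "sbom"  # first of the SBOM's paths
            else:
                loc, src = None, "unknown"  # local path would mislead; omit it
        rows.append({**r, "location": loc, "location_source": src})
    return rows
```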
@terriko
Contributor

terriko commented Jan 7, 2025

I think this is a duplicate of #4396. But yes, definitely needs fixing.
