Description
The value of the location field in the JSON report is the location of the component on the local system. When scanning an SBOM, it is unlikely that the product referenced in the SBOM will be installed on the system where cve-bin-tool is being run. The location of the component MAY be included in the SBOM (CycloneDX has an evidence attribute which can include the file path of the component) but it is highly unlikely to be the same as is installed on the system being used.
Why?
The approach followed gives misleading results. For instance, scanning an SBOM for an application deployed using Python 3.9 produces locations for the components installed on the current system (a Python 3.10).
Anything else?
Suggest that populating the location be made optional for SBOMs (with a default of False).
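To make the proposal concrete, here is an added example (my own code, not cve-bin-tool's implementation) that builds report rows from a constructed CycloneDX-style SBOM. It assumes the function names `sbom_locations`, `build_report` and `misleading_locations`, an `include_location` flag standing in for the suggested option, and the CycloneDX 1.5 `evidence.occurrences[].location` field as the place an SBOM can carry a component path. With the flag at its proposed default of False no location is emitted; with it True the location comes only from the SBOM's own evidence, never from the scanning host. The last helper flags the situation the issue describes: a component whose host-side path would be reported even though the SBOM says nothing about it, or says something different.

```python
import json

# Constructed CycloneDX-style SBOM fragment for this example (not from the issue).
# "requests" carries an evidence occurrence with a path from the deployed system;
# "urllib3" has no evidence at all.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {
            "type": "library",
            "name": "requests",
            "version": "2.25.1",
            "evidence": {
                "occurrences": [
                    {"location": "/app/venv/lib/python3.9/site-packages/requests"}
                ]
            },
        },
        {"type": "library", "name": "urllib3", "version": "1.26.5"},
    ],
}

# Constructed stand-in for what a scanner would find on the host running the tool
# (a different Python than the one the SBOM describes).
LOCAL_INSTALLS = {
    "requests": "/usr/lib/python3.10/site-packages/requests",
    "urllib3": "/usr/lib/python3.10/site-packages/urllib3",
}


def sbom_locations(sbom):
    """Map component name -> first location declared in the SBOM's evidence, if any."""
    found = {}
    for comp in sbom.get("components", []):
        occurrences = comp.get("evidence", {}).get("occurrences", [])
        locs = [o["location"] for o in occurrences if "location" in o]
        if locs:
            found[comp["name"]] = locs[0]
    return found


def build_report(sbom, include_location=False):
    """One report row per SBOM component.

    include_location=False (the proposed default) emits no location key at all.
    include_location=True takes the location only from the SBOM's evidence; a
    component without evidence gets None rather than a path from the local host.
    """
    declared = sbom_locations(sbom)
    rows = []
    for comp in sbom.get("components", []):
        row = {"product": comp["name"], "version": comp.get("version")}
        if include_location:
            row["location"] = declared.get(comp["name"])
        rows.append(row)
    return rows


def misleading_locations(sbom, local_installs):
    """Components for which reporting the host path would be misleading.

    Returns name -> (sbom_location_or_None, local_path) for every component that
    is installed on the scanning host but whose SBOM evidence is absent or points
    somewhere else.
    """
    declared = sbom_locations(sbom)
    result = {}
    for comp in sbom.get("components", []):
        name = comp["name"]
        local = local_installs.get(name)
        if local is None:
            continue
        if declared.get(name) != local:
            result[name] = (declared.get(name), local)
    return result


if __name__ == "__main__":
    print(json.dumps(build_report(SAMPLE_SBOM), indent=2))
    print(json.dumps(build_report(SAMPLE_SBOM, include_location=True), indent=2))
    print(misleading_locations(SAMPLE_SBOM, LOCAL_INSTALLS))
```

Running it shows both components flagged by `misleading_locations`: the host has a Python 3.10 path for each, while the SBOM declares a Python 3.9 path for one and nothing for the other, which is exactly the mismatch a reader of the current JSON report cannot tell apart.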