DmitriyLewen
Hello @AntonKarasov We merged #6352. These changes should be included in the next release. Regards, Dmitriy
Hello @dstrelbytskyi We have a lot of work to do now. When @knqyf263 has time to check this PR, he will merge it.
Hello @knrc
> The three registries (google, azure and ECR) are invoked concurrently, which means their state gets overwritten each time while still being used.

I'm a little confused Trivy...
I think I understand your logic. But I don't see any place where we use `GetToken` function (or upper function) using goroutines. We also use 1 image. Therefore, if we...
@knrc can you fix the linter error?
We already have a mapping - https://github.com/aquasecurity/trivy/blob/82214736a943f61c173902808f2887a660543fe2/pkg/licensing/normalize.go#L8-L14. But it looks like we need to supplement our map with pairs from `cycledx-core-java`.
@christiankofler It should work for [all supported SBOM formats](https://aquasecurity.github.io/trivy/v0.49/docs/target/sbom/)
#6240 fixed this problem.
bug(cyclonedx): Trivy image scan reports and counts the same CVE for the same package multiple times
Also, there is a problem with the same jars in different folders. We create only 1 component:
`json` report:
```json
"Packages": [
  {
    "Name": "com.fasterxml.jackson.core:jackson-databind",
    "Version": "2.13.4",
    "Layer": {},
    "FilePath": "1/jackson-databind-2.13.4.jar"
  },...
```
bug(cyclonedx): Trivy image scan reports and counts the same CVE for the same package multiple times
Hello @LesSyner Thanks for your investigation.
> both formats don't show additional 12 critical CVEs

I am focusing on fixing CycloneDX logic. After that I will check this case.