
OWASP dependency track is not listing vulnerabilities (cyclone dx format) from grype , syft is working however

Open usmankhanisb opened this issue 2 years ago • 3 comments

What happened: OWASP Dependency-Track is not listing vulnerabilities (CycloneDX format) from grype; syft is working, however. The grype CycloneDX SBOM only lists components.

What you expected to happen: List vulnerabilities correctly so that various dashboard tools like Dependency-Track can enlist vulnerabilities, just like the syft-generated SBOM (CycloneDX format).

How to reproduce it (as minimally and precisely as possible): Generate a CycloneDX SBOM from both of the tools (syft and grype) and load them into Dependency-Track and you will see the issue. Use it for the OWASP DVWA project. Generate the SBOM for all layers of the docker image.

Anything else we need to know?: syft and grype XML generation is not consistent.

Environment: MAC, docker compose, OWASP DVWA

  • Output of grype version: xml
  • OS (e.g: cat /etc/os-release or similar): MAC OS

usmankhanisb · Jun 21 '22 08:06

Thanks for the comment @usmankhanisb - looks like we need to get grype generating the latest version of cyclonedx as well as update it so it has parity with the syft format. Apologies for the lag between the tools.

How to reproduce easily:

grype alpine:latest -o cyclonedx > bom.xml
syft alpine:latest -o cyclonedx-xml > syft.bom 

Note the version differences in the schema. Larger images would also show other delta points since the schema has changed. We probably also want to discuss keeping the formatting options up to date between the tools to reduce confusion and keep the API closer together.

spiffcs · Jun 21 '22 17:06
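The two reproduction commands above produce files that differ both in schema version and in whether a vulnerabilities section is present. The following is an added example, not code from the grype or syft projects, showing how to check a CycloneDX XML file for exactly those two things before uploading it to a tool like Dependency-Track. The sample BOMs embedded in the script are constructed for the example (the package names and vulnerability id are placeholders); they mimic the shape of a syft-style 1.4 document, a components-only document on an older schema namespace like the one reported in this issue, and a 1.4 document that carries a vulnerabilities section. The vulnerabilities element is part of the CycloneDX core schema from 1.4, so a BOM on an older namespace is expected to carry none.

```python
"""Inspect CycloneDX XML BOMs for schema version and vulnerability content.

Added example (not part of the grype/syft projects). The BOM texts below are
constructed samples that imitate the documents discussed in the issue.
"""
import xml.etree.ElementTree as ET

CYCLONEDX_NS_PREFIX = "http://cyclonedx.org/schema/bom/"
EXPECTED_SCHEMA_VERSION = "1.4"  # assumption: the version the tooling expects

# Constructed sample: syft-style output, schema 1.4, components only.
SYFT_STYLE_BOM = """<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <components>
    <component type="library"><name>musl</name><version>1.2.3-r0</version></component>
    <component type="library"><name>busybox</name><version>1.35.0-r17</version></component>
  </components>
</bom>"""

# Constructed sample: the symptom from the issue, an older schema namespace and
# no vulnerabilities section even though grype produced it.
GRYPE_STYLE_BOM_OLD = """<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.2" version="1">
  <components>
    <component type="library"><name>musl</name><version>1.2.3-r0</version></component>
  </components>
</bom>"""

# Constructed sample: what a vulnerability-bearing 1.4 document looks like.
GRYPE_STYLE_BOM_NEW = """<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <components>
    <component type="library"><name>musl</name><version>1.2.3-r0</version></component>
  </components>
  <vulnerabilities>
    <vulnerability><id>CVE-0000-00000</id><source><name>placeholder-db</name></source></vulnerability>
  </vulnerabilities>
</bom>"""


def inspect_bom(xml_text: str) -> dict:
    """Return schema version, component count and vulnerability count of a BOM."""
    root = ET.fromstring(xml_text)
    # ElementTree renders namespaced tags as "{namespace-uri}localname".
    if root.tag.startswith("{"):
        ns, local = root.tag[1:].split("}", 1)
    else:
        ns, local = "", root.tag
    if local != "bom" or not ns.startswith(CYCLONEDX_NS_PREFIX):
        raise ValueError(f"not a CycloneDX BOM root element: {root.tag}")
    version = ns[len(CYCLONEDX_NS_PREFIX):]

    def q(tag: str) -> str:  # qualify a local name with the document's namespace
        return f"{{{ns}}}{tag}"

    components = root.findall(f"./{q('components')}/{q('component')}")
    vulns = root.findall(f"./{q('vulnerabilities')}/{q('vulnerability')}")
    return {
        "schema_version": version,
        "component_count": len(components),
        "vulnerability_count": len(vulns),
        "has_vulnerabilities_section": root.find(q("vulnerabilities")) is not None,
    }


def bom_warnings(xml_text: str) -> list:
    """List the problems a consumer would hit with this BOM (empty list means OK)."""
    info = inspect_bom(xml_text)
    warnings = []
    if info["schema_version"] != EXPECTED_SCHEMA_VERSION:
        warnings.append(
            f"schema {info['schema_version']} != expected {EXPECTED_SCHEMA_VERSION}"
        )
    if not info["has_vulnerabilities_section"]:
        warnings.append("no <vulnerabilities> section; only components will be listed")
    return warnings


if __name__ == "__main__":
    for label, text in [("syft", SYFT_STYLE_BOM), ("grype-old", GRYPE_STYLE_BOM_OLD),
                        ("grype-new", GRYPE_STYLE_BOM_NEW)]:
        print(label, inspect_bom(text), bom_warnings(text))
```

Run it against a real `bom.xml` by replacing the embedded samples with the file contents; a non-empty warning list for a scanner-produced BOM is the quickest way to confirm the mismatch described in this thread.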

Happy to pick up this issue if @spiffcs you want to assign me to it. I believe that the JSON output is currently 1.4, but I can update the presenters to be 1.4 for the XML.

cpendery · Jun 22 '22 13:06

Thanks @cpendery! I'm working on this today, but I really appreciate the offer.

spiffcs · Jun 22 '22 15:06

@usmankhanisb @cpendery feel free to check out the tip of main on grype after #1038 has merged. grype is now using syft's formatting library, which consumes the official upstream CycloneDX tooling.

If you see other compatibility errors, let us know! There is also a test now that checks against the official tooling to make sure syft/grype are producing valid outputs for the respective formats.

spiffcs · Dec 22 '22 16:12