
No sbom generation for containers being analyzed by jobs where at least one image has a ClusterSbomReport

Open festeveira opened this issue 5 months ago • 0 comments

What steps did you take and what happened:

Running trivy-operator in a kubernetes cluster with sbom cache enabled. After some scans some ClusterSbomReports are present. Consequently, when trivy-operator scans a pod with more than one container where one image does not have a corresponding ClusterSbomReport, and at least one image has a corresponding ClusterSbomReport, the generated pod spec includes the label reused-report: "true", which causes no sbom reports to be generated from the scan result for the image with no sbom report.

What did you expect to happen:

Scan job generating sbom reports for all images, regardless of some scans re-using sbom reports.

Anything else you would like to add:

After reading the code for a bit I believe the problem is related to these lines of code:

  • https://github.com/aquasecurity/trivy-operator/blob/baa8f8eac80782428922a86d4c6c8d6762554604/pkg/vulnerabilityreport/controller/scanjob.go#L313
  • https://github.com/aquasecurity/trivy-operator/blob/baa8f8eac80782428922a86d4c6c8d6762554604/pkg/vulnerabilityreport/controller/scanjob.go#L333

Environment:

  • Trivy-Operator version (use trivy-operator version): 0.28.0
  • Kubernetes version (use kubectl version): v1.32.7
  • OS (macOS 10.15, Windows 10, Ubuntu 19.10 etc): Debian 12

festeveira, Nov 15 '25 18:11
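To make the reported failure mode concrete, here is an added Go model (not trivy-operator's own code) of the two ways the reuse decision can be made for a multi-container pod: one job-wide flag, as the issue describes, beside a per-container decision. The `Container`, `JobPlan`, `planJobWideFlag` and `planPerContainer` names and the sample images are hypothetical.

```go
package main

import (
	"fmt"
	"sort"
)

// Container is a minimal stand-in for a pod container (hypothetical type,
// not trivy-operator's own).
type Container struct {
	Name  string
	Image string
}

// JobPlan is the hypothetical outcome of planning one scan job for a pod.
// ReusedReport plays the role of the job-wide reused-report label from the
// issue; GenerateSbomFor lists the containers that should get a fresh SBOM.
type JobPlan struct {
	ReusedReport    bool
	GenerateSbomFor []string
}

// planJobWideFlag reproduces the behaviour described in the issue: a single
// flag for the whole job is set as soon as any container image already has a
// ClusterSbomReport, and a set flag suppresses SBOM generation for all of them.
func planJobWideFlag(containers []Container, haveSbom map[string]bool) JobPlan {
	plan := JobPlan{}
	for _, c := range containers {
		if haveSbom[c.Image] {
			plan.ReusedReport = true
		}
	}
	if plan.ReusedReport {
		return plan // nothing generated, even for images with no report
	}
	for _, c := range containers {
		plan.GenerateSbomFor = append(plan.GenerateSbomFor, c.Name)
	}
	return plan
}

// planPerContainer makes the reuse decision per container instead: only the
// containers whose image already has a report are skipped.
func planPerContainer(containers []Container, haveSbom map[string]bool) JobPlan {
	plan := JobPlan{}
	for _, c := range containers {
		if haveSbom[c.Image] {
			plan.ReusedReport = true
			continue
		}
		plan.GenerateSbomFor = append(plan.GenerateSbomFor, c.Name)
	}
	sort.Strings(plan.GenerateSbomFor)
	return plan
}

func main() {
	// Constructed sample: only "app" already has a cached ClusterSbomReport.
	pod := []Container{{"app", "registry.example/app:1.0"}, {"sidecar", "registry.example/sidecar:2.3"}}
	cached := map[string]bool{"registry.example/app:1.0": true}
	fmt.Println("job-wide flag:", planJobWideFlag(pod, cached).GenerateSbomFor)
	fmt.Println("per-container:", planPerContainer(pod, cached).GenerateSbomFor)
}
```

With the job-wide flag the sidecar never gets an SBOM report; with the per-container decision it is the only image scanned for one.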