Baseline-skipped issues should be included in SBOMs with an annotation
Describe the issue
Currently, if you generate an SBOM with a baseline, we lose vulnerability information that's "normally" packaged in. What I'd like is the ability to include the vulnerability information in the SBOM, with an annotation that states the vuln was skipped.
Current (undesirable) workaround:
- Run checkov with baseline to produce feedback to devs (in CI, PR checks etc.)
- Re-run same check, but without baseline, and with SBOM generation.
Ideally, these would be the same step, such that you don't get a failure from a vuln in the baseline, but it does get put into the SBOM
Additional context
This could be configurable behaviour, like a --sbom-include-skipped-baseline. Arguably also a --sbom-include-skipped should exist for the same reason
Risk Accepted is a normal status to use for this kind of skipping in tools like DefectDojo. If we had a way of detecting in the SBOM that a vuln is present but ignored (aka Risk Accepted), this would let us automate setting this status.
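As an added example (not code from the Checkov project or the issue author), this Python post-processing sketch shows the annotation the request asks for and the automation it would enable: the SBOM is a constructed CycloneDX 1.4 fragment whose component/vulnerability layout is an assumption rather than Checkov's exact output, the `SKIPPED` set stands in for whatever a baseline suppresses, and the `analysis` fields are standard CycloneDX VEX fields used here to express Risk Accepted.

```python
import copy
import json

# Constructed sample: a minimal CycloneDX 1.4 document with one IaC resource as a
# component and two Checkov-style check findings as vulnerabilities. The layout is
# an assumption for this example, not Checkov's exact cyclonedx output.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "application", "bom-ref": "res:main.tf#aws_s3_bucket.bucket",
         "name": "aws_s3_bucket.bucket"}
    ],
    "vulnerabilities": [
        {"id": "CKV_AWS_18", "affects": [{"ref": "res:main.tf#aws_s3_bucket.bucket"}]},
        {"id": "CKV_AWS_21", "affects": [{"ref": "res:main.tf#aws_s3_bucket.bucket"}]},
    ],
}

# Constructed stand-in for what a baseline suppresses: (check id, resource ref) pairs.
# Deriving these pairs from a real baseline file is outside this example.
SKIPPED = {("CKV_AWS_18", "res:main.tf#aws_s3_bucket.bucket")}


def annotate_skipped(sbom, skipped):
    """Return a copy of the SBOM in which every baseline-skipped finding keeps its
    vulnerability entry but gains a CycloneDX `analysis` block recording that it is
    known and deliberately not fixed (the Risk Accepted semantics)."""
    out = copy.deepcopy(sbom)
    for vuln in out.get("vulnerabilities", []):
        refs = {a.get("ref") for a in vuln.get("affects", [])}
        if any((vuln.get("id"), ref) in skipped for ref in refs):
            vuln["analysis"] = {
                "state": "exploitable",
                "response": ["will_not_fix"],
                "detail": "skipped via checkov baseline",
            }
    return out


def risk_accepted(sbom):
    """Collect (check id, resource ref) pairs a downstream tracker such as
    DefectDojo should mark Risk Accepted, based only on the SBOM annotation."""
    accepted = set()
    for vuln in sbom.get("vulnerabilities", []):
        if "will_not_fix" in vuln.get("analysis", {}).get("response", []):
            for a in vuln.get("affects", []):
                accepted.add((vuln["id"], a["ref"]))
    return accepted


if __name__ == "__main__":
    annotated = annotate_skipped(SAMPLE_SBOM, SKIPPED)
    print(json.dumps(annotated, indent=2))
    print(sorted(risk_accepted(annotated)))
```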
hey @audunmo thanks for reaching out.
Did you try using the flag --output-baseline-as-skipped?
Hey @gruebel , thanks for the response. I'm afk for the 24-48hrs or so, but I believe I did run it with that setting enabled. Iirc, it changed the CLI output only, not the contents of the cyclonedx SBOM
Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at codifiedsecurity.slack.com Thanks!