claircore
Does there exist a "vendor-independent" format to report container content
Hi,
In kubevirt, we are building containers without a base image, which are built out of RPMs (they are built in a reproducible way, without dnf and rpm). Therefore we don't have an rpmdb to share with clair, and we also don't ship the rpm tool inside the container.
Is there something like an independent JSON/YAML file format which we could use, so that clair could simply copy that info out and interpret it?
I think perhaps an SBOM might be the way to go, e.g. SPDX.
Yes, something like an SBOM would be the thing to use, although claircore doesn't have any indexers for those at the moment.
The bigger problem to solve would be where the vulnerability data comes from for the packages reported in the SBOM. I think we'd match against the ambient/language-level data we have, which will probably be incorrect if the container has packages from a distributor that does backports and whatnot.
The other thing to think about is the ELF annotations, which should eventually trickle to everything using rpm.
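As an added illustration (example code for this page, not claircore code and not something the project provides), here is what an SBOM-driven indexer of the kind discussed above would have to do: read the SPDX 2.x JSON `packages` array, take the purl from each package's `externalRefs`, and split it into name, version, architecture and distribution. The SBOM is constructed for the example, and the `Package` type and all function names are the example's own. It also makes the second comment's point concrete: a purl without a `distro` qualifier leaves nothing to pick a distributor's advisory stream with, so the package would be matched against generic upstream data, and an SPDX package with no purl at all cannot be matched to any feed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Package is the record a scanner would index. Vendor is the purl namespace ("fedora");
// Distro is the purl "distro" qualifier ("fedora-38"), the release needed to pick the
// distributor's advisories instead of generic upstream data. HasRelease reports it.
type Package struct {
	Name, Version, Arch, Vendor, Distro string
}

func (p Package) HasRelease() bool { return p.Distro != "" }

// spdxDocument is the minimal view of an SPDX 2.x JSON document needed here.
type spdxDocument struct {
	Packages []struct {
		Name         string `json:"name"`
		ExternalRefs []struct {
			ReferenceType    string `json:"referenceType"`
			ReferenceLocator string `json:"referenceLocator"`
		} `json:"externalRefs"`
	} `json:"packages"`
}

// purl is a parsed package URL, pkg:type/namespace/name@version?qualifiers (no percent-decoding).
type purl struct {
	Type, Namespace, Name, Version string
	Qualifiers                     map[string]string
}

func parsePurl(s string) (purl, error) {
	p := purl{Qualifiers: map[string]string{}}
	if !strings.HasPrefix(s, "pkg:") {
		return p, fmt.Errorf("not a purl: %q", s)
	}
	rest, query, _ := strings.Cut(strings.TrimPrefix(s, "pkg:"), "?")
	p.Type, rest, _ = strings.Cut(rest, "/")
	if rest == "" {
		return p, fmt.Errorf("purl %q has no name", s)
	}
	if i := strings.LastIndex(rest, "@"); i >= 0 { // version follows the last '@'
		p.Version, rest = rest[i+1:], rest[:i]
	}
	p.Name = rest
	if i := strings.LastIndex(rest, "/"); i >= 0 { // name is the last path segment
		p.Namespace, p.Name = rest[:i], rest[i+1:]
	}
	for _, kv := range strings.Split(query, "&") {
		if k, v, ok := strings.Cut(kv, "="); ok {
			p.Qualifiers[strings.ToLower(k)] = v
		}
	}
	return p, nil
}

// ExtractPackages returns one Package per purl in the SBOM, plus the names of SPDX
// packages that carry no purl at all and therefore cannot be matched to any feed.
func ExtractPackages(sbom []byte) (pkgs []Package, noPurl []string, err error) {
	var doc spdxDocument
	if err = json.Unmarshal(sbom, &doc); err != nil {
		return nil, nil, err
	}
	for _, sp := range doc.Packages {
		before := len(pkgs)
		for _, ref := range sp.ExternalRefs {
			if ref.ReferenceType != "purl" {
				continue
			}
			p, err := parsePurl(ref.ReferenceLocator)
			if err != nil {
				return nil, nil, fmt.Errorf("package %q: %w", sp.Name, err)
			}
			pkgs = append(pkgs, Package{Name: p.Name, Version: p.Version,
				Arch: p.Qualifiers["arch"], Vendor: p.Namespace, Distro: p.Qualifiers["distro"]})
		}
		if len(pkgs) == before {
			noPurl = append(noPurl, sp.Name)
		}
	}
	return pkgs, noPurl, nil
}

// SampleSBOM is a constructed SPDX 2.3 JSON document, not the output of any real tool.
const SampleSBOM = `{"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "example-image", "packages": [
 {"name": "bash", "SPDXID": "SPDXRef-bash", "versionInfo": "5.2.15-3.fc38", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:rpm/fedora/bash@5.2.15-3.fc38?arch=x86_64&distro=fedora-38"}]},
 {"name": "zlib", "SPDXID": "SPDXRef-zlib", "versionInfo": "1.2.13-3.fc38", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:rpm/fedora/zlib@1.2.13-3.fc38?arch=x86_64"}]},
 {"name": "example-app", "SPDXID": "SPDXRef-app", "versionInfo": "1.0.0"}]}`

func main() {
	pkgs, noPurl, err := ExtractPackages([]byte(SampleSBOM))
	if err != nil {
		panic(err)
	}
	fmt.Printf("indexed: %+v\nno purl, unmatchable: %v\n", pkgs, noPurl)
}
```

Run against the constructed SBOM, the bash entry comes out with a release (`fedora-38`), the zlib entry has a vendor but no release and so could only be matched against generic data, and example-app is reported as having no purl at all. The purl parsing is deliberately small: it does not percent-decode names or qualifier values and ignores the `#subpath` part, which a production indexer would handle.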