Support for common platform enumerations (CPEs) in SBOM files #5209
Replies: 6 comments 7 replies
-
I don't think such a CPE is defined. It just generates CPE-ish strings. We're not sure if it is useful to generate non-existent CPEs.
-
This was just an example, so please treat it as such.
-
I am also running into this issue. The naming problem is very hard, but adding CPE to Trivy would be helpful.
-
Good idea @wkoot, but please remember Trivy can also produce an SBOM with a list of components without checking vulnerabilities, so using only the link between CPE and PURL in each CVE can only be a partial idea.
-
There is this old MR for adding NVD CPE details to Trivy DB: aquasecurity/trivy-db#114
-
I'd also be interested in this to get Trivy's CycloneDX SBOMs to work in our vuln tracking tool. It seems like it did generate CPEs once (#2597), but incorrectly?
-
Currently Trivy doesn't include common platform enumeration (CPE) info in the SBOM files it generates (Trivy only generates package URLs (PURLs) for components). This is an issue for some tools like Dependency-Track, which use these fields to find vulnerabilities. As a result, SBOM files uploaded to Dependency-Track result in no vulnerabilities found. By contrast, other tools like Syft include these fields, and Dependency-Track can find vulnerabilities.
Do you have plans to include common platform enumerations (CPEs) in SBOM files generated by Trivy?
Example:
trivy image -f cyclonedx ubuntu:22.04
syft -o cyclonedx-json ubuntu:22.04
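As an added example (not code from Trivy, Syft or anyone in this thread), the following script checks a CycloneDX JSON SBOM for the situation the post describes: components that carry a `purl` but no `cpe`, which a CPE-keyed analyzer will silently skip. It also does a purely syntactic well-formedness check on CPE 2.3 strings, which is relevant to the reply about "CPE-ish strings": a string can be well-formed and still name a vendor/product pair that exists in no CPE dictionary, so this check rules out malformed strings, not non-existent ones. The embedded SBOM is a constructed sample in CycloneDX 1.4 shape (the `cpe` field on a component is part of the CycloneDX schema); the package names, versions and CPE value are illustrative and are not the output of any scanner.

```python
import json
import re
import sys
from typing import Dict, List

# Constructed sample, not the output of Trivy or Syft: a minimal CycloneDX 1.4
# JSON SBOM with one component carrying both a PURL and a CPE, and one
# carrying only a PURL (the case described in the post for Trivy's output).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {
            "type": "library",
            "name": "openssl",
            "version": "3.0.2-0ubuntu1.10",
            "purl": "pkg:deb/ubuntu/openssl@3.0.2-0ubuntu1.10?distro=ubuntu-22.04",
            "cpe": "cpe:2.3:a:openssl:openssl:3.0.2:*:*:*:*:*:*:*",
        },
        {
            "type": "library",
            "name": "libc6",
            "version": "2.35-0ubuntu3.4",
            "purl": "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.4?distro=ubuntu-22.04",
        },
    ],
})

# Split a CPE on colons that are not escaped with a backslash (the CPE 2.3
# formatted-string binding escapes a literal ':' as '\:').
_UNESCAPED_COLON = re.compile(r"(?<!\\):")


def is_wellformed_cpe23(cpe: str) -> bool:
    """Syntactic check only: 'cpe:2.3:' prefix, 13 fields, part in {a, o, h},
    no empty fields. Does NOT verify that the name exists in any dictionary."""
    fields = _UNESCAPED_COLON.split(cpe)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        return False
    if fields[2] not in ("a", "o", "h"):
        return False
    return all(f != "" for f in fields[3:])


def identifier_coverage(sbom_json: str) -> Dict[str, object]:
    """Count components with PURL/CPE and list the PURLs of components that
    have no CPE at all, plus any CPE strings that are not well-formed."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    components = sbom.get("components", [])
    purl_only: List[str] = []
    malformed_cpe: List[str] = []
    with_purl = with_cpe = 0
    for comp in components:
        purl = comp.get("purl")
        cpe = comp.get("cpe")
        if purl:
            with_purl += 1
        if cpe:
            with_cpe += 1
            if not is_wellformed_cpe23(cpe):
                malformed_cpe.append(cpe)
        elif purl:
            purl_only.append(purl)
    return {
        "total": len(components),
        "with_purl": with_purl,
        "with_cpe": with_cpe,
        "purl_only": purl_only,
        "malformed_cpe": malformed_cpe,
    }


if __name__ == "__main__":
    # Usage: python check_cpe.py sbom.cdx.json  (falls back to the inline sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            data = fh.read()
    else:
        data = SAMPLE_SBOM
    report = identifier_coverage(data)
    print(f"{report['with_cpe']}/{report['total']} components carry a CPE")
    for purl in report["purl_only"]:
        print("no CPE:", purl)
    for cpe in report["malformed_cpe"]:
        print("malformed CPE:", cpe)
```

Run it against the CycloneDX file you intend to upload; a report where `with_cpe` is 0 while `with_purl` equals `total` is the signature of the "no vulnerabilities found" outcome described above, and tells you the problem is the SBOM's identifiers rather than the tracking tool's data feed.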