Hello @candrews It looks like we have incorrectly identified a package from your binary. Regards, Dmitriy
Hello @candrews Created #5449 for this issue.
Description

The CycloneDX SBOM produced by Trivy for (at least some) Go binaries is invalid. It expresses a dependency on pkg:/ which doesn't make sense. When Trivy itself tries to scan this SBOM (using trivy sbom) it fails with an error.

Desired Behavior

The SBOM produced by trivy image --format cyclonedx should only contain valid dependencies (and not pkg:/).

Actual Behavior

A few excerpts of the SBOM:
debug.txt

Reproduction Steps

Target: Container Image
Scanner: Vulnerability
Output Format: CycloneDX
Mode: Standalone
Debug Output: debug.txt
Operating System: Linux
Version
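The failure described in this report is an SBOM whose dependency graph references a package URL that is not a package URL at all. The following added example (not code from Trivy, CycloneDX or the reporter) shows the check a consumer can run before feeding a CycloneDX JSON document to a downstream scanner: every ref and dependsOn entry in the dependencies array must be a well-formed purl (non-empty type and name, per the purl spec's pkg:type/namespace/name@version shape) and must resolve to a component's bom-ref. The sample SBOM, the Go module names in it, and the use of purls as bom-ref values are constructed assumptions for illustration.

```python
"""Flag malformed or dangling dependency references in a CycloneDX JSON SBOM.

Added example, not Trivy's or CycloneDX's own code. The SBOM strings below are
constructed for illustration; the purl check applies only the minimal shape
pkg:<type>/[<namespace>/]<name>[@<version>][?<qualifiers>][#<subpath>].
"""
import json
import re

# Minimal purl shape: type and name must be non-empty; namespace, version,
# qualifiers and subpath are optional. A bare "pkg:/" has no type and fails.
PURL_RE = re.compile(
    r"^pkg:(?P<type>[A-Za-z0-9][A-Za-z0-9.+-]*)/"
    r"(?:(?P<namespace>[^@?#]+)/)?"
    r"(?P<name>[^/@?#]+)"
    r"(?:@(?P<version>[^?#]+))?"
    r"(?:\?(?P<qualifiers>[^#]+))?"
    r"(?:#(?P<subpath>.*))?$"
)

# Constructed sample (assumption: bom-ref values are purls, as Trivy emits):
# one application, one Go module, and the bogus "pkg:/" node from the report.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"bom-ref": "pkg:golang/example.com/app@v1.0.0", "type": "application",
         "name": "app", "purl": "pkg:golang/example.com/app@v1.0.0"},
        {"bom-ref": "pkg:golang/golang.org/x/text@v0.14.0", "type": "library",
         "name": "golang.org/x/text", "purl": "pkg:golang/golang.org/x/text@v0.14.0"},
    ],
    "dependencies": [
        {"ref": "pkg:golang/example.com/app@v1.0.0",
         "dependsOn": ["pkg:golang/golang.org/x/text@v0.14.0", "pkg:/"]},
        {"ref": "pkg:/", "dependsOn": []},
    ],
})

# Constructed sample with a well-formed purl that matches no component.
SAMPLE_DANGLING = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [],
    "dependencies": [{"ref": "pkg:npm/left-pad@1.3.0", "dependsOn": []}],
})


def is_valid_purl(ref: str) -> bool:
    """True if ref has at least a non-empty purl type and name."""
    match = PURL_RE.match(ref)
    return match is not None and bool(match.group("name").strip())


def find_invalid_refs(sbom_json: str) -> list:
    """Return (location, ref, reason) for every dependency reference that is
    either a malformed purl or does not resolve to a component bom-ref."""
    bom = json.loads(sbom_json)
    known_refs = {c.get("bom-ref") for c in bom.get("components", []) if c.get("bom-ref")}
    problems = []
    for i, dep in enumerate(bom.get("dependencies", [])):
        refs = [("dependencies[%d].ref" % i, dep.get("ref", ""))]
        refs += [("dependencies[%d].dependsOn[%d]" % (i, j), r)
                 for j, r in enumerate(dep.get("dependsOn", []))]
        for location, ref in refs:
            if ref.startswith("pkg:") and not is_valid_purl(ref):
                problems.append((location, ref, "malformed purl"))
            elif ref not in known_refs:
                problems.append((location, ref, "no component with this bom-ref"))
    return problems


if __name__ == "__main__":
    for sample in (SAMPLE_SBOM, SAMPLE_DANGLING):
        for location, ref, reason in find_invalid_refs(sample):
            print("%s: %r (%s)" % (location, ref, reason))
```

On the constructed sample this reports the two places where pkg:/ appears (once as a dependsOn entry, once as a dependency node of its own), which is exactly what a scanner consuming the SBOM trips over; running the same check against a real trivy image --format cyclonedx output before passing it to trivy sbom isolates whether the failure is a malformed reference or a reference to a component that was never emitted.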