Hi!

I was experimenting with scanning of various OS images and came across this case. I got the official Fedora Docker image

```shell
docker pull fedora
```

made an SBOM of it

```shell
docker run -v /dir:/app aquasec/trivy rootfs app/fedora-fs/ --format cyclonedx --scanners vuln -q > image.cyclonedx
```

and then scanned the resulting SBOM:

```shell
docker run -v /dir:/app aquasec/trivy sbom app/image.cyclonedx --format json -q > image-rootfs.json
```

As I can see here, Trivy doesn't support Fedora. I expected it at least to show me a warning message about the unsupported OS, or even to fail at some step (on scan, for example). Instead, I got a valid SBOM with Fedora's packages and a short scan results JSON without a `Results` section and without any mention of an unsupported OS. Here it is:

It's interesting that running the `image` command shows the desired warning:

The main question here is: do I have a way to distinguish between a scan of an unsupported OS and a scan result without vulnerabilities?

Replies: 1 comment

Any thoughts on this matter?
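One way to answer the question in the original post from the two files it produces, as an added example that is not part of the post or of Trivy: read the `operating-system` component out of the CycloneDX SBOM, compare it against the OS families Trivy documents as supported, and only then interpret a missing `Results` key as "no findings". The `SUPPORTED_OS_FAMILIES` set and the sample SBOM/report contents are assumptions constructed for the example.

```python
import json
import sys

# Illustrative subset of the OS families Trivy documents as supported; replace it
# with the full list for your Trivy version (this set is an assumption).
SUPPORTED_OS_FAMILIES = {"alpine", "debian", "ubuntu", "redhat", "centos"}

def sbom_os_family(sbom):
    """Lower-cased name of the 'operating-system' component that
    `trivy rootfs --format cyclonedx` writes into the SBOM, or None."""
    for comp in sbom.get("components", []):
        if comp.get("type") == "operating-system":
            return comp.get("name", "").lower() or None
    return None

def classify(sbom, report, supported=SUPPORTED_OS_FAMILIES):
    """Return one of: unsupported-os, no-os-detected, clean, vulnerable.
    `report` is the parsed JSON from `trivy sbom --format json`; Trivy omits the
    top-level "Results" key when there is nothing to report, so its absence
    alone cannot tell an unsupported OS from a clean one."""
    family = sbom_os_family(sbom) or report.get("Metadata", {}).get("OS", {}).get("Family")
    if not family:
        return "no-os-detected"
    if family.lower() not in supported:
        return "unsupported-os"
    vulns = sum(len(r.get("Vulnerabilities") or []) for r in report.get("Results") or [])
    return "vulnerable" if vulns else "clean"

# Constructed, trimmed stand-ins for image.cyclonedx and image-rootfs.json.
FEDORA_SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
    {"type": "operating-system", "name": "fedora", "version": "38"},
    {"type": "library", "name": "bash", "version": "5.2.15-3.fc38",
     "purl": "pkg:rpm/fedora/bash@5.2.15-3.fc38"}]}
FEDORA_REPORT = {"SchemaVersion": 2}                      # no "Results" key at all
DEBIAN_SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
    {"type": "operating-system", "name": "debian", "version": "12.1"}]}
DEBIAN_REPORT = {"SchemaVersion": 2, "Results": [{"Target": "rootfs (debian 12.1)",
    "Class": "os-pkgs", "Type": "debian", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-PLACEHOLDER", "PkgName": "example", "Severity": "HIGH"}]}]}

if __name__ == "__main__":
    # usage: python classify_scan.py image.cyclonedx image-rootfs.json
    sbom, report = (json.load(open(p)) for p in sys.argv[1:3])
    verdict = classify(sbom, report)
    print(verdict)
    sys.exit(0 if verdict in ("clean", "vulnerable") else 2)  # fail the pipeline otherwise
```

Run against the real files, the non-zero exit on `unsupported-os` or `no-os-detected` is what stops a CI job from treating an unscanned image as a clean one.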