
[REQ] Patch from Trivy SBOM scan results #446

Open
1 task done
duffney opened this issue Dec 15, 2023 · 4 comments
Labels
enhancement New feature or request

Comments

@duffney

duffney commented Dec 15, 2023

What kind of request is this?

Improvement of existing experience

What is your request or suggestion?

Trivy allows you to generate an SBOM for a container image and then use the SBOM to produce a vulnerability report. My request is that Copa be able to use the vulnerability report generated by the trivy sbom command to patch the container image instead of relying on scans of the container image directly.

Here's an example:

# generate sbom in spdx format
trivy image --format spdx-json --output spdx.json alpine:3.16.0
# create vuln report from sbom
trivy sbom spdx.json --exit-code 0 --format json --output ./patch-from-sbom.json
# patch container image from sbom report
copa patch -i ${IMAGE} -r ./patch-from-sbom.json -t v0.1-alpha-1

Currently, when I follow this path I get the following error:

Error: failed to solve: failed to load cache key: no match for platform in manifest: not found

Are you willing to submit PRs to contribute to this feature request?

  • Yes, I am willing to implement it.
@duffney duffney added the enhancement New feature or request label Dec 15, 2023
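The commands above fail because the report produced by `trivy sbom` is not accepted by Copa as an image scan result. The following is an added example (not Copa's or Trivy's own code) of how a patcher can reduce a Trivy JSON report to the data it actually needs and report up front why a given report cannot drive a patch, rather than surfacing a downstream "no match for platform" error. The field names (`SchemaVersion`, `ArtifactType`, `Metadata.OS`, `Metadata.ImageConfig`, `Results[].Class == "os-pkgs"`) follow Trivy's JSON output; the sample reports, the `CVE-EXAMPLE-*` identifiers, and the assumption that an SBOM-derived report carries no `ImageConfig` platform block and an `ArtifactType` of `spdx` are constructed for illustration.

```python
"""Reduce a Trivy JSON report to a patch plan and validate it first.

Added example, not part of the Copa project. The two sample reports below
are constructed; the image-scan shape mirrors `trivy image --format json`,
while the SBOM-scan shape assumes (hypothesis, not verified) that a report
from `trivy sbom` lacks Metadata.ImageConfig and reports ArtifactType "spdx".
"""
import copy
import json


class ReportError(ValueError):
    """Raised when a report is structurally unusable for patching."""


def parse_trivy_report(raw) -> dict:
    """Accept a JSON string or an already-decoded dict and extract the
    OS family/version, the image platform (if present) and the OS-package
    vulnerabilities, split into fixable (FixedVersion set) and unfixed."""
    report = json.loads(raw) if isinstance(raw, str) else raw
    if report.get("SchemaVersion") != 2:
        raise ReportError("unsupported Trivy report SchemaVersion")
    meta = report.get("Metadata") or {}
    os_info = meta.get("OS") or {}
    if not (os_info.get("Family") and os_info.get("Name")):
        # Without the OS family the patcher cannot choose apk/apt/dnf/etc.
        raise ReportError("report lacks Metadata.OS; cannot select a package manager")
    cfg = meta.get("ImageConfig") or {}
    platform = None
    if cfg.get("os") and cfg.get("architecture"):
        platform = f"{cfg['os']}/{cfg['architecture']}"
    fixable, unfixed = [], []
    for result in report.get("Results") or []:
        # Language packages (Class "lang-pkgs") cannot be upgraded through the
        # OS package manager, so only OS package results are considered.
        if result.get("Class") != "os-pkgs":
            continue
        for v in result.get("Vulnerabilities") or []:
            entry = {
                "id": v["VulnerabilityID"],
                "pkg": v["PkgName"],
                "installed": v["InstalledVersion"],
                "fixed": v.get("FixedVersion") or None,
            }
            (fixable if entry["fixed"] else unfixed).append(entry)
    return {
        "artifact": report.get("ArtifactName"),
        "artifact_type": report.get("ArtifactType"),
        "os": (os_info["Family"], os_info["Name"]),
        "platform": platform,
        "fixable": fixable,
        "unfixed": unfixed,
    }


def readiness_problems(parsed: dict) -> list:
    """Return human-readable reasons why this report cannot be patched
    from directly; an empty list means the plan is usable."""
    problems = []
    if parsed["artifact_type"] != "container_image":
        problems.append(
            f"artifact type {parsed['artifact_type']!r} is not a container image scan"
        )
    if parsed["platform"] is None:
        problems.append("no image platform (Metadata.ImageConfig os/architecture) in report")
    if not parsed["fixable"]:
        problems.append("no OS package vulnerabilities with a FixedVersion")
    return problems


def packages_to_upgrade(parsed: dict) -> list:
    """Distinct package names that have an available fix, sorted."""
    return sorted({e["pkg"] for e in parsed["fixable"]})


# Constructed sample: shape of an image scan (`trivy image --format json`).
IMAGE_SCAN_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "alpine:3.16.0",
    "ArtifactType": "container_image",
    "Metadata": {
        "OS": {"Family": "alpine", "Name": "3.16.0"},
        "ImageConfig": {"architecture": "amd64", "os": "linux"},
    },
    "Results": [{
        "Target": "alpine:3.16.0 (alpine 3.16.0)", "Class": "os-pkgs", "Type": "alpine",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "zlib",
             "InstalledVersion": "1.2.12-r1", "FixedVersion": "1.2.12-r2"},
            {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "busybox",
             "InstalledVersion": "1.35.0-r13", "FixedVersion": "1.35.0-r15"},
            {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "busybox",
             "InstalledVersion": "1.35.0-r13", "FixedVersion": "1.35.0-r15"},
            {"VulnerabilityID": "CVE-EXAMPLE-0004", "PkgName": "ssl_client",
             "InstalledVersion": "1.35.0-r13", "FixedVersion": ""},
        ],
    }],
}

# Constructed sample: assumed shape of an SBOM scan (`trivy sbom spdx.json`),
# identical findings but no ImageConfig platform block.
SBOM_SCAN_REPORT = copy.deepcopy(IMAGE_SCAN_REPORT)
SBOM_SCAN_REPORT["ArtifactName"] = "spdx.json"
SBOM_SCAN_REPORT["ArtifactType"] = "spdx"
del SBOM_SCAN_REPORT["Metadata"]["ImageConfig"]

if __name__ == "__main__":
    for sample in (IMAGE_SCAN_REPORT, SBOM_SCAN_REPORT):
        plan = parse_trivy_report(sample)
        print(plan["artifact"], plan["platform"], packages_to_upgrade(plan),
              readiness_problems(plan) or "ready")
```

Run stand-alone, the image-scan sample yields a platform of `linux/amd64` and an upgrade list of `busybox` and `zlib` (the `ssl_client` finding is kept in `unfixed` because it has no `FixedVersion`), while the SBOM-derived sample produces the same package list but is flagged with explicit reasons: it is not a container-image artifact and carries no platform. Checking those two conditions before invoking the build step is what turns an opaque solver error into an actionable message.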
@sozercan
Member

@duffney can you tell a bit more about this? Any distinctions or advantages over using the trivy report?

@duffney
Author

duffney commented Dec 24, 2023

I was envisioning using the SBOM to patch images instead of scanning results. If the SBOM was already available in the referrers of the container image, it would make scanning unnecessary. One of the promises of an SBOM is to assist with vuln management, but after a bit more research it might be a bit early. However, it could make a good backlog feature. :)

@sozercan
Member

sozercan commented Jan 2, 2024

it would make scanning unnecessary

Wouldn't you still need to scan it (what trivy sbom does)? It just scans the SBOM rather than the image itself.

@duffney
Author

duffney commented Jan 11, 2024

That's correct. However, the report that trivy generates with trivy sbom is in a slightly different format and Copa can't use it to patch. So, another trivy scan report would need to be created in order to use Copa.
