-
Notifications
You must be signed in to change notification settings - Fork 2.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
image cache not shared between scanning and sbom #3456
Comments
Thanks for the report. We'll look into it. |
@afdesk I'm suspect on cache as the cache key is calculated according to enabled analyzers. We might enable different analyzers. Could you take a look? |
@knqyf263 yes, sure. I'll take a look at this issue today. |
@victornoel thanks for the report! @knqyf263 you're right as usual, there is a problem with enabled analyzers. there is a solution - using the same security checks: $ trivy image --debug --security-checks vuln python:3.4-alpine
$ trivy image --debug --format cyclonedx --output sbom.json --security-checks vuln python:3.4-alpine the second call used the cache in my case. |
i caught it. The second run uses the cache: $ trivy image --debug python:3.4-alpine
$ trivy image --debug --format cyclonedx --output sbom.json --security-checks vuln,secret python:3.4-alpine @victornoel could you confirm it? @knqyf263 should we change it? |
@afdesk are you proposing to enable vuln/secret by default with BOM? Ideally, I would expect that the cache is used to infer dependencies, so it's not dependent on the security checks, but I may be missing some intricacies of how things work and maybe this does not make sense? |
This issue is stale because it has been labeled with inactivity. |
This issue is stale because it has been labeled with inactivity. |
Hi @victornoel . The key for storing artifacts in the cache is calculated depending on the analyzers used. The cache will be reused if you disable the secret scanner when scanning an image or enable it when creating cyclonedx. For example:
or
|
@nikpivkin ok, this makes sense, thank you for the explanation! I think we can close this, right? Feel free to reopen if not :) |
Description
Trivy does not seem to reuse the cache from one execution of
image
command for scanning vulnerabilities with a second execution ofimage
commands to generate a SBOM.Example
As you can see, while the second call seems to be reusing the cache results, the third one does not and thus will try to fetch dependencies if required (I'm experiencing this with an image with a lot of jars :).
Output of
trivy -v
:The text was updated successfully, but these errors were encountered: