
Rename --list-all-pkgs to --scanners sbom #5183

Open
knqyf263 opened this issue Sep 14, 2023 · 2 comments
Labels
scan/sbom Issues relating to SBOM

Comments

knqyf263 (Collaborator)

Description

Currently, we have the --scanners flag, which supports the following options: vuln, misconf, secret, and license. To align with this structure, I'm considering renaming the --list-all-pkgs flag to --scanners sbom.

This proposed change aims to:

  • Enhance the CLI's intuitiveness by grouping all scanner-related functionalities under the --scanners flag.
  • Provide a more consistent user experience for those familiar with the --scanners flag.

However, I have a concern: while vuln, misconf, secret, and license are directly tied to security issues, the Software Bill of Materials (SBOM) is not directly a security concern. It's more about transparency and understanding the components within a software. By grouping it under the --scanners flag, there might be a potential for confusion among users regarding its purpose.

I'd appreciate feedback from the community on this proposal.

@knqyf263 knqyf263 changed the title Rename --list-all-pkgs flag to --scanners sbom Rename --list-all-pkgs to --scanners sbom Sep 14, 2023
@knqyf263 knqyf263 added the scan/sbom Issues relating to SBOM label Sep 14, 2023
itaysk (Contributor) commented Apr 7, 2024

Some additional consideration: if someone wants to create an [output plugin](https://aquasecurity.github.io/trivy/v0.50/docs/configuration/reporting/#plugin) that operates on an SBOM, they can't as of today, since the --output flag is used both to control SBOM and to control the output plugin.
The design of output plugins assumes the plugin input is always a native Trivy JSON, and the plugin should convert to whatever it needs, which is fine, but there's no way for the user to specify that they want to create an SBOM (if they used the --output plugin= option).
In this case, I would expect the SBOM output plugin to generate a Trivy SBOM JSON, and the plugin to be able to use a Trivy library to convert it to the desired SBOM format and process it.

knqyf263 (Collaborator, Author)

I think you're confusing --format and --output. As documented here, --format works with an output plugin.

While the example passes JSON to the plugin, other formats like SBOM can also be passed (e.g., --format cyclonedx).
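To make the reply above concrete, here is an added example of an output plugin that consumes an SBOM rather than native Trivy JSON. It is not code from the Trivy project or from either commenter; it assumes Trivy invoked as `--format cyclonedx --output plugin=<name>` hands the CycloneDX document to the plugin on standard input (an assumption based on the output-plugin docs linked in the thread), and the sample SBOM embedded below is constructed for the demonstration, not real Trivy output. The plugin rejects non-CycloneDX input, counts components per package ecosystem, and reports components that lack a purl or version, since those are the ones a downstream vulnerability match cannot resolve.

```python
import json
import sys
from typing import Any

# Constructed sample: a minimal CycloneDX 1.5 JSON document of the shape
# `trivy ... --format cyclonedx` emits (hypothetical values, not real output).
SAMPLE_CYCLONEDX = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.2",
         "purl": "pkg:deb/ubuntu/openssl@3.0.2"},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "vendored-blob"},  # no version, no purl
    ],
})


def summarize_sbom(doc: dict[str, Any]) -> dict[str, Any]:
    """Summarize a CycloneDX document.

    Raises ValueError for anything that is not CycloneDX (e.g. native Trivy
    JSON), counts components per purl type, and lists components that have
    no purl or no version and therefore cannot be matched against advisories.
    """
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document; run Trivy with --format cyclonedx")
    per_type: dict[str, int] = {}
    unresolved: list[str] = []
    components = doc.get("components") or []
    for comp in components:
        purl = comp.get("purl")
        if not purl or not comp.get("version"):
            unresolved.append(comp.get("name", "<unnamed>"))
            continue
        # purl syntax: pkg:<type>/<namespace>/<name>@<version>[?qualifiers]
        ptype = purl.split(":", 1)[1].split("/", 1)[0]
        per_type[ptype] = per_type.get(ptype, 0) + 1
    return {"total": len(components), "per_type": per_type, "unresolved": unresolved}


def summarize_sbom_text(raw: str) -> dict[str, Any]:
    """Parse raw JSON text (as read from stdin) and summarize it."""
    return summarize_sbom(json.loads(raw))


def main() -> int:
    # Assumption: Trivy passes the report to an output plugin on standard
    # input. When run interactively without input, fall back to the sample.
    raw = SAMPLE_CYCLONEDX if sys.stdin.isatty() else sys.stdin.read()
    summary = summarize_sbom_text(raw)
    print(json.dumps(summary, indent=2))
    # Non-zero exit lets a CI job fail when the SBOM has unresolvable entries.
    return 1 if summary["unresolved"] else 0


if __name__ == "__main__":
    sys.exit(main())
```

Registered as a Trivy output plugin, the same script would receive the CycloneDX document instead of the embedded sample; the ValueError path is what distinguishes an SBOM-aware plugin from one written against native Trivy JSON, which is exactly the distinction the two comments above turn on.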

3 participants