From ab37b6a4263bc6c5f3a47db307c28a982c9f4531 Mon Sep 17 00:00:00 2001 From: knqyf263 Date: Wed, 2 Oct 2024 15:24:58 +0400 Subject: [PATCH] docs: add a note Signed-off-by: knqyf263 --- docs/docs/coverage/others/rpm.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/docs/docs/coverage/others/rpm.md b/docs/docs/coverage/others/rpm.md index 2709d2d70da7..092cd4396b07 100644 --- a/docs/docs/coverage/others/rpm.md +++ b/docs/docs/coverage/others/rpm.md @@ -18,9 +18,13 @@ Trivy analyzes RPM archives matching `*.rpm`. This feature is currently disabled by default but can be enabled with an environment variable, `TRIVY_EXPERIMENTAL_RPM_ARCHIVE`. ```shell -TRIVY_EXPERIMENTAL_RPM_ARCHIVE=true trivy fs ./rpms -f cyclonedx -o rpms.cdx.json +TRIVY_EXPERIMENTAL_RPM_ARCHIVE=true trivy fs ./rpms --format cyclonedx --output rpms.cdx.json ``` +!!! note + Currently, it works with `--format cyclonedx`, `--format spdx` or `--format spdx-json`. + + ## Vulnerability Since RPM files don't have OS information, you need to generate SBOM, fill in the OS information manually and then scan the SBOM for vulnerabilities.
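Review bot: The added `!!! note` in `docs/docs/coverage/others/rpm.md` is ambiguous about scope. "Currently, it works with `--format cyclonedx`, `--format spdx` or `--format spdx-json`" does not say what "it" refers to, nor that these are the only supported formats, so a reader who sets `TRIVY_EXPERIMENTAL_RPM_ARCHIVE` and uses a different output format cannot tell whether missing RPM packages are expected. Suggest naming the subject and making the restriction explicit, for example "RPM archive analysis currently works only with `--format cyclonedx`, `--format spdx` or `--format spdx-json`", and adding a short statement of what happens with other formats. Since the next section tells users to generate an SBOM and scan it for vulnerabilities, the note could also say that this is why an SBOM format is required. Minor style point: the hunk adds two consecutive blank lines before `## Vulnerability`; one is enough.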