-
Question
Why not utilize the existing KBOM? This project appears to be more mature and it includes more component information and additional details.

Target: Kubernetes
Scanner: None
Output Format: None
Mode: None
Operating System: No response
Version: No response
Replies: 2 comments 2 replies
-
Hi, Trivy has many capabilities and there are alternative tools you can choose. For example, when we added SBOM support in Trivy, the Syft tool was already available and offered this functionality, yet we wanted to provide this feature natively to Trivy users.

About kbom - when we started to work on this feature, KSOC's kbom tool didn't exist, and when they launched it was exclusive to their own format, while we thought kbom should be in CycloneDX. Nevertheless, we reached out to the KSOC team and offered to collaborate, but for different reasons it didn't happen. On the flip side, it's good that users have more options to choose from. Our goal is to make Trivy the best OSS tool for cloud native security and we hope users appreciate the new features coming out every month.
-
I understand your point. I have analyzed the source code of KSOC's kbom and found that they have added support for a greater variety of component types. Furthermore, I'm pleased to inform you that yesterday KSOC's kbom started supporting CycloneDX as well. Thank you very much for providing this information. Trivy is, by far, the best open-source tool for cloud-native security that I have ever used. I truly appreciate the continuous release of new features every month.