We lose case sensitivity in the PURLs used in the SBOM, which leads to wrong results.
Discussed in #4221
Originally posted by genos1998 May 8, 2023
Initially I scanned an open source image for vulnerabilities using the command below:
trivy image argoproj/argocd --format=cyclonedx -o argo-trivy-issue-imageScan.json --scanners vuln --timeout 60m
And then I performed another vulnerability scan using the SBOM that was generated by the command above:
trivy sbom argo-trivy-issue-imageScan.json --format=cyclonedx -o argo-trivy-issue-sbomScan.json --scanners vuln
After thorough analysis I found out that there was a difference of 3 vulnerabilities between them:
"CVE-2022-21235", "GHSA-xg2h-wx96-xgxr", "CVE-2021-4238"
Shouldn't the vulnerabilities be the same if no change was made to the SBOM or the image?
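The comparison the reporter describes (diff the vulnerability sets of the image scan and the SBOM re-scan, then check whether the missing findings sit on PURLs whose case changed) can be scripted. The script below is an added example for this issue, not code from the original post or from Trivy. The two CycloneDX 1.4 documents embedded in it are constructed stand-ins for argo-trivy-issue-imageScan.json and argo-trivy-issue-sbomScan.json: the module path, PURLs and the EXAMPLE-000x vulnerability IDs are placeholders, not data from the real reports. It assumes the CycloneDX layout in which each vulnerability's `affects[].ref` points at a component's `bom-ref`, and that the `bom-ref` equals the component's PURL (an assumption made for the constructed data).

```python
import json

# Constructed CycloneDX 1.4 excerpts standing in for the two reports
# (the "trivy image" output and the "trivy sbom" re-scan of it). Module
# paths, PURLs and vulnerability IDs are placeholders, not data from the
# original report.
IMAGE_SCAN_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "github.com/ExampleOrg/Lib", "version": "v1.0.0",
         "purl": "pkg:golang/github.com/ExampleOrg/Lib@v1.0.0",
         "bom-ref": "pkg:golang/github.com/ExampleOrg/Lib@v1.0.0"},
        {"type": "library", "name": "github.com/other/tool", "version": "v2.1.0",
         "purl": "pkg:golang/github.com/other/tool@v2.1.0",
         "bom-ref": "pkg:golang/github.com/other/tool@v2.1.0"},
    ],
    "vulnerabilities": [
        {"id": "EXAMPLE-0001",
         "affects": [{"ref": "pkg:golang/github.com/ExampleOrg/Lib@v1.0.0"}]},
        {"id": "EXAMPLE-0002",
         "affects": [{"ref": "pkg:golang/github.com/other/tool@v2.1.0"}]},
    ],
})

# The re-scan: the mixed-case PURL came back lowercased and the finding
# that hung off it is gone, while the all-lowercase package is unchanged.
SBOM_SCAN_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "github.com/exampleorg/lib", "version": "v1.0.0",
         "purl": "pkg:golang/github.com/exampleorg/lib@v1.0.0",
         "bom-ref": "pkg:golang/github.com/exampleorg/lib@v1.0.0"},
        {"type": "library", "name": "github.com/other/tool", "version": "v2.1.0",
         "purl": "pkg:golang/github.com/other/tool@v2.1.0",
         "bom-ref": "pkg:golang/github.com/other/tool@v2.1.0"},
    ],
    "vulnerabilities": [
        {"id": "EXAMPLE-0002",
         "affects": [{"ref": "pkg:golang/github.com/other/tool@v2.1.0"}]},
    ],
})


def vuln_ids(bom):
    """Set of vulnerability IDs reported in a CycloneDX BOM."""
    return {v["id"] for v in bom.get("vulnerabilities", [])}


def purls(bom):
    """Set of component PURLs in a BOM; components without a purl are skipped."""
    return {c["purl"] for c in bom.get("components", []) if c.get("purl")}


def diff_vulns(bom_a, bom_b):
    """IDs only in A and IDs only in B, sorted for stable output."""
    a, b = vuln_ids(bom_a), vuln_ids(bom_b)
    return sorted(a - b), sorted(b - a)


def purl_case_drift(bom_a, bom_b):
    """Pairs (purl_in_a, purl_in_b) that are equal case-insensitively but
    not byte-for-byte: case was lost or changed between the two BOMs."""
    by_lower_b = {p.lower(): p for p in purls(bom_b)}
    drift = []
    for p in sorted(purls(bom_a)):
        other = by_lower_b.get(p.lower())
        if other is not None and other != p:
            drift.append((p, other))
    return drift


def findings_on_drifted_purls(bom, drift):
    """Vulnerability IDs in `bom` whose affected refs point at a PURL whose
    case drifted; these are the findings most likely lost to the case change."""
    drifted = {original for original, _ in drift}
    return sorted(
        v["id"] for v in bom.get("vulnerabilities", [])
        if any(a.get("ref") in drifted for a in v.get("affects", []))
    )


def compare_scans(image_json, sbom_json):
    """Diff two CycloneDX reports and attribute dropped findings to PURL case drift."""
    image, sbom = json.loads(image_json), json.loads(sbom_json)
    only_image, only_sbom = diff_vulns(image, sbom)
    drift = purl_case_drift(image, sbom)
    return {
        "only_in_image_scan": only_image,
        "only_in_sbom_scan": only_sbom,
        "purl_case_drift": drift,
        "lost_on_drifted_purls": findings_on_drifted_purls(image, drift),
    }


if __name__ == "__main__":
    # With real reports: compare_scans(open(a).read(), open(b).read())
    print(json.dumps(compare_scans(IMAGE_SCAN_JSON, SBOM_SCAN_JSON), indent=2))
```

Run against the real pair of files, a non-empty `purl_case_drift` list is the tell: the SBOM round trip rewrote the PURL, and any finding listed under `lost_on_drifted_purls` disappeared because the re-scan looked up the lowercased name rather than the one the image scan matched.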