Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(CycloneDX): parse framework type as library #7432

Closed
DmitriyLewen opened this issue Sep 2, 2024 Discussed in #7418 · 0 comments · Fixed by #7527
Closed

fix(CycloneDX): parse framework type as library #7432

DmitriyLewen opened this issue Sep 2, 2024 Discussed in #7418 · 0 comments · Fixed by #7527
Assignees
@DmitriyLewen
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@DmitriyLewen
Copy link
Contributor

Description

Trivy currently parses only library components of CycloneDX (see https://cyclonedx.org/docs/1.6/json/#components_items_type).
But there are not many differences between a library and a framework and sometimes it is difficult to choose the right type.
Even CycloneDX docs say: If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is RECOMMENDED.

So we should parse and scan framework components as libraries.

Discussed in #7418
@DmitriyLewen DmitriyLewen added the kind/bug Categorizes issue or PR as related to a bug. label Sep 2, 2024
@DmitriyLewen DmitriyLewen self-assigned this Sep 2, 2024
@DmitriyLewen DmitriyLewen mentioned this issue Sep 17, 2024
Merged
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@DmitriyLewen DmitriyLewen

Labels
kind/bug Categorizes issue or PR as related to a bug.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(sbom): parse type framework as library when unmarshalling CycloneDX files DmitriyLewen/trivy
1 participant
@DmitriyLewen