Comparing v6 and v5 #462

@almaz045

Description

Hi! We have been using the v5 version, but decided to test v6. I tried scanning different projects and saw some interesting things.

  1. Go project. For example, I scanned the "trivy" repository with v5 and v6. First of all I saw that v6 found more feeds than v5. But I checked the precision of that and saw that some of the purls in the SBOM don't really exist in the repository. Maybe I am wrong and don't know all the nuances, but what I see, for example:
    pkg:golang/github.com/BurntSushi/toml@v1.2.1 is a package I saw in the SBOM of v6 depscan, but it is absent in the v5 SBOM. Then I saw this key in the object of this BOM's purl:

    "properties": [
        {
          "name": "SrcFile",
          "value": "pkg/fanal/analyzer/language/golang/mod/testdata/pkg/mod/github.com/aquasecurity/go-dep-parser@v0.0.0-20230219131432-590b1dfb6edd/go.mod"
        },
        {
          "name": "SrcFile",
          "value": "pkg/fanal/analyzer/language/golang/mod/testdata/pkg/mod/github.com/aquasecurity/go-dep-parser@v0.0.0-20220406074731-71021a481237/go.mod"
        }
      ]

And I went to these files to check the presence of this package there, but I saw only this:

module github.com/aquasecurity/go-dep-parser

go 1.18

I checked the go.mod and go.sum files and didn't see this package.
Can we consider this finding an FP?

  2. Python project. The second interesting thing about scanning the Ansible project is that version 6 also found more findings, but the reason (I think) is that it found findings even for package versions that are absent in the SBOM file. These findings are absent in version 5. My guess is that it now finds findings even for packages for which versions aren't specified. However, if a version isn't specified, it's usually assumed that the package is the latest version, whereas here we have findings even for very old package versions (which aren't actually included in the project and SBOM file).

  3. Java project. I scanned the open-source vulnerable app "vulnado", and v5 found more findings than the v6 version. All findings of v5 are correct.

  4. JS project. I scanned the "cypress" repository, and v5 found 50 more findings than v6 (the purls of these findings are present in both SBOM files (v5 and v6)).

  5. I noticed that some information, like licenses, properties of objects in components, and occurrences in the evidence of components, is removed from the VDR report and present in the SBOM only. Is this a conscious decision?

If you need additional info, checks or artifacts from the scans, I can attach them.
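The cross-check described in point 1 can be automated. The following is an added example (not depscan's or trivy's code): for each Go component in a CycloneDX SBOM it parses the go.mod files named in the component's SrcFile properties and reports components that none of those files actually requires at that version. The SBOM fragment and go.mod contents below are constructed; a real run would read the files from the repository checkout.

```python
"""Flag Go components whose SrcFile go.mod files never require them (added example)."""
import re

# Constructed go.mod contents keyed by path: the first requires the module, the second
# (mirroring the one quoted in the issue) only declares a module and a go version.
GO_MOD_FILES = {
    "testdata/a/go.mod": "module example.com/a\n\ngo 1.18\n\nrequire github.com/BurntSushi/toml v1.2.1\n",
    "testdata/b/go.mod": "module github.com/aquasecurity/go-dep-parser\n\ngo 1.18\n",
}

# Constructed CycloneDX fragment with the same component/properties shape as in the issue.
SBOM = {"components": [
    {"purl": "pkg:golang/github.com/BurntSushi/toml@v1.2.1",
     "properties": [{"name": "SrcFile", "value": "testdata/a/go.mod"},
                    {"name": "SrcFile", "value": "testdata/b/go.mod"}]},
    {"purl": "pkg:golang/golang.org/x/text@v0.3.7",
     "properties": [{"name": "SrcFile", "value": "testdata/b/go.mod"}]},
]}

SINGLE_REQUIRE = re.compile(r"^require\s+([^\s(]+)\s+(v\S+)", re.M)
REQUIRE_BLOCK = re.compile(r"^require\s*\((.*?)^\)", re.M | re.S)
BLOCK_LINE = re.compile(r"^\s*(\S+)\s+(v\S+)", re.M)

def required_modules(go_mod):
    """Return {(module, version)} from single-line and block `require` directives."""
    mods = {(m.group(1), m.group(2)) for m in SINGLE_REQUIRE.finditer(go_mod)}
    for block in REQUIRE_BLOCK.finditer(go_mod):
        for m in BLOCK_LINE.finditer(block.group(1)):
            if not m.group(1).startswith("//"):  # skip commented-out lines
                mods.add((m.group(1), m.group(2)))
    return mods

def purl_to_module(purl):
    """pkg:golang/<module>@<version> -> (module, version); None for non-Go purls."""
    if not purl.startswith("pkg:golang/"):
        return None
    path, _, version = purl[len("pkg:golang/"):].partition("@")
    return path, version

def unsupported_components(sbom, files):
    """Return purls of Go components that no listed SrcFile go.mod requires."""
    suspects = []
    for comp in sbom.get("components", []):
        mod = purl_to_module(comp.get("purl", ""))
        if mod is None:
            continue
        srcs = [p["value"] for p in comp.get("properties", []) if p.get("name") == "SrcFile"]
        if not any(mod in required_modules(files.get(f, "")) for f in srcs):
            suspects.append(comp["purl"])
    return suspects

if __name__ == "__main__":
    for purl in unsupported_components(SBOM, GO_MOD_FILES):
        print("not required by any listed SrcFile:", purl)
```

A component that is reported here is a candidate false positive worth checking against go.sum as well, since test fixtures under testdata/ often contain go.mod files that never resolve to real dependencies of the scanned project.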
