scan C/C++ components in CycloneDX SBOM #1791
Unanswered. douglasclarke asked this question in Q&A.
Replies: 2 comments, 1 reply
-
@douglasclarke thank you for your interest in OSV-Scanner! We have documentation about scanning SBOMs: https://google.github.io/osv-scanner/usage/scan-source#specify-sbom - does this answer your question?
0 replies
-
Not that I see. I am looking for the specifics of how to reference a GitHub reference in the CycloneDX SBOM to match against the GIT affected vulnerabilities in OSV. I was assuming, based on the PURL spec, that pkg:github/namespace/name@tag would be the correct reference in the SBOM.
1 reply
- Original question:
If I have a product built using a number of GitHub-hosted C/C++ projects, included under the vendored pattern discussed in the blog post, I would like to produce an SBOM including these dependencies such that osv-scanner would report vulnerabilities for the C/C++ packages in use.
Does osv-scanner have an expected format for the component in a CycloneDX SBOM (e.g. purl format) that would result in the components being correctly scanned for vulnerabilities?
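An added example, not code from the OSV-Scanner project or from anyone in this thread, showing the shape the question is about: a CycloneDX component for a vendored GitHub-hosted C/C++ project and the OSV API query body that component maps to. OSV records vulnerabilities in C/C++ projects as GIT ranges keyed by commit hashes, and the OSV API accepts a `{"commit": ...}` query (POST https://api.osv.dev/v1/query, batched at /v1/querybatch), so a `pkg:github/...` purl is only directly matchable against those ranges when its version part is a full commit SHA. Whether osv-scanner itself resolves a `pkg:github` purl carrying a tag is not confirmed by this page; the example treats tag-only components as needing a commit before they can be queried. The repository names, SHAs and the SBOM contents are constructed placeholders.

```python
"""Map CycloneDX components for vendored GitHub C/C++ projects to OSV queries.

Added example; not osv-scanner code.  Assumptions: the OSV API query shapes
{"commit": <sha>} and {"package": {"purl": <purl>}} as documented at
https://google.github.io/osv.dev/post-v1-query/.  All names and hashes below
are constructed sample data.
"""
import json
import re
from typing import Optional
from urllib.parse import unquote

# Constructed sample SBOM: one C/C++ dependency pinned to a commit, one pinned
# only to a tag, and one ordinary ecosystem package for contrast.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [
        {
            "type": "library",
            "name": "libexample",
            "version": "0123456789abcdef0123456789abcdef01234567",
            "purl": "pkg:github/example-org/libexample@0123456789abcdef0123456789abcdef01234567",
        },
        {
            "type": "library",
            "name": "libother",
            "version": "v1.2.3",
            "purl": "pkg:github/example-org/libother@v1.2.3",
        },
        {
            "type": "library",
            "name": "requests",
            "version": "2.25.0",
            "purl": "pkg:pypi/requests@2.25.0",
        },
    ],
}

COMMIT_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_purl(purl: str) -> dict:
    """Minimal package-url parser: pkg:type/namespace/name@version?qualifiers#subpath."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    rest = purl[len("pkg:"):]
    rest = rest.split("#", 1)[0]   # drop subpath
    rest = rest.split("?", 1)[0]   # drop qualifiers
    path, _, version = rest.partition("@")
    parts = [unquote(p) for p in path.split("/") if p]
    namespace = "/".join(parts[1:-1]) if len(parts) > 2 else ""
    return {"type": parts[0], "namespace": namespace,
            "name": parts[-1], "version": unquote(version)}


def osv_query_for_component(component: dict) -> Optional[dict]:
    """Return the body for POST /v1/query, or None if the component cannot be
    matched by commit.

    GIT-ranged OSV entries (the kind C/C++ projects get) are keyed by commit,
    so a github purl whose version is a full SHA becomes a commit query.  A
    github purl pinned only to a tag needs resolving to a SHA first (outside
    this example).  Other purl types are passed through as package queries.
    """
    p = parse_purl(component["purl"])
    if p["type"] == "github":
        if COMMIT_SHA_RE.match(p["version"]):
            return {"commit": p["version"]}
        return None
    return {"package": {"purl": component["purl"]}}


def components_without_commit(sbom: dict) -> list:
    """Names of github components that carry a tag/branch rather than a commit."""
    return [c["name"] for c in sbom.get("components", [])
            if osv_query_for_component(c) is None]


def osv_querybatch_for_sbom(sbom: dict) -> dict:
    """Body for POST /v1/querybatch, skipping components that cannot be queried."""
    queries = [osv_query_for_component(c) for c in sbom.get("components", [])]
    return {"queries": [q for q in queries if q is not None]}


if __name__ == "__main__":
    print(json.dumps(osv_querybatch_for_sbom(SAMPLE_SBOM), indent=2))
    print("github components pinned only to a tag:",
          components_without_commit(SAMPLE_SBOM))
```

The practical point for the SBOM author is the `version` part of the purl: a tag such as `v1.2.3` identifies a release, but the GIT ranges in OSV advisories are expressed as introduced/fixed commits, so recording the exact vendored commit SHA in the component (in `purl` and, if the tooling prefers it, in `version`) is what makes a commit-based match possible.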