Replies: 1 comment
- For libpak based buildpacks, there is a feature request to add this. You can 👍 to vote for that if it is needed.
- In order to attribute which buildpack layer contributed a vulnerable package, the cnb-sboms layer should include CycloneDX documents as well as Syft to allow users to use either Grype or Trivy to scan the SBOM. Some layers (e.g. paketo-buildpacks_ca-certificates, paketo-buildpacks_spring-boot). Some layers do include a CDX document, for instance paketo-buildpacks_bellsoft-liberica.