Connect components from SBOM input to grype output

I have an SBOM that is generated by some other tool and I’d like to link vulnerabilities which grype finds back to the SBOM-generating tool via some ID.

I’m currently generating a CycloneDX SBOM and have tried lots of fields the spec provides, but grype seems to throw everything out in the generated SBOM file and also uses different references, so I have no way to connect the found vulnerabilities to the components in the input SBOM.

Is there some way I can programmatically connect the input components with the output components (even if hacky)?

thanks!

I’ve worked around it now by matching the name + version + purl + the normalized vendor/product part of a CPE. But it is brittle and I’d prefer to just pass some unique ID through.

edit: ah, and I see now that grype merges all components with the same properties into one in the target SBOM, so there doesn’t even exist a one-to-one mapping. So this is probably futile and I need to keep my hack.

so please ignore 🙂

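The name + version + purl + CPE vendor/product workaround described in the post, as an added Python example that is not part of the original post or of grype itself. Both SBOMs are constructed inline, the `vulnerabilities[].affects[].ref` shape of grype's CycloneDX output is an assumption, and because grype merges identical components, one grype component is mapped back to every input bom-ref with the same key.

```python
from collections import defaultdict

# Constructed sample input SBOM (CycloneDX-shaped dict), not real tool output.
INPUT_SBOM = {"components": [
    {"bom-ref": "my-id-1", "name": "openssl", "version": "1.1.1k",
     "purl": "pkg:deb/debian/openssl@1.1.1k",
     "cpe": "cpe:2.3:a:OpenSSL:openssl:1.1.1k:*:*:*:*:*:*:*"},
    {"bom-ref": "my-id-2", "name": "openssl", "version": "1.1.1k",
     "purl": "pkg:deb/debian/openssl@1.1.1k",
     "cpe": "cpe:2.3:a:openssl:openssl:1.1.1k:*:*:*:*:*:*:*"},
]}

# Constructed sample of grype's CycloneDX output (assumed shape): grype merged the
# two inputs into one component, referenced from vulnerabilities[].affects[].ref.
GRYPE_SBOM = {"components": [
    {"bom-ref": "grype-ref-a", "name": "openssl", "version": "1.1.1k",
     "purl": "pkg:deb/debian/openssl@1.1.1k",
     "cpe": "cpe:2.3:a:openssl:openssl:1.1.1k:*:*:*:*:*:*:*"},
], "vulnerabilities": [
    {"id": "VULN-ID-PLACEHOLDER", "affects": [{"ref": "grype-ref-a"}]},
]}


def cpe_vendor_product(cpe):
    # Normalized (vendor, product) of a CPE 2.3 string; assumes no escaped
    # colons in those two fields. Returns None if the string is not CPE 2.3.
    parts = (cpe or "").split(":")
    if len(parts) < 5 or parts[0] != "cpe" or parts[1] != "2.3":
        return None
    return (parts[3].lower(), parts[4].lower())


def match_key(component):
    # The brittle correlation key: name + version + purl + CPE vendor/product.
    return ((component.get("name") or "").lower(), component.get("version") or "",
            component.get("purl") or "", cpe_vendor_product(component.get("cpe")))


def map_vulnerabilities(input_sbom, grype_sbom):
    # Returns {vulnerability id: sorted input bom-refs}. One grype component
    # can map to several input refs because grype merges identical components.
    input_refs = defaultdict(list)
    for c in input_sbom.get("components", []):
        input_refs[match_key(c)].append(c["bom-ref"])
    grype_by_ref = {c["bom-ref"]: c for c in grype_sbom.get("components", [])}
    hits = defaultdict(set)
    for vuln in grype_sbom.get("vulnerabilities", []):
        for affected in vuln.get("affects", []):
            comp = grype_by_ref.get(affected.get("ref"))
            if comp is not None:
                hits[vuln["id"]].update(input_refs.get(match_key(comp), []))
    return {vid: sorted(refs) for vid, refs in hits.items()}
```

A component in the grype output with no key match in the input (or an input component grype dropped) simply yields no refs, which is the case to log rather than silently ignore in a real pipeline.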