I have an SBOM that is generated by some other tool and I’d like to link vulnerabilities which grype finds back to the SBOM-generating tool via some ID.
I’m currently generating a CycloneDX SBOM and have tried lots of fields the spec provides, but grype seems to throw everything out in the generated SBOM file and also uses different references, so I have no way to connect the found vulnerabilities to the components in the input SBOM.
Is there some way I can programmatically connect the input components with the output components? (even if hacky)
Thanks!
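One way to reconcile the two documents, added here as an illustration and not code from the original post or from the Grype project: join the input CycloneDX components to Grype's JSON matches on the package URL (purl), which both formats can carry, and report any match that has no counterpart in the input. It assumes each input component has a `bom-ref` and a `purl`, and that Grype's JSON output exposes `matches[].artifact.purl` and `matches[].vulnerability.id`; both sample documents below are constructed and the vulnerability ids are placeholders.

```python
import json

# Constructed CycloneDX input with the generating tool's own bom-ref ids.
INPUT_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"bom-ref": "mytool:comp-1", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"bom-ref": "mytool:comp-2", "name": "requests", "version": "2.25.1",
         "purl": "pkg:pypi/requests@2.25.1"},
    ],
})

# Constructed Grype-style report (assumed shape: matches[].vulnerability.id,
# matches[].artifact.purl). The third match has a purl absent from the input.
GRYPE_JSON = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-PLACEHOLDER-1"},
     "artifact": {"purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}},
    {"vulnerability": {"id": "CVE-PLACEHOLDER-2"},
     "artifact": {"purl": "pkg:pypi/requests@2.25.1?repository_url=example"}},
    {"vulnerability": {"id": "CVE-PLACEHOLDER-3"},
     "artifact": {"purl": "pkg:npm/leftpad@1.0.0"}},
]})


def normalize_purl(purl):
    """Drop purl qualifiers ('?...') and subpath ('#...') so that two tools
    describing the same package with different extras still compare equal."""
    return purl.split("?", 1)[0].split("#", 1)[0]


def link_findings(sbom_json, grype_json):
    """Return ({bom-ref: [vulnerability ids]}, [ids with no input component])."""
    sbom = json.loads(sbom_json)
    report = json.loads(grype_json)
    components = sbom.get("components", [])
    by_purl = {}
    for comp in components:
        if comp.get("purl") and comp.get("bom-ref"):
            by_purl.setdefault(normalize_purl(comp["purl"]), []).append(comp["bom-ref"])
    linked = {c["bom-ref"]: [] for c in components if "bom-ref" in c}
    unmatched = []
    for match in report.get("matches", []):
        vuln_id = match["vulnerability"]["id"]
        purl = match.get("artifact", {}).get("purl")
        refs = by_purl.get(normalize_purl(purl)) if purl else None
        if not refs:
            unmatched.append(vuln_id)  # keep these visible rather than silently dropping
            continue
        for ref in refs:
            linked[ref].append(vuln_id)
    return linked, unmatched
```

Anything that lands in the unmatched list is worth inspecting by hand, since it means the scanner saw a package the input SBOM does not describe with a comparable purl.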