I run trivy for SBOM generation and analyze it with grype, and I found that grype did not find vulnerabilities in the trivy-based SBOM.
Grype will work best when you use Syft's SBOM.
In case you want better results, try to use Trivy's SBOM with a known format like SPDX, etc.
Grype should work with SBOMs generated by other tools. Do you have any example SBOM you could share? As @TimBrown1611 says, it needs to be a standard format: SPDX or CycloneDX (or Syft format).
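A pre-flight check for the point made in the replies above, added here as an example (not part of the original thread and not code from Grype, Syft or Trivy): it tells whether a JSON file is CycloneDX, SPDX or Syft format before it is handed to a scanner. The function name and the sample documents are constructed; the purl/CPE count is included on the assumption that a scanner needs such identifiers to match packages to advisories.

```python
import json

def _count(pkgs, has_id):
    return {"packages": len(pkgs), "identified": sum(1 for p in pkgs if has_id(p))}

def identify_sbom(doc):
    """Classify a parsed JSON document and count packages carrying a purl or CPE."""
    if doc.get("bomFormat") == "CycloneDX":
        # Top-level components only; nested components are not walked here.
        stats = _count(doc.get("components", []),
                       lambda c: bool(c.get("purl") or c.get("cpe")))
        return {"format": "CycloneDX", "version": doc.get("specVersion"), **stats}
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        id_types = {"purl", "cpe22Type", "cpe23Type"}
        stats = _count(doc.get("packages", []),
                       lambda p: any(r.get("referenceType") in id_types
                                     for r in p.get("externalRefs", [])))
        return {"format": "SPDX", "version": doc["spdxVersion"], **stats}
    if "artifacts" in doc and isinstance(doc.get("schema"), dict):
        stats = _count(doc["artifacts"],
                       lambda a: bool(a.get("purl") or a.get("cpes")))
        return {"format": "Syft", "version": doc["schema"].get("version"), **stats}
    # Anything else (for example a scanner's own report JSON) is not a standard SBOM.
    return {"format": "unknown", "version": None, "packages": 0, "identified": 0}

# Constructed sample documents (not real tool output).
CDX = json.loads("""{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  {"type": "library", "name": "openssl", "version": "3.0.2",
   "purl": "pkg:deb/ubuntu/openssl@3.0.2"},
  {"type": "library", "name": "internal-lib", "version": "1.0.0"}]}""")
SPDX = json.loads("""{"spdxVersion": "SPDX-2.3", "packages": [
  {"name": "zlib", "versionInfo": "1.2.11", "externalRefs": [
    {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
     "referenceLocator": "pkg:generic/zlib@1.2.11"}]}]}""")
REPORT = json.loads('{"SchemaVersion": 2, "Results": []}')

if __name__ == "__main__":
    for name, doc in (("cdx", CDX), ("spdx", SPDX), ("report", REPORT)):
        print(name, identify_sbom(doc))
```

A result of `unknown`, or an `identified` count well below `packages`, is worth checking before concluding that the scanner found nothing.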