API Verbose Output - Identify Components not scanned or those scanned without any findings #3357
colinkmorgan started this conversation in General
Replies: 0 comments
One of the challenges with SBOM scanning (and most tools) is that it is not always clear what the tool is doing, so end users just have to trust that it is functioning properly. For example, for a given scan of an SBOM, vulnerabilities may be returned for n number of components; however, the user is not able to tell if every component was successfully scanned because the output only provides identified vulns.
Is there a way, via the API, to have more verbose output to help track whether or not a component was "scanned"? I did a quick test with an incorrect and correct PURL for a package and when the PURL was incorrect (but still in the right format) there was just no output. When it was the correct PURL, vulnerabilities were provided (pkg:npm/[email protected] vs pkg:npm/[email protected]).
I did some further testing with the osv-scanner and saw that there are some error messages provided when there is no CPE or PURL ("Neither CPE nor PURL found for package:"), and then the osv-scanner will identify how many packages were found and how many were scanned, but it's not necessarily broken down by individual packages, so you could see what was scanned and what wasn't.
For reference, I work in the healthcare/medical device sector and SBOMs are becoming ever more challenging to successfully run and manage, while also being mandatory for the US FDA.
Does anyone have any thoughts on this topic?
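One way a client can keep per-component status on its own side, since an empty result from the batch query does not distinguish "known package, no findings" from "package the database never matched". This is an added example, not code from the OSV project or the poster: it assumes the documented `POST /v1/querybatch` request shape (a `queries` list with `package.purl`, answered by a `results` list in the same order, `{}` where nothing matched), and the PURLs, vulnerability id and response below are constructed, not real captures.

```python
import re
from typing import Dict, List, Tuple

# Endpoint the body below is meant for (not contacted here; the sample is offline).
QUERYBATCH_URL = "https://api.osv.dev/v1/querybatch"

def looks_like_versioned_purl(purl: str) -> bool:
    """Simplified syntax check: 'pkg:<type>/<name>@<version>'.
    Not a full purl parser; it only catches PURLs that can never match."""
    head, sep, version = purl.rpartition("@")
    return bool(sep) and bool(version) and re.match(r"^pkg:[a-z0-9.+-]+/.+$", head) is not None

def build_querybatch(purls: List[str]) -> Tuple[dict, List[str], List[str]]:
    """Return the request body plus the PURLs actually sent and those skipped.
    Malformed PURLs are withheld so they can be reported as 'not queried'
    instead of disappearing into an empty result."""
    sent = [p for p in purls if looks_like_versioned_purl(p)]
    skipped = [p for p in purls if p not in sent]
    body = {"queries": [{"package": {"purl": p}} for p in sent]}
    return body, sent, skipped

def classify(sent: List[str], skipped: List[str], response: dict) -> Dict[str, dict]:
    """Join each sent PURL to its result by position and give every component an explicit status."""
    results = response.get("results", [])
    report = {p: {"status": "not_queried", "reason": "malformed purl"} for p in skipped}
    for i, purl in enumerate(sent):
        if i >= len(results):
            report[purl] = {"status": "no_result", "reason": "missing entry in results"}
            continue
        vulns = results[i].get("vulns", [])
        if vulns:
            report[purl] = {"status": "findings", "ids": sorted(v["id"] for v in vulns)}
        else:
            # Empty result: the package may be clean or simply unknown; the API
            # does not say which, so record it as queried rather than as clean.
            report[purl] = {"status": "queried_no_findings", "ids": []}
    return report

# Constructed sample (not a real SBOM or API capture).
SAMPLE_PURLS = [
    "pkg:npm/example-lib@1.2.3",       # constructed; response below gives it one finding
    "pkg:npm/example-typo-lib@1.2.3",  # constructed; misspelled name -> empty result
    "pkg:npm/missing-version",         # malformed (no version), never sent
]
SAMPLE_RESPONSE = {"results": [
    {"vulns": [{"id": "GHSA-xxxx-example", "modified": "2024-01-01T00:00:00Z"}]},  # placeholder id
    {},
]}

def run_sample() -> Tuple[dict, Dict[str, dict]]:
    body, sent, skipped = build_querybatch(SAMPLE_PURLS)
    return body, classify(sent, skipped, SAMPLE_RESPONSE)
```

Against the live endpoint the same body is sent as JSON and the returned `results` are fed to `classify`; the report then lists every component from the SBOM with one of four statuses instead of only the ones that produced vulnerabilities.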