grype scan by sbom file is generated by syft different with scanning directly container

[waovu]

grype scan by sbom file is generated by syft different with scanning directly container

grype scan sbom file and directly ccontainer should be same

Environment:

• grype version: 0.55.0
• syft version : 0.65.0
• OS (e.g: cat /etc/os-release or similar):

[kzantow]

I suspect we're losing the file overlap relationships in CycloneDX format.

As a workaround, you could use a Syft format SBOM (e.g. using syft -o json), and it should produce the same result as the direct scan.

[waovu]

@katgurdak yeap, If scan with json output, result will be same. but with cycloneDx format, it's difference

[dwertent]

@kzantow Does this mean there is an issue with the JSON output format?

[kzantow]

Apologies for the delay getting back here -- I don't think this is an issue with CycloneDX in Grype, it's an issue that CycloneDX doesn't support certain types of relationships, so outputting a Syft SBOM in CycloneDX is lossy and can lead to worse results in Grype. There isn't a specific thing we can do to fix this until CycloneDX supports at least type on the relationships, but there is indication that won't happen. Regardless, if CycloneDX does get enhanced enough to support what Syft and Grype need here, any change will require an update in the forrmat conversion that Syft has, and nothing will be needed here, in Grype. As such I'm going to close this issue. Please let me know if there is anything I've missed here!