RPM Archives¶
EXPERIMENTAL
This feature might change without preserving backwards compatibility.
Trivy supports the following scanners for RPM archives.
Scanner | Supported |
---|---|
SBOM | ✓ |
Vulnerability | ✓1 |
License | ✓ |
The table below outlines the features offered by Trivy.
SBOM¶
Trivy analyzes RPM archives matching *.rpm
.
This feature is currently disabled by default but can be enabled with an environment variable, TRIVY_EXPERIMENTAL_RPM_ARCHIVE
.
TRIVY_EXPERIMENTAL_RPM_ARCHIVE=true trivy fs ./rpms --format cyclonedx --output rpms.cdx.json
Note
Currently, it works with --format cyclonedx
, --format spdx
or --format spdx-json
.
Vulnerability¶
Since RPM files don't have OS information, you need to generate SBOM, fill in the OS information manually and then scan the SBOM for vulnerabilities.
For example:
$ TRIVY_EXPERIMENTAL_RPM_ARCHIVE=true trivy fs ./rpms -f cyclonedx -o rpms.cdx.json
$ jq '(.components[] | select(.type == "operating-system")) |= (.name = "redhat" | .version = "7.9")' rpms.cdx.json > rpms-res.cdx.json
$ trivy sbom ./rpms-res.cdx.json
License¶
If licenses are included in the RPM archive, Trivy extracts it.
-
Need to generate SBOM first and add OS information to that SBOM ↩