Docker Image PURLs - Scan Not working in CBOMKit UI

[aman-agrawal]

I passed different formats to scan docker images in CBOMKit UI, but none is working.
Please tell whether docker purls are supported or not.
If not, are you planning to support this, till when ?
If yes, please share the right format to scan public/private docker images from dockerhub.

Formats I tried for public dockerhub repo :
pkg:docker/repository/name@tag
pkg:docker/docker.io/repository/name@tag
eg. pkg:docker/docker.io/aman1603/testcbom@latest

[san-zrl]

Hi @aman-agrawal,

There's no support for docker purls in CBOMKit since its main purpose is to scan source code. We currently try to resolve pkg:maven and pkg:pypi purls to repo urls. Resolution is based on Google's deps.dev service.

That said, there is another tool for detecting cryptographic assets in container images. Please check it out: https://github.com/IBM/cbomkit-theia.

[security-prince]

Hi @aman-agrawal,

There's no support for docker purls in CBOMKit since its main purpose is to scan source code. We currently try to resolve pkg:maven and pkg:pypi purls to repo urls. Resolution is based on Google's deps.dev service.

That said, there is another tool for detecting cryptographic assets in container images. Please check it out: https://github.com/IBM/cbomkit-theia.

@san-zrl isn't cbomkit-theia included with cbomkit?

[san-zrl]

Hi @aman-agrawal - no, cbomkit-theia is a stand-alone project that was created as a result of a student's master thesis. We have to plan or timeline to make is part of cbomkit.