
Operating System Vulnerability Reporting

Grype and Trivy will not report any operating-system package vulnerabilities (packages installed through yum, apt, apk, etc.) unless a specific distribution is provided. Without the distribution name and version the scanners cannot tell which vendor advisories and backported fixes apply, so they suppress these findings to avoid a large number of false positives.

This information can be provided in the SBOM as a component of type operating-system.
If your SBOM was generated by a recent version of Trivy or Syft, it should already contain this component and no further action is required.

This component will look something like this (a CycloneDX component entry in the SBOM's components list):

    {
      "bom-ref": "ab16d2bb-90f7-4049-96ce-8c473ba13bd2",
      "type": "operating-system",
      "name": "rocky",
      "version": "8.7"
    }

If this information does not exist in your SBOM you can provide it to hoppr-cop in the following ways:

  • As a CLI argument --os-distro
  • As an environment variable OS_DISTROBUTION
  • By setting the class attributes on the TrivyScanner and GrypeScanner classes

Unfortunately there is no clearly defined taxonomy for operating-system identifiers; the value must use the distribution name and version that the scanners recognize, not an arbitrary string. These are some validated example values for the --os-distro argument:

  • rocky:8.7
  • rhel:9
  • ubuntu:22.04
  • debian:bookworm/sid
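The following is an added example, not hoppr-cop's own code: it checks a CycloneDX SBOM for the operating-system component described above and, if the component is missing, derives an --os-distro style value (name:version) from the contents of /etc/os-release and inserts the component. The sample SBOM and os-release text are constructed inline so the script runs offline. The mapping from os-release fields to the name:version form is an assumption: ID plus VERSION_ID (falling back to VERSION_CODENAME where VERSION_ID is absent, as on Debian testing) matches the examples listed on this page, but the resulting value must still be one Grype and Trivy accept, and the Debian "bookworm/sid" form comes from /etc/debian_version rather than os-release.

```python
"""Check a CycloneDX SBOM for an operating-system component and derive an
os-distro value from /etc/os-release when it is missing.

Added example; not part of hoppr-cop. The name:version derivation below is
an assumption based on the example values on this page.
"""
import json
import uuid

# Constructed sample SBOM: contains an OS package but no operating-system
# component, which is exactly the situation the page describes.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {
            "type": "library",
            "name": "openssl-libs",
            "version": "1.1.1k",
            "purl": "pkg:rpm/rocky/openssl-libs@1.1.1k",
        }
    ],
}

# Constructed /etc/os-release content for Rocky Linux 8.7.
SAMPLE_OS_RELEASE = """NAME="Rocky Linux"
VERSION="8.7 (Green Obsidian)"
ID="rocky"
ID_LIKE="rhel centos fedora"
VERSION_ID="8.7"
"""


def parse_os_release(text):
    """Parse os-release KEY=VALUE lines into a dict, stripping quotes."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip().strip('"').strip("'")
    return fields


def os_distro_from_os_release(text):
    """Return a name:version value such as rocky:8.7 (assumed mapping).

    Uses ID and VERSION_ID; falls back to VERSION_CODENAME when VERSION_ID
    is absent, and to the bare ID when neither is present.
    """
    fields = parse_os_release(text)
    distro_id = fields.get("ID")
    if not distro_id:
        raise ValueError("os-release has no ID field; cannot derive os-distro")
    version = fields.get("VERSION_ID") or fields.get("VERSION_CODENAME")
    return f"{distro_id}:{version}" if version else distro_id


def find_os_component(sbom):
    """Return the first component of type operating-system, or None."""
    for comp in sbom.get("components", []):
        if comp.get("type") == "operating-system":
            return comp
    return None


def ensure_os_component(sbom, os_distro):
    """Return the SBOM with an operating-system component.

    The original object is returned untouched if the component already
    exists; otherwise a deep copy with the component appended is returned.
    """
    if find_os_component(sbom) is not None:
        return sbom
    name, _, version = os_distro.partition(":")
    component = {
        "bom-ref": str(uuid.uuid4()),  # fresh bom-ref, as in the page's example
        "type": "operating-system",
        "name": name,
    }
    if version:
        component["version"] = version
    patched = json.loads(json.dumps(sbom))  # deep copy; leave the input alone
    patched.setdefault("components", []).append(component)
    return patched


if __name__ == "__main__":
    distro = os_distro_from_os_release(SAMPLE_OS_RELEASE)
    if find_os_component(SAMPLE_SBOM) is None:
        print(f"no operating-system component; pass --os-distro {distro}")
    print(json.dumps(ensure_os_component(SAMPLE_SBOM, distro), indent=2))
```

Run it against a real SBOM by replacing SAMPLE_SBOM with json.load(open(path)) and SAMPLE_OS_RELEASE with the contents of /etc/os-release read from inside the scanned image; if the script reports a missing component, either pass the printed value as --os-distro or feed the patched SBOM to hoppr-cop.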