Problem
It seems like the SBOM of Docker Images built with the new Paketo Builders is incomplete. We noticed that the versions for some dependencies are missing when we looked at our trivy reports for the docker image. This yields false positives when scanning the image for security vulnerabilities. I initially thought that this is a bug in trivy and reported it here.
This is how we're building the docker image in our project:
./mvnw -B -ntp spring-boot:build-image
Expected Behaviour
All dependency versions are correctly included in the SBOM of the docker image so that security scanners can produce better results.
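One way to check an image SBOM for exactly this gap, added here as example code that is not part of the issue, Spring Boot or the Paketo buildpacks: it parses a CycloneDX JSON SBOM (one of the formats Paketo buildpacks emit), walks nested components as well as top-level ones, and lists every component whose version is absent or empty; the embedded sample SBOM and its component coordinates are constructed for illustration, and the file path argument is hypothetical.

```python
import json
import sys

# Constructed CycloneDX-style SBOM fragment (illustrative, not real Paketo output):
# one component carries a version, one does not, and one is nested.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.springframework", "name": "spring-core",
         "version": "6.0.11", "purl": "pkg:maven/org.springframework/spring-core@6.0.11"},
        {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind",
         "components": [
             {"type": "library", "group": "com.fasterxml.jackson.core",
              "name": "jackson-core", "version": ""},
         ]},
    ],
})


def _walk(components, out):
    """Collect group:name coordinates of components with no usable version, recursively."""
    for comp in components:
        version = comp.get("version")
        if version is None or not str(version).strip():
            group = comp.get("group")
            name = comp.get("name", "<unnamed>")
            out.append(f"{group}:{name}" if group else name)
        _walk(comp.get("components", []), out)


def components_missing_version(sbom_text):
    """Return coordinates of every component lacking a version.

    A scanner cannot match such a component against a vulnerability database
    by exact version, so each entry is a likely source of false positives
    (or silent misses) when the image is scanned.
    """
    missing = []
    _walk(json.loads(sbom_text).get("components", []), missing)
    return missing


def sbom_is_complete(sbom_text):
    """True when every component in the SBOM carries a version."""
    return not components_missing_version(sbom_text)


if __name__ == "__main__":
    # Optional argument: path to an SBOM exported from the built image (hypothetical).
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SBOM
    for coord in components_missing_version(text):
        print("missing version:", coord)
```

Running it against the SBOM of a freshly built image before scanning makes a missing-version regression visible as a build-time check rather than as a puzzling scanner report.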
Comment From: bclozel
Spring Boot is not generating this SBOM information as this is done by paketo buildpacks. Can you create an issue against the Spring Boot buildpack?