Wrong image digest set as version in cyclonedx output

[cjnosal]

What happened:
When generating a cyclonedx report of an image the manifest digest is set in bom.metadata.component.version (though the name is set to image@${image digest})

What you expected to happen:
bom.metadata.component.version should match the image digest

How to reproduce it (as minimally and precisely as possible):

DIGEST=$(crane digest nginx:1.16)
grype nginx@$DIGEST -o cyclonedx

Anything else we need to know?:

Environment:

• Output of grype version: 0.21.0
• OS (e.g: cat /etc/os-release or similar): ubuntu bionic

[luhring]

Adding a link to the related (and currently ongoing) thread in our community Slack: https://anchorecommunity.slack.com/archives/C027JE5M345/p1629141976015600

We can update this issue when we get more clarity on an acceptable path forward.

[luhring]

Follow up on this — there's a few action items to note:

Re: wrong digest in CycloneDX (this issue)

Confirmed. In CycloneDX output, Grype sets the bom.metadata.component.version field to what stereoscope has determined is the "manifest digest" (link to code).

Example output:

<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.2" xmlns:v="http://cyclonedx.org/schema/ext/vulnerability/1.0" version="1" serialNumber="urn:uuid:6bc35dd2-bc2d-4fb7-b7a0-6babeab88eec">
  <metadata>
    ...
    <component type="container">
      <name>ubuntu@sha256:626ffe58f6e7566e00254b638eb7e0f3b11d4da9675088f4781a50ae288f3322</name>
-->   <version>sha256:5c163b73006137467cde89dafc24d7a071f0a312757c2cd90933c052e399cc51</version>
    </component>
  </metadata>
...

The problem is that, currently, this ManifestDigest value from stereoscope cannot be relied on as the image's real manifest digest. This is because there's a case where stereoscope doesn't actually have access to the OCI manifest from the registry — when we're retrieving a container image from the Docker daemon — and so stereoscope creates a new OCI manifest on the fly.

Stereoscope shouldn't do this. I've opened an issue in stereoscope for more context and discussion: anchore/stereoscope#83. Once that issue is completed, we should update Syft and Grype to use the latest of stereoscope. We'll keep this issue (grype#435) open until that's done and the solution is verified in Grype.

Re: lack of transparency about image digest selection

In the Slack discussion, a separate concern was identified:

Our tools are not being transparent in their output about how they selected the exact image to scan, in the case where the user requested a scan of an image without referring to exactly one manifest digest — i.e. they specified a manifest list digest, or an image tag.

For this, I've opened a dedicated issue: #485

[kzantow]

We should definitely make sure that these values match, that both represent the image at the version that was pulled.