Can anyone explain why sometimes in my Xray SBOM export I see versions/releases of RPM packages I never installed? For example, I have a ubi8-minimal image and I also have a grafana builder image where I pull in grafana.rpm and build it in my final image. The only notable things I did to get my final image are a microdnf update and an rpm install of grafana.rpm. In ubi8-minimal, Xray sees that there is an rpm package called audit-libs with version 3.0.7-5.el8. In my release image, Xray also sees audit-libs, but there are 3 releases (3.0.7-4.el8, 3.0.7-5.el8, and 3.0.7-2.el8.2).
I checked the running container of the release image using
rpm -qa
and I only see release 3.0.7-5.el8 for audit-libs.
Even Docker Desktop only sees release 3.0.7-5.el8.
There were many RPM packages with this issue.
Why is this the case? It would be nice to know exactly how Artifactory Xray constructs this SBOM, but I couldn't find details on that.
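As an added example (not part of the original post, and not Xray's own tooling), the following Python script performs the comparison described above programmatically: it parses the SBOM and the `rpm -qa` output and reports, per package, which releases the SBOM lists that the RPM database does not, and which installed packages the SBOM omits. It assumes the SBOM is exported as CycloneDX JSON with `pkg:rpm/...` purls and that `rpm -qa` was run with a `--qf` format printing name and version-release; both inputs below are constructed samples, not the poster's actual data. The script does not explain where the extra entries come from; it only makes the discrepancy explicit and reproducible.

```python
"""Compare the RPM set an SBOM claims against what `rpm -qa` reports inside the container."""
import json
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` output
# from the release container. Not real output from the poster's image.
RPM_QA_OUTPUT = """\
audit-libs 3.0.7-5.el8
bash 4.4.20-4.el8_6
grafana 9.2.4-1
"""

# Constructed sample of a CycloneDX 1.4-style JSON SBOM with rpm purls.
# The purl namespace and exact layout of a real Xray export are assumptions.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "audit-libs", "version": "3.0.7-5.el8",
         "purl": "pkg:rpm/redhat/audit-libs@3.0.7-5.el8?arch=x86_64"},
        {"type": "library", "name": "audit-libs", "version": "3.0.7-4.el8",
         "purl": "pkg:rpm/redhat/audit-libs@3.0.7-4.el8?arch=x86_64"},
        {"type": "library", "name": "audit-libs", "version": "3.0.7-2.el8.2",
         "purl": "pkg:rpm/redhat/audit-libs@3.0.7-2.el8.2?arch=x86_64"},
        {"type": "library", "name": "bash", "version": "4.4.20-4.el8_6",
         "purl": "pkg:rpm/redhat/bash@4.4.20-4.el8_6?arch=x86_64"},
    ],
})


def parse_rpm_qa(text):
    """Return {name: {version-release, ...}} from `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\\n'`."""
    installed = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        name, vr = line.split(maxsplit=1)
        installed[name].add(vr.strip())
    return installed


def parse_rpm_purl(purl):
    """Extract (name, version-release) from a pkg:rpm purl; None for non-rpm purls.

    Epoch, if present, is a purl qualifier and is ignored here, matching the
    %{VERSION}-%{RELEASE} key used for the rpm -qa side.
    """
    if not purl.startswith("pkg:rpm/"):
        return None
    body = purl[len("pkg:rpm/"):].split("?", 1)[0].split("#", 1)[0]
    last = body.rsplit("/", 1)[-1]          # "audit-libs@3.0.7-5.el8"
    if "@" not in last:
        return None
    name, vr = last.split("@", 1)
    return unquote(name), unquote(vr)


def parse_sbom(sbom_json):
    """Return {name: {version-release, ...}} for the rpm components of a CycloneDX JSON SBOM."""
    claimed = defaultdict(set)
    for comp in json.loads(sbom_json).get("components", []):
        parsed = parse_rpm_purl(comp.get("purl", ""))
        if parsed is None:
            continue
        name, vr = parsed
        claimed[name].add(vr)
    return claimed


def diff_sbom_against_installed(claimed, installed):
    """Per package: releases both sides agree on, SBOM-only releases, and installed-but-unlisted releases."""
    report = {}
    for name in sorted(set(claimed) | set(installed)):
        sbom_vers, rpm_vers = claimed.get(name, set()), installed.get(name, set())
        report[name] = {
            "confirmed": sorted(sbom_vers & rpm_vers),
            "sbom_only": sorted(sbom_vers - rpm_vers),
            "installed_only": sorted(rpm_vers - sbom_vers),
        }
    return report


def phantom_releases(report):
    """Packages whose SBOM lists at least one release that `rpm -qa` does not show."""
    return {n: r["sbom_only"] for n, r in report.items() if r["sbom_only"]}


if __name__ == "__main__":
    rep = diff_sbom_against_installed(parse_sbom(SBOM_JSON), parse_rpm_qa(RPM_QA_OUTPUT))
    for pkg, r in rep.items():
        print(f"{pkg}: confirmed={r['confirmed']} sbom_only={r['sbom_only']} "
              f"installed_only={r['installed_only']}")
    print("phantom releases:", phantom_releases(rep))
```

To use it against a real image, run `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` inside the container and feed that text to `parse_rpm_qa`, and point `parse_sbom` at the exported SBOM. Only name plus version-release is compared; epoch and architecture are deliberately ignored so that the output lists exactly the release strings in question.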