
Question: Architectural approaches for package-level diffing via Syft/Trivy #258

@rstanevich

Description


Context

I am looking for an efficient way to display a high-level diff of package (various type) version changes between two OCI images.
Roughly speaking, the output would look like this:

{
    "deb": {
        "libcrypt": {
            "0": ["4.4.27"],
            "1": ["4.4.36"]
        },
        "LibC": {
            "0": ["2.35.0"],
            "1": ["2.39.0"]
        },
        "OpenSSL": {
            "0": ["3.0.2"],
            "1": ["3.0.13"]
        },
        ...
    },
    ...
}

Hypothesis

IIUC there are 2 potential workflows, and I would appreciate your feedback on the best path forward:

  1. Post-Process Comparison: Generate full SBOM JSON reports (using Syft or Trivy) for both images independently and compute the diff between the two resulting datasets.
  2. Layer-Based Chaining: Use diffoci to isolate changed layers/files first, then pipe that specific context to Syft or Trivy for targeted package parsing.

Questions

  1. Performance: Which design do you anticipate being more performant? I suspect the second approach (differential parsing) might be faster for large images, but I’m curious if there are known pitfalls here.
  2. Best Practice: To ensure long-term compatibility, would you recommend that users manually pipe the output between these tools (diffoci -> syft), or is there interest in a more native integration?

Thank you for your guidance!
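The following is an added example of the first workflow (post-process comparison), not code from the issue or from the diffoci, Syft or Trivy projects. It assumes Syft's native JSON layout, where each report carries an `artifacts` list whose entries have `name`, `version` and `type` fields; the two reports below are constructed inline to stand in for `syft <image> -o json` output of an "old" and a "new" image, and the packages and versions in them are made up for the demonstration. The diff is grouped by package type exactly as in the output sketched above, with `"0"` for the old image and `"1"` for the new one.

```python
import json
from collections import defaultdict

# Constructed, minimal documents in the shape of Syft's native JSON
# ("artifacts" list with name/version/type). Not real Syft output.
SBOM_BEFORE = json.loads("""
{"artifacts": [
  {"name": "libcrypt1", "version": "4.4.27", "type": "deb"},
  {"name": "libc6",     "version": "2.35.0", "type": "deb"},
  {"name": "openssl",   "version": "3.0.2",  "type": "deb"},
  {"name": "curl",      "version": "7.81.0", "type": "deb"},
  {"name": "requests",  "version": "2.28.0", "type": "python"}
]}
""")

SBOM_AFTER = json.loads("""
{"artifacts": [
  {"name": "libcrypt1",       "version": "4.4.36",   "type": "deb"},
  {"name": "libc6",           "version": "2.39.0",   "type": "deb"},
  {"name": "openssl",         "version": "3.0.13",   "type": "deb"},
  {"name": "curl",            "version": "7.81.0",   "type": "deb"},
  {"name": "ca-certificates", "version": "20230311", "type": "deb"},
  {"name": "setuptools",      "version": "65.5.0",   "type": "python"},
  {"name": "setuptools",      "version": "69.0.3",   "type": "python"}
]}
""")


def index_packages(sbom):
    """Map package type -> package name -> sorted, de-duplicated version list.

    A list is kept per name because one image can legitimately carry several
    versions of the same package (for example two copies of a Python library
    in different site-packages directories)."""
    index = defaultdict(lambda: defaultdict(set))
    for artifact in sbom.get("artifacts", []):
        index[artifact["type"]][artifact["name"]].add(artifact["version"])
    return {ptype: {name: sorted(vers) for name, vers in names.items()}
            for ptype, names in index.items()}


def diff_sboms(before, after):
    """Return only the packages whose version set differs between the images.

    Output shape: {type: {name: {"0": versions_before, "1": versions_after}}}.
    An empty list on one side means the package is absent from that image,
    so additions and removals show up alongside version bumps."""
    idx0, idx1 = index_packages(before), index_packages(after)
    result = {}
    for ptype in sorted(set(idx0) | set(idx1)):
        names0, names1 = idx0.get(ptype, {}), idx1.get(ptype, {})
        for name in sorted(set(names0) | set(names1)):
            v0, v1 = names0.get(name, []), names1.get(name, [])
            if v0 != v1:
                result.setdefault(ptype, {})[name] = {"0": v0, "1": v1}
    return result


def load_sbom(path):
    """Read a Syft JSON report saved with `syft <image> -o json > file`."""
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    # Swap the constructed documents for load_sbom("before.json") etc. on real reports.
    print(json.dumps(diff_sboms(SBOM_BEFORE, SBOM_AFTER), indent=2))
```

Keying on `type` first keeps a `deb` package and a `python` package that happen to share a name apart, and unchanged packages (here `curl`) are dropped so the report only lists what a reviewer needs to look at. Version lists are sorted as plain strings for stable output; if ordering within a list matters, substitute an ecosystem-aware version comparator. Trivy's JSON nests packages under per-target results with its own field names, so the same two functions apply after adjusting the indexing step.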
