Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make spdx SBOMs readable by trivy scanner #1038

Open
wants to merge 6 commits into
base: master
Choose a base branch
from
Open

Make spdx SBOMs readable by trivy scanner #1038

wants to merge 6 commits into from

Conversation

josegomezr
Copy link

Before:

trivy sbom --format template --template '{{ $vuln := 0 }}{{- range . }}{{- range .Vulnerabilities }}{{- $vuln = add $vuln 1 }}{{- end -}}{{- end -}}Vuln count: {{ $vuln }}'  /home/scc/code/obs-build/obs-sbom.spdx.json
2024-11-18T17:50:14+01:00       INFO    [vuln] Vulnerability scanning is enabled
2024-11-18T17:50:15+01:00       INFO    Detected SBOM format    format="spdx-json"
2024-11-18T17:50:18+01:00       WARN    [sbom] Ignore the OS package as no OS is detected.      file_path="/home/scc/code/obs-build/obs-sbom.spdx.json"
2024-11-18T17:50:18+01:00       INFO    Number of language-specific files       num=1
2024-11-18T17:50:18+01:00       INFO    [gobinary] Detecting vulnerabilities...
2024-11-18T17:50:18+01:00       WARN    Version matching error  err="version error (go1.17.9): malformed version: go1.17.9"
# the same, but 103 times more
2024-11-18T17:50:18+01:00       WARN    Version matching error  err="version error (go1.17.9): malformed version: go1.17.9"
Vuln count: 0

After:

trivy sbom --format template --template '{{ $vuln := 0 }}{{- range . }}{{- range .Vulnerabilities }}{{- $vuln = add $vuln 1 }}{{- end -}}{{- end -}}Vuln count: {{ $vuln }}'  /home/scc/code/obs-build/obs-sbom.spdx.json
2024-11-18T17:57:43+01:00       INFO    [vuln] Vulnerability scanning is enabled
2024-11-18T17:57:44+01:00       INFO    Detected SBOM format    format="spdx-json"
2024-11-18T17:57:47+01:00       INFO    Detected OS     family="sles" version="15.4"
2024-11-18T17:57:47+01:00       WARN    Unsupported os  family="sles"
2024-11-18T17:57:47+01:00       INFO    Number of language-specific files       num=1
2024-11-18T17:57:47+01:00       INFO    [gobinary] Detecting vulnerabilities...
2024-11-18T17:57:47+01:00       WARN    Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/dev/docs/scanner/vulnerability#severity-selection for details.
Vuln count: 56

@josegomezr
Copy link
Author

After testing a bleeding edge trivy build after aquasecurity/trivy#7965 and the code on this PR, trivy scanner can finally detect the OS on the generated SPDX and CycloneDX reports properly, including the lifecycle information!

$ ../trivy/main sbom  --format template --template '{{ $vuln := 0 }}{{- range . }}{{- range .Vulnerabilities }}{{- $vuln = add $vuln 1 }}{{- end -}}{{- end -}}Vuln count: {{ $vuln }}' obs-sbom.cdx.json 
2024-11-22T22:10:06+01:00       INFO    [vuln] Vulnerability scanning is enabled
2024-11-22T22:10:06+01:00       INFO    Detected SBOM format    format="cyclonedx-json"
2024-11-22T22:10:06+01:00       WARN    Third-party SBOM may lead to inaccurate vulnerability detection
2024-11-22T22:10:06+01:00       WARN    Recommend using Trivy to generate SBOMs
2024-11-22T22:10:06+01:00       INFO    Detected OS     family="sles" version="15.4"
2024-11-22T22:10:06+01:00       INFO    [sles] Detecting vulnerabilities...     os_version="15.4" pkg_num=370
2024-11-22T22:10:06+01:00       INFO    Number of language-specific files       num=1
2024-11-22T22:10:06+01:00       INFO    [gobinary] Detecting vulnerabilities...
2024-11-22T22:10:06+01:00       WARN    Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/dev/docs/scanner/vulnerability#severity-selection for details.
2024-11-22T22:10:06+01:00       WARN    This OS version is no longer supported by the distribution      family="sles" version="15.4"
2024-11-22T22:10:06+01:00       WARN    The vulnerability detection may be insufficient because security updates are not provided
Vuln count: 487

$ ../trivy/main sbom  --format template --template '{{ $vuln := 0 }}{{- range . }}{{- range .Vulnerabilities }}{{- $vuln = add $vuln 1 }}{{- end -}}{{- end -}}Vuln count: {{ $vuln }}' obs-sbom.spdx.json 
2024-11-22T22:10:12+01:00       INFO    [vuln] Vulnerability scanning is enabled
2024-11-22T22:10:13+01:00       INFO    Detected SBOM format    format="spdx-json"
2024-11-22T22:10:16+01:00       INFO    Detected OS     family="sles" version="15.4"
2024-11-22T22:10:16+01:00       INFO    [sles] Detecting vulnerabilities...     os_version="15.4" pkg_num=370
2024-11-22T22:10:16+01:00       INFO    Number of language-specific files       num=1
2024-11-22T22:10:16+01:00       INFO    [gobinary] Detecting vulnerabilities...
2024-11-22T22:10:16+01:00       WARN    Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/dev/docs/scanner/vulnerability#severity-selection for details.
2024-11-22T22:10:16+01:00       WARN    This OS version is no longer supported by the distribution      family="sles" version="15.4"
2024-11-22T22:10:16+01:00       WARN    The vulnerability detection may be insufficient because security updates are not provided
Vuln count: 487

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mlschroe mlschroe mlschroe left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@josegomezr @mlschroe