From 018eda618b739fd7129f5a2af7af386a5916aec6 Mon Sep 17 00:00:00 2001 From: Teppei Fukuda Date: Fri, 16 Sep 2022 10:20:40 +0300 Subject: [PATCH] docs(sbom): add SPDX scanning (#2885) --- docs/docs/sbom/cyclonedx.md | 4 +-- docs/docs/sbom/index.md | 31 +++++++++-------------- docs/docs/sbom/spdx.md | 49 ++++++++++++++++++++++++++++++++++++- 3 files changed, 62 insertions(+), 22 deletions(-) diff --git a/docs/docs/sbom/cyclonedx.md b/docs/docs/sbom/cyclonedx.md index 18f3dfcfe2b..535b07e8879 100644 --- a/docs/docs/sbom/cyclonedx.md +++ b/docs/docs/sbom/cyclonedx.md @@ -1,7 +1,7 @@ # CycloneDX -## Reporting -Trivy generates JSON reports in the [CycloneDX][cyclonedx] format. +## Generating +Trivy can generate SBOM in the [CycloneDX][cyclonedx] format. Note that XML format is not supported at the moment. You can use the regular subcommands (like `image`, `fs` and `rootfs`) and specify `cyclonedx` with the `--format` option. diff --git a/docs/docs/sbom/index.md b/docs/docs/sbom/index.md index 924ed0551f1..564d7de2cd4 100644 --- a/docs/docs/sbom/index.md +++ b/docs/docs/sbom/index.md @@ -1,6 +1,6 @@ # SBOM -## Reporting +## Generating Trivy can generate the following SBOM formats. - [CycloneDX][cyclonedx] 
@@ -181,34 +181,27 @@ $ trivy fs --format cyclonedx --output result.json /app/myproject Trivy also can take the following SBOM formats as an input and scan for vulnerabilities. - CycloneDX +- SPDX +- SPDX JSON - CycloneDX-type attestation To scan SBOM, you can use the `sbom` subcommand and pass the path to the SBOM. ```bash $ trivy sbom /path/to/cyclonedx.json - -cyclonedx.json (alpine 3.7.1) -========================= -Total: 3 (CRITICAL: 3) - -┌─────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐ -│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │ -├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ -│ curl │ CVE-2018-14618 │ CRITICAL │ 7.61.0-r0 │ 7.61.1-r0 │ curl: NTLM password overflow via integer overflow │ -│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-14618 │ -├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ -│ libbz2 │ CVE-2019-12900 │ CRITICAL │ 1.0.6-r6 │ 1.0.6-r7 │ bzip2: out-of-bounds write in function BZ2_decompress │ -│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-12900 │ -├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ -│ sqlite-libs │ CVE-2019-8457 │ CRITICAL │ 3.21.0-r1 │ 3.25.3-r1 │ sqlite: heap out-of-bound read in function rtreenode() │ -│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-8457 │ -└─────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘ ``` +See [here][cyclonedx] for the detail. !!! note - CycloneDX XML and SPDX are not supported at the moment. + CycloneDX XML is not supported at the moment. 
+ +```bash +$ trivy sbom /path/to/spdx.json +``` + +See [here][spdx] for the detail. + You can also scan an SBOM attestation. In the following example, [Cosign][Cosign] can get an attestation and trivy scan it. You must create CycloneDX-type attestation before trying the example. To learn more about how to create an CycloneDX-Type attestation and attach it to an image, see the [SBOM attestation page][sbom_attestation]. diff --git a/docs/docs/sbom/spdx.md b/docs/docs/sbom/spdx.md index 4868f136c86..3616c762782 100644 --- a/docs/docs/sbom/spdx.md +++ b/docs/docs/sbom/spdx.md @@ -1,6 +1,7 @@ # SPDX -Trivy generates reports in the [SPDX][spdx] format. +## Generating +Trivy can generate SBOM in the [SPDX][spdx] format. You can use the regular subcommands (like `image`, `fs` and `rootfs`) and specify `spdx` with the `--format` option. 
@@ -294,4 +295,50 @@ $ cat result.spdx.json | jq . +## Scanning +Trivy can take the SPDX SBOM as an input and scan for vulnerabilities. +To scan SBOM, you can use the `sbom` subcommand and pass the path to your SPDX report. +The input format is automatically detected. + +The following formats are supported: + +- Tag-value (`--format spdx`) +- JSON (`--format spdx-json`) + +```bash +$ trivy image --format spdx-json --output spdx.json alpine:3.16.0 +$ trivy sbom spdx.json +2022-09-15T21:32:27.168+0300 INFO Vulnerability scanning is enabled +2022-09-15T21:32:27.169+0300 INFO Detected SBOM format: spdx-json +2022-09-15T21:32:27.210+0300 INFO Detected OS: alpine +2022-09-15T21:32:27.210+0300 INFO Detecting Alpine vulnerabilities... +2022-09-15T21:32:27.211+0300 INFO Number of language-specific files: 0 + +spdx.json (alpine 3.16.0) +========================= +Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 2, CRITICAL: 1) + +┌──────────────┬────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐ +│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │ +├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤ +│ busybox │ CVE-2022-30065 │ HIGH │ 1.35.0-r13 │ 1.35.0-r15 │ busybox: A use-after-free in Busybox's awk applet leads to │ +│ │ │ │ │ │ denial of service... 
│ +│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-30065 │ +├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤ +│ libcrypto1.1 │ CVE-2022-2097 │ MEDIUM │ 1.1.1o-r0 │ 1.1.1q-r0 │ openssl: AES OCB fails to encrypt some bytes │ +│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-2097 │ +├──────────────┤ │ │ │ │ │ +│ libssl1.1 │ │ │ │ │ │ +│ │ │ │ │ │ │ +├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤ +│ ssl_client │ CVE-2022-30065 │ HIGH │ 1.35.0-r13 │ 1.35.0-r15 │ busybox: A use-after-free in Busybox's awk applet leads to │ +│ │ │ │ │ │ denial of service... │ +│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-30065 │ +├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤ +│ zlib │ CVE-2022-37434 │ CRITICAL │ 1.2.12-r1 │ 1.2.12-r2 │ zlib: a heap-based buffer over-read or buffer overflow in │ +│ │ │ │ │ │ inflate in inflate.c... │ +│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-37434 │ +└──────────────┴────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘ +``` + [spdx]: https://spdx.dev/wp-content/uploads/sites/41/2020/08/SPDX-specification-2-2.pdf
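Review bot: The new "Generating" sentences in docs/docs/sbom/cyclonedx.md and docs/docs/sbom/spdx.md drop the article: "Trivy can generate SBOM in the [CycloneDX][cyclonedx] format." and "Trivy can generate SBOM in the [SPDX][spdx] format." should read "Trivy can generate an SBOM in the ... format." (or "SBOMs"); likewise "To scan SBOM, you can use the `sbom` subcommand" in both index.md and spdx.md should be "To scan an SBOM". The "See [here][cyclonedx] for the detail." / "See [here][spdx] for the detail." lines read better as "for details".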
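Review bot: In the docs/docs/sbom/index.md hunk the input list now has separate "SPDX" and "SPDX JSON" entries, but the only added example is `$ trivy sbom /path/to/spdx.json`, and nothing in index.md tells the reader that `trivy sbom` detects the input format itself (that sentence appears only in the spdx.md hunk). Either add a tag-value example next to the JSON one or state that the input format is auto-detected so the two SPDX entries are not read as needing different invocations. Also confirm that a `[spdx]` link reference is defined in index.md: the new "See [here][spdx] for the detail." line uses it, but the only `[spdx]:` definition visible in this diff is the one at the bottom of spdx.md, and an undefined reference renders as literal text.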
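Review bot: In the new "## Scanning" section of docs/docs/sbom/spdx.md the supported-input list is labelled with `--format spdx` and `--format spdx-json`, which are the output flags of `trivy image`/`trivy fs` from the "Generating" section; placed directly under "The input format is automatically detected." it suggests `trivy sbom` takes a `--format` option for its input. Reword to "Tag-value (as produced by `--format spdx`)" and "JSON (as produced by `--format spdx-json`)". The worked example only covers the JSON path (`trivy image --format spdx-json --output spdx.json alpine:3.16.0` then `trivy sbom spdx.json`); since tag-value is listed as supported, a second pair using `--format spdx` and passing that file to `trivy sbom` would show that the detection works for both, and the expected `Detected SBOM format:` log line for tag-value should be shown so readers can verify it.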