feat(sbom): scan sbom attestation in the rekor record #2699

Merged
merged 50 commits into from Sep 15, 2022

Conversation

@otms61 otms61 commented Aug 14, 2022

Description

$ ./trivy image --debug --sbom-sources rekor otms61/alpine:3.7.3
Result
2022-09-15T23:50:00.441+0900	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2022-09-15T23:50:00.492+0900	DEBUG	cache dir:  /Users/saso/Library/Caches/trivy
2022-09-15T23:50:00.493+0900	INFO	Need to update DB
2022-09-15T23:50:00.493+0900	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
2022-09-15T23:50:00.493+0900	INFO	Downloading DB...
33.94 MiB / 33.94 MiB [-------------------------------------------------------] 100.00% 6.96 MiB p/s 5.1s
2022-09-15T23:50:06.858+0900	DEBUG	Updating database metadata...
2022-09-15T23:50:06.859+0900	DEBUG	DB Schema: 2, UpdatedAt: 2022-09-15 12:07:27.895630861 +0000 UTC, NextUpdate: 2022-09-15 18:07:27.895630361 +0000 UTC, DownloadedAt: 2022-09-15 14:50:06.85897 +0000 UTC
2022-09-15T23:50:06.859+0900	INFO	Vulnerability scanning is enabled
2022-09-15T23:50:06.859+0900	DEBUG	Vulnerability type:  [os library]
2022-09-15T23:50:06.859+0900	INFO	Secret scanning is enabled
2022-09-15T23:50:06.859+0900	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-09-15T23:50:06.859+0900	INFO	Please see also https://aquasecurity.github.io/trivy/dev/docs/secret/scanning/#recommendation for faster secret detection
2022-09-15T23:50:06.873+0900	DEBUG	No secret config detected: trivy-secret.yaml
2022-09-15T23:50:06.874+0900	DEBUG	Image ID: sha256:6d1ef012b5674ad8a127ecfa9b5e6f5178d171b90ee462846974177fd9bdd39f
2022-09-15T23:50:06.874+0900	DEBUG	Diff IDs: [sha256:3fc64803ca2de7279269048fe2b8b3c73d4536448c87c32375b2639ac168a48b]
2022-09-15T23:50:06.874+0900	DEBUG	Search for sha256:92251458088c638061cda8fd8b403b76d661a4dc6b7ee71b6affcf1872557b2b in Rekor
2022-09-15T23:50:07.525+0900	DEBUG	Found matching Rekor entries: [362f8ecba72f4326eb624a7403756250b5f2ad58842a99d1653cd6f147f4ce9eda2da350bd908a55 362f8ecba72f4326414eaca77bd19bf5f378725d7fd79309605a81b69cc0101f5cd3119d0a216523 362f8ecba72f4326f84e923fd86ba36478f36e4fc3dae956c0ee502419d4965512fe79b4c5986ab9 362f8ecba72f4326a160fe63f73e8fb1ece208720ec16c55ec1eb80a8000c140437357318a9690ca]
2022-09-15T23:50:07.525+0900	DEBUG	Inspecting Rekor entry: 362f8ecba72f4326eb624a7403756250b5f2ad58842a99d1653cd6f147f4ce9eda2da350bd908a55
2022-09-15T23:50:08.000+0900	DEBUG	Base Layers: []
2022-09-15T23:50:08.001+0900	DEBUG	Missing image ID in cache: sha256:6d1ef012b5674ad8a127ecfa9b5e6f5178d171b90ee462846974177fd9bdd39f
2022-09-15T23:50:08.001+0900	DEBUG	Missing diff ID in cache: sha256:3fc64803ca2de7279269048fe2b8b3c73d4536448c87c32375b2639ac168a48b
2022-09-15T23:50:08.503+0900	INFO	Detected OS: alpine
2022-09-15T23:50:08.503+0900	INFO	Detecting Alpine vulnerabilities...
2022-09-15T23:50:08.503+0900	DEBUG	alpine: os version: 3.7
2022-09-15T23:50:08.503+0900	DEBUG	alpine: package repository: 3.7
2022-09-15T23:50:08.503+0900	DEBUG	alpine: the number of packages: 13
2022-09-15T23:50:08.504+0900	INFO	Number of language-specific files: 0
2022-09-15T23:50:08.504+0900	WARN	This OS version is no longer supported by the distribution: alpine 3.7.3
2022-09-15T23:50:08.504+0900	WARN	The vulnerability detection may be insufficient because security updates are not provided

otms61/alpine:3.7.3 (alpine 3.7.3)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)

┌────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
│  Library   │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                          Title                           │
├────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ musl       │ CVE-2019-14697 │ CRITICAL │ 1.1.18-r3         │ 1.1.18-r4     │ musl libc through 1.1.23 has an x87 floating-point stack │
│            │                │          │                   │               │ adjustment im ......                                     │
│            │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-14697               │
├────────────┤                │          │                   │               │                                                          │
│ musl-utils │                │          │                   │               │                                                          │
│            │                │          │                   │               │                                                          │
│            │                │          │                   │               │                                                          │
└────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘

Related issues

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

CLAassistant commented Aug 26, 2022

CLA assistant check
All committers have signed the CLA.

SbomFromFlag = Flag{
Name: "sbom-from",
ConfigName: "scan.sbom-from",
Value: "",

Suggested change
Value: "",
Value: []string{},

Name: "sbom-from",
ConfigName: "scan.sbom-from",
Value: "",
Usage: "comma-separated list of SBOM source (rekor)",

Suggested change
Usage: "comma-separated list of SBOM source (rekor)",
Usage: "EXPERIMENTAL: SBOM sources (rekor)",

Name: "rekor-url",
ConfigName: "scan.rekor-url",
Value: "https://rekor.sigstore.dev",
Usage: "URL of rekor server (default \"https://rekor.sigstore.dev\")",

The default value is shown by Cobra.

      --rekor-url string         URL of rekor server (default "https://rekor.sigstore.dev") (default "https://rekor.sigstore.dev")
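To make the reviewer's point reproducible, here is an added illustration (not code from this PR or from trivy) of why the default must not be repeated in the usage string. It uses the standard library flag package rather than Cobra's pflag; both append ` (default "...")` themselves whenever a flag's default is non-zero, so the usage text as first written prints the default twice. The flag name, default and usage strings are taken from the review comment above; the helper names are assumptions.

```go
package main

import (
	"bytes"
	"flag"
	"fmt"
	"strings"
)

// rekorDefault mirrors the flag default under review.
const rekorDefault = "https://rekor.sigstore.dev"

// renderUsage registers a rekor-url string flag with the given usage text on a
// throwaway FlagSet and returns the help text that PrintDefaults produces for it.
// The standard library flag package stands in for Cobra/pflag here; both append
// the default value themselves when it is non-zero.
func renderUsage(usage string) string {
	var buf bytes.Buffer
	fs := flag.NewFlagSet("trivy", flag.ContinueOnError)
	fs.SetOutput(&buf)
	fs.String("rekor-url", rekorDefault, usage)
	fs.PrintDefaults()
	return buf.String()
}

// countDefault reports how many times the rendered help repeats the default,
// i.e. 2 when the usage string duplicates what the flag library already prints.
func countDefault(help string) int {
	return strings.Count(help, fmt.Sprintf("(default %q)", rekorDefault))
}

func main() {
	// Usage string as originally written in the PR, and the corrected form.
	redundant := `URL of rekor server (default "https://rekor.sigstore.dev")`
	fixed := "URL of rekor server"
	for _, u := range []string{redundant, fixed} {
		help := renderUsage(u)
		fmt.Printf("%s    -> default printed %d time(s)\n", help, countDefault(help))
	}
}
```

Running it shows the doubled `(default ...)` suffix for the original usage string and a single one once the hand-written default is dropped, which is exactly the output quoted in the review.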

if err == nil {
return results, nil
}
log.Logger.Debugf("Failed to inspect SBOM Attestation from rekor")

We probably should distinguish between expected and unexpected errors.
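One way to act on this review comment, as an added example that is not code from this PR or from trivy: give the expected case (Rekor answered, but holds no SBOM attestation for the digest) its own sentinel error, and let only that case fall back silently to a layer scan, while transport or parsing failures are wrapped and returned so they are not mistaken for "this image has no SBOM". The `Source` interface, `ErrNoAttestation`, `scanWithSBOM` and the fake client are assumptions made for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"log"
)

// ErrNoAttestation is the expected failure: the lookup succeeded but found no
// SBOM attestation for the digest. Hypothetical sentinel, not trivy's.
var ErrNoAttestation = errors.New("no SBOM attestation found in rekor")

// Source looks up an SBOM for an image digest. Hypothetical interface standing
// in for the Rekor client used in the PR.
type Source interface {
	Lookup(digest string) (sbom []byte, err error)
}

// Outcome records which path the scan took, so callers and tests can tell an
// SBOM-backed result from a fallback layer scan.
type Outcome struct {
	UsedSBOM bool
	Fallback bool
}

// scanWithSBOM tries the SBOM source first. Only ErrNoAttestation triggers the
// fallback; anything else (DNS, TLS, malformed payload) is wrapped and returned
// so the caller can surface it instead of logging a generic debug line.
func scanWithSBOM(src Source, digest string, fallback func(string) error) (Outcome, error) {
	sbom, err := src.Lookup(digest)
	switch {
	case err == nil:
		log.Printf("using SBOM attestation (%d bytes) for %s", len(sbom), digest)
		return Outcome{UsedSBOM: true}, nil
	case errors.Is(err, ErrNoAttestation):
		log.Printf("debug: %v; falling back to layer scan", err)
		if ferr := fallback(digest); ferr != nil {
			return Outcome{}, ferr
		}
		return Outcome{Fallback: true}, nil
	default:
		// %w keeps the cause inspectable with errors.Is / errors.As upstream.
		return Outcome{}, fmt.Errorf("inspect SBOM attestation for %s: %w", digest, err)
	}
}

// fakeSource is a constructed stand-in for the network client.
type fakeSource struct {
	sbom []byte
	err  error
}

func (f fakeSource) Lookup(string) ([]byte, error) { return f.sbom, f.err }

// ErrNetwork is a constructed example of an unexpected error.
var ErrNetwork = errors.New("dial tcp: connection refused")

func noopFallback(string) error { return nil }

func main() {
	digest := "sha256:constructed-example-digest"
	for _, src := range []fakeSource{
		{sbom: []byte(`{"bomFormat":"CycloneDX"}`)},
		{err: ErrNoAttestation},
		{err: ErrNetwork},
	} {
		out, err := scanWithSBOM(src, digest, noopFallback)
		fmt.Printf("outcome=%+v err=%v\n", out, err)
	}
}
```

With this split, a reviewer reading the logs can tell "no attestation published" from "the lookup broke", and a broken lookup no longer degrades quietly into a scan that looks identical to an image that simply has no SBOM.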

@knqyf263 knqyf263 marked this pull request as ready for review September 15, 2022 14:55
@knqyf263 knqyf263 merged commit 192fd78 into aquasecurity:main Sep 15, 2022
@otms61 otms61 deleted the scan_rekor_attest branch September 16, 2022 00:01
Development

Successfully merging this pull request may close these issues.

Scan SBOM attestation in Rekor
3 participants