
docs: add Rekor SBOM attestation scanning #2893

Merged: 2 commits into main from docs_rekor_attestation, Sep 16, 2022

Conversation

knqyf263
Collaborator

Description

Add Rekor SBOM attestation scanning

Related PRs

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

Signed-off-by: knqyf263 <knqyf263@gmail.com>
@knqyf263 knqyf263 self-assigned this Sep 16, 2022
@knqyf263
Collaborator Author

@otms61 Could you take a look?

2022-09-15T22:16:09.791+0300 INFO Secret scanning is enabled
2022-09-15T22:16:09.791+0300 INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-09-15T22:16:09.791+0300 INFO Please see also https://aquasecurity.github.io/trivy/dev/docs/secret/scanning/#recommendation for faster secret detection
2022-09-15T22:16:15.183+0300 INFO Detected OS: alpine
Collaborator


The following sentences are not in the log, so it seems to be executed in trivy when there is a bug.

  • Detected SBOM format: cyclonedx-json
  • Found SBOM (cyclonedx) attestation in Rekor
$ trivy image --sbom-sources rekor otms61/alpine:3.7.3
2022-09-16T17:37:13.258+0900	INFO	Vulnerability scanning is enabled
2022-09-16T17:37:13.258+0900	INFO	Secret scanning is enabled
2022-09-16T17:37:13.258+0900	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-09-16T17:37:13.258+0900	INFO	Please see also https://aquasecurity.github.io/trivy/dev/docs/secret/scanning/#recommendation for faster secret detection
2022-09-16T17:37:14.827+0900	INFO	Detected SBOM format: cyclonedx-json
2022-09-16T17:37:14.901+0900	INFO	Found SBOM (cyclonedx) attestation in Rekor
2022-09-16T17:37:14.903+0900	INFO	Detected OS: alpine
2022-09-16T17:37:14.903+0900	INFO	Detecting Alpine vulnerabilities...
2022-09-16T17:37:14.907+0900	INFO	Number of language-specific files: 0
2022-09-16T17:37:14.908+0900	WARN	This OS version is no longer supported by the distribution: alpine 3.7.3
2022-09-16T17:37:14.908+0900	WARN	The vulnerability detection may be insufficient because security updates are not provided

otms61/alpine:3.7.3 (alpine 3.7.3)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)

┌────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
│  Library   │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                          Title                           │
├────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ musl       │ CVE-2019-14697 │ CRITICAL │ 1.1.18-r3         │ 1.1.18-r4     │ musl libc through 1.1.23 has an x87 floating-point stack │
│            │                │          │                   │               │ adjustment im ......                                     │
│            │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-14697               │
├────────────┤                │          │                   │               │                                                          │
│ musl-utils │                │          │                   │               │                                                          │
│            │                │          │                   │               │                                                          │
│            │                │          │                   │               │                                                          │
└────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘

@knqyf263 knqyf263 marked this pull request as ready for review September 16, 2022 08:57
@knqyf263 knqyf263 merged commit 585985e into main Sep 16, 2022
@knqyf263 knqyf263 deleted the docs_rekor_attestation branch September 16, 2022 12:43