Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

docs(sbom): add SPDX scanning #2885

Merged
merged 2 commits into from Sep 16, 2022
Merged

docs(sbom): add SPDX scanning #2885

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
245091f
docs(sbom): add SPDX scanning
knqyf263 Sep 15, 2022
2ffa522
docs: reflect comments
knqyf263 Sep 15, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
4 changes: 2 additions & 2 deletions docs/docs/sbom/cyclonedx.md
View file
Open in desktop
@@ -1,7 +1,7 @@
# CycloneDX

## Reporting
Trivy generates JSON reports in the [CycloneDX][cyclonedx] format.
## Generating
Trivy can generate SBOM in the [CycloneDX][cyclonedx] format.
Note that XML format is not supported at the moment.

You can use the regular subcommands (like `image`, `fs` and `rootfs`) and specify `cyclonedx` with the `--format` option.
Expand Down
31 changes: 12 additions & 19 deletions docs/docs/sbom/index.md
View file
Open in desktop
@@ -1,6 +1,6 @@
# SBOM

## Reporting
## Generating
Trivy can generate the following SBOM formats.

- [CycloneDX][cyclonedx]
Expand Down Expand Up @@ -181,34 +181,27 @@ $ trivy fs --format cyclonedx --output result.json /app/myproject
Trivy also can take the following SBOM formats as an input and scan for vulnerabilities.

- CycloneDX
- SPDX
- SPDX JSON
- CycloneDX-type attestation

To scan SBOM, you can use the `sbom` subcommand and pass the path to the SBOM.

```bash
$ trivy sbom /path/to/cyclonedx.json

cyclonedx.json (alpine 3.7.1)
=========================
Total: 3 (CRITICAL: 3)

┌─────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ curl │ CVE-2018-14618 │ CRITICAL │ 7.61.0-r0 │ 7.61.1-r0 │ curl: NTLM password overflow via integer overflow │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-14618 │
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libbz2 │ CVE-2019-12900 │ CRITICAL │ 1.0.6-r6 │ 1.0.6-r7 │ bzip2: out-of-bounds write in function BZ2_decompress │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-12900 │
├─────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ sqlite-libs │ CVE-2019-8457 │ CRITICAL │ 3.21.0-r1 │ 3.25.3-r1 │ sqlite: heap out-of-bound read in function rtreenode() │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-8457 │
└─────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
```

See [here][cyclonedx] for the detail.

!!! note
CycloneDX XML and SPDX are not supported at the moment.
CycloneDX XML is not supported at the moment.

```bash
$ trivy sbom /path/to/spdx.json
```

See [here][spdx] for the detail.


You can also scan an SBOM attestation.
In the following example, [Cosign][Cosign] can get an attestation and trivy scan it. You must create CycloneDX-type attestation before trying the example. To learn more about how to create an CycloneDX-Type attestation and attach it to an image, see the [SBOM attestation page][sbom_attestation].
Expand Down
49 changes: 48 additions & 1 deletion docs/docs/sbom/spdx.md
View file
Open in desktop
@@ -1,6 +1,7 @@
# SPDX

Trivy generates reports in the [SPDX][spdx] format.
## Generating
Trivy can generate SBOM in the [SPDX][spdx] format.

You can use the regular subcommands (like `image`, `fs` and `rootfs`) and specify `spdx` with the `--format` option.

Expand Down Expand Up @@ -294,4 +295,50 @@ $ cat result.spdx.json | jq .

</details>

## Scanning
Trivy can take the SPDX SBOM as an input and scan for vulnerabilities.
To scan SBOM, you can use the `sbom` subcommand and pass the path to your SPDX report.
The input format is automatically detected.

The following formats are supported:

- Tag-value (`--format spdx`)
- JSON (`--format spdx-json`)

```bash
$ trivy image --format spdx-json --output spdx.json alpine:3.16.0
$ trivy sbom spdx.json
2022-09-15T21:32:27.168+0300 INFO Vulnerability scanning is enabled
2022-09-15T21:32:27.169+0300 INFO Detected SBOM format: spdx-json
2022-09-15T21:32:27.210+0300 INFO Detected OS: alpine
2022-09-15T21:32:27.210+0300 INFO Detecting Alpine vulnerabilities...
2022-09-15T21:32:27.211+0300 INFO Number of language-specific files: 0

spdx.json (alpine 3.16.0)
=========================
Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 2, CRITICAL: 1)

┌──────────────┬────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ busybox │ CVE-2022-30065 │ HIGH │ 1.35.0-r13 │ 1.35.0-r15 │ busybox: A use-after-free in Busybox's awk applet leads to │
│ │ │ │ │ │ denial of service... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-30065 │
├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ libcrypto1.1 │ CVE-2022-2097 │ MEDIUM │ 1.1.1o-r0 │ 1.1.1q-r0 │ openssl: AES OCB fails to encrypt some bytes │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-2097 │
├──────────────┤ │ │ │ │ │
│ libssl1.1 │ │ │ │ │ │
│ │ │ │ │ │ │
├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ ssl_client │ CVE-2022-30065 │ HIGH │ 1.35.0-r13 │ 1.35.0-r15 │ busybox: A use-after-free in Busybox's awk applet leads to │
│ │ │ │ │ │ denial of service... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-30065 │
├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ zlib │ CVE-2022-37434 │ CRITICAL │ 1.2.12-r1 │ 1.2.12-r2 │ zlib: a heap-based buffer over-read or buffer overflow in │
│ │ │ │ │ │ inflate in inflate.c... │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-37434 │
└──────────────┴────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘
```

[spdx]: https://spdx.dev/wp-content/uploads/sites/41/2020/08/SPDX-specification-2-2.pdf