From eb5101ec4d2a11467d6042d2b9d2270685ea813d Mon Sep 17 00:00:00 2001
From: Teppei Fukuda
Date: Thu, 15 Sep 2022 22:17:57 +0300
Subject: [PATCH 1/2] docs: add Rekor SBOM attestation scanning
Signed-off-by: knqyf263
---
 docs/docs/attestation/rekor.md | 56 ++++++++++++++++++++++++++++
 docs/docs/attestation/sbom.md | 1 +
 docs/tutorials/kubernetes/kyverno.md | 2 +-
 mkdocs.yml | 1 +
 pkg/flag/scan_flags.go | 4 +-
 5 files changed, 61 insertions(+), 3 deletions(-)
 create mode 100644 docs/docs/attestation/rekor.md
diff --git a/docs/docs/attestation/rekor.md b/docs/docs/attestation/rekor.md
new file mode 100644
index 00000000000..3a8d97f9cea
--- /dev/null
+++ b/docs/docs/attestation/rekor.md
@@ -0,0 +1,56 @@
+# Scan SBOM attestation in Rekor
+
+!!! warning "EXPERIMENTAL"
+ This feature might change without preserving backwards compatibility.
+
+Trivy can retrieve SBOM attestation of the specified container image in the [Rekor][rekor] instance and scan it for vulnerabilities.
+
+## Prerequisites
+1. SBOM attestation stored in Rekor
+ - See [the "Keyless signing" section][sbom-attest] if you want to upload your SBOM attestation to Rekor.
+
+
+## Scanning
+You need to pass `--sbom-sources rekor` so that Trivy will look for SBOM attestation in Rekor.
+
+!!! note
+ `--sbom-sources` can be used only with `trivy image` at the moment.
+
+```bash
+$ trivy image --sbom-sources rekor otms61/alpine:3.7.3 [~/src/github.com/aquasecurity/trivy]
+2022-09-15T22:16:09.791+0300 INFO Vulnerability scanning is enabled
+2022-09-15T22:16:09.791+0300 INFO Secret scanning is enabled
+2022-09-15T22:16:09.791+0300 INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
+2022-09-15T22:16:09.791+0300 INFO Please see also https://aquasecurity.github.io/trivy/dev/docs/secret/scanning/#recommendation for faster secret detection
+2022-09-15T22:16:15.183+0300 INFO Detected OS: alpine
+2022-09-15T22:16:15.183+0300 INFO Detecting Alpine vulnerabilities...
+2022-09-15T22:16:15.219+0300 INFO Number of language-specific files: 0
+2022-09-15T22:16:15.235+0300 WARN This OS version is no longer supported by the distribution: alpine 3.7.3
+2022-09-15T22:16:15.235+0300 WARN The vulnerability detection may be insufficient because security updates are not provided
+
+otms61/alpine:3.7.3 (alpine 3.7.3)
+==================================
+Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2)
+
+┌────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
+│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
+├────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
+│ musl │ CVE-2019-14697 │ CRITICAL │ 1.1.18-r3 │ 1.1.18-r4 │ musl libc through 1.1.23 has an x87 floating-point stack │
+│ │ │ │ │ │ adjustment im ...... │
+│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-14697 │
+├────────────┤ │ │ │ │ │
+│ musl-utils │ │ │ │ │ │
+│ │ │ │ │ │ │
+│ │ │ │ │ │ │
+└────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘
+
+```
+
+If you have your own Rekor instance, you can specify the URL via `--rekor-url`.
+
+```bash
+$ trivy image --sbom-sources rekor --rekor-url https://my-rekor.dev otms61/alpine:3.7.3
+```
+
+[rekor]: https://github.com/sigstore/rekor
+[sbom-attest]: sbom.md#keyless-signing
\ No newline at end of file
diff --git a/docs/docs/attestation/sbom.md b/docs/docs/attestation/sbom.md
index 87e545b4a20..58bbdc2cf3e 100644
--- a/docs/docs/attestation/sbom.md
+++ b/docs/docs/attestation/sbom.md
@@ -48,6 +48,7 @@ You can use Cosign to sign without keys by authenticating with an OpenID Connect
 ```bash
 # The cyclonedx type is supported in Cosign v1.10.0 or later.
 $ trivy image --format cyclonedx -o sbom.cdx.json
+# The following command uploads SBOM attestation to the public Rekor instance.
 $ COSIGN_EXPERIMENTAL=1 cosign attest --type cyclonedx --predicate sbom.cdx.json
 ```
diff --git a/docs/tutorials/kubernetes/kyverno.md b/docs/tutorials/kubernetes/kyverno.md
index 5c4fe1f613e..c46adc39fa8 100644
--- a/docs/tutorials/kubernetes/kyverno.md
+++ b/docs/tutorials/kubernetes/kyverno.md
@@ -8,7 +8,7 @@ This tutorial details
 ### Prerequisites
 1. [Attestation of the vulnerability scan uploaded][vuln-attestation]
-3. A running Kubernetes cluster that kubectl is connected to
+2. A running Kubernetes cluster that kubectl is connected to
 ### Kyverno Policy to check attestation
diff --git a/mkdocs.yml b/mkdocs.yml
index 744d037b256..c106522c5a9 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -98,6 +98,7 @@ nav:
 - Attestation:
 - SBOM: docs/attestation/sbom.md
 - Cosign Vulnerability Scan Record: docs/attestation/vuln.md
+ - SBOM Attestation in Rekor: docs/attestation/rekor.md
 - Advanced:
 - Modules: docs/advanced/modules.md
 - Plugins: docs/advanced/plugins.md
diff --git a/pkg/flag/scan_flags.go b/pkg/flag/scan_flags.go
index ffcb0240b12..2b51dff6d2d 100644
--- a/pkg/flag/scan_flags.go
+++ b/pkg/flag/scan_flags.go
@@ -42,13 +42,13 @@ var (
 Name: "sbom-sources",
 ConfigName: "scan.sbom-sources",
 Value: []string{},
- Usage: "EXPERIMENTAL: SBOM sources (rekor)",
+ Usage: "[EXPERIMENTAL] try to retrieve SBOM from the specified sources (rekor)",
 }
 RekorURLFlag = Flag{
 Name: "rekor-url",
 ConfigName: "scan.rekor-url",
 Value: "https://rekor.sigstore.dev",
- Usage: "EXPERIMENTAL: URL of Rekor server",
+ Usage: "[EXPERIMENTAL] address of rekor STL server",
 }
 )
From 303b03bf13d0036cea383e07350ae051d26c72b3 Mon Sep 17 00:00:00 2001
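Review bot: The new `RekorURLFlag` usage text says where the SBOM is fetched from but not what the fetched attestation is trusted for: nothing in this patch shows the attestation retrieved from Rekor being checked against an expected signer identity before its SBOM becomes the scan input, so if that check does not happen elsewhere, `--sbom-sources rekor` reports the package list of whoever last attested that image in the chosen log rather than of the image itself. If verification is performed, the help text and rekor.md should say so; if it is not, they should say that too, since the result of the scan then depends on the trustworthiness of the log entry. Either way, "STL" is an unexpanded abbreviation and the scope of the flag is clearer if spelled out, e.g. `Usage: "[EXPERIMENTAL] address of the Rekor transparency log server to retrieve SBOM attestation from"`. The enclosing `var (` block starts before this hunk.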
From: knqyf263
Date: Fri, 16 Sep 2022 11:51:57 +0300
Subject: [PATCH 2/2] docs: update the command output
---
 docs/docs/attestation/rekor.md | 20 +++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/docs/docs/attestation/rekor.md b/docs/docs/attestation/rekor.md
index 3a8d97f9cea..1b934a38017 100644
--- a/docs/docs/attestation/rekor.md
+++ b/docs/docs/attestation/rekor.md
@@ -18,15 +18,17 @@ You need to pass `--sbom-sources rekor` so that Trivy will look for SBOM attesta
 ```bash
 $ trivy image --sbom-sources rekor otms61/alpine:3.7.3 [~/src/github.com/aquasecurity/trivy]
-2022-09-15T22:16:09.791+0300 INFO Vulnerability scanning is enabled
-2022-09-15T22:16:09.791+0300 INFO Secret scanning is enabled
-2022-09-15T22:16:09.791+0300 INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
-2022-09-15T22:16:09.791+0300 INFO Please see also https://aquasecurity.github.io/trivy/dev/docs/secret/scanning/#recommendation for faster secret detection
-2022-09-15T22:16:15.183+0300 INFO Detected OS: alpine
-2022-09-15T22:16:15.183+0300 INFO Detecting Alpine vulnerabilities...
-2022-09-15T22:16:15.219+0300 INFO Number of language-specific files: 0
-2022-09-15T22:16:15.235+0300 WARN This OS version is no longer supported by the distribution: alpine 3.7.3
-2022-09-15T22:16:15.235+0300 WARN The vulnerability detection may be insufficient because security updates are not provided
+2022-09-16T17:37:13.258+0900 INFO Vulnerability scanning is enabled
+2022-09-16T17:37:13.258+0900 INFO Secret scanning is enabled
+2022-09-16T17:37:13.258+0900 INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
+2022-09-16T17:37:13.258+0900 INFO Please see also https://aquasecurity.github.io/trivy/dev/docs/secret/scanning/#recommendation for faster secret detection
+2022-09-16T17:37:14.827+0900 INFO Detected SBOM format: cyclonedx-json
+2022-09-16T17:37:14.901+0900 INFO Found SBOM (cyclonedx) attestation in Rekor
+2022-09-16T17:37:14.903+0900 INFO Detected OS: alpine
+2022-09-16T17:37:14.903+0900 INFO Detecting Alpine vulnerabilities...
+2022-09-16T17:37:14.907+0900 INFO Number of language-specific files: 0
+2022-09-16T17:37:14.908+0900 WARN This OS version is no longer supported by the distribution: alpine 3.7.3
+2022-09-16T17:37:14.908+0900 WARN The vulnerability detection may be insufficient because security updates are not provided
 otms61/alpine:3.7.3 (alpine 3.7.3)
 ==================================