Consider supporting generic vulnerability scanners #1677
Comments
|
More generally, this can be an architectural opportunity to decouple vulnerability detection from the API server. Even existing scanners like OSS Index could be decoupled in this way. |
|
I'm planning to use Trivy to generate SBOMs. Trivy can add the results of its own security vulnerability scan to the CycloneDX formated SBOM. However, when I import this SBOM file into DT only the components are imported. Vulns detected by Trivy don't make it into DT. That's very unfortunate, as Trivy detected more vulns than DT. It would be great to see this happen. What does it take to push this issue forward? |
|
@nscuro We need to think of a few different scenarios:
IMO, I think 1 and 3 will likely be the most used. |
Do you solve this problem? |
|
any update? |
|
any update on this? It is very unfotunate that DT cannot read vulnerabilities from trivy generated SBOM :/ |
|
Hi @stevespringett / @nscuro, |
The issue is still open and implementation is definitely planned.
While this is a separate issue, are you able to share the BOM in question so we can investigate why DT doesn't find as many vulnerabilities? |
Do you have any tentative release date?
I think 783 is either same or related. BOM I have used is myserver.web.txt. Vulnerabilities from 'vulnerabilities' section of BOM are not processed even though they are present in vulnerabilities DB.
Audit tab of DT show following. DT Configurations:
Let me know if you need any more details. |
|
While trivy support is highly appreciated - I will try it soon - what about the initial question? We can already generate SBOMs with grype that include the results, but unfortunately dependency track does not consider them (which would be ok, if depednecy track would find the same issues like grype, which is not the case) . Are there plans to investigate / support this BOMs (with scan results) somewhere in the future ? |
|
Cant that be achieved with vex upload? |
|
@fnxpt DT currently only imports analyses from VEX for vulnerabilities that have already been identified. Importing vulnerabilities themselves does currently not work, for neither VEX nor VDR. Ideally, importing a BOM with embedded VEX or VDR should:
And all of this should be atomic. |
|
I might be able to create a PR to support vulnerability importation from VEX |
Our current plan is to run trivy in pipeline independently and upload SBOM generated to DT for further analysis. Trying to understand if we shouldn't be taking this approach and wait for #3251 and use integrated analyzer instead. Please help. |
|
@iamrahul127 my 2 cents in this... |
We currently support multiple sources of vulnerability intelligence, among them the NVD, OSS Index, GHSA and VulnDB. In some cases, we perform the actual vulnerability scanning (e.g. NVD, GHSA), in others this is done by the sources themselves (e.g. OSS Index).
There are more great scanning tools out there, like Aqua's Trivy or Anchore's Grype, that we could also integrate with. Trivy will soon support scanning of CycloneDX SBOMs (aquasecurity/trivy#2203), and it already supports VEX output (aquasecurity/trivy#1832).
Given most tools are intended to be invoked via CLI, integration with DT may require a thin web API layer that exposes the functionality via REST or gRPC.
Instead of hardcoding integrations in DT, we could allow for configuration of generic scanners that accept CycloneDX SBOMs and return CycloneDX VEX documents. Users could then decide to only rely on Trivy, or any other arbitrary combination of scanners.
Supporting tools like Trivy may also be beneficial for environments that are not supposed to have direct internet access (https://aquasecurity.github.io/trivy/v0.28.1/docs/advanced/air-gap/).
The text was updated successfully, but these errors were encountered: