Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make spdx SBOMs readable by trivy scanner #1038

Merged
merged 7 commits into from
Nov 28, 2024
Merged

Make spdx SBOMs readable by trivy scanner #1038

merged 7 commits into from
Nov 28, 2024

Conversation

josegomezr
Copy link
Contributor

Before:

trivy sbom --format template --template '{{ $vuln := 0 }}{{- range . }}{{- range .Vulnerabilities }}{{- $vuln = add $vuln 1 }}{{- end -}}{{- end -}}Vuln count: {{ $vuln }}'  /home/scc/code/obs-build/obs-sbom.spdx.json
2024-11-18T17:50:14+01:00       INFO    [vuln] Vulnerability scanning is enabled
2024-11-18T17:50:15+01:00       INFO    Detected SBOM format    format="spdx-json"
2024-11-18T17:50:18+01:00       WARN    [sbom] Ignore the OS package as no OS is detected.      file_path="/home/scc/code/obs-build/obs-sbom.spdx.json"
2024-11-18T17:50:18+01:00       INFO    Number of language-specific files       num=1
2024-11-18T17:50:18+01:00       INFO    [gobinary] Detecting vulnerabilities...
2024-11-18T17:50:18+01:00       WARN    Version matching error  err="version error (go1.17.9): malformed version: go1.17.9"
# the same, but 103 times more
2024-11-18T17:50:18+01:00       WARN    Version matching error  err="version error (go1.17.9): malformed version: go1.17.9"
Vuln count: 0

After:

trivy sbom --format template --template '{{ $vuln := 0 }}{{- range . }}{{- range .Vulnerabilities }}{{- $vuln = add $vuln 1 }}{{- end -}}{{- end -}}Vuln count: {{ $vuln }}'  /home/scc/code/obs-build/obs-sbom.spdx.json
2024-11-18T17:57:43+01:00       INFO    [vuln] Vulnerability scanning is enabled
2024-11-18T17:57:44+01:00       INFO    Detected SBOM format    format="spdx-json"
2024-11-18T17:57:47+01:00       INFO    Detected OS     family="sles" version="15.4"
2024-11-18T17:57:47+01:00       WARN    Unsupported os  family="sles"
2024-11-18T17:57:47+01:00       INFO    Number of language-specific files       num=1
2024-11-18T17:57:47+01:00       INFO    [gobinary] Detecting vulnerabilities...
2024-11-18T17:57:47+01:00       WARN    Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/dev/docs/scanner/vulnerability#severity-selection for details.
Vuln count: 56

mlschroe
mlschroe reviewed Nov 21, 2024
View reviewed changes
Build/IntrospectGolang.pm Outdated Show resolved Hide resolved
@josegomezr
Copy link
Contributor Author

After testing a bleeding edge trivy build after aquasecurity/trivy#7965 and the code on this PR, trivy scanner can finally detect the OS on the generated SPDX and CycloneDX reports properly, including the lifecycle information!

$ ../trivy/main sbom  --format template --template '{{ $vuln := 0 }}{{- range . }}{{- range .Vulnerabilities }}{{- $vuln = add $vuln 1 }}{{- end -}}{{- end -}}Vuln count: {{ $vuln }}' obs-sbom.cdx.json 
2024-11-22T22:10:06+01:00       INFO    [vuln] Vulnerability scanning is enabled
2024-11-22T22:10:06+01:00       INFO    Detected SBOM format    format="cyclonedx-json"
2024-11-22T22:10:06+01:00       WARN    Third-party SBOM may lead to inaccurate vulnerability detection
2024-11-22T22:10:06+01:00       WARN    Recommend using Trivy to generate SBOMs
2024-11-22T22:10:06+01:00       INFO    Detected OS     family="sles" version="15.4"
2024-11-22T22:10:06+01:00       INFO    [sles] Detecting vulnerabilities...     os_version="15.4" pkg_num=370
2024-11-22T22:10:06+01:00       INFO    Number of language-specific files       num=1
2024-11-22T22:10:06+01:00       INFO    [gobinary] Detecting vulnerabilities...
2024-11-22T22:10:06+01:00       WARN    Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/dev/docs/scanner/vulnerability#severity-selection for details.
2024-11-22T22:10:06+01:00       WARN    This OS version is no longer supported by the distribution      family="sles" version="15.4"
2024-11-22T22:10:06+01:00       WARN    The vulnerability detection may be insufficient because security updates are not provided
Vuln count: 487

$ ../trivy/main sbom  --format template --template '{{ $vuln := 0 }}{{- range . }}{{- range .Vulnerabilities }}{{- $vuln = add $vuln 1 }}{{- end -}}{{- end -}}Vuln count: {{ $vuln }}' obs-sbom.spdx.json 
2024-11-22T22:10:12+01:00       INFO    [vuln] Vulnerability scanning is enabled
2024-11-22T22:10:13+01:00       INFO    Detected SBOM format    format="spdx-json"
2024-11-22T22:10:16+01:00       INFO    Detected OS     family="sles" version="15.4"
2024-11-22T22:10:16+01:00       INFO    [sles] Detecting vulnerabilities...     os_version="15.4" pkg_num=370
2024-11-22T22:10:16+01:00       INFO    Number of language-specific files       num=1
2024-11-22T22:10:16+01:00       INFO    [gobinary] Detecting vulnerabilities...
2024-11-22T22:10:16+01:00       WARN    Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/dev/docs/scanner/vulnerability#severity-selection for details.
2024-11-22T22:10:16+01:00       WARN    This OS version is no longer supported by the distribution      family="sles" version="15.4"
2024-11-22T22:10:16+01:00       WARN    The vulnerability detection may be insufficient because security updates are not provided
Vuln count: 487

mlschroe
mlschroe reviewed Nov 27, 2024
View reviewed changes
Build/IntrospectGolang.pm Outdated Show resolved Hide resolved
mlschroe
mlschroe reviewed Nov 27, 2024
View reviewed changes
generate_sbom
primaryPackagePurpose => 'OPERATING-SYSTEM',
skip_external_refs => 1
}, undef, undef, {});

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's more clean to not call spdx_encode_pkg but just do the stuff we need for the operating system entry here.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Even if the filesystem entry is reflected exactly as a package inside the OS?

@josegomezr josegomezr force-pushed the make_spdx_readable_by_trivy branch from 5d8f14c to 542b23b Compare November 27, 2024 16:34
@mlschroe mlschroe merged commit 1c94d8c into openSUSE:master Nov 28, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mlschroe mlschroe mlschroe approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@josegomezr @mlschroe