CISA-SBOM-Community / SBOM-Generation

Reference GitHub Workflows for SBOM generation from the CISA SBOM Generation Reference Implementation Tiger Team
Apache License 2.0

Phase1 Keycloak #23

Closed douglasdennis closed 1 week ago

douglasdennis commented 2 weeks ago

Initial implementation of Trivy scanning Keycloak dependencies. I attempted to follow @vpetersson's example and structure.

The scan takes quite a while to run, 15 - 20 minutes per BOM format. I believe this is due to the scale of the project but I'm not 100% sure about that. If anyone has any ideas on how to speed it up then I would be more than happy to try them out. It does appear to capture all of the pom files. I was not seeing any of the npm files getting populated in the BOMs either. The BOMs are quite large though, so we may want to reduce what is getting included in them.

I did not implement adding metadata to the BOM. It seemed like from the ticket that the metadata would be addressed in a follow up PR. If I got that wrong then I can go back in and do that.

The only real tweak I made on Viktor's code was to add a summary output on the last build step. It looks like GitHub will let you populate a markdown file with results. I'm currently just dumping the sbomqs output to that file inside of a code block to deal with formatting. Might be nice to add some formatting to that in a later revision.

Closes #16

vpetersson commented 2 weeks ago

Great stuff, @douglasdennis.

With regards to the speed, can you try adding --scanners license? The default value is vuln,secret, but we don't really care about either of those in the scope of this project. I've read that the secret scan can be very slow.

vpetersson commented 2 weeks ago

Also you can try "--offline-scan" as per @idunbarh's early findings. I'm not exactly sure what that does to the completeness of the SBOM but worth investigating.

douglasdennis commented 2 weeks ago

Also you can try "--offline-scan" as per @idunbarh's early findings. I'm not exactly sure what that does to the completeness of the SBOM but worth investigating.

It looks like --offline-scan generates a much smaller BOM. With --offline-scan the generated BOM is 68,782 lines; without that flag the BOM is 725,988. I'm not sure what the exact difference is but it seems significant.

The license-only scanner might be speeding it up a little bit locally but I have to double check how it does on GitHub. I had a suspicion so I hooked up Wireshark and I found that Trivy makes a lot of calls out to Maven Central. I suspect that Trivy is using that to get a lot more metadata about the components listed in the pom files, and that these calls are slowing things down.

idunbarh commented 2 weeks ago

Also you can try "--offline-scan" as per @idunbarh's early findings. I'm not exactly sure what that does to the completeness of the SBOM but worth investigating.

Trivy will update its vulnerability database, which can take a significant amount of time. The --offline-scan will disable this updating functionality.
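The flags discussed in this thread (`--scanners license` and `--offline-scan`), the per-format run, and the sbomqs dump into the step summary, pulled together as an added example workflow that is not the PR's own code. It assumes the `keycloak/keycloak` tree is what gets scanned, that `aquasecurity/setup-trivy` installs the Trivy CLI, and that sbomqs is installed with `go install`; pin action tags you have reviewed before using it.

```yaml
name: keycloak-sbom
on:
  workflow_dispatch:

jobs:
  sbom:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        # one job per BOM format, so the two slow scans run in parallel
        format: [spdx-json, cyclonedx]
    steps:
      - uses: actions/checkout@v4
        with:
          repository: keycloak/keycloak   # assumption: the tree being scanned
          path: keycloak

      # assumption: this action puts the trivy CLI on PATH
      - uses: aquasecurity/setup-trivy@v0.2.0

      # assumption: sbomqs installed from its Go module path
      - uses: actions/setup-go@v5
      - run: go install github.com/interlynk-io/sbomqs@latest

      - name: Generate SBOM
        run: |
          # --scanners license: skip the vuln/secret scanners we do not need
          # --offline-scan: no remote lookups (the Maven Central calls seen in Wireshark)
          trivy fs \
            --scanners license \
            --offline-scan \
            --format "${{ matrix.format }}" \
            --output "keycloak.${{ matrix.format }}.json" \
            keycloak

      - name: Write step summary
        run: |
          # tilde fences are valid GitHub markdown and avoid nesting backticks
          {
            echo "### Keycloak SBOM (${{ matrix.format }})"
            echo '~~~'
            wc -l "keycloak.${{ matrix.format }}.json"
            sbomqs score "keycloak.${{ matrix.format }}.json"
            echo '~~~'
          } >> "$GITHUB_STEP_SUMMARY"

      - uses: actions/upload-artifact@v4
        with:
          name: keycloak-sbom-${{ matrix.format }}
          path: keycloak.${{ matrix.format }}.json
```

Comparing the `wc -l` line in the two summaries is a quick way to see the size difference the thread reports between offline and online scans.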