aquasecurity / trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
https://aquasecurity.github.io/trivy
Apache License 2.0

Enhancement Request: Add option to emit software bill-of-materials (SBoM) in CycloneDX format #140

Closed chris-sansone-angi closed 2 years ago

chris-sansone-angi commented 5 years ago

Trivy seems like an awesome product. However, one place where it falls short is that the vulnerability check is only done one time and that is at the time of the scan (e.g. in the CI/CD pipeline). In today's world there is a need to continually analyze our systems and determine if there are any NEW vulnerabilities that have been released since our previous scan was conducted. With Trivy this would require scanning the Docker image over and over again which takes time.

The OWASP Dependency Track project takes a slightly different approach. You collect the software bill-of-materials (SBoM) that comprise your application in a canonicalized/standardized format (CycloneDX) and then feed this SBoM to OWASP Dependency Track. OWASP Dependency Track does the magic of continuously scanning your SBoM and matching it against several different databases of known vulnerabilities.

Would it be possible to add an option to Trivy or fanal to emit the software bill-of-materials (SBoM) that were seen in the Docker container in the CycloneDX format instead of using Trivy to do the vulnerability scanning? This would allow users to upload this SBoM to other places to manage the list of dependencies they use and track vulnerabilities (e.g. in OWASP Dependency Track).

Note: I wasn't sure whether or not to open this enhancement request here or in the fanal project. I opened it here because I did not see any issues in the fanal project.

knqyf263 commented 5 years ago

@csansone-handy Thank you for telling me. It's interesting. Are there any other tools that support the CycloneDX format, apart from OWASP Dependency Track?

chris-sansone-angi commented 5 years ago

@knqyf263 - here is what we know:

However, I am sure this list will continue to grow. It would be awesome to see Trivy get added to this list!

stevespringett commented 5 years ago

The OSS Review Toolkit now supports CycloneDX https://github.com/heremaps/oss-review-toolkit

It's also being experimented with by the U.S. Government https://github.com/mil-oss/spdx-xsd and received many mentions in last week's NTIA meeting in D.C. It will also be included in an upcoming NTIA guide to Software Transparency which will likely be published next month and include only a handful of SBOM formats, CycloneDX being one of them. For reference, SPDX (tag/rdf) and SWID are the other formats mentioned in the guide.

stevespringett commented 5 years ago

One other note. Sonatype is developing a schema extension to CycloneDX which would provide the ability to incorporate vulnerability information in the SBOM itself.

So while CycloneDX just lists the individual components, this optional schema would have the capability of including the vulnerability data for each component as well. This might be something trivy could take advantage of.

Refer to https://github.com/CycloneDX/specification/pull/19

stevespringett commented 4 years ago

Any update on this?

Since this ticket was created, NTIA has published a series of SBOM related documents, CycloneDX being one of the specs detailed and the only one currently focused specifically on security use-cases. (SPDX v3 will include support for this in the future as well)

https://www.ntia.doc.gov/SBOM

Sonatype has now expanded their support for CycloneDX. They now can generate SBOMs on the fly and can analyze SBOMs. Their Jenkins plugin also now supports publishing SBOMs to Nexus IQ Server for analysis. They also have a few open source projects in the works with CycloneDX support planned.

Also of interest is work that OASIS is doing with OpenC2 (comply-to-connect), where SBOMs are retrieved from devices, analyzed, results evaluated, before being allowed to connect. This is a DoD requirement. CycloneDX is currently listed as one of three specs and they have an example (using CycloneDX) of how this may work when complete.

https://twitter.com/stevespringett/status/1207520925056479232 https://github.com/oasis-tcs/openc2-usecases/blob/master/Cybercom-Plugfest/sbom-github.md

gotthardp commented 4 years ago

It feels to me this may be a new project, based on fanal just like trivy is, but producing a BOM instead of scanning for vulnerabilities. Did anyone try that?

stevespringett commented 4 years ago

@gotthardp It could be its own project, yes. Having a dedicated project that simply produces a lightweight BOM would be extremely useful, but I haven't tried. Go is foreign to me.

I can also see a case for this being incorporated into Trivy itself, however. The CycloneDX BOM format has support for documenting vulnerabilities. Ideally, CycloneDX BOMs would be generated which would include an inventory of all components from Trivy, with an option to include or omit any vulnerability data.

https://cyclonedx.org/ext/vulnerability/

rrupesh commented 4 years ago

@gotthardp @stevespringett very crude code to get SBOM (OS and APP) from trivy in JSON output. Granted, the output doesn't conform to the CycloneDX specs. But this gets my work done.

https://github.com/aquasecurity/trivy/pull/566
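The two comments above describe the same gap from different ends: a Trivy JSON report already carries the package inventory (and the vulnerabilities), but nothing reshapes it into a CycloneDX document with an optional vulnerability section. The following converter is an added example written for this page, not code from Trivy or from the linked pull request. It assumes the report layout of Trivy's JSON output (`Results[].Type`, `Packages[]`, `Vulnerabilities[]`); the sample report is constructed, the CVE id in it is a placeholder, and the `PURL_TYPES` mapping covers only a few ecosystems. It targets CycloneDX 1.4, where vulnerability data became part of the core schema rather than the separate extension discussed earlier in the thread.

```python
"""Convert a Trivy-style JSON report into a CycloneDX 1.4 JSON BOM.

Added example, not Trivy's own code. The input shape mirrors Trivy's JSON
report as assumed here; the sample below is constructed, not a real scan.
"""
import json
import uuid
from datetime import datetime, timezone

# Trivy package "Type" -> (purl type, purl namespace). Assumption: a small
# illustrative subset; anything else falls back to the generic purl type.
PURL_TYPES = {
    "alpine": ("apk", "alpine"),
    "debian": ("deb", "debian"),
    "ubuntu": ("deb", "ubuntu"),
    "pip": ("pypi", None),
    "npm": ("npm", None),
    "gomod": ("golang", None),
}

# Constructed sample in the shape of a Trivy JSON report. CVE-0000-00001 is a
# placeholder identifier, not a real vulnerability.
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "example.invalid/app:1.0",
    "ArtifactType": "container_image",
    "Results": [
        {
            "Target": "example.invalid/app:1.0 (alpine 3.14.2)",
            "Class": "os-pkgs",
            "Type": "alpine",
            "Packages": [
                {"Name": "musl", "Version": "1.2.2-r3"},
                {"Name": "busybox", "Version": "1.33.1-r3"},
                {"Name": "busybox", "Version": "1.33.1-r3"},  # duplicate on purpose
            ],
            "Vulnerabilities": [
                {
                    "VulnerabilityID": "CVE-0000-00001",
                    "PkgName": "busybox",
                    "InstalledVersion": "1.33.1-r3",
                    "FixedVersion": "1.33.1-r6",
                    "Severity": "HIGH",
                }
            ],
        },
        {
            "Target": "app/requirements.txt",
            "Class": "lang-pkgs",
            "Type": "pip",
            "Packages": [{"Name": "requests", "Version": "2.25.1"}],
            "Vulnerabilities": [],
        },
    ],
}


def make_purl(pkg_type, name, version):
    """Build a package URL (purl) for one package."""
    purl_type, namespace = PURL_TYPES.get(pkg_type, ("generic", None))
    ns = f"{namespace}/" if namespace else ""
    return f"pkg:{purl_type}/{ns}{name}@{version}"


def to_cyclonedx(report, include_vulns=True):
    """Return a CycloneDX 1.4 BOM as a dict.

    With include_vulns=False the BOM is a pure inventory, which is what a
    consumer such as Dependency-Track needs; with True, findings from the
    report are attached to the affected components via their bom-ref.
    """
    components, vulns, seen = [], [], {}
    for result in report.get("Results", []):
        pkg_type = result.get("Type", "")
        for pkg in result.get("Packages", []):
            purl = make_purl(pkg_type, pkg["Name"], pkg["Version"])
            if purl in seen:          # bom-ref must be unique within a BOM
                continue
            seen[purl] = True
            components.append({
                "type": "library",    # OS packages are libraries in 1.4 terms
                "bom-ref": purl,
                "name": pkg["Name"],
                "version": pkg["Version"],
                "purl": purl,
            })
        if not include_vulns:
            continue
        for v in result.get("Vulnerabilities", []):
            ref = make_purl(pkg_type, v["PkgName"], v["InstalledVersion"])
            if ref not in seen:       # finding for a package not in inventory
                continue
            entry = {
                "id": v["VulnerabilityID"],
                "ratings": [{"severity": v.get("Severity", "UNKNOWN").lower()}],
                "affects": [{"ref": ref}],
            }
            if v.get("FixedVersion"):
                entry["recommendation"] = f"Upgrade to {v['FixedVersion']}"
            vulns.append(entry)
    bom = {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "component": {
                "type": "container" if report.get("ArtifactType") == "container_image" else "application",
                "name": report.get("ArtifactName", "unknown"),
            },
        },
        "components": components,
    }
    if include_vulns:
        bom["vulnerabilities"] = vulns
    return bom


if __name__ == "__main__":
    print(json.dumps(to_cyclonedx(SAMPLE_REPORT), indent=2))
```

The duplicate `busybox` entry in the sample shows the one correctness check worth keeping: `bom-ref` values must be unique, so the inventory is deduplicated by purl before any vulnerability is linked to it. Trivy later gained native output of this shape, so a practitioner today would run `trivy image --format cyclonedx` rather than post-process the JSON report.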

stevespringett commented 3 years ago

A list of all known tools that support CycloneDX is here: https://cyclonedx.org/tool-center/ which includes SCA and container security vendors. It would be great to have Trivy and/or Fanal support CycloneDX and hopefully to feed those requirements back to the commercial Aquasec products as well.

VinodAnandan commented 3 years ago

Hi Team, Any update on this?

knqyf263 commented 3 years ago

We don't have time to work on it now, so we welcome contributions from anyone who is interested.

msymons commented 3 years ago

As a non-developer, I am afraid that I cannot contribute code. However, I can say that CycloneDX support would be really useful, as we are already using Trivy and yet also using solutions that expect to import in CycloneDX format.

jonaz commented 2 years ago

It feels to me this may be a new project, based on fanal just like trivy is, but producing a BOM instead of scanning for vulnerabilities. Did anyone try that?

We have started looking into this. Has anyone else begun?

knqyf263 commented 2 years ago

It's been a while, but we finally added support for CycloneDX 🚀 https://github.com/aquasecurity/trivy/discussions/1760