intel / cve-bin-tool

The CVE Binary Tool helps you determine if your system includes known vulnerabilities. You can scan binaries for over 200 common, vulnerable components (openssl, libpng, libxml2, expat and others), or if you know the components used, you can get a list of known vulnerabilities associated with an SBOM or a list of components and versions.
https://cve-bin-tool.readthedocs.io/en/latest/
GNU General Public License v3.0

feat: Adding purl entries to generated SBOM through purl2cpe ? #3317

Open ffontaine opened 10 months ago

ffontaine commented 10 months ago

Description

It would be very useful to generate SBOM with purl entries through purl2cpe which is licensed under MIT. My basic idea would be to fill purl entries depending on what is returned by purl2cpe database. Here is an example:

sqlite> select distinct purl from purl2cpe where cpe like "%d-bus_project:d-bus%";
pkg:deb/debian/dbus
pkg:deb/ubuntu/dbus
pkg:github/freedesktop/dbus
pkg:rpm/fedora/dbus

Why?

With purl, SBOM managers will retrieve useful upstream information: latest version, repository activity, etc.

Environment context (optional)

Currently, cve-bin-tool is used during our pentests to detect vulnerable components and ask manufacturers to upgrade them. We're now starting to also use cve-bin-tool to generate SBOM. Hopefully, SBOM should help the project manager to handle CVEs throughout the product lifecycle. Ideally, SBOM should be provided by manufacturers but for the moment, cve-bin-tool generates better SBOM than the manufacturer ...

Anything else?

I'm not sure where purl2cpe should be integrated: in cve-bin-tool or in lib4sbom?

terriko commented 10 months ago

This sounds like a good idea.

For sbom generation: we're leaning heavily on lib4sbom so it'd be good to have it in there.

But I think we're going to internally want purl for the language parsers as well, so it probably makes sense to integrate it or something similar as part of the parsers too.

anthonyharrison commented 10 months ago

2685 also suggests using purl to improve product management. Note there is not a 1-1 mapping of cpe to purl (or vice versa!), so there will need to be some decisions taken as regards which purl entry to use.

purls can be added to sbom generation as external references. Adding this to the SBOM generation within cve-bin-tool is relatively easy as lib4sbom already handles purls (and cpes) as external references.
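To make the two points above concrete (the purl2cpe lookup from the first post, and the non-1-1 mapping plus external-reference handling from this comment), here is an added example that is not code from cve-bin-tool, lib4sbom or purl2cpe. It builds an in-memory sqlite table with the `cpe`/`purl` column layout implied by the query in the issue, filled with constructed rows, and the preference order and the external-reference dict shape are assumptions for illustration, not project policy.

```python
import sqlite3

# Constructed sample rows in the purl2cpe layout used by the query in the issue
# (columns: cpe, purl). Not real purl2cpe data.
SAMPLE_ROWS = [
    ("cpe:2.3:a:d-bus_project:d-bus:*:*:*:*:*:*:*:*", "pkg:deb/debian/dbus"),
    ("cpe:2.3:a:d-bus_project:d-bus:*:*:*:*:*:*:*:*", "pkg:deb/ubuntu/dbus"),
    ("cpe:2.3:a:d-bus_project:d-bus:*:*:*:*:*:*:*:*", "pkg:github/freedesktop/dbus"),
    ("cpe:2.3:a:d-bus_project:d-bus:*:*:*:*:*:*:*:*", "pkg:rpm/fedora/dbus"),
    ("cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "pkg:github/openssl/openssl"),
]

# Assumed tie-break order when one CPE maps to several purls: prefer the
# upstream repository, then distro packages. A project would pick its own rule.
PREFERRED_TYPES = ("github", "deb", "rpm")

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table purl2cpe (cpe text, purl text)")
    conn.executemany("insert into purl2cpe values (?, ?)", SAMPLE_ROWS)
    return conn

def purls_for_cpe(conn, vendor, product):
    """All distinct purls recorded for a vendor:product pair, sorted."""
    rows = conn.execute("select distinct cpe, purl from purl2cpe where cpe like ?",
                        (f"%:{vendor}:{product}:%",))
    # LIKE treats '_' (as in d-bus_project) as a one-character wildcard,
    # so confirm the exact vendor:product substring in Python.
    needle = f":{vendor}:{product}:"
    return sorted(purl for cpe, purl in rows if needle in cpe)

def purl_type(purl):
    # pkg:TYPE/namespace/name  ->  TYPE
    return purl.split(":", 1)[1].split("/", 1)[0]

def choose_purl(candidates):
    """Apply PREFERRED_TYPES to a candidate list; None when nothing matched."""
    for wanted in PREFERRED_TYPES:
        for purl in candidates:
            if purl_type(purl) == wanted:
                return purl
    return candidates[0] if candidates else None

def component_refs(conn, vendor, product, version):
    """External references for one SBOM component: the CPE plus, if known, a purl.
    The version is appended as-is; distro purls may use a different version
    scheme, which is one of the mapping decisions the thread mentions."""
    refs = [("cpe23Type", f"cpe:2.3:a:{vendor}:{product}:{version}:*:*:*:*:*:*:*")]
    chosen = choose_purl(purls_for_cpe(conn, vendor, product))
    if chosen:
        refs.append(("purl", f"{chosen}@{version}"))
    return refs
```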

anthonyharrison commented 10 months ago

Having spent a bit more time looking at this, I think this is an awesome idea. I note that there is a utility which loads the data into an sqlite database which means we could just include a pre-populated database with an install of cve-bin-tool.

We then need to add some queries to see if the cpe and/or purl entries in an SBOM match and then work out how we map this information into the existing database.

ffontaine commented 10 months ago

Thanks @anthonyharrison, I also worked a bit on the subject. I'll send you a PR so you can take a look at it and hopefully improve it ;-). I also sent a question to purl2cpe to seek advice on the best way to use their project: https://github.com/scanoss/purl2cpe/issues/10

ffontaine commented 10 months ago

Here is a first iteration: https://github.com/anthonyharrison/lib4sbom/pull/16.