redhat-buildpacks / testing

Project aiming to help us to perform e2e tests using Buildpacks
Apache License 2.0

[Suggestion] Have a parameter to generate the SBOM output using a different format (json, table) #43

Open cmoulliard opened 1 year ago

cmoulliard commented 1 year ago

Suggestion

The RHTAP task show-sbom generates the SBOM report using the JSON format.

While this format could be helpful if it can be imported into an application able to process it, reading a JSON output as a pod's log using the RHTAP UI is not really convenient.

This is why I suggest that we support, as part of the pipeline, a new parameter to tell the tool which format should be used to populate it. We can keep "json" and add "table" as a second option, and more.

JSON output

```
grype quay.io/ch007m/quarkus-tekton-hello -o json
{
 "matches": [
  {
   "vulnerability": {
    "id": "CVE-2005-2992",
    "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2005-2992",
    "namespace": "nvd:cpe",
    "severity": "Low",
    "urls": [
     "http://archives.neohapsis.com/archives/fulldisclosure/2005-09/0535.html",
     "http://marc.info/?l=bugtraq&m=112689596714383&w=2",
     "http://securityreason.com/securityalert/11",
     "http://www.debian.org/security/2005/dsa-843"
    ],
    "description": "arc 5.21j and earlier allows local users to overwrite arbitrary files via a symlink attack on temporary files, a different type of vulnerability than CVE-2005-2945.",
    "cvss": [
     {
      "source": "nvd@nist.gov",
      "type": "Primary",
      "version": "2.0",
      "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
      "metrics": {
       "baseScore": 2.1,
       "exploitabilityScore": 3.9,
       "impactScore": 2.9
      },
      "vendorMetadata": {}
     }
    ],
...
```

Table output, easily readable

```
grype quay.io/ch007m/quarkus-tekton-hello -o table
NAME                                                      INSTALLED          FIXED-IN  TYPE          VULNERABILITY   SEVERITY
arc                                                       3.3.1                        java-archive  CVE-2005-2992   Low
arc                                                       3.3.1                        java-archive  CVE-2005-2945   Low
io.smallrye.reactive.smallrye-mutiny-vertx-auth-common    3.5.0                        java-archive  CVE-2022-37832  Critical
io.smallrye.reactive.smallrye-mutiny-vertx-auth-common    3.5.0                        java-archive  CVE-2018-15529  High
io.smallrye.reactive.smallrye-mutiny-vertx-auth-common    3.5.0                        java-archive  CVE-2013-0136   High
io.smallrye.reactive.smallrye-mutiny-vertx-bridge-common  3.5.0                        java-archive  CVE-2022-37832  Critical
...
```
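
An added example (not code from redhat-buildpacks/testing or from grype) of producing the readable table the issue asks for when a pipeline only has grype's JSON in hand: it flattens the "matches" array into the main columns of `grype -o table`, ordered worst severity first, plus a per-severity count for the pod log. It assumes grype's JSON carries an "artifact" object (name, version, type) next to each "vulnerability", which the excerpt above does not show; the sample input is constructed.

```python
"""Render grype JSON output as a severity-ordered table (added example)."""
import json

# Severity order so the most urgent findings come first in the pod log.
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Negligible": 4, "Unknown": 5}

# Constructed sample shaped like the grype output quoted in the issue.
# The "artifact" object is an assumption about grype's JSON, not shown in the issue.
SAMPLE_GRYPE_JSON = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-2005-2992", "severity": "Low"},
     "artifact": {"name": "arc", "version": "3.3.1", "type": "java-archive"}},
    {"vulnerability": {"id": "CVE-2022-37832", "severity": "Critical"},
     "artifact": {"name": "io.smallrye.reactive.smallrye-mutiny-vertx-auth-common",
                  "version": "3.5.0", "type": "java-archive"}},
    {"vulnerability": {"id": "CVE-2018-15529", "severity": "High"},
     "artifact": {"name": "io.smallrye.reactive.smallrye-mutiny-vertx-auth-common",
                  "version": "3.5.0", "type": "java-archive"}},
]})

def parse_matches(raw):
    """Flatten grype JSON into (name, version, type, id, severity) rows, worst first."""
    rows = []
    for m in json.loads(raw).get("matches", []):
        v, a = m.get("vulnerability", {}), m.get("artifact", {})
        rows.append((str(a.get("name", "?")), str(a.get("version", "?")), str(a.get("type", "?")),
                     str(v.get("id", "?")), str(v.get("severity", "Unknown"))))
    # Unknown severities sort last instead of being dropped silently.
    return sorted(rows, key=lambda r: (SEVERITY_RANK.get(r[4], 99), r[0], r[3]))

def severity_counts(rows):
    """Count findings per severity: a one-line summary for the pipeline log."""
    counts = {}
    for r in rows:
        counts[r[4]] = counts.get(r[4], 0) + 1
    return counts

def render_table(raw):
    """Return an aligned text table with the main columns of `grype -o table`."""
    header = ("NAME", "INSTALLED", "TYPE", "VULNERABILITY", "SEVERITY")
    rows = parse_matches(raw)
    widths = [max(len(col) for col in column) for column in zip(header, *rows)]
    fmt = "  ".join("{:<%d}" % w for w in widths)
    return "\n".join(fmt.format(*r).rstrip() for r in [header, *rows])

if __name__ == "__main__":
    print(render_table(SAMPLE_GRYPE_JSON))
    print(severity_counts(parse_matches(SAMPLE_GRYPE_JSON)))
```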

brianwcook commented 1 year ago

what is it you are looking for in the sbom?

cmoulliard commented 1 year ago

> what is it you are looking for in the sbom?

Developers are interested in seeing the content of the SBOM, and whether it includes CVEs that imply bumping some dependencies ;-)