munishchouhan opened this issue 6 months ago
Likely this can be implemented following the same "pattern" as for the build logs: `/builds/{id}/sbom` is added to retrieve the SBOM content, similar to the logs one.

Working on this issue now, getting an error with the sbom command, researching on that:
Does this require a separate job, or can it be done along with the scan?

> Does this require a separate job, or can it be done along with the scan?
We can use the existing scan job. We need to add the `--list-all-pkgs` flag to our existing scan command, which will also add the SBOM to the output JSON, like this:

```shell
docker run --rm aquasec/trivy:0.55.0 -q image --format json --list-all-pkgs ubuntu:20.04
```

It will have a new package section which will contain:

```json
"Results": [
  {
    "Target": "ubuntu:20.04 (ubuntu 20.04)",
    "Class": "os-pkgs",
    "Type": "ubuntu",
    "Packages": [
      {
        "ID": "adduser@3.118ubuntu2",
        "Name": "adduser",
        "Identifier": {
          "PURL": "pkg:deb/ubuntu/adduser@3.118ubuntu2?arch=all\u0026distro=ubuntu-20.04",
          "UID": "5122302fc4653274"
        },
        "Version": "3.118ubuntu2",
        "Arch": "all",
        "SrcName": "adduser",
        "SrcVersion": "3.118ubuntu2",
        "Licenses": [
          "GPL-2.0"
        ],
        "Maintainer": "Ubuntu Core Developers \u003cubuntu-devel-discuss@lists.ubuntu.com\u003e",
        "DependsOn": [
          "debconf@1.5.73",
          "passwd@1:4.8.1-1ubuntu5.20.04.5"
        ],
```
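The comment above shows the `Packages` section that `--list-all-pkgs` adds to the Trivy JSON report. The following is an added example (not code from Wave or from Trivy) of how a service storing that report could turn it into a package inventory and run a basic completeness check: every `DependsOn` entry should resolve to a package that is itself listed, otherwise the SBOM is missing components. The report embedded below is constructed from the excerpt in the thread, trimmed to the fields that are read, with only two packages listed so that the `passwd` dependency is deliberately left unresolved.

```python
"""Inventory the package section that `trivy image --format json --list-all-pkgs`
emits and flag dependency edges that point at packages missing from the report.

Added example; not code from the Wave project or from Trivy. SAMPLE_REPORT is a
constructed, trimmed-down report modelled on the excerpt in the thread.
"""
import json

# Constructed sample: field names follow the thread's excerpt, contents are shortened.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {
            "Target": "ubuntu:20.04 (ubuntu 20.04)",
            "Class": "os-pkgs",
            "Type": "ubuntu",
            "Packages": [
                {
                    "ID": "adduser@3.118ubuntu2",
                    "Name": "adduser",
                    "Identifier": {"PURL": "pkg:deb/ubuntu/adduser@3.118ubuntu2?arch=all&distro=ubuntu-20.04"},
                    "Version": "3.118ubuntu2",
                    "Licenses": ["GPL-2.0"],
                    "DependsOn": ["debconf@1.5.73", "passwd@1:4.8.1-1ubuntu5.20.04.5"],
                },
                {
                    # Constructed second package so that one DependsOn edge resolves.
                    "ID": "debconf@1.5.73",
                    "Name": "debconf",
                    "Identifier": {"PURL": "pkg:deb/ubuntu/debconf@1.5.73?arch=all&distro=ubuntu-20.04"},
                    "Version": "1.5.73",
                    "Licenses": ["BSD-2-Clause"],
                    "DependsOn": [],
                },
            ],
        }
    ]
})


def inventory(report_json):
    """Return {package ID: {purl, name, version, licenses, depends_on, target}} across all Results."""
    report = json.loads(report_json)
    packages = {}
    for result in report.get("Results", []):
        for pkg in result.get("Packages", []):
            packages[pkg["ID"]] = {
                "purl": pkg.get("Identifier", {}).get("PURL"),
                "name": pkg["Name"],
                "version": pkg.get("Version"),
                "licenses": pkg.get("Licenses", []),
                "depends_on": pkg.get("DependsOn", []),
                "target": result.get("Target"),
            }
    return packages


def dangling_dependencies(packages):
    """IDs referenced in DependsOn that are not listed as packages themselves (incomplete SBOM)."""
    known = set(packages)
    return sorted({dep for pkg in packages.values() for dep in pkg["depends_on"] if dep not in known})


def unlicensed(packages):
    """Package IDs that carry no license information at all."""
    return sorted(pid for pid, p in packages.items() if not p["licenses"])


if __name__ == "__main__":
    pkgs = inventory(SAMPLE_REPORT)
    print(f"{len(pkgs)} packages")
    for pid, p in pkgs.items():
        print(f"  {pid}: {p['purl']} licenses={p['licenses']}")
    print("dangling dependencies:", dangling_dependencies(pkgs))
```

To run it against a real report, redirect the `docker run ... --format json --list-all-pkgs` output to a file and pass its contents to `inventory()` instead of `SAMPLE_REPORT`.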
Nice. @ewels, is this what you were expecting?
There are two main industry standards for SBOMs:
Can both of them be created with the same scan command?

> Can both of them be created with the same scan command?
No, we need to provide the specific format for it. In the case of CycloneDX we get vulnerabilities too, but not in the case of SPDX.
If we want SPDX, then we need two jobs.
There is a PR which adds support for security scan in SPDX, but I don't see it in the results: https://github.com/aquasecurity/trivy/pull/7213

Examples:

CycloneDX

```shell
docker run --rm aquasec/trivy:0.55.0 -q image --format cyclonedx --list-all-pkgs --scanners vuln ubuntu:20.04
```

SPDX

```shell
docker run --rm aquasec/trivy:0.55.0 -q image --format spdx --list-all-pkgs --scanners vuln ubuntu:20.04
docker run --rm aquasec/trivy:0.55.0 -q image --format spdx-json --list-all-pkgs --scanners vuln ubuntu:20.04
```

Correction: SPDX also contains vulnerabilities, but the format is different:

```json
"externalRefs": [
  {
    "referenceCategory": "PACKAGE-MANAGER",
    "referenceType": "purl",
    "referenceLocator": "pkg:deb/ubuntu/libc-bin@2.39-0ubuntu8.2?arch=amd64\u0026distro=ubuntu-24.04"
  },
  {
    "referenceCategory": "SECURITY",
    "referenceType": "advisory",
    "referenceLocator": "https://avd.aquasec.com/nvd/cve-2016-20013"
  }
],
```
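In the SPDX output described above, a package's identity (the purl) and its vulnerability findings are both carried as `externalRefs` entries rather than in a dedicated vulnerability section, so a consumer has to pair the `PACKAGE-MANAGER`/`purl` reference with any `SECURITY`/`advisory` references on the same package. The following added example (not Wave or Trivy code) does that pairing over an SPDX-JSON document. The document embedded below is constructed: the `externalRefs` follow the excerpt in the comment above, while the SPDXIDs and the second package are made up, and only the fields the example reads are present.

```python
"""Pair each package in a Trivy SPDX-JSON report with the SECURITY advisory
references attached to it via externalRefs.

Added example; not code from Wave or from Trivy. SAMPLE_SPDX is a constructed
fragment; real Trivy output carries many more fields per package.
"""
import json
from urllib.parse import urlparse

SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "name": "ubuntu:24.04",
    "packages": [
        {
            "name": "libc-bin",
            "SPDXID": "SPDXRef-Package-deb-libc-bin-0001",  # constructed id
            "versionInfo": "2.39-0ubuntu8.2",
            "externalRefs": [
                {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                 "referenceLocator": "pkg:deb/ubuntu/libc-bin@2.39-0ubuntu8.2?arch=amd64&distro=ubuntu-24.04"},
                {"referenceCategory": "SECURITY", "referenceType": "advisory",
                 "referenceLocator": "https://avd.aquasec.com/nvd/cve-2016-20013"},
            ],
        },
        {
            # Constructed package with a purl but no advisory references.
            "name": "base-files",
            "SPDXID": "SPDXRef-Package-deb-base-files-0002",
            "versionInfo": "13ubuntu10",
            "externalRefs": [
                {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                 "referenceLocator": "pkg:deb/ubuntu/base-files@13ubuntu10?arch=amd64&distro=ubuntu-24.04"},
            ],
        },
    ],
})


def advisory_id(locator):
    """Last path segment of an advisory URL, upper-cased (e.g. CVE-2016-20013)."""
    return urlparse(locator).path.rstrip("/").rsplit("/", 1)[-1].upper()


def advisories_by_purl(spdx_json):
    """Return {purl: sorted advisory IDs}; a package without a purl is keyed by its SPDXID."""
    doc = json.loads(spdx_json)
    out = {}
    for pkg in doc.get("packages", []):
        purl = None
        advisories = set()
        for ref in pkg.get("externalRefs", []):
            category, rtype = ref.get("referenceCategory"), ref.get("referenceType")
            if category == "PACKAGE-MANAGER" and rtype == "purl":
                purl = ref["referenceLocator"]
            elif category == "SECURITY" and rtype == "advisory":
                advisories.add(advisory_id(ref["referenceLocator"]))
        out[purl or pkg["SPDXID"]] = sorted(advisories)
    return out


def packages_with_findings(spdx_json):
    """Purls (or SPDXIDs) that carry at least one advisory reference."""
    return sorted(k for k, v in advisories_by_purl(spdx_json).items() if v)


if __name__ == "__main__":
    for purl, cves in advisories_by_purl(SAMPLE_SPDX).items():
        print(purl, "->", cves or "no findings")
```

The same walk works on the `spdx-json` output of the command shown above; the tag-value `spdx` format would need a line-oriented parser instead of `json.loads`.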
Any idea what other services provide? e.g. Docker / Quay etc.? Could do worse than comparing ourselves against them.
From @ewels:

> Seeing more and more people ask about SBOM documents for pipelines / containers (software bill of materials). It looks like Trivy can generate SBOMs. Is this something that we could get Wave to do automatically for every build? Then host it the same way that we do for the security scan results? https://www.aquasec.com/blog/software-supply-chain-security-trivy-sbom/