zot
[Feat]: support CVE scans using SBOM when available
Is your feature request related to a problem? Please describe.
zot has support for OCI artifacts (v1.1.0) and when an SBOM is pushed, we can leverage the SBOM scanning ability from trivy to do:
- a lightweight scan
- CVE scans even when storage is remote (since no unpacking is needed)
Describe the solution you'd like
If remote storage is detected and a SBOM artifact is found, then use that for CVE scans.
Describe alternatives you've considered
No response
Additional context
No response
trivy sbom <sbom-file>
1. If an SBOM is available via referrer for an image, then "download" it
2. Else, cannot scan the image
3. If 1. then CVE scan against SBOM
^ first cut, for remote cloud storage case.
Hi @rchincha
I am willing to work on this issue.
From what I can understand, we have a ScanImage method which has been implemented for trivy.
I think the following logic flow will satisfy this requirement:
- Check if we have remote storage.
- If not, proceed to scan as already implemented.
- If we detect remote storage, check for presence of SBOM as reference.
- If we have SBOM as reference, proceed to scan using the SBOM with trivy (to be implemented).
- If not, proceed to scan the image as already implemented.
Please let me know if I can proceed with the implementation.
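The decision flow proposed in the comment above, written out as an added Go example (not zot's or trivy's own code): it parses a referrers index as returned by the OCI 1.1 referrers API, picks the first referrer whose artifactType is an SBOM format, and chooses between the existing image scan and a `trivy sbom` scan. The SBOM artifact type list, the `Descriptor` subset and the sample referrers response are all assumptions constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Subset of an OCI descriptor; the referrers API (GET /v2/<name>/referrers/<digest>,
// OCI distribution 1.1) returns an image index whose "manifests" carry artifactType.
type Descriptor struct {
	ArtifactType string `json:"artifactType,omitempty"`
	Digest       string `json:"digest"`
}
// SBOM artifact types trivy can consume (assumed list, not taken from zot's code).
var sbomArtifactTypes = map[string]bool{
	"application/spdx+json":          true,
	"application/vnd.cyclonedx+json": true,
}
// FindSBOMReferrer returns the first referrer whose artifactType is a known
// SBOM format; a malformed index yields no match instead of a crash.
func FindSBOMReferrer(indexJSON []byte) (Descriptor, bool) {
	var idx struct {
		Manifests []Descriptor `json:"manifests"`
	}
	if err := json.Unmarshal(indexJSON, &idx); err != nil {
		return Descriptor{}, false
	}
	for _, d := range idx.Manifests {
		if sbomArtifactTypes[d.ArtifactType] {
			return d, true
		}
	}
	return Descriptor{}, false
}
// ScanStrategy follows the flow in the comment above: local storage keeps the existing
// image scan; remote storage uses "trivy sbom" on a referrer SBOM, else the image scan.
func ScanStrategy(remoteStorage bool, indexJSON []byte) string {
	if _, ok := FindSBOMReferrer(indexJSON); remoteStorage && ok {
		return "sbom"
	}
	return "image"
}
// Constructed referrers response: a non-SBOM artifact followed by an SPDX SBOM.
const sampleReferrers = `{"schemaVersion":2,"manifests":[
{"artifactType":"application/vnd.example.signature+json","digest":"sha256:1111111111111111111111111111111111111111111111111111111111111111"},
{"artifactType":"application/spdx+json","digest":"sha256:2222222222222222222222222222222222222222222222222222222222222222"}]}`

func main() {
	d, _ := FindSBOMReferrer([]byte(sampleReferrers))
	fmt.Println(ScanStrategy(true, []byte(sampleReferrers)), d.Digest) // sbom sha256:2222...
}
```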
Looks fine to me - had to dig through the code to understand why Zot never uses my supplied SBOM for Trivy.
This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 5 days.
This issue was closed because it has been stalled for 5 days with no activity.