wave
wave copied to clipboard
seqeralabs
Add Trivy SBOM scan for wave build containers
from @ewels Seeing more and more people ask about SBOM documents for pipelines / containers (software bill of materials). It looks like Trivy can generate SBOMs. Is this something that we could get Wave to do automatically for every build? Then host it the same way that we do for the security scan results? https://www.aquasec.com/blog/software-supply-chain-security-trivy-sbom/
Likely this can be implemented following the same "pattern" for the build logs:
- the command for the creation of the SBOM is included in the job carrying out the Trivy scan
- when the scan complete the SBOM file is collected and uploaded to a bucket, similarly to a log
- The endpoint
/builds/{id}/sbomis added to retrieve the sbom content, similar to the logs one
Working on this issue now, getting error with the sbom command, researching on that:
Does this require a separate job or it can be done along with the scan?
We can use existing scan job.
we need to add --list-all-pkgs flag in our existing scan command which will also add sbom in the output json
like this
docker run --rm aquasec/trivy:0.55.0 -q image --format json --list-all-pkgs ubuntu:20.04
it will have new package section which will contain
"Results": [
{
"Target": "ubuntu:20.04 (ubuntu 20.04)",
"Class": "os-pkgs",
"Type": "ubuntu",
"Packages": [
{
"ID": "[email protected]",
"Name": "adduser",
"Identifier": {
"PURL": "pkg:deb/ubuntu/[email protected]?arch=all\u0026distro=ubuntu-20.04",
"UID": "5122302fc4653274"
},
"Version": "3.118ubuntu2",
"Arch": "all",
"SrcName": "adduser",
"SrcVersion": "3.118ubuntu2",
"Licenses": [
"GPL-2.0"
],
"Maintainer": "Ubuntu Core Developers \[email protected]\u003e",
"DependsOn": [
"[email protected]",
"passwd@1:4.8.1-1ubuntu5.20.04.5"
],
There are two main industry standards for SBOMs:
- Software Package Data Exchange (SPDX and SPDX Lite), an ISO standard hosted by the Linux Foundation, which outlines the components, licenses, and copyrights associated with a software package.
- CycloneDX, an open source, lightweight SBOM standard, which is used in application security and supply chain analysis and originated from the Open Web Application Security Project (OWASP).
Can both of them be created with the same scan command?
no we need to provide the specific format for it in case of CycloneDX, we get vulnerabilities too, but not in the case of SPDX
if we want SPDX, then we need two jobs
there is PR which add support for security scan in SPDX, but i don't see it in the results https://github.com/aquasecurity/trivy/pull/7213
examples:
-
CycloneDX
docker run --rm aquasec/trivy:0.55.0 -q image --format cyclonedx --list-all-pkgs --scanners vuln ubuntu:20.04 -
spdx
docker run --rm aquasec/trivy:0.55.0 -q image --format spdx --list-all-pkgs --scanners vuln ubuntu:20.04
docker run --rm aquasec/trivy:0.55.0 -q image --format spdx-json --list-all-pkgs --scanners vuln ubuntu:20.04
correction: SPDX also contains vulnerabilities, but format is different:
"externalRefs": [
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:deb/ubuntu/[email protected]?arch=amd64\u0026distro=ubuntu-24.04"
},
{
"referenceCategory": "SECURITY",
"referenceType": "advisory",
"referenceLocator": "https://avd.aquasec.com/nvd/cve-2016-20013"
}
],
Any idea what other services provide? eg. Docker / Quay etc? Could do worse than comparing ourselves against them.
