
SBOM scan

Open origooo opened this issue 2 years ago • 3 comments

Hi,

I'm fairly new to the concept of distroless images and I cannot seem to understand the following: how would one go about doing an SBOM scan with e.g. anchore/syft?

origooo avatar Aug 08 '23 09:08 origooo

That's a good question. We would have to check how these tools analyse the container images, but in case of scratch-node used as a base image, the SBOM would be that of the packaged Node app, and I imagine it'd be technically possible to generate the SBOM from it.

astefanutti avatar Aug 08 '23 12:08 astefanutti

Thanks for the quick reply. I found out a few things and I'll try to summarise them here. Ask me to clarify if needed, because this issue kinda changed direction.

First off, I started testing both anchore/syft and anchore/grype today.

In short, syft can be used to generate an SBOM file which can be fed into grype. This step is not really necessary since grype also uses syft to create an SBOM file prior to performing a vulnerability scan. Unless my image's/application's dependency tree changes, that step can be sped up by feeding an SBOM file instead of having grype recreate it.

So the SBOM file will indeed include the packages I've installed. Both syft and grype catch the same packages, so everything seems to be fine.

A more accurate question with this in mind, would be if, and how, we can get syft and grype to pick up the binaries contained within the scratch image?

Correct me if I'm wrong, but these binaries are

bin/node
dev/console
etc/hostname
etc/hosts

origooo avatar Aug 08 '23 12:08 origooo
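The comment above describes the syft-to-grype pipeline (generate the SBOM once, e.g. `syft packages myapp:latest -o json > sbom.json`, then scan it with `grype sbom:./sbom.json`) and asks whether the scanners pick up the files inside the scratch image itself, above all bin/node. A cheap way to answer that for a concrete image is to inspect the SBOM syft produced rather than guessing. The Python below is an added example, not code from the scratch-node project or from either commenter: it parses a document in the shape of syft's own JSON output (the `artifacts[]` list with `name`, `version`, `type`, `foundBy` and `locations[].path` fields) and reports which of the expected paths were catalogued and which were not. The two embedded SBOMs are constructed samples, and the package names, versions and cataloger names in them are illustrative assumptions; the `check_binary_coverage` function is the part you would run on a real `sbom.json`.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample modelled on syft's JSON (-o json) output for a Node app
# built FROM scratch-node. Contents are illustrative, not a real scan result.
SAMPLE_SBOM_JSON = json.dumps({
    "artifacts": [
        {"id": "a1", "name": "express", "version": "4.18.2", "type": "npm",
         "foundBy": "javascript-package-cataloger",
         "locations": [{"path": "/app/node_modules/express/package.json"}]},
        {"id": "a2", "name": "node", "version": "20.5.1", "type": "binary",
         "foundBy": "binary-classifier-cataloger",
         "locations": [{"path": "/bin/node"}]},
    ],
    "source": {"type": "image", "target": {"userInput": "myapp:latest"}},
})

# Same image, but with the static node binary NOT recognised by any cataloger
# (constructed to show what a coverage gap looks like).
SAMPLE_SBOM_NO_BINARY_JSON = json.dumps({
    "artifacts": [
        {"id": "a1", "name": "express", "version": "4.18.2", "type": "npm",
         "foundBy": "javascript-package-cataloger",
         "locations": [{"path": "/app/node_modules/express/package.json"}]},
    ],
    "source": {"type": "image", "target": {"userInput": "myapp:latest"}},
})


def _normalise(path: str) -> str:
    """syft emits absolute paths; the issue lists them without the leading
    slash (bin/node). Compare both forms on a common footing."""
    return "/" + path.strip().lstrip("/")


def packages_by_path(sbom_json: str) -> Dict[str, Tuple[str, str, str]]:
    """Map every file location syft attributed a package to -> (name, version, type)."""
    doc = json.loads(sbom_json)
    index: Dict[str, Tuple[str, str, str]] = {}
    for art in doc.get("artifacts", []):
        entry = (art.get("name", ""), art.get("version", ""), art.get("type", ""))
        for loc in art.get("locations", []):
            if "path" in loc:
                index[_normalise(loc["path"])] = entry
    return index


def check_binary_coverage(sbom_json: str, expected_paths: List[str]) -> Dict[str, object]:
    """Report which expected image files have a catalogued package behind them.

    'cataloged' maps path -> 'name@version (type)'; 'missing' lists paths that
    no artifact references, i.e. files grype will never match a vulnerability to.
    """
    index = packages_by_path(sbom_json)
    cataloged: Dict[str, str] = {}
    missing: List[str] = []
    for raw in expected_paths:
        path = _normalise(raw)
        if path in index:
            name, version, ptype = index[path]
            cataloged[path] = f"{name}@{version} ({ptype})"
        else:
            missing.append(path)
    return {"cataloged": cataloged, "missing": missing}


def summarise_by_type(sbom_json: str) -> Dict[str, int]:
    """Count artifacts per package type (npm, binary, ...) for a quick sanity check."""
    counts: Dict[str, int] = {}
    for art in json.loads(sbom_json).get("artifacts", []):
        counts[art.get("type", "unknown")] = counts.get(art.get("type", "unknown"), 0) + 1
    return counts


if __name__ == "__main__":
    # The files origooo listed from the scratch image; only bin/node is a package.
    wanted = ["bin/node", "dev/console", "etc/hostname", "etc/hosts"]
    for label, sbom in (("with node binary", SAMPLE_SBOM_JSON),
                        ("without node binary", SAMPLE_SBOM_NO_BINARY_JSON)):
        print(label, summarise_by_type(sbom), check_binary_coverage(sbom, wanted))
```

On a real image, replace the constructed JSON with the contents of the `sbom.json` you generated with syft and look for `/bin/node` in the `cataloged` output: if it is there, grype already has a `node@<version>` package to match advisories against; if it lands in `missing`, the static Node.js build is invisible to the scan and its vulnerabilities will not be reported, whatever the npm packages say. Files such as /etc/hosts and /dev/console are expected to be missing, since they are not packages.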

Yes, the main binary is bin/node which is a static build of Node.js. I'd be curious to know how these tools handle base Node.js images. Maybe it could be applicable to scratch-node as well.

astefanutti avatar Aug 08 '23 14:08 astefanutti