feat(sbom): add VEX support #4053
Conversation
zap.Int("version", link.Version())) | ||
continue | ||
} | ||
if vuln.PkgRef == link.Reference() && |
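Review bot: the equality `vuln.PkgRef == link.Reference()` on the last visible line silently ignores a statement whenever the fragment after `#` is not the component's exact bom-ref (the thread below shows `libcrypto1.1@1.1.1t-r0` never matching a bom-ref that is the purl), while the version mismatch just above it is logged with `zap.Int("version", link.Version())` before `continue`. Consider logging the unmatched reference the same way and documenting that the BOM-Link fragment must be the bom-ref, not `name@version`, so users can tell a wrong product identifier from a genuinely unaffected finding.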
I generated a CDX SBOM using trivy image alpine:3.16.4. This SBOM has the serial number urn:uuid:d313306a-6869-45b2-a5eb-aa8b048e4d48. And scanned the SBOM with the following OpenVEX.
{
  "@context": "https://openvex.dev/ns",
  "author": "Aqua Security",
  "role": "Project Release Bot",
  "timestamp": "2023-01-16T19:07:16.853479631-06:00",
  "version": "1",
  "statements": [
    {
      "vulnerability": "CVE-2023-0465",
      "products": [
        "urn:cdx:d313306a-6869-45b2-a5eb-aa8b048e4d48/1#libcrypto1.1@1.1.1t-r0"
      ],
      "status": "not_affected",
      "justification": "vulnerable_code_not_in_execute_path"
    }
  ]
}
This OpenVEX doesn't work well because link.Reference() returns libcrypto1.1@1.1.1t-r0, which is the part of the URN after the #, and vuln.PkgRef is pkg:apk/alpine/libcrypto1.1@1.1.1t-r0?distro=3.16.4, which is the purl of the component. It seems that vuln.PkgID is suitable here.
BOM-Link consists of
- serialNumber
- version
- bom-ref
You passed "urn:cdx:d313306a-6869-45b2-a5eb-aa8b048e4d48/1#libcrypto1.1@1.1.1t-r0", and libcrypto1.1@1.1.1t-r0 is not the BOM-Ref. pkg:apk/alpine/libcrypto1.1@1.1.1t-r0?distro=3.16.4 is correct.
{
  "bom-ref": "pkg:apk/alpine/libcrypto1.1@1.1.1t-r0?distro=3.16.4",
  "type": "library",
  "name": "libcrypto1.1",
  "version": "1.1.1t-r0",
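The two comments above (the OpenVEX that did not match, and the explanation that a BOM-Link is serialNumber/version#bom-ref) describe one matching rule. The following Go program is an added example, not Trivy's own code, that parses a BOM-Link, checks all three parts against an SBOM and then filters findings with not_affected statements. The SBOM, vulnerability and statement types are minimal stand-ins for the real structures, and the sample data is constructed from the values quoted in the thread. It assumes, as the thread's example does, that the serialNumber in the SBOM carries a urn:uuid: prefix while the BOM-Link carries the bare UUID.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// BOMLink is a parsed CycloneDX BOM-Link: urn:cdx:<serialNumber>/<version>#<bom-ref>
type BOMLink struct {
	SerialNumber string // bare UUID, without "urn:uuid:"
	Version      int
	Reference    string // the component's bom-ref, which for Trivy SBOMs is its purl
}

// ParseBOMLink splits a BOM-Link URN into its three parts; anything else is rejected.
func ParseBOMLink(s string) (BOMLink, error) {
	const prefix = "urn:cdx:"
	if !strings.HasPrefix(s, prefix) {
		return BOMLink{}, errors.New("not a BOM-Link: missing urn:cdx: prefix")
	}
	// Cut at the first '#': serial and version never contain one, the bom-ref may.
	head, ref, ok := strings.Cut(strings.TrimPrefix(s, prefix), "#")
	if !ok || ref == "" {
		return BOMLink{}, errors.New("BOM-Link has no bom-ref fragment")
	}
	serial, verStr, ok := strings.Cut(head, "/")
	if !ok || serial == "" {
		return BOMLink{}, errors.New("BOM-Link has no version")
	}
	ver, err := strconv.Atoi(verStr)
	if err != nil || ver < 1 {
		return BOMLink{}, fmt.Errorf("invalid BOM-Link version %q", verStr)
	}
	return BOMLink{SerialNumber: serial, Version: ver, Reference: ref}, nil
}

// SBOM is the subset of a CycloneDX document needed for matching (stand-in type).
type SBOM struct {
	SerialNumber string          // e.g. "urn:uuid:<uuid>"
	Version      int
	BOMRefs      map[string]bool // bom-ref of every component
}

// Vuln is a detected vulnerability; PkgRef holds the affected component's bom-ref.
type Vuln struct {
	ID     string
	PkgRef string
}

// Statement is one OpenVEX statement, reduced to the fields used here.
type Statement struct {
	Vulnerability string
	Products      []string
	Status        string
}

// Matches reports whether the link points at v's component inside this SBOM:
// same serial number, same version, and a fragment that is exactly the bom-ref.
func (l BOMLink) Matches(sbom SBOM, v Vuln) bool {
	return strings.TrimPrefix(sbom.SerialNumber, "urn:uuid:") == l.SerialNumber &&
		sbom.Version == l.Version &&
		sbom.BOMRefs[l.Reference] &&
		v.PkgRef == l.Reference
}

// Filter keeps every vulnerability that no not_affected statement covers.
func Filter(sbom SBOM, vulns []Vuln, stmts []Statement) []Vuln {
	var kept []Vuln
	for _, v := range vulns {
		if !notAffected(sbom, v, stmts) {
			kept = append(kept, v)
		}
	}
	return kept
}

func notAffected(sbom SBOM, v Vuln, stmts []Statement) bool {
	for _, st := range stmts {
		if st.Vulnerability != v.ID || st.Status != "not_affected" {
			continue
		}
		for _, p := range st.Products {
			link, err := ParseBOMLink(p)
			if err != nil {
				continue // not a BOM-Link; other product identifier forms are out of scope here
			}
			if link.Matches(sbom, v) {
				return true
			}
		}
	}
	return false
}

// Constructed sample built from the values quoted in the thread.
var sampleSBOM = SBOM{
	SerialNumber: "urn:uuid:d313306a-6869-45b2-a5eb-aa8b048e4d48",
	Version:      1,
	BOMRefs:      map[string]bool{"pkg:apk/alpine/libcrypto1.1@1.1.1t-r0?distro=3.16.4": true},
}

var sampleVulns = []Vuln{{ID: "CVE-2023-0465", PkgRef: "pkg:apk/alpine/libcrypto1.1@1.1.1t-r0?distro=3.16.4"}}

// RemainingWith applies one not_affected statement whose product is the given
// BOM-Link and returns the IDs of the findings that survive.
func RemainingWith(product string) []string {
	stmts := []Statement{{Vulnerability: "CVE-2023-0465", Products: []string{product}, Status: "not_affected"}}
	var ids []string
	for _, v := range Filter(sampleSBOM, sampleVulns, stmts) {
		ids = append(ids, v.ID)
	}
	return ids
}

func main() {
	// name@version fragment: no match, the CVE stays.
	fmt.Println(RemainingWith("urn:cdx:d313306a-6869-45b2-a5eb-aa8b048e4d48/1#libcrypto1.1@1.1.1t-r0"))
	// bom-ref (the purl) as fragment: match, the CVE is filtered out.
	fmt.Println(RemainingWith("urn:cdx:d313306a-6869-45b2-a5eb-aa8b048e4d48/1#pkg:apk/alpine/libcrypto1.1@1.1.1t-r0?distro=3.16.4"))
}
```

Matching on the SBOM's serial number and version before comparing the fragment is what stops a statement written for one SBOM from suppressing a finding in a different document that happens to contain a component with the same bom-ref.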
Oops, sorry, I had a misunderstanding about the bom-ref and bom-link. I needed to create the OpenVEX using the target SBOM's bom-ref.
Right, if I understand correctly.
@@ -0,0 +1,161 @@ | |||
# Vulnerability Exploitability Exchange (VEX) |
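Review bot: only the heading of this 161-line docs page is visible in the hunk, so two things worth checking in the rest of it: that the experimental caveat from the PR description ("does not yet support many specifications") appears near the top rather than only in the PR, and that the BOM-Link form urn:cdx:<serialNumber>/<version>#<bom-ref> is spelled out with a note that the fragment is the component's bom-ref (the purl in Trivy-generated SBOMs), not name@version, since the review thread above shows exactly that confusion.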
@knqyf263 did you restructure the docs so SBOMs and related are under "suppy-chain?"
Yes, I did in #3977. You can see how it looks now below.
https://aquasecurity.github.io/trivy/dev/docs/
Docs look good to me.
Description
Add --vex to filter out vulnerabilities. Note that this is in the experimental stage and does not yet support many specifications.
Formats
Usage
Related issues
Checklist