feat(k8s): kbom cyclondx support #4252

Closed
wants to merge 10 commits

Conversation

Contributor

@chen-keinan chen-keinan commented May 9, 2023

Description

Support CycloneDX Kubernetes BOM.

Related issues

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).

Usage:

# trivy k8s cluster --format cyclonedx
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:668fc6f2-b892-41e3-89c1-56c9293a93c9",
  "version": 1,
  "metadata": {
    "timestamp": "2023-05-23T12:38:27+00:00",
    "tools": [
      {
        "vendor": "aquasecurity",
        "name": "trivy",
        "version": "dev"
      }
    ],
    "component": {
      "bom-ref": "286a8383-ce31-4e3a-87fb-295c2770c31a",
      "type": "container",
      "name": "kind-kind",
      "properties": [
        {
          "name": "aquasecurity:trivy:SchemaVersion",
          "value": "0"
        }
      ]
    }
  },
  "components": [
    {
      "bom-ref": "1481cb56-7de7-4a02-93aa-bf40fe51c67c",
      "type": "application",
      "name": "etcd-kind-control-plane",
      "properties": [
        {
          "name": "aquasecurity:trivy:SchemaVersion",
          "value": "0"
        }
      ]
    },
    {
      "bom-ref": "pkg:oci/etcd@sha256:05b738aa1bc6355db8a2ee8639f3631b908286e43f584a3d2ee0c472de033c28?repository_url=k8s.gcr.io%2Fetcd&arch=",
      "type": "container",
      "name": "k8s.gcr.io/etcd",
      "version": "sha256:05b738aa1bc6355db8a2ee8639f3631b908286e43f584a3d2ee0c472de033c28",
      "purl": "pkg:oci/etcd@sha256:05b738aa1bc6355db8a2ee8639f3631b908286e43f584a3d2ee0c472de033c28?repository_url=k8s.gcr.io%2Fetcd&arch=",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgID",
          "value": "k8s.gcr.io/etcd:3.4.13-0"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "oci"
        }
      ]
    },
    {
      "bom-ref": "bcb2a4ba-3eda-46c4-89ff-00151dd7ad4d",
      "type": "application",
      "name": "kube-apiserver-kind-control-plane",
      "properties": [
        {
          "name": "aquasecurity:trivy:SchemaVersion",
          "value": "0"
        }
      ]
    },
    {
      "bom-ref": "pkg:oci/kube-apiserver@sha256:18e61c783b41758dd391ab901366ec3546b26fae00eef7e223d1f94da808e02f?repository_url=k8s.gcr.io%2Fkube-apiserver&arch=",
      "type": "container",
      "name": "k8s.gcr.io/kube-apiserver",
      "version": "sha256:18e61c783b41758dd391ab901366ec3546b26fae00eef7e223d1f94da808e02f",
      "purl": "pkg:oci/kube-apiserver@sha256:18e61c783b41758dd391ab901366ec3546b26fae00eef7e223d1f94da808e02f?repository_url=k8s.gcr.io%2Fkube-apiserver&arch=",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgID",
          "value": "k8s.gcr.io/kube-apiserver:1.21.1"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "oci"
        }
      ]
    },
    {
      "bom-ref": "94f64d24-67ee-4ab8-a35e-886cc30d3f07",
      "type": "application",
      "name": "kube-controller-manager-kind-control-plane",
      "properties": [
        {
          "name": "aquasecurity:trivy:SchemaVersion",
          "value": "0"
        }
      ]
    },
    {
      "bom-ref": "pkg:oci/kube-controller-manager@sha256:0c6dccae49de8003ee4fa06db04a9f13bb46cbaad03977e6baa21174f2dba2fc?repository_url=k8s.gcr.io%2Fkube-controller-manager&arch=",
      "type": "container",
      "name": "k8s.gcr.io/kube-controller-manager",
      "version": "sha256:0c6dccae49de8003ee4fa06db04a9f13bb46cbaad03977e6baa21174f2dba2fc",
      "purl": "pkg:oci/kube-controller-manager@sha256:0c6dccae49de8003ee4fa06db04a9f13bb46cbaad03977e6baa21174f2dba2fc?repository_url=k8s.gcr.io%2Fkube-controller-manager&arch=",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgID",
          "value": "k8s.gcr.io/kube-controller-manager:1.21.1"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "oci"
        }
      ]
    },
    {
      "bom-ref": "6d9aefe4-0e56-4a9e-8b4c-83515287a1d3",
      "type": "application",
      "name": "kube-scheduler-kind-control-plane",
      "properties": [
        {
          "name": "aquasecurity:trivy:SchemaVersion",
          "value": "0"
        }
      ]
    },
    {
      "bom-ref": "pkg:oci/kube-scheduler@sha256:8c783dd2520887cc8e7908489ffc9f356c82436ba0411d554237a0b9632c9b87?repository_url=k8s.gcr.io%2Fkube-scheduler&arch=",
      "type": "container",
      "name": "k8s.gcr.io/kube-scheduler",
      "version": "sha256:8c783dd2520887cc8e7908489ffc9f356c82436ba0411d554237a0b9632c9b87",
      "purl": "pkg:oci/kube-scheduler@sha256:8c783dd2520887cc8e7908489ffc9f356c82436ba0411d554237a0b9632c9b87?repository_url=k8s.gcr.io%2Fkube-scheduler&arch=",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgID",
          "value": "k8s.gcr.io/kube-scheduler:1.21.1"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "oci"
        }
      ]
    },
    {
      "bom-ref": "fe4f1c34-5c55-4fe5-9556-f70038a90b77",
      "type": "application",
      "name": "coredns-558bd4d5db-8cn77",
      "properties": [
        {
          "name": "aquasecurity:trivy:SchemaVersion",
          "value": "0"
        }
      ]
    },
    {
      "bom-ref": "pkg:oci/coredns@sha256:1a1f05a2cd7c2fbfa7b45b21128c8a4880c003ca482460081dc12d76bfa863e8?repository_url=k8s.gcr.io%2Fcoredns%2Fcoredns&arch=",
      "type": "container",
      "name": "k8s.gcr.io/coredns/coredns",
      "version": "sha256:1a1f05a2cd7c2fbfa7b45b21128c8a4880c003ca482460081dc12d76bfa863e8",
      "purl": "pkg:oci/coredns@sha256:1a1f05a2cd7c2fbfa7b45b21128c8a4880c003ca482460081dc12d76bfa863e8?repository_url=k8s.gcr.io%2Fcoredns%2Fcoredns&arch=",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgID",
          "value": "k8s.gcr.io/coredns/coredns:1.8.0"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "oci"
        }
      ]
    },
    {
      "bom-ref": "2a605d68-5155-442e-ae80-d1c6778c09be",
      "type": "application",
      "name": "coredns-558bd4d5db-pg6xc",
      "properties": [
        {
          "name": "aquasecurity:trivy:SchemaVersion",
          "value": "0"
        }
      ]
    },
    {
      "bom-ref": "pkg:oci/coredns@sha256:1a1f05a2cd7c2fbfa7b45b21128c8a4880c003ca482460081dc12d76bfa863e8?repository_url=k8s.gcr.io%2Fcoredns%2Fcoredns&arch=",
      "type": "container",
      "name": "k8s.gcr.io/coredns/coredns",
      "version": "sha256:1a1f05a2cd7c2fbfa7b45b21128c8a4880c003ca482460081dc12d76bfa863e8",
      "purl": "pkg:oci/coredns@sha256:1a1f05a2cd7c2fbfa7b45b21128c8a4880c003ca482460081dc12d76bfa863e8?repository_url=k8s.gcr.io%2Fcoredns%2Fcoredns&arch=",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgID",
          "value": "k8s.gcr.io/coredns/coredns:1.8.0"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "oci"
        }
      ]
    },
    {
      "bom-ref": "d60fb148-bc97-497c-9000-cc60b6151328",
      "type": "application",
      "name": "kindnet-zghg2",
      "properties": [
        {
          "name": "aquasecurity:trivy:SchemaVersion",
          "value": "0"
        }
      ]
    },
    {
      "bom-ref": "pkg:oci/kindnetd@sha256:f37b7c809e5dcc2090371f933f7acb726bb1bffd5652980d2e1d7e2eff5cd301?repository_url=index.docker.io%2Fkindest%2Fkindnetd&arch=",
      "type": "container",
      "name": "index.docker.io/kindest/kindnetd",
      "version": "sha256:f37b7c809e5dcc2090371f933f7acb726bb1bffd5652980d2e1d7e2eff5cd301",
      "purl": "pkg:oci/kindnetd@sha256:f37b7c809e5dcc2090371f933f7acb726bb1bffd5652980d2e1d7e2eff5cd301?repository_url=index.docker.io%2Fkindest%2Fkindnetd&arch=",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgID",
          "value": "index.docker.io/kindest/kindnetd:20210326-1e038dc5"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "oci"
        }
      ]
    },
    {
      "bom-ref": "16978941-f6de-4ddc-a94b-1c3deae6ef0a",
      "type": "application",
      "name": "kube-proxy-rfhp4",
      "properties": [
        {
          "name": "aquasecurity:trivy:SchemaVersion",
          "value": "0"
        }
      ]
    },
    {
      "bom-ref": "pkg:oci/kube-proxy@sha256:4bbef4ca108cdc3b99fe23d487fa4fca933a62c4fc720626a3706df9cef63b21?repository_url=k8s.gcr.io%2Fkube-proxy&arch=",
      "type": "container",
      "name": "k8s.gcr.io/kube-proxy",
      "version": "sha256:4bbef4ca108cdc3b99fe23d487fa4fca933a62c4fc720626a3706df9cef63b21",
      "purl": "pkg:oci/kube-proxy@sha256:4bbef4ca108cdc3b99fe23d487fa4fca933a62c4fc720626a3706df9cef63b21?repository_url=k8s.gcr.io%2Fkube-proxy&arch=",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgID",
          "value": "k8s.gcr.io/kube-proxy:1.21.1"
        },
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "oci"
        }
      ]
    },
    {
      "bom-ref": "328ccf02-d289-4ef9-8c66-05e7312772ae",
      "type": "container",
      "name": "kind-control-plane",
      "properties": [
        {
          "name": "aquasecurity:trivy:SchemaVersion",
          "value": "0"
        },
        {
          "name": "aquasecurity:trivy:node_role",
          "value": "master"
        },
        {
          "name": "aquasecurity:trivy:host_name",
          "value": "kind-control-plane"
        },
        {
          "name": "aquasecurity:trivy:kernel_version",
          "value": "6.2.15-300.fc38.aarch64"
        },
        {
          "name": "aquasecurity:trivy:operating_system",
          "value": "linux"
        },
        {
          "name": "aquasecurity:trivy:architecture",
          "value": "arm64"
        }
      ]
    },
    {
      "bom-ref": "51be7d52-287e-47d8-96d3-510e789d4f09",
      "type": "operating-system",
      "name": "ubuntu",
      "version": "21.04",
      "properties": [
        {
          "name": "aquasecurity:trivy:Type",
          "value": "ubuntu"
        },
        {
          "name": "aquasecurity:trivy:Class",
          "value": "os-pkgs"
        }
      ]
    },
    {
      "bom-ref": "pkg:golang/kubelet@1.21.1",
      "type": "library",
      "name": "kubelet",
      "version": "1.21.1",
      "purl": "pkg:golang/kubelet@1.21.1",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "golang"
        }
      ]
    },
    {
      "bom-ref": "pkg:golang/containerd@1.5.2",
      "type": "library",
      "name": "containerd",
      "version": "1.5.2",
      "purl": "pkg:golang/containerd@1.5.2",
      "properties": [
        {
          "name": "aquasecurity:trivy:PkgType",
          "value": "golang"
        }
      ]
    },
    {
      "bom-ref": "931db6ee-7b84-45c7-9788-ef1ba307d07b",
      "type": "application",
      "name": "node-core-components",
      "properties": [
        {
          "name": "aquasecurity:trivy:Type",
          "value": "golang"
        },
        {
          "name": "aquasecurity:trivy:Class",
          "value": "lang-pkgs"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "1481cb56-7de7-4a02-93aa-bf40fe51c67c",
      "dependsOn": [
        "pkg:oci/etcd@sha256:05b738aa1bc6355db8a2ee8639f3631b908286e43f584a3d2ee0c472de033c28?repository_url=k8s.gcr.io%2Fetcd&arch="
      ]
    },
    {
      "ref": "bcb2a4ba-3eda-46c4-89ff-00151dd7ad4d",
      "dependsOn": [
        "pkg:oci/kube-apiserver@sha256:18e61c783b41758dd391ab901366ec3546b26fae00eef7e223d1f94da808e02f?repository_url=k8s.gcr.io%2Fkube-apiserver&arch="
      ]
    },
    {
      "ref": "94f64d24-67ee-4ab8-a35e-886cc30d3f07",
      "dependsOn": [
        "pkg:oci/kube-controller-manager@sha256:0c6dccae49de8003ee4fa06db04a9f13bb46cbaad03977e6baa21174f2dba2fc?repository_url=k8s.gcr.io%2Fkube-controller-manager&arch="
      ]
    },
    {
      "ref": "6d9aefe4-0e56-4a9e-8b4c-83515287a1d3",
      "dependsOn": [
        "pkg:oci/kube-scheduler@sha256:8c783dd2520887cc8e7908489ffc9f356c82436ba0411d554237a0b9632c9b87?repository_url=k8s.gcr.io%2Fkube-scheduler&arch="
      ]
    },
    {
      "ref": "fe4f1c34-5c55-4fe5-9556-f70038a90b77",
      "dependsOn": [
        "pkg:oci/coredns@sha256:1a1f05a2cd7c2fbfa7b45b21128c8a4880c003ca482460081dc12d76bfa863e8?repository_url=k8s.gcr.io%2Fcoredns%2Fcoredns&arch="
      ]
    },
    {
      "ref": "2a605d68-5155-442e-ae80-d1c6778c09be",
      "dependsOn": [
        "pkg:oci/coredns@sha256:1a1f05a2cd7c2fbfa7b45b21128c8a4880c003ca482460081dc12d76bfa863e8?repository_url=k8s.gcr.io%2Fcoredns%2Fcoredns&arch="
      ]
    },
    {
      "ref": "d60fb148-bc97-497c-9000-cc60b6151328",
      "dependsOn": [
        "pkg:oci/kindnetd@sha256:f37b7c809e5dcc2090371f933f7acb726bb1bffd5652980d2e1d7e2eff5cd301?repository_url=index.docker.io%2Fkindest%2Fkindnetd&arch="
      ]
    },
    {
      "ref": "16978941-f6de-4ddc-a94b-1c3deae6ef0a",
      "dependsOn": [
        "pkg:oci/kube-proxy@sha256:4bbef4ca108cdc3b99fe23d487fa4fca933a62c4fc720626a3706df9cef63b21?repository_url=k8s.gcr.io%2Fkube-proxy&arch="
      ]
    },
    {
      "ref": "328ccf02-d289-4ef9-8c66-05e7312772ae",
      "dependsOn": [
        "51be7d52-287e-47d8-96d3-510e789d4f09",
        "931db6ee-7b84-45c7-9788-ef1ba307d07b"
      ]
    },
    {
      "ref": "51be7d52-287e-47d8-96d3-510e789d4f09",
      "dependsOn": null
    },
    {
      "ref": "931db6ee-7b84-45c7-9788-ef1ba307d07b",
      "dependsOn": [
        "pkg:golang/containerd@1.5.2",
        "pkg:golang/kubelet@1.21.1"
      ]
    }
  ]
}

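Editor-added example (not Trivy code) of what a consumer of the KBOM above would do with it before feeding it to another tool: build an image inventory keyed by digest, and check the document for things visible in the PR output that strict CycloneDX consumers will trip on: the same `bom-ref` declared twice (the coredns image), a `dependsOn` of `null` where the 1.4 JSON schema expects an array, and `arch=` qualifiers with an empty value. `SAMPLE_KBOM` is a constructed, trimmed copy of the PR output with the same field layout; the `missing-ref` entry is added deliberately to exercise the unresolved-reference check.

```python
"""Post-process a Trivy CycloneDX KBOM (`trivy k8s cluster --format cyclonedx`).

Editor-added example, not Trivy code. SAMPLE_KBOM is a constructed, trimmed copy
of the PR output; "missing-ref" is added on purpose to exercise the checks.
"""
from collections import Counter
from urllib.parse import unquote

ETCD = ("pkg:oci/etcd@sha256:05b738aa1bc6355db8a2ee8639f3631b908286e43f584a3d2ee0c472de033c28"
        "?repository_url=k8s.gcr.io%2Fetcd&arch=")
COREDNS = ("pkg:oci/coredns@sha256:1a1f05a2cd7c2fbfa7b45b21128c8a4880c003ca482460081dc12d76bfa863e8"
           "?repository_url=k8s.gcr.io%2Fcoredns%2Fcoredns&arch=")


def _image(ref, name, pkg_id):
    """Build an OCI image component in the shape Trivy emits (bom-ref == purl)."""
    return {"bom-ref": ref, "type": "container", "name": name, "purl": ref,
            "version": ref.split("@", 1)[1].split("?", 1)[0],
            "properties": [{"name": "aquasecurity:trivy:PkgID", "value": pkg_id},
                           {"name": "aquasecurity:trivy:PkgType", "value": "oci"}]}


SAMPLE_KBOM = {  # constructed sample, trimmed from the PR output
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "cluster", "type": "container", "name": "kind-kind"}},
    "components": [
        {"bom-ref": "pod-etcd", "type": "application", "name": "etcd-kind-control-plane"},
        _image(ETCD, "k8s.gcr.io/etcd", "k8s.gcr.io/etcd:3.4.13-0"),
        {"bom-ref": "pod-coredns-1", "type": "application", "name": "coredns-558bd4d5db-8cn77"},
        _image(COREDNS, "k8s.gcr.io/coredns/coredns", "k8s.gcr.io/coredns/coredns:1.8.0"),
        {"bom-ref": "pod-coredns-2", "type": "application", "name": "coredns-558bd4d5db-pg6xc"},
        _image(COREDNS, "k8s.gcr.io/coredns/coredns", "k8s.gcr.io/coredns/coredns:1.8.0"),  # duplicate bom-ref, as in the PR output
        {"bom-ref": "node-cp", "type": "container", "name": "kind-control-plane",
         "properties": [{"name": "aquasecurity:trivy:node_role", "value": "master"}]},
        {"bom-ref": "os-ubuntu", "type": "operating-system", "name": "ubuntu", "version": "21.04"},
        {"bom-ref": "pkg:golang/kubelet@1.21.1", "type": "library", "name": "kubelet",
         "version": "1.21.1", "purl": "pkg:golang/kubelet@1.21.1"},
    ],
    "dependencies": [
        {"ref": "pod-etcd", "dependsOn": [ETCD]},
        {"ref": "pod-coredns-1", "dependsOn": [COREDNS]},
        {"ref": "pod-coredns-2", "dependsOn": [COREDNS]},
        {"ref": "node-cp", "dependsOn": ["os-ubuntu", "pkg:golang/kubelet@1.21.1", "missing-ref"]},
        {"ref": "os-ubuntu", "dependsOn": None},  # null, as in the PR output
    ],
}


def props(component):
    """Flatten the CycloneDX `properties` list into a dict."""
    return {p["name"]: p["value"] for p in component.get("properties", [])}


def purl_qualifiers(purl):
    """Qualifier key/value pairs of a purl; empty values (e.g. `arch=`) are kept."""
    query = purl.partition("?")[2]
    return {k: unquote(v) for k, v in (kv.split("=", 1) for kv in query.split("&") if kv)}


def image_inventory(bom):
    """Unique images keyed by digest -> (registry/name, tag recorded by Trivy).
    The digest, not the tag, is what to pin or match against a signature/attestation."""
    images = {}
    for c in bom["components"]:
        if c.get("purl", "").startswith("pkg:oci/"):
            images[c["version"]] = (c["name"], props(c).get("aquasecurity:trivy:PkgID", ""))
    return images


def duplicate_bom_refs(bom):
    """bom-ref values declared more than once (CycloneDX requires them to be unique)."""
    counts = Counter(c["bom-ref"] for c in bom["components"])
    return sorted(r for r, n in counts.items() if n > 1)


def check_dependency_graph(bom):
    """Findings for refs that resolve to no component and for `dependsOn: null`
    (the CycloneDX 1.4 JSON schema types dependsOn as an array)."""
    known = {c["bom-ref"] for c in bom["components"]}
    known.add(bom["metadata"]["component"]["bom-ref"])
    findings = []
    for dep in bom.get("dependencies", []):
        ref = dep["ref"]
        if ref not in known:
            findings.append(f"{ref}: ref not declared as a component")
        if dep.get("dependsOn") is None:
            findings.append(f"{ref}: dependsOn is null, expected []")
            continue
        findings += [f"{ref}: unresolved dependency {d}" for d in dep["dependsOn"] if d not in known]
    return findings


def empty_qualifier_purls(bom):
    """purls carrying an empty qualifier value such as `arch=` (strict parsers may reject them)."""
    return sorted({c["purl"] for c in bom["components"]
                   if "purl" in c and any(v == "" for v in purl_qualifiers(c["purl"]).values())})


if __name__ == "__main__":
    for digest, (name, tag) in image_inventory(SAMPLE_KBOM).items():
        print(f"{name}\t{tag}\t{digest}")
    for f in duplicate_bom_refs(SAMPLE_KBOM) + check_dependency_graph(SAMPLE_KBOM) + empty_qualifier_purls(SAMPLE_KBOM):
        print("finding:", f)
```

Run it against a real `result.json` by replacing `SAMPLE_KBOM` with `json.load(open("result.json"))`; the two coredns pods collapse to one digest in the inventory, while the duplicate `bom-ref` and the `null` still show up as findings.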
@chen-keinan chen-keinan changed the title feat: kbom cyclondx support feat(k8s): kbom cyclondx support May 9, 2023
@chen-keinan chen-keinan mentioned this pull request May 9, 2023
@chen-keinan chen-keinan force-pushed the feat/kbom-cyclondx branch 3 times, most recently from d872a05 to 93aa983 Compare May 15, 2023 08:26
@chen-keinan chen-keinan force-pushed the feat/kbom-cyclondx branch 5 times, most recently from f49035b to b673977 Compare May 22, 2023 05:36
@chen-keinan chen-keinan marked this pull request as ready for review May 22, 2023 05:39
Signed-off-by: chenk <hen.keinan@gmail.com>
@@ -17,6 +17,10 @@ $ trivy image --format spdx-json --output result.json alpine:3.15
$ trivy fs --format cyclonedx --output result.json /app/myproject
```

```
$ trivy k8s cluster --format cyclonedx --output result.json
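Review bot: the new `trivy k8s cluster --format cyclonedx --output result.json` example is added to the SBOM docs page without a sentence saying what the generated document describes, so a reader cannot tell it apart from the `trivy image` and `trivy fs` examples above it. Add a short line before the fence stating that for `k8s` the output is a cluster bill of materials (KBOM: nodes, control-plane components and their images) rather than an SBOM of a single image or filesystem, which is the point the reviewers raise below.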
Member
Is this the KBOM creation referenced in the Kubernetes scanning docs? It is a bit unclear what the difference here is between KBOM and SBOM.

Contributor

@itaysk itaysk commented May 30, 2023

KBOM is a BOM for the cluster (what your k8s is made of). SBOM is usually a BOM for the image (what your application is made of). Agreed, it can be clarified in the docs.

Member

Maybe provide a sentence or two of clarification, e.g. "SBOMs for Kubernetes, i.e. KBOM. A KBOM specifies XXX". @chen-keinan what do you think?

@chen-keinan
Contributor Author

Duplicate #4557

@chen-keinan chen-keinan closed this Jun 5, 2023
Successfully merging this pull request may close these issues.

cycloneDX - kubernetes bill of materials support