question: sbom generated by apko is not detected by trivy
tuananh opened this issue · comments
Using the following command to scan (if an SBOM is found, trivy will use the SBOM instead: https://github.com/aquasecurity/trivy/blob/main/docs/docs/target/container_image.md#sbom):
trivy image <myimage> --sbom-sources oci
Output:
2024-02-21T03:36:59.853Z INFO Vulnerability scanning is enabled
2024-02-21T03:36:59.853Z INFO Secret scanning is enabled
2024-02-21T03:36:59.853Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-02-21T03:36:59.853Z INFO Please see also https://aquasecurity.github.io/trivy/v0.49/docs/scanner/secret/#recommendation for faster secret detection
2024-02-21T03:37:01.150Z INFO Detected OS: alpine
2024-02-21T03:37:01.150Z WARN This OS version is not on the EOL list: alpine 3.20
2024-02-21T03:37:01.150Z INFO Detecting Alpine vulnerabilities...
2024-02-21T03:37:01.153Z INFO Number of language-specific files: 0
I was expecting trivy to be able to find the SBOM and use that instead. However, it's still pulling the image. If the SBOM is found, it will look something like this:
$ trivy image --sbom-sources oci ghcr.io/knqyf263/oci-referrers
2023-03-05T17:36:55.278+0200 INFO Vulnerability scanning is enabled
2023-03-05T17:36:58.103+0200 INFO Detected SBOM format: cyclonedx-json
2023-03-05T17:36:58.129+0200 INFO Found SBOM (cyclonedx) in the OCI referrers
...
ghcr.io/knqyf263/oci-referrers (alpine 3.16.2)
==============================================
Total: 17 (UNKNOWN: 0, LOW: 0, MEDIUM: 5, HIGH: 9, CRITICAL: 3)
Is there anything specific about the SBOM generated by apko?
cc @imjasonh
I compared the SBOM generated by trivy and by apko.
Turns out, trivy was expecting the container image artifact to contain a package (the alpine OS), and a relationship stating that the apko image contains the said OS.
I tried adding the OS package and one relationship and it seems to work.
// packages
{
  "name": "alpine",
  "SPDXID": "SPDXRef-OperatingSystem-b234ff30fe4ada0f",
  "versionInfo": "3.20.0_alpha20231219",
  "downloadLocation": "NONE",
  "filesAnalyzed": false,
  "primaryPackagePurpose": "OPERATING-SYSTEM"
},
...
// relationship
{
  "spdxElementId": "SPDXRef-Package-sha256-e13d8a4cf521332118ed60c661913f2f083790d8aa598b14f7617427996d631d",
  "relatedSpdxElement": "SPDXRef-OperatingSystem-b234ff30fe4ada0f",
  "relationshipType": "CONTAINS"
},
@imjasonh should we fix this in apko or in trivy? I'm leaning toward trivy, but wdyt?
Also posted to trivy for discussion: aquasecurity/trivy#6172
@imjasonh @jonjohnsonjr friendly ping :)
The trivy maintainer suggested that we implement the fix here, by adding a new element type (operating-system) like this:
https://spdx.github.io/spdx-spec/v2.3/package-information/#724-primary-package-purpose-field
Right now, for SPDX we have:
container image
  contains package
Should we update it to:
container image
  contains OS
    OS contains package
What do you think? If it's ok, I will send a PR over.
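To make the two SBOM shapes discussed in this thread concrete (the flat "image CONTAINS package" layout apko emitted, and the "image CONTAINS os, os CONTAINS package" layout trivy expects), here is a small added Python example. It is not apko's or trivy's code: it builds a constructed SPDX 2.3 JSON document, checks whether the image package reaches an OPERATING-SYSTEM package through a CONTAINS relationship (the condition trivy's OS detection depends on, per the thread), and rewrites the flat layout into the nested one. The image SPDXID, package names and versions are constructed sample values, and the OS SPDXID is derived with a hypothetical sha256 scheme chosen only to mimic the `SPDXRef-OperatingSystem-<hex>` form seen above.

```python
"""Check and repair the OS-package structure of an SPDX 2.3 JSON SBOM for a
container image, as discussed in the apko/trivy thread (added example)."""
import hashlib
import json

OS_PURPOSE = "OPERATING-SYSTEM"
# Constructed image SPDXID; a real apko SBOM uses the image digest here.
IMAGE_ID = "SPDXRef-Package-sha256-constructed0001"


def build_flat_sbom():
    """Constructed sample in the flat shape: the image package CONTAINS the
    apk packages directly and there is no OS package at all."""
    return {
        "spdxVersion": "SPDX-2.3",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": "example-image",
        "packages": [
            {"name": "example-image", "SPDXID": IMAGE_ID,
             "versionInfo": "sha256:constructed0001",
             "downloadLocation": "NONE", "filesAnalyzed": False,
             "primaryPackagePurpose": "CONTAINER"},
            {"name": "busybox", "SPDXID": "SPDXRef-Package-busybox",
             "versionInfo": "1.36.1-r15", "downloadLocation": "NONE",
             "filesAnalyzed": False},
            {"name": "musl", "SPDXID": "SPDXRef-Package-musl",
             "versionInfo": "1.2.4-r2", "downloadLocation": "NONE",
             "filesAnalyzed": False},
        ],
        "relationships": [
            {"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": IMAGE_ID,
             "relationshipType": "DESCRIBES"},
            {"spdxElementId": IMAGE_ID, "relatedSpdxElement": "SPDXRef-Package-busybox",
             "relationshipType": "CONTAINS"},
            {"spdxElementId": IMAGE_ID, "relatedSpdxElement": "SPDXRef-Package-musl",
             "relationshipType": "CONTAINS"},
        ],
    }


def os_package_id(name, version):
    """Hypothetical deterministic SPDXID for the OS package (not apko's scheme)."""
    digest = hashlib.sha256(f"{name}@{version}".encode()).hexdigest()[:16]
    return f"SPDXRef-OperatingSystem-{digest}"


def contains(doc, parent_id):
    """SPDXIDs that parent_id CONTAINS, in document order."""
    return [r["relatedSpdxElement"] for r in doc.get("relationships", [])
            if r["spdxElementId"] == parent_id and r["relationshipType"] == "CONTAINS"]


def find_os_package(doc, image_id):
    """Return the SPDXID of an OPERATING-SYSTEM package that the image
    CONTAINS, or None when the SBOM has the flat shape."""
    pkgs = {p["SPDXID"]: p for p in doc.get("packages", [])}
    for child in contains(doc, image_id):
        if pkgs.get(child, {}).get("primaryPackagePurpose") == OS_PURPOSE:
            return child
    return None


def add_os_package(doc, image_id, os_name, os_version):
    """Return a copy of doc with an OPERATING-SYSTEM package inserted between
    the image and its packages: image CONTAINS os, os CONTAINS package."""
    new = json.loads(json.dumps(doc))  # deep copy; leave the input untouched
    os_id = os_package_id(os_name, os_version)
    new["packages"].append({
        "name": os_name,
        "SPDXID": os_id,
        "versionInfo": os_version,
        "downloadLocation": "NONE",
        "filesAnalyzed": False,
        "primaryPackagePurpose": OS_PURPOSE,
    })
    # Re-parent every image CONTAINS package relationship onto the OS package.
    for rel in new["relationships"]:
        if rel["spdxElementId"] == image_id and rel["relationshipType"] == "CONTAINS":
            rel["spdxElementId"] = os_id
    # Then state that the image CONTAINS the OS package.
    new["relationships"].append({"spdxElementId": image_id,
                                 "relatedSpdxElement": os_id,
                                 "relationshipType": "CONTAINS"})
    return new


if __name__ == "__main__":
    flat = build_flat_sbom()
    print("flat SBOM OS package:", find_os_package(flat, IMAGE_ID))
    fixed = add_os_package(flat, IMAGE_ID, "alpine", "3.20.0_alpha20231219")
    print("fixed SBOM OS package:", find_os_package(fixed, IMAGE_ID))
    print(json.dumps(fixed, indent=2))
```

Running the script prints `None` for the flat document and the derived OS SPDXID for the repaired one; the repaired document has the same packages plus the OS package, and the only thing the image CONTAINS is that OS package, which in turn CONTAINS busybox and musl.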