CVEs : SBOM Generation / CVE Detection

Container Images

Trivy

# Generate SBOM of OCI image
image=openeuler/openeuler:24.03-lts-sp2
trivy image --scanners vuln --format spdx-json -o sbom.sdx.json $image
# or
trivy image --scanners vuln --format cyclonedx -o sbom.cdx.json $image 

# Scan/Audit SBOM file for CVEs of declared severities
sbom=sbom.cdx
trivy sbom --severity CRITICAL,HIGH --format json -o $sbom.audit.json $sbom.json

See CVEs.Trivy (MD|HTML)

Syft / Grype

• syft (SBOM)

• grype (CVEs)

  # Install 
  curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh |
  sudo sh -s -- -b /usr/local/bin
  curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh |
  sudo sh -s -- -b /usr/local/bin
  

  syft $img -o json |grype --fail-on high
  

  img=openeuler/openeuler:24.03-lts-sp2
  sbom="${img////}"
  name_tag="${sbom//:/_}"
  sbom="$name_tag.sbom.json"
  
  # Capture CycloneDX SBOM
  syft $img --output cyclonedx-json="$sbom"
  
  # Scan the SBOM 
  grype $sbom --output cyclonedx-json --file $name_tag.cdx.json
  
  

• --output, -o : json, cyclonedx-json, spdx-json

Filesystem Binaries

For binary files, use syft for SBOM generation, and grype for the final CVEs report, both in CycloneDX format.

Example : Scan kubectl plugins of ~/.krew/bin/

# Install the tools
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh |
    sudo sh -s -- -b /usr/local/bin
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh |
    sudo sh -s -- -b /usr/local/bin

# Generate TABLE of plugin CVEs from grype scan of syft SBOM
plugin=tree
syft scan file:~/.krew/bin/kubectl-$plugin -o cyclonedx-json |
    grype

# Same, but capture SBOM and CycloneDX files (JSON)
syft scan file:~/.krew/bin/kubectl-$plugin --output cyclonedx-json="kubectl-$plugin.sbom.json"
grype sbom:kubectl-$plugin.sbom.json --output cyclonedx-json --file kubectl-$plugin.cdx.json

# All plugins (pipe method fails at grype unless out to table and no options)
for plugin in ~/.krew/bin/*; do 
    bin=$(basename "$plugin")
    echo "=== @ $bin"
    syft scan file:"$plugin" --output cyclonedx-json="$bin.sbom.json"
    grype sbom:"$bin.sbom.json" -o cyclonedx-json --file "$bin.cdx.json"
    rm "$bin.sbom.json"
done |& tee krew-cves.log

Like other similar tools, grype has a flag to fail on any CVE finding that is equal to or greater than a declared severity, e.g., HIGH.

This allows for implementing a CVEs policy on any or all containers of a K8s cluster, and doing so with a purpose-built admission controller.

OWASP Dependency-Check

Dependency-Check is a Software Composition Analysis (SCA) tool that uses National Vulnerability Database (NVD), which is best accessed using an API key (Request API Key).

We have not found a use case for this tool.

Example filesystem scan for CVEs that returns nothing whatsoever:

bash dependency-check.sh ... --nvdApiKey YOUR_API_KEY 

bash dependency-check.sh -s ~/.krew/store/**/**/kubectl-*  --out krew-report.json --format JSON --project "Krew Plugins Audit"