CVEs : SBOM Generation and CVE Detection

Container Images

See CVEs.Trivy (MD|HTML)

Filesystem Binaries

For binary files, use syft for SBOM generation and grype for the final CVE report, both in CycloneDX format.

Example : Scan kubectl plugins of ~/.krew/bin/

# Install the tools
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh |
    sudo sh -s -- -b /usr/local/bin
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh |
    sudo sh -s -- -b /usr/local/bin

# Generate TABLE of plugin CVEs from grype scan of syft SBOM
# Use $HOME rather than ~ here: the shell does not expand a tilde that follows "file:"
plugin=tree
syft scan file:"$HOME/.krew/bin/kubectl-$plugin" -o cyclonedx-json |
    grype

# Same, but capture SBOM and CycloneDX files (JSON)
syft scan file:"$HOME/.krew/bin/kubectl-$plugin" --output cyclonedx-json="kubectl-$plugin.sbom.json"
grype sbom:"kubectl-$plugin.sbom.json" --output cyclonedx-json --file "kubectl-$plugin.cdx.json"

# All plugins (pipe method fails at grype unless out to table and no options)
for plugin in ~/.krew/bin/*; do
    bin=$(basename "$plugin")
    echo "=== @ $bin"
    syft scan file:"$plugin" --output cyclonedx-json="$bin.sbom.json"
    grype sbom:"$bin.sbom.json" -o cyclonedx-json --file "$bin.cdx.json"
    rm "$bin.sbom.json"
done |& tee krew-cves.log

Like other similar tools, grype has a flag that makes it exit non-zero on any CVE finding whose severity is equal to or greater than a declared threshold, e.g., HIGH.

That makes it possible to enforce a CVE policy on any or all containers of a K8s cluster, for example from a purpose-built admission controller that evaluates the grype report.
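The gate that grype's --fail-on flag applies is simple enough to reproduce over the CycloneDX JSON it writes, which is what an admission controller or CI step would do when it consumes the report rather than grype's exit code. The Python below is an added example, not code from this page or from grype: it assumes the report follows the CycloneDX layout of vulnerabilities[].ratings[].severity and vulnerabilities[].affects[].ref, takes the worst rating when a vulnerability carries several, treats a vulnerability with no ratings as "unknown", and the function names (findings_at_or_above, policy_allows) and the SAMPLE_REPORT with its PLACEHOLDER-VULN ids are constructed for illustration.

```python
"""Severity-threshold gate over a grype CycloneDX vulnerability report.

Added example (hypothetical helper, not grype's own code): it reproduces
the decision grype makes for `--fail-on <severity>` so the same rule can be
applied by whatever consumes the JSON report, e.g. an admission controller.
"""
import json

# CycloneDX rating severities, ranked so "at or above" is a plain comparison.
# "none"/"unknown" rank lowest; a threshold of "unknown" therefore matches all.
SEVERITY_RANK = {
    "unknown": 0, "none": 0, "info": 1, "low": 2,
    "medium": 3, "high": 4, "critical": 5,
}


def worst_severity(vuln):
    """Highest severity among a vulnerability's ratings ("unknown" if none)."""
    worst = "unknown"
    for rating in vuln.get("ratings", []):
        sev = str(rating.get("severity", "unknown")).lower()
        if SEVERITY_RANK.get(sev, 0) > SEVERITY_RANK[worst]:
            worst = sev
    return worst


def findings_at_or_above(report, threshold):
    """Return [(vuln id, affected bom-ref, severity)] meeting the threshold."""
    threshold = threshold.lower()
    if threshold not in SEVERITY_RANK:
        raise ValueError(f"unknown severity threshold: {threshold}")
    hits = []
    for vuln in report.get("vulnerabilities", []):
        sev = worst_severity(vuln)
        if SEVERITY_RANK[sev] >= SEVERITY_RANK[threshold]:
            # One line per affected component so the output names what to fix.
            refs = [a.get("ref", "?") for a in vuln.get("affects", [])] or ["?"]
            for ref in refs:
                hits.append((vuln.get("id", "?"), ref, sev))
    return hits


def policy_allows(report, threshold):
    """True when nothing is at or above the threshold (grype would exit 0)."""
    return not findings_at_or_above(report, threshold)


def load_report(path):
    """Load a CycloneDX JSON file written with `grype ... --file <path>`."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample in the shape of `grype -o cyclonedx-json` output.
# The vulnerability ids are placeholders, not real CVE identifiers.
SAMPLE_REPORT = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"bom-ref": "pkg:golang/example.invalid/libA@v1.0.0", "type": "library",
     "name": "libA", "version": "v1.0.0"},
    {"bom-ref": "pkg:golang/example.invalid/libB@v2.3.0", "type": "library",
     "name": "libB", "version": "v2.3.0"}
  ],
  "vulnerabilities": [
    {"id": "PLACEHOLDER-VULN-0001",
     "ratings": [{"severity": "medium", "method": "other"},
                 {"severity": "high", "method": "CVSSv3"}],
     "affects": [{"ref": "pkg:golang/example.invalid/libA@v1.0.0"}]},
    {"id": "PLACEHOLDER-VULN-0002",
     "ratings": [{"severity": "low", "method": "other"}],
     "affects": [{"ref": "pkg:golang/example.invalid/libB@v2.3.0"}]},
    {"id": "PLACEHOLDER-VULN-0003",
     "ratings": [],
     "affects": [{"ref": "pkg:golang/example.invalid/libB@v2.3.0"}]}
  ]
}
""")


if __name__ == "__main__":
    # Same report, three thresholds: only "medium" and "high" deny it.
    for threshold in ("critical", "high", "medium"):
        hits = findings_at_or_above(SAMPLE_REPORT, threshold)
        print(f"--fail-on {threshold}: {'deny' if hits else 'allow'}")
        for vid, ref, sev in hits:
            print(f"  {sev:8} {vid} in {ref}")
```

To run it against a real report from the loop above, replace SAMPLE_REPORT with load_report("kubectl-tree.cdx.json") (or whichever file grype wrote). Taking the worst of several ratings matters in practice: grype often emits one rating per data source, and gating on the first one would let a HIGH slip past behind a MEDIUM.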

OWASP Dependency-Check

Dependency-Check is a Software Composition Analysis (SCA) tool that uses the National Vulnerability Database (NVD), which is best accessed using an API key (Request API Key).

We have not found a use case for this tool.

Example filesystem scan for CVEs that returns nothing whatsoever:

bash dependency-check.sh ... --nvdApiKey YOUR_API_KEY

bash dependency-check.sh -s ~/.krew/store/**/**/kubectl-* --out krew-report.json --format JSON --project "Krew Plugins Audit"