syft: SBOM creator for files and containers
grype: Vulnerability scanner using SBOM
vunnel: Tool for creating a vulnerability DB for grype
Install
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
How to Use
Test Environment
# date
Fri May 31 11:13:20 UTC 2024
# lsb_release -a
Distributor ID: Debian
Description:    Debian GNU/Linux trixie/sid
Codename:       trixie
Create Fake Vulnerability
# apt list --installed | grep xz
xz-utils/testing,now 5.6.1+really5.4.5-1 amd64 [installed]
# cp /var/lib/dpkg/status ~
# sed -e 's/5.4.5-1/5.6.0/g' -i /var/lib/dpkg/status
# apt list --installed | grep xz
xz-utils/now 5.6.0 amd64 [installed,upgradable to: 5.6.1+really5.4.5-1]
Create SBOM
# SBOM=~/sbom.json
# syft dir:/ -o cyclonedx-json | jq > $SBOM
 ✔ Indexed file system /
 ✔ Cataloged contents ...
   ├── ✔ Packages [912 packages]
   ├── ✔ File digests [30,806 files]
   ├── ✔ File metadata [30,806 locations]
   └── ✔ Executables [1,670 executables]
Generate Security Report
# SBOM=~/sbom.json
# REPORT=~/report.txt
# grype sbom:$SBOM -o table > $REPORT
 ✔ Vulnerability DB [no update available]
 ✔ Scanned for vulnerabilities [367 vulnerability matches]
   ├── by severity: 6 critical, 31 high, 75 medium, 14 low, 314 negligible (357 unknown)
   └── by status: 406 fixed, 391 not-fixed, 430 ignored
# cat $REPORT | head -n 1; cat $REPORT | grep xz
NAME      INSTALLED  FIXED-IN             TYPE  VULNERABILITY  SEVERITY
xz-utils  5.4.5-1    5.6.1+really5.4.5-1  deb   CVE-2024-3094  Critical
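The table report is handy to read, but a CI job usually wants grype's JSON output (`grype sbom:$SBOM -o json`) so it can count findings by severity and fail the build above a threshold. The script below is an added example, not part of these notes or of grype itself; the report it embeds is constructed in the shape of grype's JSON (field names `matches[].vulnerability.{id,severity,fix}` and `matches[].artifact.{name,version,type}` are assumed), with the xz-utils row taken from the table above and two placeholder CVE ids.

```python
"""Gate on a grype report: parse `grype ... -o json` output, count matches by
severity, and return the matches that block a build at a chosen threshold."""
import json

# Ordering used for the gate; these are grype's own severity names.
SEVERITY_RANK = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed sample in the shape of `grype -o json` output (assumed field names).
# The xz-utils entry mirrors the table row on this page; the other two are placeholders.
SAMPLE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-2024-3094", "severity": "Critical",
                       "fix": {"versions": ["5.6.1+really5.4.5-1"], "state": "fixed"}},
     "artifact": {"name": "xz-utils", "version": "5.6.0", "type": "deb"}},
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "Medium",
                       "fix": {"versions": [], "state": "not-fixed"}},
     "artifact": {"name": "example-lib", "version": "1.0-1", "type": "deb"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "Low",
                       "fix": {"versions": ["2.1-1"], "state": "fixed"}},
     "artifact": {"name": "example-tool", "version": "2.0-1", "type": "deb"}},
]})


def load_matches(report_json):
    """Flatten grype matches into the same columns the `-o table` report prints."""
    rows = []
    for match in json.loads(report_json).get("matches", []):
        vuln, artifact = match["vulnerability"], match["artifact"]
        fix = vuln.get("fix", {})
        rows.append({
            "name": artifact["name"],
            "installed": artifact["version"],
            "fixed_in": ", ".join(fix.get("versions", [])),
            "type": artifact["type"],
            "vulnerability": vuln["id"],
            "severity": vuln.get("severity", "Unknown"),
        })
    return rows


def severity_counts(rows):
    """Counts per severity, like the 'by severity' summary line grype prints."""
    counts = {}
    for row in rows:
        counts[row["severity"]] = counts.get(row["severity"], 0) + 1
    return counts


def gate(rows, fail_on="High", fixed_only=False):
    """Return the matches at or above `fail_on`, worst first.

    With fixed_only=True only findings that already have a fix version block the
    build, a common policy so that unfixable CVEs do not keep a pipeline red."""
    threshold = SEVERITY_RANK[fail_on]
    blocking = [r for r in rows
                if SEVERITY_RANK.get(r["severity"], -1) >= threshold
                and (not fixed_only or r["fixed_in"])]
    return sorted(blocking, key=lambda r: -SEVERITY_RANK[r["severity"]])


if __name__ == "__main__":
    import sys
    # Pipe a real report in (grype sbom:$SBOM -o json | python3 gate.py) or run on the sample.
    rows = load_matches(SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read())
    print(severity_counts(rows))
    blocking = gate(rows)
    for row in blocking:
        print(f'{row["name"]} {row["installed"]} {row["vulnerability"]} {row["severity"]}')
    sys.exit(1 if blocking else 0)
```

Findings with an unknown severity (grype reports many of these, as the "357 unknown" above shows) never block here because they rank below every threshold; a stricter policy would treat them as Medium. grype also has a built-in `--fail-on <severity>` flag for the simple case.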
Security DB
DB sources
# pip3 install vunnel
# vunnel list
alpine
amazon
chainguard
debian
github
mariner
nvd
oracle
rhel
sles
ubuntu
wolfi
Glance at SBOM
# cat $SBOM | jq '.components | map(select(.["bom-ref"] | test("xz")))'
[
  {
    "bom-ref": "pkg:deb/debian/xz-utils@5.6.0?arch=amd64&distro=debian&package-id=62e574a06bd69f92",
    "type": "library",
    "publisher": "Jonathan Nieder <jrnieder@gmail.com>",
    "name": "xz-utils",
    "version": "5.6.0",
    "licenses": [
      {"license": {"id": "GPL-2.0-only"}},
      {"license": {"id": "GPL-2.0-or-later"}},
      {"license": {"id": "GPL-3.0-only"}},
      {"license": {"id": "LGPL-2.0-only"}},
      {"license": {"id": "LGPL-2.1-only"}},
      {"license": {"id": "LGPL-2.1-or-later"}},
      {"license": {"name": "Autoconf"}},
      {"license": {"name": "PD"}},
      {"license": {"name": "PD-debian"}},
      {"license": {"name": "config-h"}},
      {"license": {"name": "noderivs"}},
      {"license": {"name": "permissive-fsf"}},
      {"license": {"name": "permissive-nowarranty"}},
      {"license": {"name": "probably-PD"}}
    ],
    "cpe": "cpe:2.3:a:xz-utils:xz-utils:5.6.0:*:*:*:*:*:*:*",
    "purl": "pkg:deb/debian/xz-utils@5.6.0?arch=amd64&distro=debian",
    "properties": [
      {"name": "syft:package:foundBy", "value": "dpkg-db-cataloger"},
      {"name": "syft:package:type", "value": "deb"},
      {"name": "syft:package:metadataType", "value": "dpkg-db-entry"},
      {"name": "syft:cpe23", "value": "cpe:2.3:a:xz-utils:xz_utils:5.6.0:*:*:*:*:*:*:*"},
      {"name": "syft:cpe23", "value": "cpe:2.3:a:xz_utils:xz-utils:5.6.0:*:*:*:*:*:*:*"},
      {"name": "syft:cpe23", "value": "cpe:2.3:a:xz_utils:xz_utils:5.6.0:*:*:*:*:*:*:*"},
      {"name": "syft:cpe23", "value": "cpe:2.3:a:xz:xz-utils:5.6.0:*:*:*:*:*:*:*"},
      {"name": "syft:cpe23", "value": "cpe:2.3:a:xz:xz_utils:5.6.0:*:*:*:*:*:*:*"},
      {"name": "syft:location:0:path", "value": "usr/share/doc/xz-utils/copyright"},
      {"name": "syft:location:1:path", "value": "var/lib/dpkg/info/xz-utils.md5sums"},
      {"name": "syft:location:2:path", "value": "var/lib/dpkg/status"},
      {"name": "syft:metadata:installedSize", "value": "1258"}
    ]
  }
]
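The same component lookup in Python, as an added example that is not part of these notes or of syft: it reproduces the jq filter (regex on `bom-ref`), pulls the `syft:*` properties out (CPEs, file locations), and adds one consistency check the jq one-liner does not do, comparing each component's `version` with the version encoded in its purl. The embedded SBOM is constructed: the xz-utils entry is abridged from the output above, the liblzma5 and bash entries are placeholders, and bash deliberately carries a purl whose version disagrees with its version field.

```python
"""Query a syft CycloneDX JSON SBOM the way the jq command above does, and
cross-check each component's version field against the version in its purl."""
import json
import re

# Constructed three-component SBOM in syft's cyclonedx-json shape (see lead-in).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"bom-ref": "pkg:deb/debian/xz-utils@5.6.0?arch=amd64&distro=debian&package-id=62e574a06bd69f92",
         "type": "library", "name": "xz-utils", "version": "5.6.0",
         "purl": "pkg:deb/debian/xz-utils@5.6.0?arch=amd64&distro=debian",
         "properties": [
             {"name": "syft:package:foundBy", "value": "dpkg-db-cataloger"},
             {"name": "syft:cpe23", "value": "cpe:2.3:a:xz-utils:xz-utils:5.6.0:*:*:*:*:*:*:*"},
             {"name": "syft:cpe23", "value": "cpe:2.3:a:xz:xz_utils:5.6.0:*:*:*:*:*:*:*"},
             {"name": "syft:location:0:path", "value": "usr/share/doc/xz-utils/copyright"},
             {"name": "syft:location:1:path", "value": "var/lib/dpkg/status"}]},
        # placeholder component
        {"bom-ref": "pkg:deb/debian/liblzma5@5.6.0?arch=amd64&distro=debian&package-id=0000000000000001",
         "type": "library", "name": "liblzma5", "version": "5.6.0",
         "purl": "pkg:deb/debian/liblzma5@5.6.0?arch=amd64&distro=debian",
         "properties": [{"name": "syft:location:0:path", "value": "var/lib/dpkg/status"}]},
        # placeholder component with a deliberately inconsistent purl version
        {"bom-ref": "pkg:deb/debian/bash@5.2.21-2?arch=amd64&distro=debian&package-id=0000000000000002",
         "type": "library", "name": "bash", "version": "5.2.21-2",
         "purl": "pkg:deb/debian/bash@5.2.21-1?arch=amd64&distro=debian",
         "properties": []},
    ]})


def find_components(sbom_json, pattern):
    """Equivalent of: jq '.components | map(select(.["bom-ref"] | test(PATTERN)))'."""
    regex = re.compile(pattern)
    return [c for c in json.loads(sbom_json).get("components", [])
            if regex.search(c.get("bom-ref", ""))]


def purl_version(purl):
    """Version segment of a purl: text after the last '@', before any '?' qualifiers or '#' subpath."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" not in base:
        return None
    return base.rsplit("@", 1)[1]


def properties(component, prefix):
    """Values of the component's properties whose name starts with `prefix`, in SBOM order."""
    return [p["value"] for p in component.get("properties", [])
            if p["name"].startswith(prefix)]


def purl_mismatches(sbom_json):
    """Names of components whose version field and purl version disagree.

    A scanner keys its lookup on the purl, so a mismatch means the scan result and
    the human-readable version in the SBOM describe different packages."""
    bad = []
    for c in json.loads(sbom_json).get("components", []):
        if "purl" in c and purl_version(c["purl"]) != c.get("version"):
            bad.append(c["name"])
    return bad


if __name__ == "__main__":
    for comp in find_components(SAMPLE_SBOM, "xz"):
        print(comp["name"], comp["version"], purl_version(comp["purl"]))
        print("  cpes:", properties(comp, "syft:cpe23"))
        print("  found at:", properties(comp, "syft:location:"))
    print("purl/version mismatches:", purl_mismatches(SAMPLE_SBOM))
```

To run it against the real file, replace `SAMPLE_SBOM` with `open(os.path.expanduser("~/sbom.json")).read()`. The `syft:location:*` paths are worth keeping an eye on: in the output above every location for xz-utils comes from the dpkg database, which is exactly the file the fake-vulnerability step edited, so the SBOM reports whatever `/var/lib/dpkg/status` says rather than what the binaries on disk are.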
Glance at DB file
# ls -alh ~/.cache/grype/db/5
total 1.2G
 139 metadata.json
1.2K provider-metadata.json
1.2G vulnerability.db
# file ~/.cache/grype/db/5/vulnerability.db
SQLite 3.x database
Notice
There are cases where the license information is not printed correctly.
Etc
https://github.com/anchore/syft