syft: SBOM generator (package inventory of a directory, container image or archive)
grype: vulnerability scanner that matches an SBOM (or a target scanned directly) against its vulnerability DB
vunnel: tool that pulls the upstream vulnerability feeds the grype DB is built from (the build itself is done by grype-db; grype only downloads the finished DB)
Install
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin

Both installers take a release tag as a trailing argument (e.g. ... | sh -s -- -b /usr/local/bin v1.0.0) if you want a pinned version instead of whatever is latest when the pipeline runs.
How to use
Test Environment
# date
Fri May 31 11:13:20 UTC 2024
# lsb_release -a
Distributor ID: Debian
Description:    Debian GNU/Linux trixie/sid
Codename:       trixie
Create Fake Vulnerability
The installed xz-utils is 5.6.1+really5.4.5-1, Debian's downgrade back to the clean 5.4.5 after the backdoored 5.6.0/5.6.1 releases (CVE-2024-3094). To get a finding without installing anything malicious, rewrite the version dpkg records for the package. The sed pattern must cover the whole version string: replacing only the 5.4.5-1 suffix would leave 5.6.1+really5.6.0, which dpkg sorts above the fixed version and grype would not flag.

# apt list --installed | grep xz
xz-utils/testing,now 5.6.1+really5.4.5-1 amd64 [installed]
# cp /var/lib/dpkg/status ~
# sed -e 's/5.6.1+really5.4.5-1/5.6.0/g' -i /var/lib/dpkg/status
# apt list --installed | grep xz
xz-utils/now 5.6.0 amd64 [installed,upgradable to: 5.6.1+really5.4.5-1]

Keep the backup and restore it afterwards (cp ~/status /var/lib/dpkg/status). The binaries on disk are untouched; what changed is only the package metadata, which is exactly what an SBOM-based scan trusts.
Create SBOM
# SBOM=~/sbom.json
# syft dir:/ -o cyclonedx-json > $SBOM
# syft dir:/ -o cyclonedx-json > ~/sbom2.json
 ✔ Indexed file system /
 ✔ Cataloged contents
   ├── ✔ Packages       [912 packages]
   ├── ✔ File digests   [30,806 files]
   ├── ✔ File metadata  [30,806 locations]
   └── ✔ Executables    [1,670 executables]

syft's dpkg cataloger reads /var/lib/dpkg/status, so the SBOM now records xz-utils 5.6.0 as installed.
Generate Security Report
# SBOM=~/sbom.json
# REPORT=~/report.txt
# grype sbom:$SBOM -o table > $REPORT
 ✔ Vulnerability DB               [no update available]
 ✔ Scanned for vulnerabilities    [367 vulnerability matches]
   ├── by severity: 6 critical, 31 high, 75 medium, 14 low, 314 negligible (357 unknown)
   └── by status:   406 fixed, 391 not-fixed, 430 ignored
# head -n 1 $REPORT; grep xz $REPORT
NAME      INSTALLED  FIXED-IN             TYPE  VULNERABILITY  SEVERITY
xz-utils  5.4.5-1    5.6.1+really5.4.5-1  deb   CVE-2024-3094  Critical

"[no update available]" means grype checked the DB against the published listing before scanning; grype db status shows the build date of the DB actually used, which is what decides whether a recent CVE can be matched at all.
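A gate over grype's JSON output (grype sbom:$SBOM -o json), as an added example that is not code from these notes or from the grype project: it reproduces the "by severity" summary and returns the matches at or above a threshold, failing closed on findings grype rates Unknown. The report embedded in it is constructed for the example; the field names it reads (matches[].vulnerability.id/severity/fix and matches[].artifact.name/version/type) are the ones I know from grype's -o json format and are an assumption here, and the EXAMPLE-1/EXAMPLE-2 ids are placeholders, not advisories. For the plain case grype's own --fail-on <severity> flag does the same job without a script.

```python
"""Severity gate over a grype JSON report (grype sbom:$SBOM -o json > report.json).

Added example; not code from the notes above or from the grype project.
Assumption: grype's JSON puts each finding under "matches", with the CVE under
"vulnerability" (id, severity, fix.versions, fix.state) and the package under
"artifact" (name, version, type). The sample report below is constructed.
"""
import json
import sys

# grype's own ordering, lowest to highest. Anything else (e.g. "Unknown") is unranked.
SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample: the xz-utils match from the scan above plus two synthetic
# findings (EXAMPLE-1 / EXAMPLE-2 are placeholder ids, not real advisories).
SAMPLE_REPORT = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-2024-3094", "severity": "Critical",
                           "fix": {"versions": ["5.6.1+really5.4.5-1"], "state": "fixed"}},
         "artifact": {"name": "xz-utils", "version": "5.6.0", "type": "deb"}},
        {"vulnerability": {"id": "EXAMPLE-1", "severity": "Low",
                           "fix": {"versions": [], "state": "not-fixed"}},
         "artifact": {"name": "libexample", "version": "1.0-1", "type": "deb"}},
        {"vulnerability": {"id": "EXAMPLE-2", "severity": "Unknown",
                           "fix": {"versions": [], "state": "unknown"}},
         "artifact": {"name": "libother", "version": "2.0-1", "type": "deb"}},
    ]
})


def load_matches(report_text):
    """Parse a grype JSON report and return its list of matches."""
    return json.loads(report_text).get("matches", [])


def severity_of(match):
    return match["vulnerability"].get("severity", "Unknown").lower()


def count_by_severity(matches):
    """Same numbers as grype's 'by severity' summary line, keyed by lowercase name."""
    counts = {}
    for m in matches:
        sev = severity_of(m)
        counts[sev] = counts.get(sev, 0) + 1
    return counts


def failing_matches(matches, threshold="high", fail_on_unranked=True):
    """Matches at or above `threshold`. Severities grype could not rank ("Unknown")
    are included by default: a finding the scanner cannot rate should not pass
    a gate silently."""
    bar = SEVERITY_RANK[threshold.lower()]
    failing = []
    for m in matches:
        rank = SEVERITY_RANK.get(severity_of(m))
        if rank is None:
            if fail_on_unranked:
                failing.append(m)
        elif rank >= bar:
            failing.append(m)
    return failing


def format_row(match):
    """One line in the layout of grype's table output
    (NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY)."""
    v, a = match["vulnerability"], match["artifact"]
    fixed_in = ", ".join(v.get("fix", {}).get("versions", [])) or "-"
    return f"{a['name']} {a['version']} {fixed_in} {a['type']} {v['id']} {v['severity']}"


def main(argv):
    # With a path argument, gate a real report; without one, run on the constructed sample.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    threshold = argv[2] if len(argv) > 2 else "high"
    matches = load_matches(text)
    print("by severity:", count_by_severity(matches))
    failing = failing_matches(matches, threshold)
    for m in failing:
        print(format_row(m))
    return 1 if failing else 0  # non-zero exit fails the CI step


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as python3 gate.py report.json high in the pipeline step after grype; the exit status is the gate. Failing closed on Unknown is deliberate: in the scan above 357 of the matches had no rating, and a threshold gate that ignores them would wave through exactly the findings nobody has looked at yet.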
Security DB
DB sources
# pip3 install vunnel
# vunnel list
alpine
amazon
chainguard
debian
github
mariner
nvd
oracle
rhel
sles
ubuntu
wolfi

Each entry is a provider: vunnel fetches that source's advisory feed (Debian's security tracker, NVD, GitHub's advisory database, ...) into a normalised form, and grype-db compiles the provider results into the vulnerability.db that grype downloads. The xz-utils match above came from the debian provider, which is also where the FIXED-IN version originates.
Glance of DB file
# ls -alh ~/.cache/grype/db/5
total 1.2G
 139 metadata.json
1.2K provider-metadata.json
1.2G vulnerability.db
# file ~/.cache/grype/db/5/vulnerability.db
SQLite 3.x database

The 5 in the path is the DB schema version; metadata.json carries the build timestamp and checksum of the download, and grype db status prints the same information. The DB itself is an ordinary SQLite file, so it can be opened read-only with any SQLite client to see what grype actually matched against.
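Since vulnerability.db is plain SQLite, it can be inspected without knowing its layout in advance. The following is an added example (mine, not from these notes or from grype): it lists every table with its row count and columns using only sqlite_master and PRAGMA table_info, which exist in any SQLite 3 file, opens the file read-only so the scanner's cache is never modified, and then looks rows up by a column name validated against that schema. The small database it builds for itself is constructed; its two-table layout is an assumption standing in for the real 1.2G file, whose actual tables and columns you should read off with describe_db first.

```python
"""Glance at an unfamiliar SQLite file such as grype's vulnerability.db.

Added example; not from the notes above or from the grype project. Nothing
here assumes grype's schema: describe_db() discovers it, and find_rows()
only queries names that describe_db() reported. build_sample_db() creates a
constructed stand-in for ~/.cache/grype/db/5/vulnerability.db; its layout is
an assumption for the example, not grype's real schema.
"""
import os
import sqlite3
import sys
import tempfile


def _connect_ro(path):
    # mode=ro: never write to the scanner's cache, and fail loudly if the path
    # does not exist instead of silently creating an empty database.
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def describe_db(path):
    """Return {table: (row_count, [column names])} for every user table."""
    con = _connect_ro(path)
    try:
        names = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' "
            "AND name NOT LIKE 'sqlite_%' ORDER BY name")]
        schema = {}
        for name in names:
            cols = [r[1] for r in con.execute(f'PRAGMA table_info("{name}")')]
            (count,) = con.execute(f'SELECT COUNT(*) FROM "{name}"').fetchone()
            schema[name] = (count, cols)
        return schema
    finally:
        con.close()


def find_rows(path, table, column, value):
    """Rows of `table` where `column` == value. Identifiers cannot be bound as
    parameters, so they are checked against the discovered schema before being
    interpolated; the value itself is bound."""
    schema = describe_db(path)
    if table not in schema or column not in schema[table][1]:
        raise ValueError(f"no column {column!r} in table {table!r}")
    con = _connect_ro(path)
    try:
        return con.execute(
            f'SELECT * FROM "{table}" WHERE "{column}" = ?', (value,)).fetchall()
    finally:
        con.close()


def build_sample_db():
    """Constructed stand-in for the real DB (assumed layout, for the example only)."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE vulnerability (
            id TEXT, package_name TEXT, namespace TEXT, fixed_in_versions TEXT);
        INSERT INTO vulnerability VALUES
            ('CVE-2024-3094', 'xz-utils', 'debian:distro:debian:13', '["5.6.1+really5.4.5-1"]'),
            ('CVE-2024-3094', 'xz', 'nvd:cpe', '[]');
        CREATE TABLE vulnerability_metadata (id TEXT, namespace TEXT, severity TEXT);
        INSERT INTO vulnerability_metadata VALUES
            ('CVE-2024-3094', 'debian:distro:debian:13', 'Critical');
    """)
    con.commit()
    con.close()
    return path


if __name__ == "__main__":
    # Point at the real file to see its actual schema; otherwise use the sample.
    real = os.path.expanduser("~/.cache/grype/db/5/vulnerability.db")
    db = sys.argv[1] if len(sys.argv) > 1 else (real if os.path.exists(real) else build_sample_db())
    for table, (count, cols) in describe_db(db).items():
        print(f"{table}: {count} rows, columns {cols}")
```

On the real file the first call takes a while (COUNT(*) over a 1.2G database is a full scan per table), but it tells you which table to query for a CVE id and under which namespace a Debian fix version lives before you write anything against the schema.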
Etc
https://github.com/anchore/syft