Skip to content

Commit

Permalink
feat(sbom): Support license detection for SBOM scan (aquasecurity#6072)
Browse files Browse the repository at this point in the history
Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
  • Loading branch information
bedla and DmitriyLewen authored Mar 18, 2024
1 parent ab74caa commit eb3ceb3
Show file tree
Hide file tree
Showing 9 changed files with 329 additions and 22 deletions.
2 changes: 1 addition & 1 deletion docs/docs/references/configuration/cli/trivy.md
Original file line number Diff line number Diff line change
Expand Up @@ -53,7 +53,7 @@ trivy [global flags] command [flags] target
* [trivy plugin](trivy_plugin.md) - Manage plugins
* [trivy repository](trivy_repository.md) - Scan a repository
* [trivy rootfs](trivy_rootfs.md) - Scan rootfs
* [trivy sbom](trivy_sbom.md) - Scan SBOM for vulnerabilities
* [trivy sbom](trivy_sbom.md) - Scan SBOM for vulnerabilities and licenses
* [trivy server](trivy_server.md) - Server mode
* [trivy version](trivy_version.md) - Print the version
* [trivy vm](trivy_vm.md) - [EXPERIMENTAL] Scan a virtual machine image
Expand Down
4 changes: 3 additions & 1 deletion docs/docs/references/configuration/cli/trivy_sbom.md
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
## trivy sbom

Scan SBOM for vulnerabilities
Scan SBOM for vulnerabilities and licenses

```
trivy sbom [flags] SBOM_PATH
Expand Down Expand Up @@ -36,6 +36,7 @@ trivy sbom [flags] SBOM_PATH
--ignore-policy string specify the Rego file path to evaluate each vulnerability
--ignore-status strings comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life)
--ignore-unfixed display only fixed vulnerabilities
--ignored-licenses strings specify a list of license to ignore
--ignorefile string specify .trivyignore file (default ".trivyignore")
--java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1")
--list-all-pkgs enabling the option will output all packages regardless of vulnerability
Expand All @@ -50,6 +51,7 @@ trivy sbom [flags] SBOM_PATH
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
--reset remove all caches and database
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--scanners strings comma-separated list of what security issues to detect (vuln,license) (default [vuln])
--server string server address in client mode
-s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
--show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities
Expand Down
8 changes: 4 additions & 4 deletions docs/docs/scanner/license.md
Original file line number Diff line number Diff line change
Expand Up @@ -30,10 +30,10 @@ To configure the confidence level, you can use `--license-confidence-level`. Thi

Currently, the standard license scanning doesn't support filesystem and repository scanning.

| License scanning | Image | Rootfs | Filesystem | Repository |
| :-------------------: | :---: | :----: | :--------: | :--------: |
| Standard ||| - | - |
| Full (--license-full) |||||
| License scanning | Image | Rootfs | Filesystem | Repository | SBOM |
|:---------------------:|:-----:|:------:|:----------:|:----------:|:----:|
| Standard ||| - | - ||
| Full (--license-full) ||||| - |

License checking classifies the identified licenses and map the classification to severity.

Expand Down
5 changes: 4 additions & 1 deletion docs/docs/target/sbom.md
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# SBOM scanning

Trivy can take the following SBOM formats as an input and scan for vulnerabilities.
Trivy can take the following SBOM formats as an input and scan for vulnerabilities and licenses.

- CycloneDX
- SPDX
Expand All @@ -17,6 +17,9 @@ $ trivy sbom /path/to/sbom_file

```

By default, vulnerability scan in SBOM is executed. You can use `--scanners vuln,license`
command property to select also license scan, or `--scanners license` alone.

!!! note
Passing SBOMs generated by tool other than Trivy may result in inaccurate detection
because Trivy relies on custom properties in SBOM for accurate scanning.
Expand Down
25 changes: 24 additions & 1 deletion integration/sbom_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -6,11 +6,11 @@ import (
"path/filepath"
"testing"

ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
v1 "github.com/google/go-containerregistry/pkg/v1"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"

ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aquasecurity/trivy/pkg/types"
)

Expand All @@ -19,6 +19,7 @@ func TestSBOM(t *testing.T) {
input string
format string
artifactType string
scanners string
}
tests := []struct {
name string
Expand Down Expand Up @@ -150,13 +151,28 @@ func TestSBOM(t *testing.T) {
},
},
},
{
name: "license check cyclonedx json",
args: args{
input: "testdata/fixtures/sbom/license-cyclonedx.json",
format: "json",
artifactType: "cyclonedx",
scanners: "license",
},
golden: "testdata/license-cyclonedx.json.golden",
},
}

// Set up testing DB
cacheDir := initDB(t)

for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
scanners := "vuln"
if tt.args.scanners != "" {
scanners = tt.args.scanners
}

osArgs := []string{
"--cache-dir",
cacheDir,
Expand All @@ -165,6 +181,8 @@ func TestSBOM(t *testing.T) {
"--skip-db-update",
"--format",
tt.args.format,
"--scanners",
scanners,
}

// Set up the output file
Expand Down Expand Up @@ -223,5 +241,10 @@ func compareSBOMReports(t *testing.T, wantFile, gotFile string, overrideWant typ
}

got := readReport(t, gotFile)
// when running on Windows FS
got.ArtifactName = filepath.ToSlash(filepath.Clean(got.ArtifactName))
for i, result := range got.Results {
got.Results[i].Target = filepath.ToSlash(filepath.Clean(result.Target))
}
assert.Equal(t, want, got)
}
125 changes: 125 additions & 0 deletions integration/testdata/fixtures/sbom/license-cyclonedx.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,125 @@
{
"$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
"bomFormat": "CycloneDX",
"specVersion": "1.5",
"serialNumber": "urn:uuid:c09512e3-47e7-4eff-8f76-5d7ae72b26a5",
"version": 1,
"metadata": {
"timestamp": "2024-03-10T14:57:31+00:00",
"tools": {
"components": [
{
"type": "application",
"group": "aquasecurity",
"name": "trivy",
"version": "dev"
}
]
},
"component": {
"bom-ref": "acc9d4aa-4158-4969-a497-637e114fde0c",
"type": "application",
"name": "C:/Users/bedla.czech/IdeaProjects/sbom-demo",
"properties": [
{
"name": "aquasecurity:trivy:SchemaVersion",
"value": "2"
}
]
}
},
"components": [
{
"bom-ref": "eb56cd49-da98-4b08-bfc8-9880fb063cf1",
"type": "application",
"name": "pom.xml",
"properties": [
{
"name": "aquasecurity:trivy:Class",
"value": "lang-pkgs"
},
{
"name": "aquasecurity:trivy:Type",
"value": "pom"
}
]
},
{
"bom-ref": "pkg:maven/org.eclipse.sisu/org.eclipse.sisu.plexus@0.3.0.M1",
"type": "library",
"group": "org.eclipse.sisu",
"name": "org.eclipse.sisu.plexus",
"version": "0.3.0.M1",
"licenses": [
{
"license": {
"name": "EPL-1.0"
}
}
],
"purl": "pkg:maven/org.eclipse.sisu/org.eclipse.sisu.plexus@0.3.0.M1",
"properties": [
{
"name": "aquasecurity:trivy:PkgID",
"value": "org.eclipse.sisu:org.eclipse.sisu.plexus:0.3.0.M1"
},
{
"name": "aquasecurity:trivy:PkgType",
"value": "pom"
}
]
},
{
"bom-ref": "pkg:maven/org.ow2.asm/asm@9.5",
"type": "library",
"group": "org.ow2.asm",
"name": "asm",
"version": "9.5",
"licenses": [
{
"license": {
"name": "BSD-3-Clause"
}
}
],
"purl": "pkg:maven/org.ow2.asm/asm@9.5",
"properties": [
{
"name": "aquasecurity:trivy:PkgID",
"value": "org.ow2.asm:asm:9.5"
},
{
"name": "aquasecurity:trivy:PkgType",
"value": "pom"
}
]
},
{
"bom-ref": "pkg:maven/org.slf4j/slf4j-api@2.0.11",
"type": "library",
"group": "org.slf4j",
"name": "slf4j-api",
"version": "2.0.11",
"licenses": [
{
"license": {
"name": "MIT License"
}
}
],
"purl": "pkg:maven/org.slf4j/slf4j-api@2.0.11",
"properties": [
{
"name": "aquasecurity:trivy:PkgID",
"value": "org.slf4j:slf4j-api:2.0.11"
},
{
"name": "aquasecurity:trivy:PkgType",
"value": "pom"
}
]
}
],
"dependencies": [],
"vulnerabilities": []
}
65 changes: 65 additions & 0 deletions integration/testdata/license-cyclonedx.json.golden
Original file line number Diff line number Diff line change
@@ -0,0 +1,65 @@
{
"SchemaVersion": 2,
"CreatedAt": "2021-08-25T12:20:30.000000005Z",
"ArtifactName": "testdata/fixtures/sbom/license-cyclonedx.json",
"ArtifactType": "cyclonedx",
"Metadata": {
"ImageConfig": {
"architecture": "",
"created": "0001-01-01T00:00:00Z",
"os": "",
"rootfs": {
"type": "",
"diff_ids": null
},
"config": {}
}
},
"Results": [
{
"Target": "OS Packages",
"Class": "license"
},
{
"Target": "pom.xml",
"Class": "license"
},
{
"Target": "Java",
"Class": "license",
"Licenses": [
{
"Severity": "MEDIUM",
"Category": "reciprocal",
"PkgName": "org.eclipse.sisu:org.eclipse.sisu.plexus",
"FilePath": "",
"Name": "EPL-1.0",
"Confidence": 1,
"Link": ""
},
{
"Severity": "LOW",
"Category": "notice",
"PkgName": "org.ow2.asm:asm",
"FilePath": "",
"Name": "BSD-3-Clause",
"Confidence": 1,
"Link": ""
},
{
"Severity": "UNKNOWN",
"Category": "unknown",
"PkgName": "org.slf4j:slf4j-api",
"FilePath": "",
"Name": "MIT License",
"Confidence": 1,
"Link": ""
}
]
},
{
"Target": "Loose File License(s)",
"Class": "license-file"
}
]
}
21 changes: 16 additions & 5 deletions pkg/commands/app.go
Original file line number Diff line number Diff line change
Expand Up @@ -1125,11 +1125,24 @@ func NewSBOMCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
reportFlagGroup.DependencyTree = nil // disable '--dependency-tree'
reportFlagGroup.ReportFormat = nil // TODO: support --report summary

scanners := flag.ScannersFlag.Clone()
scanners.Values = xstrings.ToStringSlice(types.Scanners{
types.VulnerabilityScanner,
types.LicenseScanner,
})
scanners.Default = xstrings.ToStringSlice(types.Scanners{
types.VulnerabilityScanner,
})
scanFlagGroup := flag.NewScanFlagGroup()
scanFlagGroup.Scanners = nil // disable '--scanners' as it always scans for vulnerabilities
scanFlagGroup.Scanners = scanners // allow only 'vuln' and 'license' options for '--scanners'
scanFlagGroup.IncludeDevDeps = nil // disable '--include-dev-deps'
scanFlagGroup.Parallel = nil // disable '--parallel'

licenseFlagGroup := flag.NewLicenseFlagGroup()
// License full-scan and confidence-level are for file content only
licenseFlagGroup.LicenseFull = nil
licenseFlagGroup.LicenseConfidenceLevel = nil

sbomFlags := &flag.Flags{
GlobalFlagGroup: globalFlags,
CacheFlagGroup: flag.NewCacheFlagGroup(),
Expand All @@ -1139,11 +1152,12 @@ func NewSBOMCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
ScanFlagGroup: scanFlagGroup,
SBOMFlagGroup: flag.NewSBOMFlagGroup(),
VulnerabilityFlagGroup: flag.NewVulnerabilityFlagGroup(),
LicenseFlagGroup: licenseFlagGroup,
}

cmd := &cobra.Command{
Use: "sbom [flags] SBOM_PATH",
Short: "Scan SBOM for vulnerabilities",
Short: "Scan SBOM for vulnerabilities and licenses",
GroupID: groupScanning,
Example: ` # Scan CycloneDX and show the result in tables
$ trivy sbom /path/to/report.cdx
Expand All @@ -1166,9 +1180,6 @@ func NewSBOMCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
return xerrors.Errorf("flag error: %w", err)
}

// Scan vulnerabilities
options.Scanners = types.Scanners{types.VulnerabilityScanner}

return artifact.Run(cmd.Context(), options, artifact.TargetSBOM)
},
SilenceErrors: true,
Expand Down
Loading

0 comments on commit eb3ceb3

Please sign in to comment.