Skip to content

Commit

Permalink
feat(sbom): Support license detection for SBOM scan
Browse files Browse the repository at this point in the history
  • Loading branch information
bedla committed Feb 18, 2024
1 parent 32a02a9 commit 0ecb5d7
Show file tree
Hide file tree
Showing 9 changed files with 3,503 additions and 14 deletions.
2 changes: 1 addition & 1 deletion docs/docs/references/configuration/cli/trivy.md
Original file line number Diff line number Diff line change
Expand Up @@ -53,7 +53,7 @@ trivy [global flags] command [flags] target
* [trivy plugin](trivy_plugin.md) - Manage plugins
* [trivy repository](trivy_repository.md) - Scan a repository
* [trivy rootfs](trivy_rootfs.md) - Scan rootfs
* [trivy sbom](trivy_sbom.md) - Scan SBOM for vulnerabilities
* [trivy sbom](trivy_sbom.md) - Scan SBOM for vulnerabilities and licenses
* [trivy server](trivy_server.md) - Server mode
* [trivy version](trivy_version.md) - Print the version
* [trivy vm](trivy_vm.md) - [EXPERIMENTAL] Scan a virtual machine image
Expand Down
4 changes: 3 additions & 1 deletion docs/docs/references/configuration/cli/trivy_sbom.md
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
## trivy sbom

Scan SBOM for vulnerabilities
Scan SBOM for vulnerabilities and licenses

```
trivy sbom [flags] SBOM_PATH
Expand Down Expand Up @@ -36,6 +36,7 @@ trivy sbom [flags] SBOM_PATH
--ignore-policy string specify the Rego file path to evaluate each vulnerability
--ignore-status strings comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life)
--ignore-unfixed display only fixed vulnerabilities
--ignored-licenses strings specify a list of license to ignore
--ignorefile string specify .trivyignore file (default ".trivyignore")
--java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
--list-all-pkgs enabling the option will output all packages regardless of vulnerability
Expand All @@ -50,6 +51,7 @@ trivy sbom [flags] SBOM_PATH
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
--reset remove all caches and database
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
--scanners strings comma-separated list of what security issues to detect (vuln,license) (default [vuln])
--server string server address in client mode
-s, --severity strings severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
--show-suppressed [EXPERIMENTAL] show suppressed vulnerabilities
Expand Down
8 changes: 4 additions & 4 deletions docs/docs/scanner/license.md
Original file line number Diff line number Diff line change
Expand Up @@ -30,10 +30,10 @@ To configure the confidence level, you can use `--license-confidence-level`. Thi

Currently, the standard license scanning doesn't support filesystem and repository scanning.

| License scanning | Image | Rootfs | Filesystem | Repository |
| :-------------------: | :---: | :----: | :--------: | :--------: |
| Standard ||| - | - |
| Full (--license-full) |||||
| License scanning | Image | Rootfs | Filesystem | Repository | SBOM |
|:---------------------:|:-----:|:------:|:----------:|:----------:|:----:|
| Standard ||| - | - ||
| Full (--license-full) ||||| - |

License checking classifies the identified licenses and map the classification to severity.

Expand Down
5 changes: 4 additions & 1 deletion docs/docs/target/sbom.md
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# SBOM scanning

Trivy can take the following SBOM formats as an input and scan for vulnerabilities.
Trivy can take the following SBOM formats as an input and scan for vulnerabilities and licenses.

- CycloneDX
- SPDX
Expand All @@ -17,6 +17,9 @@ $ trivy sbom /path/to/sbom_file

```

By default, vulnerability scan in SBOM is executed. You can use `--scanners vuln,license`
command property to select also license scan, or `--scanners license` alone.

!!! note
Passing SBOMs generated by tool other than Trivy may result in inaccurate detection
because Trivy relies on custom properties in SBOM for accurate scanning.
Expand Down
19 changes: 18 additions & 1 deletion integration/sbom_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,6 @@ import (
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"

ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aquasecurity/trivy/pkg/types"
)

Expand All @@ -19,6 +18,7 @@ func TestSBOM(t *testing.T) {
input string
format string
artifactType string
scanners string
}
tests := []struct {
name string
Expand Down Expand Up @@ -150,13 +150,28 @@ func TestSBOM(t *testing.T) {
},
},
},
{
name: "license check cyclonedx json",
args: args{
input: "testdata/fixtures/sbom/license-cyclonedx.json",
format: "json",
artifactType: "spdx",
scanners: "license",
},
golden: "testdata/license-cyclonedx.json.golden",
},
}

// Set up testing DB
cacheDir := initDB(t)

for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
scanners := "vuln"
if tt.args.scanners != "" {
scanners = tt.args.scanners
}

osArgs := []string{
"--cache-dir",
cacheDir,
Expand All @@ -165,6 +180,8 @@ func TestSBOM(t *testing.T) {
"--skip-db-update",
"--format",
tt.args.format,
"--scanners",
scanners,
}

// Set up the output file
Expand Down
Loading

0 comments on commit 0ecb5d7

Please sign in to comment.