feat: add SBOM analyzer #4210

knqyf263 · 2023-05-07T18:41:09Z

Description

Looks for SBOM files in container images, etc.

NOTE: CPE is not supported.

Example

$ trivy image --scanners vuln bitnami/elasticsearch

Before

Details

Java (jar)
==========
Total: 12 (UNKNOWN: 0, LOW: 3, MEDIUM: 4, HIGH: 3, CRITICAL: 2)

┌───────────────────────────────────────────────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│                          Library                          │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                            │
├───────────────────────────────────────────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ com.google.guava:guava (guava-27.1-jre.jar)               │ CVE-2020-8908  │ LOW      │ 27.1-jre          │ 30.0          │ guava: local information disclosure via temporary directory │
│                                                           │                │          │                   │               │ created with unsafe permissions                             │
│                                                           │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2020-8908                   │
├───────────────────────────────────────────────────────────┤                │          ├───────────────────┤               │                                                             │
│ com.google.guava:guava (guava-28.2-jre.jar)               │                │          │ 28.2-jre          │               │                                                             │
│                                                           │                │          │                   │               │                                                             │
│                                                           │                │          │                   │               │                                                             │
│                                                           │                │          │                   │               │                                                             │
│                                                           │                │          │                   │               │                                                             │
│                                                           │                │          │                   │               │                                                             │
│                                                           │                │          │                   │               │                                                             │
├───────────────────────────────────────────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ commons-io:commons-io (commons-io-2.5.jar)                │ CVE-2021-29425 │ MEDIUM   │ 2.5               │ 2.7           │ apache-commons-io: Limited path traversal in Apache Commons │
│                                                           │                │          │                   │               │ IO 2.2 to 2.6                                               │
│                                                           │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-29425                  │
├───────────────────────────────────────────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ net.minidev:json-smart (nimbus-jose-jwt-9.8.1.jar)        │ CVE-2023-1370  │ HIGH     │ 1.3.2             │ 2.4.9         │ Uncontrolled Resource Consumption vulnerability in          │
│                                                           │                │          │                   │               │ json-smart (Resource Exhaustion)                            │
│                                                           │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-1370                   │
├───────────────────────────────────────────────────────────┼────────────────┤          ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ org.apache.santuario:xmlsec (xmlsec-2.1.4.jar)            │ CVE-2021-40690 │          │ 2.1.4             │ 2.1.7, 2.2.3  │ xml-security: XPath Transform abuse allows for information  │
│                                                           │                │          │                   │               │ disclosure                                                  │
│                                                           │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-40690                  │
│                                                           │                │          │                   │               │                                                             │
│                                                           │                │          │                   │               │                                                             │
│                                                           │                │          │                   │               │                                                             │
│                                                           │                │          │                   │               │                                                             │
├───────────────────────────────────────────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ org.bouncycastle:bc-fips (bc-fips-1.0.2.jar)              │ CVE-2020-15522 │ MEDIUM   │ 1.0.2             │ 1.0.2.1       │ bouncycastle: Timing issue within the EC math library       │
│                                                           │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2020-15522                  │
│                                                           ├────────────────┤          │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                                                           │ CVE-2022-45146 │          │                   │ 1.0.2.4       │ Garbage collection issue in BC-FJA in Java 13 and later     │
│                                                           │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-45146                  │
├───────────────────────────────────────────────────────────┼────────────────┤          ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ org.bouncycastle:bcprov-jdk15on (bcprov-jdk15on-1.64.jar) │ CVE-2020-15522 │          │ 1.64              │ 1.66          │ bouncycastle: Timing issue within the EC math library       │
│                                                           │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2020-15522                  │
├───────────────────────────────────────────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ org.yaml:snakeyaml (elasticsearch-x-content-8.7.1.jar)    │ CVE-2022-1471  │ CRITICAL │ 1.33              │ 2.0           │ Constructor Deserialization Remote Code Execution           │
│                                                           │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-1471                   │
│                                                           │                │          │                   │               │                                                             │
│                                                           │                │          │                   │               │                                                             │
│                                                           │                │          │                   │               │                                                             │
└───────────────────────────────────────────────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

After

Details

Java (jar)
==========
Total: 6 (UNKNOWN: 0, LOW: 1, MEDIUM: 3, HIGH: 1, CRITICAL: 1)

┌───────────────────────────────────────────────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│                          Library                          │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                            │
├───────────────────────────────────────────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ com.google.guava:guava (guava-28.2-jre.jar)               │ CVE-2020-8908  │ LOW      │ 28.2-jre          │ 30.0          │ guava: local information disclosure via temporary directory │
│                                                           │                │          │                   │               │ created with unsafe permissions                             │
│                                                           │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2020-8908                   │
├───────────────────────────────────────────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ org.apache.santuario:xmlsec (xmlsec-2.1.4.jar)            │ CVE-2021-40690 │ HIGH     │ 2.1.4             │ 2.1.7, 2.2.3  │ xml-security: XPath Transform abuse allows for information  │
│                                                           │                │          │                   │               │ disclosure                                                  │
│                                                           │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-40690                  │
├───────────────────────────────────────────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ org.bouncycastle:bc-fips (bc-fips-1.0.2.jar)              │ CVE-2020-15522 │ MEDIUM   │ 1.0.2             │ 1.0.2.1       │ bouncycastle: Timing issue within the EC math library       │
│                                                           │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2020-15522                  │
│                                                           ├────────────────┤          │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│                                                           │ CVE-2022-45146 │          │                   │ 1.0.2.4       │ Garbage collection issue in BC-FJA in Java 13 and later     │
│                                                           │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-45146                  │
├───────────────────────────────────────────────────────────┼────────────────┤          ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ org.bouncycastle:bcprov-jdk15on (bcprov-jdk15on-1.64.jar) │ CVE-2020-15522 │          │ 1.64              │ 1.66          │ bouncycastle: Timing issue within the EC math library       │
│                                                           │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2020-15522                  │
├───────────────────────────────────────────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ org.yaml:snakeyaml (elasticsearch-x-content-8.7.1.jar)    │ CVE-2022-1471  │ CRITICAL │ 1.33              │ 2.0           │ Constructor Deserialization Remote Code Execution           │
│                                                           │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-1471                   │
└───────────────────────────────────────────────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

Missing JARs in SBOM

Following JAR files exist in bitnami/elasticsearch, but it is not included in opt/bitnami/elasticsearch/.spdx-elasticsearch.spdx.

opt/bitnami/elasticsearch/modules/x-pack-watcher/guava-27.1-jre.jar
opt/bitnami/elasticsearch/lib/tools/security-cli/commons-io-2.5.jar
etc.

Related issues

Scan manifest for self-packaged software #2839

Checklist

I've read the guidelines for contributing to this repository.
I've followed the conventions in the PR title.
I've added tests that prove my fix is effective or that my feature works.
I've updated the documentation with the relevant information (if needed).
I've added usage information (if the PR introduces new options)
I've included a "before" and "after" example to the description (if the PR is a user interface change).

agomezmoron · 2023-05-18T09:27:43Z

Hi @knqyf263 ,

We fixed that in our pipelines internally and now the latest bitnami/elasticsearch container has the proper files in the /opt/bitnami/elasticsearch/.sped-elasticsearch.spdx.

$ docker run --rm -it -u root --entrypoint=/bin/bash bitnami/elasticsearch:8.7.1-debian-11-r7
root@af2e2aef648e:/opt/bitnami/elasticsearch# cat .spdx-elasticsearch.spdx | grep -i guava-2
                    "fileName": "modules/x-pack-security/guava-28.2-jre.jar",
                    "fileName": "modules/x-pack-watcher/guava-27.1-jre.jar",
root@af2e2aef648e:/opt/bitnami/elasticsearch# cat .spdx-elasticsearch.spdx | grep -i commons.io
            "name": "commons-io:commons-io",
                    "referenceLocator": "pkg:maven/commons-io/commons-io@2.11.0"
                    "fileName": "modules/ingest-attachment/commons-io-2.11.0.jar",
            "name": "commons-io:commons-io",
                    "referenceLocator": "pkg:maven/commons-io/commons-io@2.5"
                    "fileName": "lib/tools/security-cli/commons-io-2.5.jar",

Thanks!

knqyf263 · 2023-05-18T11:06:24Z

@agomezmoron Great! Thanks for updating! I'll be back to this PR next week and wrap it up.

pkg/fanal/analyzer/language/java/jar/jar.go

carrodher · 2023-05-31T17:35:06Z

Hi, JFYI, the bitnami/vulndb repo was made public

pkg/sbom/spdx/unmarshal.go

pkg/fanal/analyzer/sbom/sbom.go

pkg/fanal/analyzer/sbom/sbom_test.go

pkg/fanal/analyzer/sbom/sbom.go

Co-authored-by: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>

pkg/fanal/analyzer/sbom/sbom.go

ChristianCiach · 2023-06-02T09:51:05Z

docs/docs/supply-chain/sbom.md

+Trivy can take SBOM documents as input for scanning.
+See [here](../target/sbom.md) for more details.
+
+Also, Trivy searches for SBOM files in container images.


I think it should be clarified that this currently only works for Bitnami images.

I came here from reading the release notes that just state:

9ef0113 feat: add SBOM analyzer (#4210)

This got me excited, because we could use this for our own images, but unfortunately this currently only works for this hardcoded directory.

Why do you think it works with the hardcoded directory?

I am referring to this discussion: https://github.com/aquasecurity/trivy/pull/4210/files#r1212955004

Even in current main, the sbom.go only checks the hardcoded path /opt/bitnami for spdx-SBOMs:

// For Bitnami images if strings.HasPrefix(input.FilePath, "opt/bitnami/") {

Or am I reading this wrong and other paths/formats are somehow implicitly supported?

No, it is just rewriting file paths for Bitnami. SBOM itself is analyzed anyway.

Co-authored-by: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com> Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>

feat: add SBOM analyzer

757a436

knqyf263 self-assigned this May 7, 2023

knqyf263 commented May 31, 2023

View reviewed changes

pkg/fanal/analyzer/language/java/jar/jar.go Outdated Show resolved Hide resolved

knqyf263 added 2 commits June 1, 2023 10:34

Merge branch 'main' into sbom_analyzer

bd5aa1d

test(sbom): add SPDX tests

1c03982

DmitriyLewen reviewed Jun 1, 2023

View reviewed changes

pkg/fanal/analyzer/sbom/sbom.go Outdated Show resolved Hide resolved

knqyf263 added 5 commits June 1, 2023 15:52

feat: filter out files listed in SBOM

db18245

Merge branch 'main' into sbom_analyzer

3c22633

refactor: replace v2_3 with spdx

9e237b9

test(spdx): add a case with no relationships

f6934d5

test(sbom): add a CycloneDX case

c6c2727

knqyf263 force-pushed the sbom_analyzer branch from c3e514d to c6c2727 Compare June 1, 2023 13:19

knqyf263 and others added 2 commits June 1, 2023 16:22

feat: add more file extensions

373cbe6

Co-authored-by: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>

fix tests

8717a01

knqyf263 marked this pull request as ready for review June 2, 2023 04:14

DmitriyLewen and others added 5 commits June 2, 2023 10:20

refactor use lo.Filter in spdx.getPackageFilePaths

fc8875e

revert fc8875e

ea33604

disable SBOM analyzer for fs and repo modes

3997788

docs: add SBOM searching

dd90f77

docs: fix some warnings

f8b13e8

knqyf263 requested review from AnaisUrlichs and itaysk as code owners June 2, 2023 05:46

DmitriyLewen reviewed Jun 2, 2023

View reviewed changes

pkg/fanal/analyzer/sbom/sbom.go Outdated Show resolved Hide resolved

fix Required func, add test

0b9daa2

DmitriyLewen approved these changes Jun 2, 2023

View reviewed changes

knqyf263 mentioned this pull request Jun 2, 2023

Add package source files #4539

Open

knqyf263 merged commit 9ef0113 into aquasecurity:main Jun 2, 2023

ChristianCiach reviewed Jun 2, 2023

View reviewed changes

knqyf263 deleted the sbom_analyzer branch June 2, 2023 10:24

AnaisUrlichs pushed a commit to AnaisUrlichs/trivy that referenced this pull request Aug 10, 2023

feat: add SBOM analyzer (aquasecurity#4210)

761f38c

Co-authored-by: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com> Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: add SBOM analyzer #4210

feat: add SBOM analyzer #4210

knqyf263 commented May 7, 2023 •

edited

Loading

agomezmoron commented May 18, 2023

knqyf263 commented May 18, 2023

carrodher commented May 31, 2023

ChristianCiach Jun 2, 2023

knqyf263 Jun 2, 2023

ChristianCiach Jun 2, 2023 •

edited

Loading

knqyf263 Jun 2, 2023

feat: add SBOM analyzer #4210

feat: add SBOM analyzer #4210

Conversation

knqyf263 commented May 7, 2023 • edited Loading

Description

Example

Before

After

Missing JARs in SBOM

Related issues

Checklist

agomezmoron commented May 18, 2023

knqyf263 commented May 18, 2023

carrodher commented May 31, 2023

ChristianCiach Jun 2, 2023

Choose a reason for hiding this comment

knqyf263 Jun 2, 2023

Choose a reason for hiding this comment

ChristianCiach Jun 2, 2023 • edited Loading

Choose a reason for hiding this comment

knqyf263 Jun 2, 2023

Choose a reason for hiding this comment

knqyf263 commented May 7, 2023 •

edited

Loading

ChristianCiach Jun 2, 2023 •

edited

Loading