
Generate SBOM in Container Scanning for Trivy-based analyzers

Proposal

The purpose of this issue is to add a new Gcs::Plugin::SBOMScan class which will use trivy to generate SBOMs from within Container Scanning.

We've compared the SBOM generating capabilities of trivy and syft here, and while it seems that syft might be a better choice, it requires installing an extra tool.

In order to implement this feature quicker, we should use trivy as the initial tool for generating SBOMs, since it's already installed. This will allow us to create the framework in Container Scanning for generating SBOMs, and then we can switch out the tool with syft later on.

Implementation Plan

  1. Add a new Gcs::Plugin::SBOMScan class which calls trivy image --format cyclonedx <image-name> and outputs a new report. For the MVC, we will only be adding SBOM support for trivy and not grype.

    The trivy scanner currently produces two reports:

    • gl-container-scanning-report.json
    • gl-dependency-scanning-report.json

    The Gcs::Plugin::SBOMScan plugin should produce a third report, in the same directory as the above two reports:

    • gl-sbom-container-scanning.cdx.json
  2. Add tests to cover these changes.

  3. Add a new CycloneDX Software Bill of Materials section to the Container Scanning Documentation, using the Dependency Scanning SBOM documentation as a starting point.

  4. Record a demo of the feature.
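The sketch below is an added illustration of what step 1 could look like, not code from the container-scanning analyzer itself. It builds the `trivy image --format cyclonedx <image-name>` command named above as an argv array (so the image name is never interpolated into a shell string), checks that what comes back is actually a CycloneDX document before trusting it, and writes `gl-sbom-container-scanning.cdx.json` atomically next to the other two reports. The `runner` injection point, the `Open3` call, the `InvalidSbomError` class, the minimal key check and the sample SBOM are all assumptions made for this example; the real plugin interface in the analyzer may differ.

```ruby
require 'json'
require 'open3'
require 'fileutils'
require 'tmpdir'

module Gcs
  module Plugin
    # Illustrative sketch of the proposed plugin (not the analyzer's real code).
    class SBOMScan
      REPORT_NAME = 'gl-sbom-container-scanning.cdx.json'
      # Minimal shape every CycloneDX JSON document carries (assumed check).
      REQUIRED_KEYS = %w[bomFormat specVersion components].freeze

      class InvalidSbomError < StandardError; end

      # runner: callable taking an argv array and returning [stdout, success?].
      # Defaults to running trivy via Open3; tests can inject a fake runner.
      def initialize(image:, output_dir:, runner: nil)
        @image = image
        @output_dir = output_dir
        @runner = runner || method(:run_process)
      end

      # The command from the proposal, as argv (no shell involved).
      def command
        ['trivy', 'image', '--format', 'cyclonedx', @image]
      end

      # Third report, in the same directory as the existing two reports.
      def report_path
        File.join(@output_dir, REPORT_NAME)
      end

      # Runs the scanner, validates the SBOM and writes the report; returns its path.
      def scan
        stdout, ok = @runner.call(command)
        raise InvalidSbomError, 'trivy exited with failure' unless ok

        sbom = parse_and_validate(stdout)
        write_report(sbom)
        report_path
      end

      # Refuses to persist anything that is not a CycloneDX document.
      def parse_and_validate(raw)
        sbom = JSON.parse(raw)
        missing = REQUIRED_KEYS.reject { |k| sbom.key?(k) }
        raise InvalidSbomError, "missing keys: #{missing.join(', ')}" unless missing.empty?
        raise InvalidSbomError, 'not a CycloneDX document' unless sbom['bomFormat'] == 'CycloneDX'

        sbom
      rescue JSON::ParserError => e
        raise InvalidSbomError, "scanner output is not JSON: #{e.message}"
      end

      private

      def run_process(argv)
        stdout, _stderr, status = Open3.capture3(*argv)
        [stdout, status.success?]
      end

      # Write to a temp file then rename, so a consumer never reads a half-written report.
      def write_report(sbom)
        FileUtils.mkdir_p(@output_dir)
        tmp = "#{report_path}.tmp"
        File.write(tmp, JSON.pretty_generate(sbom))
        File.rename(tmp, report_path)
      end
    end
  end
end

# Constructed sample of the kind of CycloneDX JSON trivy emits (not real scanner output).
SAMPLE_SBOM = JSON.generate(
  'bomFormat' => 'CycloneDX',
  'specVersion' => '1.4',
  'components' => [
    { 'type' => 'library', 'name' => 'libssl3', 'version' => '3.0.2-0ubuntu1' }
  ]
)

# Fake runner standing in for trivy so the example runs offline.
FAKE_TRIVY = ->(_argv) { [SAMPLE_SBOM, true] }

def demo_scan(output_dir = Dir.mktmpdir)
  Gcs::Plugin::SBOMScan.new(image: 'alpine:3.17', output_dir: output_dir, runner: FAKE_TRIVY).scan
end

puts demo_scan if __FILE__ == $PROGRAM_NAME
```

Swapping `FAKE_TRIVY` for the default runner makes the same class call the real `trivy` binary; the validation step is what keeps a failed or truncated scan from silently producing an empty or malformed SBOM report that downstream jobs would then ingest.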

Demo

(Post POC completion)

Attached screen recording: Screen_Recording_2023-03-21_at_12.05.08_PM

Edited by Adam Cohen