Generate SBOM in Container Scanning for Trivy-based analyzers
Proposal
The purpose of this issue is to add a new `Gcs::Plugin::SBOMScan` class which will use `trivy` to generate SBOMs from within Container Scanning.
We've compared the SBOM generating capabilities of trivy and syft here, and while it seems that syft might be a better choice, it requires installing an extra tool.
In order to implement this feature quicker, we should use trivy as the initial tool for generating SBOMs, since it's already installed. This will allow us to create the framework in Container Scanning for generating SBOMs, and then we can switch out the tool with syft later on.
Implementation Plan
- Add a new `Gcs::Plugin::SBOMScan` class which calls `trivy image --format cyclonedx <image-name>` and outputs a new report. For the MVC, we will only be adding SBOM support for `trivy` and not `grype`. The `trivy` scanner currently produces two reports: `gl-container-scanning-report.json` and `gl-dependency-scanning-report.json`. The `Gcs::Plugin::SBOMScan` plugin should produce a third report, in the same directory as the above two reports: `gl-sbom-container-scanning.cdx.json`
- Add tests to cover these changes.
- Add a new "CycloneDX Software Bill of Materials" section to the Container Scanning Documentation, using the Dependency Scanning SBOM documentation as a starting point.
- Record a demo of the feature
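A sketch of what the plugin step above could look like, as an added example that is not the Container Scanning project's code. It shells out to `trivy image --format cyclonedx <image-name>` with an argument vector (so the image name is never shell-interpreted), refuses to write anything that is not a CycloneDX document, and names the report `gl-sbom-container-scanning.cdx.json`. The `ScanError` class, the injectable `runner` keyword, the `FakeStatus`/`FAKE_TRIVY` doubles and the sample BOM are assumptions made for this example so it runs without trivy installed.

```ruby
require "json"
require "open3"
require "fileutils"
require "tmpdir"

module Gcs
  module Plugin
    # Added example (not the project's code): an SBOMScan plugin that runs
    # `trivy image --format cyclonedx <image>` and writes the CycloneDX report
    # next to the two reports the trivy scanner already produces.
    class SBOMScan
      REPORT_NAME = "gl-sbom-container-scanning.cdx.json"

      # Hypothetical error type used by this example.
      class ScanError < StandardError; end

      # `runner` is injectable so the plugin can be exercised without trivy
      # installed. It must accept the argv and return [stdout, stderr, status]
      # like Open3.capture3, which is the default.
      def initialize(image_name, output_dir, runner: Open3.method(:capture3))
        @image_name = image_name
        @output_dir = output_dir
        @runner = runner
      end

      # Argument vector for trivy. Passing an array rather than one string
      # means the image name is never interpreted by a shell.
      def command
        ["trivy", "image", "--format", "cyclonedx", @image_name]
      end

      # Runs trivy, validates its output and writes the report.
      # Returns the path of the written report.
      def scan
        stdout, stderr, status = @runner.call(*command)
        raise ScanError, "trivy exited #{status.exitstatus}: #{stderr}" unless status.success?

        bom = parse_cyclonedx(stdout)
        FileUtils.mkdir_p(@output_dir)
        path = File.join(@output_dir, REPORT_NAME)
        File.write(path, JSON.pretty_generate(bom))
        path
      end

      private

      # Reject anything that is not a CycloneDX BOM before writing it, so a
      # trivy run that printed the wrong format never yields a report that
      # downstream consumers would try to ingest.
      def parse_cyclonedx(raw)
        bom = JSON.parse(raw)
        unless bom.is_a?(Hash) && bom["bomFormat"] == "CycloneDX" && bom["specVersion"].is_a?(String)
          raise ScanError, "trivy output is not a CycloneDX BOM"
        end
        bom
      rescue JSON::ParserError => e
        raise ScanError, "trivy output is not valid JSON: #{e.message}"
      end
    end
  end
end

# Constructed stand-ins for running without trivy: a fake exit status and a
# runner that returns a minimal, hand-written CycloneDX document.
FakeStatus = Struct.new(:ok) do
  def success?; ok; end
  def exitstatus; ok ? 0 : 1; end
end

SAMPLE_BOM = JSON.generate({
  "bomFormat" => "CycloneDX", "specVersion" => "1.4",
  "components" => [{ "type" => "library", "name" => "openssl", "version" => "1.1.1n" }]
})

FAKE_TRIVY = ->(*_argv) { [SAMPLE_BOM, "", FakeStatus.new(true)] }

# Runs the plugin against the fake trivy and returns the parsed report.
def demo_scan(dir = Dir.mktmpdir)
  path = Gcs::Plugin::SBOMScan.new("alpine:3.18", dir, runner: FAKE_TRIVY).scan
  JSON.parse(File.read(path))
end
```

Dropping `runner:` makes the class call the real `trivy` binary via `Open3.capture3`; the validation step is what turns a wrong-format or failed trivy invocation into a job failure instead of a silently bad artifact.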
Demo
(Post POC completion)