Generate SBOM in Container Scanning for Grype-based analyzers
Proposal
In Generate SBOM in Container Scanning for Trivy-b... (#396381 - closed), we added support for generating SBOM files in Container Scanning for the Trivy-based analyzers, i.e. the following images, which use Trivy by default:

- registry.gitlab.com/security-products/container-scanning:5
- registry.gitlab.com/security-products/container-scanning:5-fips
- registry.gitlab.com/security-products/container-scanning/trivy:5
- registry.gitlab.com/security-products/container-scanning/trivy:5-fips

We need to extend this support to our grype-based analyzers:

- registry.gitlab.com/security-products/container-scanning/grype:5
- registry.gitlab.com/security-products/container-scanning/grype:5-fips
The implementation in Generate SBOM in Container Scanning for Trivy-b... (#396381 - closed) uses Trivy itself to generate the SBOM, since the MVC was scoped to adding SBOM support to the Trivy analyzers only.

grype can produce an SBOM with `grype <image> -o cyclonedx`, but that output is XML following the older CycloneDX 1.2 specification, so we can't use it: the Container Scanning SBOM report needs a CycloneDX JSON document.
This means that as part of this issue, we need to do one of the following:

- install trivy into the grype-based analyzers, so we can use `trivy image --format cyclonedx <image>` to generate SBOMs.
- install syft into the grype-based analyzers and use `syft <image> -o cyclonedx-json` to generate SBOMs.
Implementation Plan

- Update script/setup.sh to download the trivy or syft binary in the setup_grype_files function. The choice between trivy and syft will be decided by the outcome of Determine whether to use Trivy or syft for gene... (#398829 - closed).
- Update Gcs::Grype as follows:
  - Add a method for determining whether SBOM output is supported, the same way this is done for Gcs::Trivy#scan_sbom_supported.
  - Add a method for producing the SBOM file, the same way this is done for Gcs::Trivy#sbom_scan_command.
- Add unit and integration tests to cover the changes.
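The following is an added example sketching the two methods the plan asks for, plus a check a practitioner would want on the result; it is not code from the container-scanning project and does not reproduce the real Gcs::Trivy implementation. Assumptions: the method names mirror the ones named in the plan, the generator (trivy or syft) is injected rather than read from setup.sh, the `--output` (trivy) and `-o <format>=<path>` (syft) flags are those tools' own CLI flags (the issue only shows the format flags), the minimum accepted CycloneDX spec version of 1.4 is assumed, and the sample SBOM is constructed for the example.

```ruby
require "json"
require "open3"

# Added example, not code from the container-scanning project. It sketches the
# two methods the plan asks for on Gcs::Grype and a check on the produced SBOM.
module SbomExample
  # Assumption: the Container Scanning CycloneDX report needs at least this
  # spec version, which is why grype's native 1.2 XML output is unusable.
  MIN_SPEC = [1, 4].freeze

  # Constructed sample of what syft/trivy emit (trimmed to the fields checked).
  SAMPLE_SBOM = <<~SBOM
    {
      "bomFormat": "CycloneDX",
      "specVersion": "1.4",
      "components": [
        {"type": "library", "name": "musl", "version": "1.2.4-r2", "purl": "pkg:apk/alpine/musl@1.2.4-r2"},
        {"type": "library", "name": "zlib", "version": "1.2.13-r1", "purl": "pkg:apk/alpine/zlib@1.2.13-r1"}
      ]
    }
  SBOM

  class GrypeSbom
    attr_reader :tool

    # tool   - :trivy or :syft, whichever setup.sh was changed to download
    # runner - callable taking an argv array and returning [output, success?];
    #          injectable so the version probe can be faked offline in tests
    def initialize(tool:, runner: self.class.method(:run_capture))
      @tool = tool
      @runner = runner
    end

    # Counterpart of Gcs::Trivy#scan_sbom_supported (hypothetical shape):
    # SBOM output is supported only if the generator binary is present and runs.
    def scan_sbom_supported?
      out, ok = @runner.call([tool.to_s, "--version"])
      ok && !out.to_s.strip.empty?
    end

    # Counterpart of Gcs::Trivy#sbom_scan_command (hypothetical shape): returns
    # an argv array rather than a shell string, so an image name such as
    # "a;rm -rf /" is never interpreted by a shell.
    def sbom_scan_command(image, output_path)
      case tool
      when :trivy
        ["trivy", "image", "--format", "cyclonedx", "--output", output_path, image]
      when :syft
        ["syft", image, "-o", "cyclonedx-json=#{output_path}"]
      else
        raise ArgumentError, "unknown SBOM generator: #{tool.inspect}"
      end
    end

    # Checks that a generated SBOM is CycloneDX JSON at a usable spec version.
    # Returns [ok, reason]. grype's own `-o cyclonedx` output (1.2 XML) fails
    # the JSON parse and is rejected here, which is exactly the failure mode
    # that motivates installing trivy or syft.
    def self.validate_sbom(raw)
      doc = JSON.parse(raw)
      return [false, "bomFormat is not CycloneDX"] unless doc["bomFormat"] == "CycloneDX"

      m = doc["specVersion"].to_s.match(/\A(\d+)\.(\d+)\z/)
      return [false, "missing or malformed specVersion"] unless m

      version = [m[1].to_i, m[2].to_i]
      if (version <=> MIN_SPEC) < 0
        return [false, "specVersion #{version.join('.')} is older than #{MIN_SPEC.join('.')}"]
      end

      [true, "CycloneDX #{version.join('.')} with #{Array(doc["components"]).size} components"]
    rescue JSON::ParserError
      [false, "not JSON (CycloneDX XML, e.g. grype's 1.2 output, is not accepted)"]
    end

    # Default runner: spawn the tool without a shell and capture its output.
    def self.run_capture(argv)
      out, status = Open3.capture2e(*argv)
      [out, status.success?]
    rescue Errno::ENOENT
      ["", false] # binary not installed in this analyzer image
    end
  end
end

if $PROGRAM_NAME == __FILE__
  gen = SbomExample::GrypeSbom.new(tool: :syft)
  puts "syft available: #{gen.scan_sbom_supported?}"
  puts gen.sbom_scan_command("alpine:3.18", "gl-sbom-report.cdx.json").join(" ")
  puts SbomExample::GrypeSbom.validate_sbom(SbomExample::SAMPLE_SBOM).inspect
end
```

Returning an argv array and spawning without a shell is the design choice worth keeping when this lands in Gcs::Grype: the image name comes from CI variables, so building a shell string would turn a crafted `CS_IMAGE` into command injection inside the analyzer.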