Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(report): add support for SPDX #2059

Merged
merged 21 commits into from
May 2, 2022
Merged

feat(report): add support for SPDX #2059

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
21 commits
Select commit Hold shift + click to select a range
8067742
added spdx format support
ShiraCohen33 Apr 27, 2022
57a5276
combined spdx and spdx-json to the same case
ShiraCohen33 Apr 27, 2022
cede86d
delete vendor folder
ShiraCohen33 Apr 27, 2022
4f18de4
added spdx doc
ShiraCohen33 Apr 27, 2022
45c97f6
added usage information
ShiraCohen33 Apr 27, 2022
fec9bb4
fix conflict
ShiraCohen33 Apr 27, 2022
4111f0b
fix error from documentation test
ShiraCohen33 Apr 27, 2022
1de6540
added error handling
ShiraCohen33 Apr 27, 2022
ed510f0
fix linter
ShiraCohen33 Apr 27, 2022
f75604a
changed to SPDX-2.2 version
ShiraCohen33 Apr 28, 2022
04b89f1
changed package spdx identifier to hash function
ShiraCohen33 Apr 28, 2022
67e94ef
deleted result files
ShiraCohen33 Apr 28, 2022
2a292a6
checked return value fo getPackgeID function
ShiraCohen33 Apr 28, 2022
8aa0677
refactor: group imports
knqyf263 Apr 30, 2022
e2cc6de
fix spdx.md file
ShiraCohen33 May 1, 2022
2f1c81f
Merge branch 'support-spdx' of https://github.com/ShiraCohen33/trivy …
ShiraCohen33 May 1, 2022
d334a41
delete replace
ShiraCohen33 May 1, 2022
7227eb1
fix go.mod
ShiraCohen33 May 1, 2022
c49450b
refactor: use exp/slices
knqyf263 May 2, 2022
52c9edb
docs: add SPDX
knqyf263 May 2, 2022
d2e230c
test(report): fix
knqyf263 May 2, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -198,6 +198,7 @@ Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
- container image, local filesystem and remote git repository
- Supply chain security (SBOM support)
- Support CycloneDX
- Support SPDX

# Integrations
- [GitHub Actions][action]
Expand Down
1 change: 1 addition & 0 deletions docs/docs/index.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -57,6 +57,7 @@ See [Integrations][integrations] for details.
- remote git repository
- [SBOM][sbom] (Software Bill of Materials) support
- CycloneDX
- SPDX

Please see [LICENSE][license] for Trivy licensing information.

Expand Down
9 changes: 8 additions & 1 deletion docs/docs/references/cli/sbom.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,13 +7,20 @@ NAME:
USAGE:
trivy sbom [command options] ARTIFACT

DESCRIPTION:
ARTIFACT can be a container image, file path/directory, git repository or container image archive. See examples.

OPTIONS:
--output value, -o value output file name [$TRIVY_OUTPUT]
--clear-cache, -c clear image caches without scanning (default: false) [$TRIVY_CLEAR_CACHE]
--ignorefile value specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
--timeout value timeout (default: 5m0s) [$TRIVY_TIMEOUT]
--severity value, -s value severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
--offline-scan do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
--db-repository value OCI repository to retrieve trivy-db from (default: "ghcr.io/aquasecurity/trivy-db") [$TRIVY_DB_REPOSITORY]
--skip-files value specify the file paths to skip traversal (accepts multiple inputs) [$TRIVY_SKIP_FILES]
--skip-dirs value specify the directories where the traversal is skipped (accepts multiple inputs) [$TRIVY_SKIP_DIRS]
--artifact-type value, --type value input artifact type (image, fs, repo, archive) (default: "image") [$TRIVY_ARTIFACT_TYPE]
--sbom-format value, --format value SBOM format (cyclonedx) (default: "cyclonedx") [$TRIVY_SBOM_FORMAT]
--sbom-format value, --format value SBOM format (cyclonedx, spdx, spdx-json) (default: "cyclonedx") [$TRIVY_SBOM_FORMAT]
--help, -h show help (default: false)
```
5 changes: 4 additions & 1 deletion docs/docs/sbom/index.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,9 @@
# SBOM

Trivy currently supports the following SBOM formats.

- [CycloneDX][cyclonedx]
- [SPDX][spdx]

To generate SBOM, you can use the `--format` option for each subcommand such as `image` and `fs`.

Expand Down Expand Up @@ -188,4 +190,5 @@ $ trivy sbom --artifact-type repo github.com/aquasecurity/trivy-ci-test
$ trivy sbom --artifact-type archive alpine.tar
```

[cyclonedx]: cyclonedx.md
[cyclonedx]: cyclonedx.md
[spdx]: spdx.md
297 changes: 297 additions & 0 deletions docs/docs/sbom/spdx.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,297 @@
# SPDX

Trivy generates reports in the [SPDX][spdx] format.

You can use the regular subcommands (like `image`, `fs` and `rootfs`) and specify `spdx` with the `--format` option.

```
$ trivy image --format spdx --output result.spdx alpine:3.15
```

<details>
<summary>Result</summary>

```
$ cat result.spdx
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: alpine:3.15
DocumentNamespace: http://aquasecurity.github.io/trivy/container_image/alpine:3.15-bebf6b19-a94c-4e2c-af44-065f63923f48
Creator: Organization: aquasecurity
Creator: Tool: trivy
Created: 2022-04-28T07:32:57.142806Z

##### Package: zlib

PackageName: zlib
SPDXID: SPDXRef-12bc938ac028a5e1
PackageVersion: 1.2.12-r0
FilesAnalyzed: false
PackageLicenseConcluded: Zlib
PackageLicenseDeclared: Zlib

##### Package: apk-tools

PackageName: apk-tools
SPDXID: SPDXRef-26c274652190d87f
PackageVersion: 2.12.7-r3
FilesAnalyzed: false
PackageLicenseConcluded: GPL-2.0-only
PackageLicenseDeclared: GPL-2.0-only

##### Package: libretls

PackageName: libretls
SPDXID: SPDXRef-2b021966d19a8211
PackageVersion: 3.3.4-r3
FilesAnalyzed: false
PackageLicenseConcluded: ISC AND (BSD-3-Clause OR MIT)
PackageLicenseDeclared: ISC AND (BSD-3-Clause OR MIT)

##### Package: busybox

PackageName: busybox
SPDXID: SPDXRef-317ce3476703f20d
PackageVersion: 1.34.1-r5
FilesAnalyzed: false
PackageLicenseConcluded: GPL-2.0-only
PackageLicenseDeclared: GPL-2.0-only

##### Package: libcrypto1.1

PackageName: libcrypto1.1
SPDXID: SPDXRef-34f407fb4dbd67f4
PackageVersion: 1.1.1n-r0
FilesAnalyzed: false
PackageLicenseConcluded: OpenSSL
PackageLicenseDeclared: OpenSSL

##### Package: libc-utils

PackageName: libc-utils
SPDXID: SPDXRef-4bbc1cb449d54083
PackageVersion: 0.7.2-r3
FilesAnalyzed: false
PackageLicenseConcluded: BSD-2-Clause AND BSD-3-Clause
PackageLicenseDeclared: BSD-2-Clause AND BSD-3-Clause

##### Package: alpine-keys

PackageName: alpine-keys
SPDXID: SPDXRef-a3bdd174be1456b6
PackageVersion: 2.4-r1
FilesAnalyzed: false
PackageLicenseConcluded: MIT
PackageLicenseDeclared: MIT

##### Package: ca-certificates-bundle

PackageName: ca-certificates-bundle
SPDXID: SPDXRef-ac6472ba26fb991c
PackageVersion: 20211220-r0
FilesAnalyzed: false
PackageLicenseConcluded: MPL-2.0 AND MIT
PackageLicenseDeclared: MPL-2.0 AND MIT

##### Package: libssl1.1

PackageName: libssl1.1
SPDXID: SPDXRef-b2d1b1d70fe90f7d
PackageVersion: 1.1.1n-r0
FilesAnalyzed: false
PackageLicenseConcluded: OpenSSL
PackageLicenseDeclared: OpenSSL

##### Package: scanelf

PackageName: scanelf
SPDXID: SPDXRef-c617077ba6649520
PackageVersion: 1.3.3-r0
FilesAnalyzed: false
PackageLicenseConcluded: GPL-2.0-only
PackageLicenseDeclared: GPL-2.0-only

##### Package: musl

PackageName: musl
SPDXID: SPDXRef-ca80b810029cde0e
PackageVersion: 1.2.2-r7
FilesAnalyzed: false
PackageLicenseConcluded: MIT
PackageLicenseDeclared: MIT

##### Package: alpine-baselayout

PackageName: alpine-baselayout
SPDXID: SPDXRef-d782e64751ba9faa
PackageVersion: 3.2.0-r18
FilesAnalyzed: false
PackageLicenseConcluded: GPL-2.0-only
PackageLicenseDeclared: GPL-2.0-only

##### Package: musl-utils

PackageName: musl-utils
SPDXID: SPDXRef-e5e8a237f6162e22
PackageVersion: 1.2.2-r7
FilesAnalyzed: false
PackageLicenseConcluded: MIT BSD GPL2+
PackageLicenseDeclared: MIT BSD GPL2+

##### Package: ssl_client

PackageName: ssl_client
SPDXID: SPDXRef-fdf0ce84f6337be4
PackageVersion: 1.34.1-r5
FilesAnalyzed: false
PackageLicenseConcluded: GPL-2.0-only
PackageLicenseDeclared: GPL-2.0-only
```

</details>

SPDX-JSON format is also supported by using `spdx-json` with the `--format` option.

```
$ trivy image --format spdx-json --output result.spdx.json alpine:3.15
```

<details>
<summary>Result</summary>

```
$ cat result.spdx.json | jq .
{
"SPDXID": "SPDXRef-DOCUMENT",
"creationInfo": {
"created": "2022-04-28T08:16:55.328255Z",
"creators": [
"Tool: trivy",
"Organization: aquasecurity"
]
},
"dataLicense": "CC0-1.0",
"documentNamespace": "http://aquasecurity.github.io/trivy/container_image/alpine:3.15-d9549e3a-a4c5-4ee3-8bde-8c78d451fbe7",
"name": "alpine:3.15",
"packages": [
{
"SPDXID": "SPDXRef-12bc938ac028a5e1",
"filesAnalyzed": false,
"licenseConcluded": "Zlib",
"licenseDeclared": "Zlib",
"name": "zlib",
"versionInfo": "1.2.12-r0"
},
{
"SPDXID": "SPDXRef-26c274652190d87f",
"filesAnalyzed": false,
"licenseConcluded": "GPL-2.0-only",
"licenseDeclared": "GPL-2.0-only",
"name": "apk-tools",
"versionInfo": "2.12.7-r3"
},
{
"SPDXID": "SPDXRef-2b021966d19a8211",
"filesAnalyzed": false,
"licenseConcluded": "ISC AND (BSD-3-Clause OR MIT)",
"licenseDeclared": "ISC AND (BSD-3-Clause OR MIT)",
"name": "libretls",
"versionInfo": "3.3.4-r3"
},
{
"SPDXID": "SPDXRef-317ce3476703f20d",
"filesAnalyzed": false,
"licenseConcluded": "GPL-2.0-only",
"licenseDeclared": "GPL-2.0-only",
"name": "busybox",
"versionInfo": "1.34.1-r5"
},
{
"SPDXID": "SPDXRef-34f407fb4dbd67f4",
"filesAnalyzed": false,
"licenseConcluded": "OpenSSL",
"licenseDeclared": "OpenSSL",
"name": "libcrypto1.1",
"versionInfo": "1.1.1n-r0"
},
{
"SPDXID": "SPDXRef-4bbc1cb449d54083",
"filesAnalyzed": false,
"licenseConcluded": "BSD-2-Clause AND BSD-3-Clause",
"licenseDeclared": "BSD-2-Clause AND BSD-3-Clause",
"name": "libc-utils",
"versionInfo": "0.7.2-r3"
},
{
"SPDXID": "SPDXRef-a3bdd174be1456b6",
"filesAnalyzed": false,
"licenseConcluded": "MIT",
"licenseDeclared": "MIT",
"name": "alpine-keys",
"versionInfo": "2.4-r1"
},
{
"SPDXID": "SPDXRef-ac6472ba26fb991c",
"filesAnalyzed": false,
"licenseConcluded": "MPL-2.0 AND MIT",
"licenseDeclared": "MPL-2.0 AND MIT",
"name": "ca-certificates-bundle",
"versionInfo": "20211220-r0"
},
{
"SPDXID": "SPDXRef-b2d1b1d70fe90f7d",
"filesAnalyzed": false,
"licenseConcluded": "OpenSSL",
"licenseDeclared": "OpenSSL",
"name": "libssl1.1",
"versionInfo": "1.1.1n-r0"
},
{
"SPDXID": "SPDXRef-c617077ba6649520",
"filesAnalyzed": false,
"licenseConcluded": "GPL-2.0-only",
"licenseDeclared": "GPL-2.0-only",
"name": "scanelf",
"versionInfo": "1.3.3-r0"
},
{
"SPDXID": "SPDXRef-ca80b810029cde0e",
"filesAnalyzed": false,
"licenseConcluded": "MIT",
"licenseDeclared": "MIT",
"name": "musl",
"versionInfo": "1.2.2-r7"
},
{
"SPDXID": "SPDXRef-d782e64751ba9faa",
"filesAnalyzed": false,
"licenseConcluded": "GPL-2.0-only",
"licenseDeclared": "GPL-2.0-only",
"name": "alpine-baselayout",
"versionInfo": "3.2.0-r18"
},
{
"SPDXID": "SPDXRef-e5e8a237f6162e22",
"filesAnalyzed": false,
"licenseConcluded": "MIT BSD GPL2+",
"licenseDeclared": "MIT BSD GPL2+",
"name": "musl-utils",
"versionInfo": "1.2.2-r7"
},
{
"SPDXID": "SPDXRef-fdf0ce84f6337be4",
"filesAnalyzed": false,
"licenseConcluded": "GPL-2.0-only",
"licenseDeclared": "GPL-2.0-only",
"name": "ssl_client",
"versionInfo": "1.34.1-r5"
}
],
"spdxVersion": "SPDX-2.2"
}
```

</details>

[spdx]: https://spdx.dev/wp-content/uploads/sites/41/2020/08/SPDX-specification-2-2.pdf
3 changes: 3 additions & 0 deletions go.mod
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -156,6 +156,7 @@ require (
github.com/sergi/go-diff v1.1.0 // indirect
github.com/shopspring/decimal v1.2.0 // indirect
github.com/sirupsen/logrus v1.8.1 // indirect
github.com/spdx/tools-golang v0.3.0
github.com/spf13/cast v1.4.1 // indirect
github.com/stretchr/objx v0.3.0 // indirect
github.com/tmccombs/hcl2json v0.3.4 // indirect
Expand Down Expand Up @@ -199,5 +200,7 @@ require (
sigs.k8s.io/yaml v1.3.0 // indirect
)

require github.com/mitchellh/hashstructure/v2 v2.0.2

// To resolve CVE-2022-23648
replace github.com/containerd/containerd v1.5.9 => github.com/containerd/containerd v1.5.10
5 changes: 5 additions & 0 deletions go.sum
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1124,6 +1124,8 @@ github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQ
github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0=
github.com/mitchellh/gox v0.4.0/go.mod h1:Sd9lOJ0+aimLBi73mGofS1ycjY8lL3uZM3JPS42BGNg=
github.com/mitchellh/hashstructure v1.0.0/go.mod h1:QjSHrPWS+BGUVBYkbTZWEnOh3G1DutKwClXU/ABz6AQ=
github.com/mitchellh/hashstructure/v2 v2.0.2 h1:vGKWl0YJqUNxE8d+h8f6NJLcCJrgbhC4NcD46KavDd4=
github.com/mitchellh/hashstructure/v2 v2.0.2/go.mod h1:MG3aRVU/N29oo/V/IhBX8GR/zz4kQkprJgF2EVszyDE=
github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY=
github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
Expand Down Expand Up @@ -1393,6 +1395,9 @@ github.com/sourcegraph/go-diff v0.5.1/go.mod h1:j2dHj3m8aZgQO8lMTcTnBcXkRRRqi34c
github.com/sourcegraph/go-diff v0.5.3/go.mod h1:v9JDtjCE4HHHCZGId75rg8gkKKa98RVjBcBGsVmMmak=
github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
github.com/spaolacci/murmur3 v1.1.0/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
github.com/spdx/gordf v0.0.0-20201111095634-7098f93598fb/go.mod h1:uKWaldnbMnjsSAXRurWqqrdyZen1R7kxl8TkmWk2OyM=
github.com/spdx/tools-golang v0.3.0 h1:rtm+DHk3aAt74Fh0Wgucb4pCxjXV8SqHCPEb2iBd30k=
github.com/spdx/tools-golang v0.3.0/go.mod h1:RO4Y3IFROJnz+43JKm1YOrbtgQNljW4gAPpA/sY2eqo=
github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
github.com/spf13/afero v1.6.0/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I=
Expand Down
Loading