Add Trivy SBOM scan for wave build containers #489

Open
munishchouhan opened this issue May 6, 2024 · 12 comments
@munishchouhan (Member)

From @ewels:
Seeing more and more people ask about SBOM documents for pipelines / containers (software bill of materials). It looks like Trivy can generate SBOMs. Is this something that we could get Wave to do automatically for every build? Then host it the same way that we do for the security scan results?
https://www.aquasec.com/blog/software-supply-chain-security-trivy-sbom/

@pditommaso (Collaborator)

Likely this can be implemented following the same "pattern" as for the build logs:

  1. the command for the creation of the SBOM is included in the job carrying out the Trivy scan
  2. when the scan completes, the SBOM file is collected and uploaded to a bucket, similarly to a log
  3. the endpoint /builds/{id}/sbom is added to retrieve the SBOM content, similar to the logs one

@munishchouhan (Member Author) commented Jun 27, 2024

Working on this issue now, getting an error with the sbom command; researching that:

[Screenshot 2024-06-27 at 19 48 36]

@pditommaso (Collaborator)

Depends on #602

@pditommaso (Collaborator)

Does this require a separate job, or can it be done along with the scan?

@munishchouhan (Member Author) commented Sep 12, 2024

> Does this require a separate job, or can it be done along with the scan?

We can use the existing scan job.
We need to add the --list-all-pkgs flag to our existing scan command, which will also add the SBOM to the output JSON.

@munishchouhan (Member Author)

Like this:

```shell
docker run --rm aquasec/trivy:0.55.0 -q image --format json --list-all-pkgs ubuntu:20.04
```

It will have a new Packages section, which will contain:

```json
"Results": [
    {
      "Target": "ubuntu:20.04 (ubuntu 20.04)",
      "Class": "os-pkgs",
      "Type": "ubuntu",
      "Packages": [
        {
          "ID": "adduser@3.118ubuntu2",
          "Name": "adduser",
          "Identifier": {
            "PURL": "pkg:deb/ubuntu/adduser@3.118ubuntu2?arch=all\u0026distro=ubuntu-20.04",
            "UID": "5122302fc4653274"
          },
          "Version": "3.118ubuntu2",
          "Arch": "all",
          "SrcName": "adduser",
          "SrcVersion": "3.118ubuntu2",
          "Licenses": [
            "GPL-2.0"
          ],
          "Maintainer": "Ubuntu Core Developers \u003c[email protected]\u003e",
          "DependsOn": [
            "[email protected]",
            "passwd@1:4.8.1-1ubuntu5.20.04.5"
          ],
```
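
As an added example (not code from this thread or from the Wave project): a small Python script that reads a Trivy JSON report produced with --list-all-pkgs, flattens the Packages sections into a package inventory, joins the Vulnerabilities entries to their packages via PkgID, and flags vulnerability entries whose PkgID has no inventory entry. The report embedded in the script is constructed to mirror the fragment above; the second package, its vulnerability entry and the id EXAMPLE-0001 are placeholders, not real scanner output.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of `trivy image --format json --list-all-pkgs` output,
# modelled on the fragment posted above. It is NOT real scanner output: the second package,
# its vulnerability entry and the id EXAMPLE-0001 are placeholders added to exercise the join.
SAMPLE_REPORT = json.loads(r'''
{
  "SchemaVersion": 2,
  "ArtifactName": "ubuntu:20.04",
  "ArtifactType": "container_image",
  "Results": [
    {
      "Target": "ubuntu:20.04 (ubuntu 20.04)",
      "Class": "os-pkgs",
      "Type": "ubuntu",
      "Packages": [
        {
          "ID": "adduser@3.118ubuntu2",
          "Name": "adduser",
          "Identifier": {"PURL": "pkg:deb/ubuntu/adduser@3.118ubuntu2?arch=all\u0026distro=ubuntu-20.04"},
          "Version": "3.118ubuntu2",
          "Arch": "all",
          "Licenses": ["GPL-2.0"]
        },
        {
          "ID": "examplepkg@1.0-1",
          "Name": "examplepkg",
          "Identifier": {"PURL": "pkg:deb/ubuntu/examplepkg@1.0-1?arch=amd64\u0026distro=ubuntu-20.04"},
          "Version": "1.0-1",
          "Arch": "amd64",
          "Licenses": ["MIT"]
        }
      ],
      "Vulnerabilities": [
        {
          "VulnerabilityID": "EXAMPLE-0001",
          "PkgID": "examplepkg@1.0-1",
          "PkgName": "examplepkg",
          "InstalledVersion": "1.0-1",
          "FixedVersion": "1.0-2",
          "Severity": "HIGH"
        }
      ]
    }
  ]
}
''')


def has_full_inventory(report):
    """True when every Result carries a Packages list.

    Packages can be absent or partial when the scan ran without --list-all-pkgs,
    in which case the report is not usable as an SBOM.
    """
    results = report.get("Results") or []
    return bool(results) and all("Packages" in r for r in results)


def packages(report):
    """Flatten every Packages entry into a plain inventory record."""
    inventory = []
    for result in report.get("Results") or []:
        for pkg in result.get("Packages") or []:
            inventory.append({
                "target": result.get("Target"),
                "class": result.get("Class"),
                "id": pkg.get("ID"),
                "name": pkg.get("Name"),
                "version": pkg.get("Version"),
                "purl": (pkg.get("Identifier") or {}).get("PURL"),
                "licenses": pkg.get("Licenses") or [],
            })
    return inventory


def vulnerabilities_by_package(report):
    """Join Vulnerabilities to Packages via PkgID.

    Returns (joined, orphans): joined maps PkgID -> [(vuln id, severity, fixed version)];
    orphans lists vulnerability ids whose PkgID has no Packages entry, which indicates
    an incomplete inventory (or a report assembled from different scans).
    """
    known = {p["id"] for p in packages(report)}
    joined = defaultdict(list)
    orphans = []
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            pkg_id = vuln.get("PkgID")
            if pkg_id not in known:
                orphans.append(vuln.get("VulnerabilityID"))
                continue
            joined[pkg_id].append(
                (vuln.get("VulnerabilityID"), vuln.get("Severity"), vuln.get("FixedVersion"))
            )
    return dict(joined), orphans


if __name__ == "__main__":
    print("complete inventory:", has_full_inventory(SAMPLE_REPORT))
    for p in packages(SAMPLE_REPORT):
        print(p["purl"], p["licenses"])
    joined, orphans = vulnerabilities_by_package(SAMPLE_REPORT)
    print(joined, "orphans:", orphans)
```

The orphan check is the one worth keeping in a pipeline: if a vulnerability references a PkgID that the inventory does not know, the SBOM and the scan result were not produced from the same scan, or the inventory is incomplete, and the SBOM should not be published as the record of that build.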

@pditommaso (Collaborator)

Nice. @ewels, is this what you were expecting?

@munishchouhan (Member Author)

There are two main industry standards for SBOMs:

  1. Software Package Data Exchange (SPDX and SPDX Lite), an ISO standard hosted by the Linux Foundation, which outlines the components, licenses, and copyrights associated with a software package.
  2. CycloneDX, an open source, lightweight SBOM standard, which is used in application security and supply chain analysis and originated from the Open Web Application Security Project (OWASP).

@pditommaso (Collaborator)

Can both of them be created with the same scan command?

@munishchouhan (Member Author) commented Sep 12, 2024

> Can both of them be created with the same scan command?

No, we need to provide the specific format for it.
In the case of CycloneDX, we get vulnerabilities too, but not in the case of SPDX.

If we want SPDX, then we need two jobs.

There is a PR which adds support for the security scan in SPDX, but I don't see it in the results:
aquasecurity/trivy#7213

Examples:

  1. CycloneDX

```shell
docker run --rm aquasec/trivy:0.55.0 -q image --format cyclonedx --list-all-pkgs --scanners vuln ubuntu:20.04
```

  2. SPDX

```shell
docker run --rm aquasec/trivy:0.55.0 -q image --format spdx --list-all-pkgs --scanners vuln ubuntu:20.04
docker run --rm aquasec/trivy:0.55.0 -q image --format spdx-json --list-all-pkgs --scanners vuln ubuntu:20.04
```

@munishchouhan (Member Author)

Correction: SPDX also contains vulnerabilities, but the format is different:

```json
"externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:deb/ubuntu/[email protected]?arch=amd64\u0026distro=ubuntu-24.04"
        },
        {
          "referenceCategory": "SECURITY",
          "referenceType": "advisory",
          "referenceLocator": "https://avd.aquasec.com/nvd/cve-2016-20013"
        }
      ],
```
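
To make the difference in shape concrete, an added example (not from this thread or the Wave code base): a Python script that extracts the same package-to-vulnerability mapping from both formats. In SPDX JSON the advisory hangs off each package as a SECURITY/advisory externalRef next to its purl, as in the fragment above; in CycloneDX JSON vulnerabilities live in a top-level `vulnerabilities` array whose `affects[].ref` entries point at component `bom-ref`s. Both documents in the script are constructed: the package names and bom-ref values are placeholders, and the only advisory is the CVE-2016-20013 link shown above, attached here to an invented package.

```python
import json

# Constructed SPDX 2.3 JSON document in the shape shown above (trivy --format spdx-json).
# Only the fields used here are included. Package names are placeholders; the advisory
# link is the one from the fragment above, attached to an invented package.
SAMPLE_SPDX = json.loads(r'''
{
  "spdxVersion": "SPDX-2.3",
  "name": "example:latest",
  "packages": [
    {
      "name": "examplelib",
      "SPDXID": "SPDXRef-Package-1",
      "versionInfo": "2.0-1",
      "externalRefs": [
        {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
         "referenceLocator": "pkg:deb/ubuntu/examplelib@2.0-1?arch=amd64&distro=ubuntu-24.04"},
        {"referenceCategory": "SECURITY", "referenceType": "advisory",
         "referenceLocator": "https://avd.aquasec.com/nvd/cve-2016-20013"}
      ]
    },
    {
      "name": "cleanpkg",
      "SPDXID": "SPDXRef-Package-2",
      "versionInfo": "1.0",
      "externalRefs": [
        {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
         "referenceLocator": "pkg:deb/ubuntu/cleanpkg@1.0?arch=amd64&distro=ubuntu-24.04"}
      ]
    }
  ]
}
''')

# Constructed CycloneDX JSON document for the same two packages (trivy --format cyclonedx).
# Vulnerabilities sit in a top-level array; affects[].ref points at a component bom-ref.
# The bom-ref values are placeholders chosen to equal the purl.
SAMPLE_CYCLONEDX = json.loads(r'''
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"bom-ref": "pkg:deb/ubuntu/examplelib@2.0-1?arch=amd64&distro=ubuntu-24.04",
     "type": "library", "name": "examplelib", "version": "2.0-1",
     "purl": "pkg:deb/ubuntu/examplelib@2.0-1?arch=amd64&distro=ubuntu-24.04"},
    {"bom-ref": "pkg:deb/ubuntu/cleanpkg@1.0?arch=amd64&distro=ubuntu-24.04",
     "type": "library", "name": "cleanpkg", "version": "1.0",
     "purl": "pkg:deb/ubuntu/cleanpkg@1.0?arch=amd64&distro=ubuntu-24.04"}
  ],
  "vulnerabilities": [
    {"id": "CVE-2016-20013",
     "affects": [{"ref": "pkg:deb/ubuntu/examplelib@2.0-1?arch=amd64&distro=ubuntu-24.04"}]}
  ]
}
''')


def advisory_id(locator):
    """Derive a vulnerability id from an advisory URL such as .../nvd/cve-2016-20013."""
    return locator.rstrip("/").rsplit("/", 1)[-1].upper()


def spdx_vulns_by_purl(doc):
    """Map purl -> sorted advisory ids, reading per-package externalRefs.

    Packages without a purl externalRef (e.g. the root image package) are skipped.
    """
    out = {}
    for pkg in doc.get("packages") or []:
        purl, advisories = None, []
        for ref in pkg.get("externalRefs") or []:
            if ref.get("referenceCategory") == "PACKAGE-MANAGER" and ref.get("referenceType") == "purl":
                purl = ref.get("referenceLocator")
            elif ref.get("referenceCategory") == "SECURITY" and ref.get("referenceType") == "advisory":
                advisories.append(advisory_id(ref.get("referenceLocator", "")))
        if purl:
            out[purl] = sorted(advisories)
    return out


def cyclonedx_vulns_by_purl(bom):
    """Map purl -> sorted vulnerability ids by resolving affects[].ref through bom-ref."""
    ref_to_purl = {c.get("bom-ref"): c.get("purl") for c in bom.get("components") or []}
    out = {purl: [] for purl in ref_to_purl.values() if purl}
    for vuln in bom.get("vulnerabilities") or []:
        for target in vuln.get("affects") or []:
            purl = ref_to_purl.get(target.get("ref"))
            if purl is not None:  # refs to unknown components are ignored
                out[purl].append(vuln.get("id"))
    return {purl: sorted(ids) for purl, ids in out.items()}


def same_findings(spdx_doc, cdx_bom):
    """True when both documents report the same vulnerabilities for the same purls."""
    return spdx_vulns_by_purl(spdx_doc) == cyclonedx_vulns_by_purl(cdx_bom)


if __name__ == "__main__":
    print(spdx_vulns_by_purl(SAMPLE_SPDX))
    print(cyclonedx_vulns_by_purl(SAMPLE_CYCLONEDX))
    print("same findings:", same_findings(SAMPLE_SPDX, SAMPLE_CYCLONEDX))
```

Keying both views on the purl is what lets a consumer compare an SBOM published in one format against a scan published in the other; package names alone are ambiguous across distros and architectures.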

@ewels (Member) commented Sep 16, 2024

Any idea what other services provide? E.g. Docker / Quay etc.? Could do worse than comparing ourselves against them.
