mchmarny / vimp Goto Github PK

For consistency and to make it compatible with crane and the scanners we should remove schema from the image uri if provided.

Hey cool idea.

i was giving it a go and am trying to run it before pushing to oci and i was able to get this going via

#!/bin/bash
IMAGE_TAG=$1
SNYK_TOKEN=$2

echo "Started scanning images"

echo "Running snyk image scan"
SNYK_TOKEN=${SNYK_TOKEN} snyk container test --app-vulns --json-file-output=${TMPDIR}/${IMAGE_TAG}-report_snyk.json  ${IMAGE_TAG}

echo "Running trivy image scan"
trivy image --scanners vuln --format json --output ${TMPDIR}/${IMAGE_TAG}-report_trivy.json ${IMAGE_TAG}

echo "Running grype image scan"
grype --add-cpes-if-none -s AllLayers -o json --file ${TMPDIR}/${IMAGE_TAG}-report_grype.json ${IMAGE_TAG} 

echo "importing"
IMAGE_SHA=$(docker images --no-trunc --quiet ${IMAGE_TAG})
vimp import --source ${IMAGE_TAG}@${IMAGE_SHA} --file ${TMPDIR}/${IMAGE_TAG}-report_snyk.json
vimp import --source ${IMAGE_TAG}@${IMAGE_SHA} --file ${TMPDIR}/${IMAGE_TAG}-report_grype.json 
vimp import --source ${IMAGE_TAG}@${IMAGE_SHA} --file ${TMPDIR}/${IMAGE_TAG}-report_trivy.json 

vimp query --image ${IMAGE_TAG}@${IMAGE_SHA} 

echo "Finished scanning images"
vulnerabilities=$(vimp query --image ${IMAGE_TAG}@${IMAGE_SHA} | jq '.exposures|length')
if [[ $vulnerabilities -gt 0 ]]; then
    echo "Found $vulnerabilities vulnerabilities"
    exit 1;
fi

my question is when i see the output of grype i see it detects issues but these dont see to end up in the combined dump?

Is it just that there is additional filtering occurring somewhere and most of these are things we probably dont care about? or is this a bug.

Looking at the source i see it should scream at me aslong as the items have the keys "vulnerabilities" and "artifacts". which the first couple i checked did.

I tried the example image (redis) and i do see results for grype in the combined result.

I also tried an image on my registry (a simple vimp import --image) and grype behaved the same as my force local attempt which makes me think there's just some sort of filtering going on i'm not understanding

Thanks!

Will default to OS

Currently osv-scanner only returns vulnerabilities found in base image (Debian and Alpine)

https://google.github.io/osv-scanner/usage/#scanning-a-debian-based-docker-image-packages

osv-scanner --json -D docker.io/mongo@sha256:cc4522f3f5c0d3435046eb51b1d8a633d8e24d8e661b6ba127a98e5519d11bde

vulnz-container.txt

examples/cloud-build/README.md

Notes should only carry information common to all Occurrences.

Since it would be annoying/impossible to have to carry all package issues in the Notes, we should remove any package issue information in the Notes.

Diff algo uses source which makes each result diff. Remove source to compare only on severity and score.

The gcloud command seems to return only vulnerability Occurrences with notes in projects/goog-vulnz

Looks like the Google distrolless includes 9 vulns and >13MB image

ie. 8 SNYK-DEBIAN11-SYSTEMD-3111119, CVE-2022-3821

Is there a difference between the 8 that I am missing?

• Not all CVSS v3 fields are currently being populated
• Make sure CVSS and CVSS v3 fields are not being cross contaminated

If no file is provided, detect the install scanners and automatically scan the image. Provide --scanners flag to allow for more granular opt-in selection.

Do each instance in matchDetails need to be converted into separate occurrences?