mchmarny / vimp
Compare data from multiple vulnerability scanners to get a more complete picture of potential exposures.
License: Apache License 2.0
For consistency, and to make it compatible with crane and the scanners, we should remove the schema from the image URI if provided.
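The normalization described in that issue, written as an added example rather than vimp's own code. The helper name `NormalizeImageRef`, the list of scheme prefixes it strips, and the rejection of query or fragment characters are assumptions made for this example; the result is a bare reference of the kind crane and the scanners accept.

```go
package main

import (
	"fmt"
	"strings"
)

// schemePrefixes lists the URI schemes this example strips. The set is an
// assumption for the example, not something vimp defines.
var schemePrefixes = []string{"https://", "http://", "oci://", "docker://"}

// NormalizeImageRef trims whitespace, removes a leading scheme (case-insensitively)
// and trailing slashes, and rejects anything that still looks like a URL rather
// than an image reference. Hypothetical helper, not part of vimp.
func NormalizeImageRef(uri string) (string, error) {
	ref := strings.TrimSpace(uri)
	lower := strings.ToLower(ref)
	for _, p := range schemePrefixes {
		// prefixes are ASCII, so lower-casing does not change their length
		if strings.HasPrefix(lower, p) {
			ref = ref[len(p):]
			break
		}
	}
	ref = strings.TrimRight(ref, "/")
	if ref == "" {
		return "", fmt.Errorf("empty image reference after normalization: %q", uri)
	}
	// registries never accept query strings or fragments in a reference
	if strings.ContainsAny(ref, "?#") {
		return "", fmt.Errorf("unsupported characters in image reference: %q", uri)
	}
	return ref, nil
}

func main() {
	// constructed sample inputs
	for _, in := range []string{
		"https://docker.io/library/redis:7",
		"OCI://ghcr.io/org/app@sha256:0123/",
		"ghcr.io/org/app:latest",
		"https://",
	} {
		out, err := NormalizeImageRef(in)
		fmt.Printf("%-40s -> %q err=%v\n", in, out, err)
	}
}
```

The scheme is matched case-insensitively but the rest of the reference is returned unchanged, because the repository path and tag can be case-sensitive on some registries.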
Hey, cool idea.
I was giving it a go and am trying to run it before pushing to OCI, and I was able to get this going via
```bash
#!/bin/bash
# Usage: scan.sh <image:tag> <snyk-token>
IMAGE_TAG=$1
SNYK_TOKEN=$2
# TMPDIR is not set on every system; fall back to /tmp
TMPDIR="${TMPDIR:-/tmp}"
# image references contain '/' and ':' which are not safe in file names
SAFE_TAG=$(printf '%s' "${IMAGE_TAG}" | tr '/:@' '___')
echo "Started scanning images"
echo "Running snyk image scan"
SNYK_TOKEN="${SNYK_TOKEN}" snyk container test --app-vulns --json-file-output="${TMPDIR}/${SAFE_TAG}-report_snyk.json" "${IMAGE_TAG}"
echo "Running trivy image scan"
trivy image --scanners vuln --format json --output "${TMPDIR}/${SAFE_TAG}-report_trivy.json" "${IMAGE_TAG}"
echo "Running grype image scan"
grype --add-cpes-if-none -s AllLayers -o json --file "${TMPDIR}/${SAFE_TAG}-report_grype.json" "${IMAGE_TAG}"
echo "importing"
# local image ID (sha256:...) as reported by the docker daemon, used as the digest part of the source reference
IMAGE_SHA=$(docker images --no-trunc --quiet "${IMAGE_TAG}")
vimp import --source "${IMAGE_TAG}@${IMAGE_SHA}" --file "${TMPDIR}/${SAFE_TAG}-report_snyk.json"
vimp import --source "${IMAGE_TAG}@${IMAGE_SHA}" --file "${TMPDIR}/${SAFE_TAG}-report_grype.json"
vimp import --source "${IMAGE_TAG}@${IMAGE_SHA}" --file "${TMPDIR}/${SAFE_TAG}-report_trivy.json"
vimp query --image "${IMAGE_TAG}@${IMAGE_SHA}"
echo "Finished scanning images"
# gate the pipeline on the number of combined exposures
vulnerabilities=$(vimp query --image "${IMAGE_TAG}@${IMAGE_SHA}" | jq '.exposures|length')
if [[ ${vulnerabilities:-0} -gt 0 ]]; then
  echo "Found ${vulnerabilities} vulnerabilities"
  exit 1
fi
```
My question is: when I look at the output of grype, I see it detects issues, but these don't seem to end up in the combined dump?
Is it just that there is additional filtering occurring somewhere and most of these are things we probably don't care about? Or is this a bug?
Looking at the source, I see it should scream at me as long as the items have the keys "vulnerabilities" and "artifacts", which the first couple I checked did.
I tried the example image (redis) and I do see results for grype in the combined result.
I also tried an image on my registry (a simple vimp import --image ) and grype behaved the same as my force-local attempt, which makes me think there's just some sort of filtering going on that I'm not understanding.
Thanks!
Will default to OS
Currently osv-scanner only returns vulnerabilities found in the base image (Debian and Alpine)
https://google.github.io/osv-scanner/usage/#scanning-a-debian-based-docker-image-packages
osv-scanner --json -D docker.io/mongo@sha256:cc4522f3f5c0d3435046eb51b1d8a633d8e24d8e661b6ba127a98e5519d11bde
examples/cloud-build/README.md
Notes should only carry information common to all Occurrences.
Since it would be annoying/impossible to have to carry all package issues in the Notes, we should remove any package-issue information from the Notes.
Diff algo uses source, which makes each result differ. Remove source to compare only on severity and score.
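The comparison that issue asks for, as an added example in Go that is not vimp's own diff code. The `Exposure` record shape, the `DiffBySeverityAndScore` and `CountDistinctWithSource` helpers and the sample findings are all constructed for this example; CVE-2022-3821 is the identifier mentioned elsewhere in this thread, CVE-0000-EXAMPLE is a placeholder, and the scores are made up. It groups findings by vulnerability ID, compares only severity and score, and shows for contrast how keying on the source makes every record unique.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Exposure is a simplified, constructed record of one scanner finding.
// The field names are assumptions for this example, not vimp's own types.
type Exposure struct {
	Source   string  // scanner that reported it, e.g. "grype"
	ID       string  // vulnerability identifier
	Severity string  // e.g. "HIGH"
	Score    float64 // CVSS base score
}

// Assessment is the part of a finding that is compared across scanners.
// Source is deliberately absent: keying on it would make every record unique,
// so the diff would flag everything as different.
type Assessment struct {
	Severity string
	Score    float64
}

// Disagreement records, for one vulnerability ID, each distinct assessment
// and the sources that reported it.
type Disagreement struct {
	ID          string
	Assessments map[Assessment][]string
}

// DiffBySeverityAndScore groups findings by ID and returns only the IDs on which
// scanners disagree about severity or score, sorted by ID for stable output.
func DiffBySeverityAndScore(findings []Exposure) []Disagreement {
	byID := map[string]map[Assessment][]string{}
	for _, f := range findings {
		// normalize severity casing so "medium" and "MEDIUM" compare equal
		a := Assessment{Severity: strings.ToUpper(strings.TrimSpace(f.Severity)), Score: f.Score}
		if byID[f.ID] == nil {
			byID[f.ID] = map[Assessment][]string{}
		}
		byID[f.ID][a] = append(byID[f.ID][a], f.Source)
	}
	var out []Disagreement
	for id, m := range byID {
		if len(m) < 2 {
			continue // every scanner agrees on this ID
		}
		for _, srcs := range m {
			sort.Strings(srcs)
		}
		out = append(out, Disagreement{ID: id, Assessments: m})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].ID < out[j].ID })
	return out
}

// CountDistinctWithSource shows the behaviour the issue describes: once source is
// part of the key, every finding is its own entry and nothing ever matches.
func CountDistinctWithSource(findings []Exposure) int {
	type key struct {
		Source, ID, Severity string
		Score                float64
	}
	seen := map[key]struct{}{}
	for _, f := range findings {
		seen[key{f.Source, f.ID, f.Severity, f.Score}] = struct{}{}
	}
	return len(seen)
}

// SampleFindings is constructed sample data (placeholder ID and made-up scores).
var SampleFindings = []Exposure{
	{Source: "grype", ID: "CVE-2022-3821", Severity: "MEDIUM", Score: 5.5},
	{Source: "trivy", ID: "CVE-2022-3821", Severity: "medium", Score: 5.5},
	{Source: "snyk", ID: "CVE-2022-3821", Severity: "LOW", Score: 3.7},
	{Source: "grype", ID: "CVE-0000-EXAMPLE", Severity: "HIGH", Score: 7.5},
	{Source: "trivy", ID: "CVE-0000-EXAMPLE", Severity: "HIGH", Score: 7.5},
}

func main() {
	fmt.Printf("distinct entries when source is in the key: %d\n", CountDistinctWithSource(SampleFindings))
	for _, d := range DiffBySeverityAndScore(SampleFindings) {
		fmt.Printf("%s:\n", d.ID)
		for a, srcs := range d.Assessments {
			fmt.Printf("  %-8s %.1f  %v\n", a.Severity, a.Score, srcs)
		}
	}
}
```

With source in the key all five sample records are distinct, so a diff would report every one of them; with source removed only CVE-2022-3821 is reported, because snyk rates it differently from grype and trivy while the placeholder ID is rated identically by both scanners that found it.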
The gcloud command seems to return only vulnerability Occurrences with notes in projects/goog-vulnz
Looks like the Google distroless includes 9 vulns and a >13MB image
i.e. 8 SNYK-DEBIAN11-SYSTEMD-3111119, CVE-2022-3821
Is there a difference between the 8 that I am missing?
If no file is provided, detect the installed scanners and automatically scan the image. Provide a --scanners flag to allow for more granular opt-in selection.
Does each instance in matchDetails need to be converted into a separate occurrence?