Publish once-off grype-db with hardware (:h:) and platform (:o:) CPEs included
#872
Comments
|
Thanks for the report @tgagneret-embedded . This happens because we currently only load application type CPEs into the published grype databases (since we know syft and grype can't yet discover them), so there is currently no data available for it to match on. We might be able to investigate letting these flow through although I suspect it might greatly inflate the db size |
|
This is probably part of a larger discussion around supporting IoT and embedded We know we want to do this, but we also don't have a ton of data or examples to start the journey |
|
I'm not sure what you mean by 'data', but If you need some components that are widely used in embedded (MCU), I can provide you a short list for your tests ? |
|
@tgagneret-embedded Yeah, that's what I mean. If you have some examples we can look at it would be extremely helpful! |
|
You can find some components used in embedded system in the following SBOM: I hope it helps :) Thanks |
|
Hi, Is it possible to have a status on this feature ? Thanks :) |
|
Hi @tgagneret-embedded, sorry, we do not have a status update for you at this point. We will leave this issue open for tracking. In the meantime, if you are interested in working on this please feel free to join our Slack channel and we would be happy to get you pointed in the right direction. Thanks! |
|
Discussion notes: Last time we had a request to include CPEs beyond the I've add the |
|
Hi @tgagneret-embedded, we just discussed this issue on our livestream, and we have a couple updates:
Thanks! |
:h:) and platform (:o:) CPEs included
|
@willmurphyscode As we had discussed I have had with #2365 a similar conundrum. Is it possible to use the grype-db tool you mentioned to cache the database locally including o and h parts and thus circumvent the issue ? or will that new option just accept the cpe's without resolving them against the vulnerability database. Thank you for your support |
|
Is this one working as expected now that we are publishing the |
It is except there is some peculiar behaviour when feeding a bom as cyclonedx this doesnot work {
"bomFormat": "CycloneDX",
"specVersion": "1.5",
"version": 1,
"components": [
{
"type": "operating-system",
"name": "Linux Kernel",
"version": "5.15.0",
"cpe": "cpe:2.3:o:linux:linux_kernel:5.15.0:*:*:*:*:*:*:*"
}
]
}
and this works {
"bomFormat": "CycloneDX",
"specVersion": "1.5",
"version": 1,
"components": [
{
"type": "framework",
"name": "Linux Kernel",
"version": "5.15.0",
"cpe": "cpe:2.3:o:linux:linux_kernel:5.15.0:*:*:*:*:*:*:*"
}
]
}
so basically when the type is set to "framework" instead of "operating-system" it gets detected and parsed which is very peculiar. The official CycloneDX standard specifies any operating system or partial OS-Level components (like kernels) to be of the operating-system type. So there is something going on the 8000 re that is probably an implementation detail in grype . Any Insights why this is so ? |
|
@jurassicLizard -- it looks like you've opened a new issue, much appreciated! I'm going to close this one, as I think it is resolved -- please let me know if it should be reopened! |
Uh oh!
There was an error while loading. Please reload this page.
What happened:
I'm trying to use grype to search for vulnerability for an embedded project using a SBOM file (using cycloneDX specification).I add an embedded components like freeRTOS, STM32L4 firmware, ... with an associated "cpe" field since "purl" is not adapted here. Then I run grype, but it is not matching any CVE (but there are).
What you expected to happen:
Grype shoud find CVE for FreeRTOS and STM32L4.
How to reproduce it (as minimally and precisely as possible):
You can use the following SBOM file and run
grype -vv sbom:file.json.{ "bomFormat": "CycloneDX", "specVersion": "1.4", "serialNumber": "urn:uuid:8454585a-e0ad-4c8c-8721-114fd54605c6", "version": 1, "components": [ { "type": "device", "name": "stm32l4", "scope": "required", "cpe": "cpe:2.3:o:st:stm32l4_firmware:-:*:*:*:*:*:*:*" }, { "type": "firmware", "name": "stm32l4_firmware", "scope": "required", "cpe": "cpe:2.3:o:st:stm32cubel4_firmware:-:*:*:*:*:*:*:*" }, { "type": "framework", "name": "github.com/FreeRTOS/FreeRTOS-Kernel", "scope": "required", "cpe": "cpe:2.3:o:amazon:freertos:*:*:*:*:-:*:*:*" } ] }Anything else we need to know?:
Depending on "type" field, it seems that grype doesn't search for any vulnerablity, but that's not the only issue.
Environment:
Output of
grype version:[0000] INFO grype version: 0.46.0
[0000] DEBUG ├── buildDate: 2022-08-04T14:48:21Z
[0000] DEBUG ├── compiler: gc
[0000] DEBUG ├── gitCommit: c755c73
[0000] DEBUG ├── gitDescription: v0.46.0
[0000] DEBUG ├── goVersion: go1.18.4
[0000] DEBUG ├── platform: linux/amd64
[0000] DEBUG ├── syftVersion: v0.53.4
[0000] DEBUG └── version: 0.46.0
[0000] DEBUG No new grype update available
OS (e.g:
cat /etc/os-releaseor similar):ArchLinux
Thanks for the help.
The text was updated successfully, but these errors were encountered: