An introduction to SBOM and how to use syft and grype

Contents

  • SBOM introduction
  • Tools
    • syft
    • grype

SBOM introduction

An SBOM (software bill of materials) is an inventory of all software components (proprietary and open-source code), open-source licenses and dependencies in a given product. It gives visibility into the software supply chain and into any license-compliance, security and quality risks that may be present.

An SBOM helps an organization quickly identify and remediate potential security vulnerabilities, satisfy licensing requirements and apply version-control best practices.

What an SBOM should include:

  • the application's open-source libraries
  • the program's plugins, extensions and other add-ons
  • custom source code written in-house by developers
  • the version, license status and patch status of each of these components
  • automated cryptographic signing and verification of components
  • automated scanning that generates the SBOM as part of the continuous integration / continuous deployment (CI/CD) pipeline

An SBOM should use a consistent format. Popular SBOM formats are Software Package Data Exchange (SPDX), Software Identification (SWID) tags and OWASP CycloneDX. All three are standards, but the 2021 White House executive order did not mandate a particular SBOM format, and so far none of the three has become the de facto industry standard.

The value of an SBOM:

  • Software producers use SBOMs to help build and maintain the software they supply.
  • Software purchasers use SBOMs to inform pre-purchase assurance, negotiate discounts and plan deployment strategy.
  • Software operators use SBOMs to inform vulnerability management and asset management, manage licensing and compliance, and quickly identify software and component dependencies and supply-chain risk.

Example (a syft-json SBOM generated for wlclient.jar):

{
 "artifacts": [
  {
   "id": "56038ff78afaea17",
   "name": "aopalliance-repackaged",
   "version": "2.5.0-b36",
   "type": "java-archive",
   "foundBy": "java-cataloger",
   "locations": [
    {
     "path": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar"
    }
   ],
   "licenses": [],
   "language": "java",
   "cpes": [
    "cpe:2.3:a:aopalliance-repackaged:aopalliance-repackaged:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:aopalliance-repackaged:aopalliance_repackaged:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:aopalliance_repackaged:aopalliance-repackaged:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:aopalliance_repackaged:aopalliance_repackaged:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:aopalliance:aopalliance-repackaged:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:aopalliance:aopalliance_repackaged:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish:aopalliance-repackaged:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish:aopalliance_repackaged:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:external:aopalliance-repackaged:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:external:aopalliance_repackaged:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:hk2:aopalliance-repackaged:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:hk2:aopalliance_repackaged:2.5.0-b36:*:*:*:*:*:*:*"
   ],
   "purl": "pkg:maven/org.glassfish.hk2.external/aopalliance-repackaged@2.5.0-b36",
   "metadataType": "JavaMetadata",
   "metadata": {
    "virtualPath": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar:aopalliance-repackaged",
    "pomProperties": {
     "path": "META-INF/maven/org.glassfish.hk2.external/aopalliance-repackaged/pom.properties",
     "name": "",
     "groupId": "org.glassfish.hk2.external",
     "artifactId": "aopalliance-repackaged",
     "version": "2.5.0-b36"
    }
   }
  },
  {
   "id": "a5067ebc30eb2e85",
   "name": "glassfish-corba-internal-api",
   "version": "4.1.1-b001",
   "type": "java-archive",
   "foundBy": "java-cataloger",
   "locations": [
    {
     "path": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar"
    }
   ],
   "licenses": [],
   "language": "java",
   "cpes": [
    "cpe:2.3:a:glassfish-corba-internal-api:glassfish-corba-internal-api:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish-corba-internal-api:glassfish_corba_internal_api:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish_corba_internal_api:glassfish-corba-internal-api:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish_corba_internal_api:glassfish_corba_internal_api:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish-corba-internal:glassfish-corba-internal-api:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish-corba-internal:glassfish_corba_internal_api:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish_corba_internal:glassfish-corba-internal-api:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish_corba_internal:glassfish_corba_internal_api:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish-corba:glassfish-corba-internal-api:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish-corba:glassfish_corba_internal_api:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish_corba:glassfish-corba-internal-api:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish_corba:glassfish_corba_internal_api:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish:glassfish-corba-internal-api:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish:glassfish_corba_internal_api:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:corba:glassfish-corba-internal-api:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:corba:glassfish_corba_internal_api:4.1.1-b001:*:*:*:*:*:*:*"
   ],
   "purl": "pkg:maven/org.glassfish.corba/glassfish-corba-internal-api@4.1.1-b001",
   "metadataType": "JavaMetadata",
   "metadata": {
    "virtualPath": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar:glassfish-corba-internal-api",
    "pomProperties": {
     "path": "META-INF/maven/org.glassfish.corba/glassfish-corba-internal-api/pom.properties",
     "name": "",
     "groupId": "org.glassfish.corba",
     "artifactId": "glassfish-corba-internal-api",
     "version": "4.1.1-b001"
    }
   }
  },
  {
   "id": "6de5dbcc6bd3df79",
   "name": "glassfish-corba-omgapi",
   "version": "4.1.1-b001",
   "type": "java-archive",
   "foundBy": "java-cataloger",
   "locations": [
    {
     "path": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar"
    }
   ],
   "licenses": [],
   "language": "java",
   "cpes": [
    "cpe:2.3:a:glassfish-corba-omgapi:glassfish-corba-omgapi:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish-corba-omgapi:glassfish_corba_omgapi:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish_corba_omgapi:glassfish-corba-omgapi:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish_corba_omgapi:glassfish_corba_omgapi:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish-corba:glassfish-corba-omgapi:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish-corba:glassfish_corba_omgapi:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish_corba:glassfish-corba-omgapi:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish_corba:glassfish_corba_omgapi:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish:glassfish-corba-omgapi:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish:glassfish_corba_omgapi:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:corba:glassfish-corba-omgapi:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:corba:glassfish_corba_omgapi:4.1.1-b001:*:*:*:*:*:*:*"
   ],
   "purl": "pkg:maven/org.glassfish.corba/glassfish-corba-omgapi@4.1.1-b001",
   "metadataType": "JavaMetadata",
   "metadata": {
    "virtualPath": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar:glassfish-corba-omgapi",
    "pomProperties": {
     "path": "META-INF/maven/org.glassfish.corba/glassfish-corba-omgapi/pom.properties",
     "name": "",
     "groupId": "org.glassfish.corba",
     "artifactId": "glassfish-corba-omgapi",
     "version": "4.1.1-b001"
    }
   }
  },
  {
   "id": "cc00fead3a5f49e3",
   "name": "glassfish-corba-orb",
   "version": "4.1.1-b001",
   "type": "java-archive",
   "foundBy": "java-cataloger",
   "locations": [
    {
     "path": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar"
    }
   ],
   "licenses": [],
   "language": "java",
   "cpes": [
    "cpe:2.3:a:glassfish-corba-orb:glassfish-corba-orb:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish-corba-orb:glassfish_corba_orb:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish_corba_orb:glassfish-corba-orb:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish_corba_orb:glassfish_corba_orb:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish-corba:glassfish-corba-orb:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish-corba:glassfish_corba_orb:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish_corba:glassfish-corba-orb:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish_corba:glassfish_corba_orb:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish:glassfish-corba-orb:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish:glassfish_corba_orb:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:corba:glassfish-corba-orb:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:corba:glassfish_corba_orb:4.1.1-b001:*:*:*:*:*:*:*"
   ],
   "purl": "pkg:maven/org.glassfish.corba/glassfish-corba-orb@4.1.1-b001",
   "metadataType": "JavaMetadata",
   "metadata": {
    "virtualPath": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar:glassfish-corba-orb",
    "pomProperties": {
     "path": "META-INF/maven/org.glassfish.corba/glassfish-corba-orb/pom.properties",
     "name": "",
     "groupId": "org.glassfish.corba",
     "artifactId": "glassfish-corba-orb",
     "version": "4.1.1-b001"
    }
   }
  },
  {
   "id": "8d099ec8d7ff6ed0",
   "name": "hk2-api",
   "version": "2.5.0-b36",
   "type": "java-archive",
   "foundBy": "java-cataloger",
   "locations": [
    {
     "path": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar"
    }
   ],
   "licenses": [],
   "language": "java",
   "cpes": [
    "cpe:2.3:a:glassfish:hk2-api:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish:hk2_api:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:hk2-api:hk2-api:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:hk2-api:hk2_api:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:hk2_api:hk2-api:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:hk2_api:hk2_api:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish:hk2:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:hk2-api:hk2:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:hk2:hk2-api:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:hk2:hk2_api:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:hk2_api:hk2:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:hk2:hk2:2.5.0-b36:*:*:*:*:*:*:*"
   ],
   "purl": "pkg:maven/org.glassfish.hk2/hk2-api@2.5.0-b36",
   "metadataType": "JavaMetadata",
   "metadata": {
    "virtualPath": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar:hk2-api",
    "pomProperties": {
     "path": "META-INF/maven/org.glassfish.hk2/hk2-api/pom.properties",
     "name": "",
     "groupId": "org.glassfish.hk2",
     "artifactId": "hk2-api",
     "version": "2.5.0-b36"
    }
   }
  },
  {
   "id": "6e0a2624f7ad3862",
   "name": "hk2-locator",
   "version": "2.5.0-b36",
   "type": "java-archive",
   "foundBy": "java-cataloger",
   "locations": [
    {
     "path": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar"
    }
   ],
   "licenses": [],
   "language": "java",
   "cpes": [
    "cpe:2.3:a:hk2-locator:hk2-locator:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:hk2-locator:hk2_locator:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:hk2_locator:hk2-locator:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:hk2_locator:hk2_locator:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish:hk2-locator:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish:hk2_locator:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:hk2-locator:hk2:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:hk2:hk2-locator:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:hk2:hk2_locator:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:hk2_locator:hk2:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish:hk2:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:hk2:hk2:2.5.0-b36:*:*:*:*:*:*:*"
   ],
   "purl": "pkg:maven/org.glassfish.hk2/hk2-locator@2.5.0-b36",
   "metadataType": "JavaMetadata",
   "metadata": {
    "virtualPath": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar:hk2-locator",
    "pomProperties": {
     "path": "META-INF/maven/org.glassfish.hk2/hk2-locator/pom.properties",
     "name": "",
     "groupId": "org.glassfish.hk2",
     "artifactId": "hk2-locator",
     "version": "2.5.0-b36"
    }
   }
  },
  {
   "id": "be549b709625535c",
   "name": "hk2-utils",
   "version": "2.5.0-b36",
   "type": "java-archive",
   "foundBy": "java-cataloger",
   "locations": [
    {
     "path": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar"
    }
   ],
   "licenses": [],
   "language": "java",
   "cpes": [
    "cpe:2.3:a:glassfish:hk2-utils:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish:hk2_utils:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:hk2-utils:hk2-utils:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:hk2-utils:hk2_utils:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:hk2_utils:hk2-utils:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:hk2_utils:hk2_utils:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish:hk2:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:hk2-utils:hk2:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:hk2:hk2-utils:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:hk2:hk2_utils:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:hk2_utils:hk2:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:hk2:hk2:2.5.0-b36:*:*:*:*:*:*:*"
   ],
   "purl": "pkg:maven/org.glassfish.hk2/hk2-utils@2.5.0-b36",
   "metadataType": "JavaMetadata",
   "metadata": {
    "virtualPath": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar:hk2-utils",
    "pomProperties": {
     "path": "META-INF/maven/org.glassfish.hk2/hk2-utils/pom.properties",
     "name": "",
     "groupId": "org.glassfish.hk2",
     "artifactId": "hk2-utils",
     "version": "2.5.0-b36"
    }
   }
  },
  {
   "id": "f52d88b064a16b59",
   "name": "pfl-asm",
   "version": "4.0.1-b001",
   "type": "java-archive",
   "foundBy": "java-cataloger",
   "locations": [
    {
     "path": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar"
    }
   ],
   "licenses": [],
   "language": "java",
   "cpes": [
    "cpe:2.3:a:glassfish:pfl-asm:4.0.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish:pfl_asm:4.0.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:pfl-asm:pfl-asm:4.0.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:pfl-asm:pfl_asm:4.0.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:pfl_asm:pfl-asm:4.0.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:pfl_asm:pfl_asm:4.0.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish:pfl:4.0.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:pfl-asm:pfl:4.0.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:pfl:pfl-asm:4.0.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:pfl:pfl_asm:4.0.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:pfl_asm:pfl:4.0.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:pfl:pfl:4.0.1-b001:*:*:*:*:*:*:*"
   ],
   "purl": "pkg:maven/org.glassfish.pfl/pfl-asm@4.0.1-b001",
   "metadataType": "JavaMetadata",
   "metadata": {
    "virtualPath": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar:pfl-asm",
    "pomProperties": {
     "path": "META-INF/maven/org.glassfish.pfl/pfl-asm/pom.properties",
     "name": "",
     "groupId": "org.glassfish.pfl",
     "artifactId": "pfl-asm",
     "version": "4.0.1-b001"
    }
   }
  },
  {
   "id": "4207385428509458",
   "name": "tiger-types",
   "version": "1.4",
   "type": "java-archive",
   "foundBy": "java-cataloger",
   "locations": [
    {
     "path": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar"
    }
   ],
   "licenses": [],
   "language": "java",
   "cpes": [
    "cpe:2.3:a:tiger-types:tiger-types:1.4:*:*:*:*:*:*:*",
    "cpe:2.3:a:tiger-types:tiger_types:1.4:*:*:*:*:*:*:*",
    "cpe:2.3:a:tiger_types:tiger-types:1.4:*:*:*:*:*:*:*",
    "cpe:2.3:a:tiger_types:tiger_types:1.4:*:*:*:*:*:*:*",
    "cpe:2.3:a:jvnet:tiger-types:1.4:*:*:*:*:*:*:*",
    "cpe:2.3:a:jvnet:tiger_types:1.4:*:*:*:*:*:*:*",
    "cpe:2.3:a:tiger:tiger-types:1.4:*:*:*:*:*:*:*",
    "cpe:2.3:a:tiger:tiger_types:1.4:*:*:*:*:*:*:*",
    "cpe:2.3:a:java:tiger-types:1.4:*:*:*:*:*:*:*",
    "cpe:2.3:a:java:tiger_types:1.4:*:*:*:*:*:*:*"
   ],
   "purl": "pkg:maven/org.jvnet/tiger-types@1.4",
   "metadataType": "JavaMetadata",
   "metadata": {
    "virtualPath": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar:tiger-types",
    "pomProperties": {
     "path": "META-INF/maven/org.jvnet/tiger-types/pom.properties",
     "name": "",
     "groupId": "org.jvnet",
     "artifactId": "tiger-types",
     "version": "1.4"
    },
    "pomProject": {
     "path": "META-INF/maven/org.jvnet/tiger-types/pom.xml",
     "parent": {
      "groupId": "net.java",
      "artifactId": "jvnet-parent",
      "version": "1"
     },
     "groupId": "org.jvnet",
     "artifactId": "tiger-types",
     "version": "1.4",
     "name": "Type arithmetic library for Java5"
    }
   }
  },
  {
   "id": "26d5946744f05e2a",
   "name": "wlclient",
   "version": "12.2.1.3.0",
   "type": "java-archive",
   "foundBy": "java-cataloger",
   "locations": [
    {
     "path": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar"
    }
   ],
   "licenses": [],
   "language": "java",
   "cpes": [
    "cpe:2.3:a:wlclient:wlclient:12.2.1.3.0:*:*:*:*:*:*:*"
   ],
   "purl": "pkg:maven/wlclient/wlclient@12.2.1.3.0",
   "metadataType": "JavaMetadata",
   "metadata": {
    "virtualPath": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar",
    "manifest": {
     "main": {
      "Created-By": "1.8.0_321 (Oracle Corporation)",
      "DynamicImport-Package": "*",
      "Fragment-Host": "system.bundle; extension:=framework",
      "Implementation-Title": "wls_sharedLibraries",
      "Implementation-Version": "12.2.1.3.0",
      "Library-Version": "12.2.1.3.0",
      "Main-Class": "javassist.CtClass",
      "Manifest-Version": "1.0",
      "Multi-Release": "true",
      "Originally-Created-By": "Apache Maven",
      "Specification-Title": "wlclient",
      "Specification-Version": "12.2.1",
      "service": "foo"
     }
    },
    "digest": [
     {
      "algorithm": "sha1",
      "value": "7b81b31164ee07337ebd81ce404163bcc9934e1f"
     }
    ]
   }
  }
 ],
 "artifactRelationships": [
  {
   "parent": "ca786cc0c385d6226ffd0bdc47366c8be455b4a1f906abbe5e0ddcc45b271686",
   "child": "26d5946744f05e2a",
   "type": "contains"
  },
  {
   "parent": "ca786cc0c385d6226ffd0bdc47366c8be455b4a1f906abbe5e0ddcc45b271686",
   "child": "4207385428509458",
   "type": "contains"
  },
  {
   "parent": "ca786cc0c385d6226ffd0bdc47366c8be455b4a1f906abbe5e0ddcc45b271686",
   "child": "56038ff78afaea17",
   "type": "contains"
  },
  {
   "parent": "ca786cc0c385d6226ffd0bdc47366c8be455b4a1f906abbe5e0ddcc45b271686",
   "child": "6de5dbcc6bd3df79",
   "type": "contains"
  },
  {
   "parent": "ca786cc0c385d6226ffd0bdc47366c8be455b4a1f906abbe5e0ddcc45b271686",
   "child": "6e0a2624f7ad3862",
   "type": "contains"
  },
  {
   "parent": "ca786cc0c385d6226ffd0bdc47366c8be455b4a1f906abbe5e0ddcc45b271686",
   "child": "8d099ec8d7ff6ed0",
   "type": "contains"
  },
  {
   "parent": "ca786cc0c385d6226ffd0bdc47366c8be455b4a1f906abbe5e0ddcc45b271686",
   "child": "a5067ebc30eb2e85",
   "type": "contains"
  },
  {
   "parent": "ca786cc0c385d6226ffd0bdc47366c8be455b4a1f906abbe5e0ddcc45b271686",
   "child": "be549b709625535c",
   "type": "contains"
  },
  {
   "parent": "ca786cc0c385d6226ffd0bdc47366c8be455b4a1f906abbe5e0ddcc45b271686",
   "child": "cc00fead3a5f49e3",
   "type": "contains"
  },
  {
   "parent": "ca786cc0c385d6226ffd0bdc47366c8be455b4a1f906abbe5e0ddcc45b271686",
   "child": "f52d88b064a16b59",
   "type": "contains"
  }
 ],
 "source": {
  "id": "ca786cc0c385d6226ffd0bdc47366c8be455b4a1f906abbe5e0ddcc45b271686",
  "type": "file",
  "target": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar"
 },
 "distro": {},
 "descriptor": {
  "name": "syft",
  "version": "0.69.0",
  "configuration": {
   "configPath": "",
   "verbosity": 0,
   "quiet": false,
   "output": [
    "syft-json=sbom.syft.json"
   ],
   "output-template-path": "",
   "file": "",
   "check-for-app-update": true,
   "dev": {
    "profile-cpu": false,
    "profile-mem": false
   },
   "log": {
    "structured": false,
    "level": "warn",
    "file-location": ""
   },
   "catalogers": null,
   "package": {
    "cataloger": {
     "enabled": true,
     "scope": "Squashed"
    },
    "search-unindexed-archives": false,
    "search-indexed-archives": true
   },
   "attest": {
    "key": "",
    "password": ""
   },
   "file-metadata": {
    "cataloger": {
     "enabled": false,
     "scope": "Squashed"
    },
    "digests": [
     "sha256"
    ]
   },
   "file-classification": {
    "cataloger": {
     "enabled": false,
     "scope": "Squashed"
    }
   },
   "file-contents": {
    "cataloger": {
     "enabled": false,
     "scope": "Squashed"
    },
    "skip-files-above-size": 1048576,
    "globs": []
   },
   "secrets": {
    "cataloger": {
     "enabled": false,
     "scope": "AllLayers"
    },
    "additional-patterns": {},
    "exclude-pattern-names": [],
    "reveal-values": false,
    "skip-files-above-size": 1048576
   },
   "registry": {
    "insecure-skip-tls-verify": false,
    "insecure-use-http": false,
    "auth": []
   },
   "exclude": [],
   "platform": "",
   "name": "",
   "parallelism": 1
  }
 },
 "schema": {
  "version": "6.2.0",
  "url": "https://raw.githubusercontent.com/anchore/syft/main/schema/json/schema-6.2.0.json"
 }
}

Tools

syft

syft is a CLI tool and Go library for generating a software bill of materials (SBOM) from container images and filesystems.

Supported package ecosystems:

  • Alpine (apk)
  • C (conan)
  • C++ (conan)
  • Dart (pubs)
  • Debian (dpkg)
  • Dotnet (deps.json)
  • Objective-C (cocoapods)
  • Elixir (mix)
  • Erlang (rebar3)
  • Go (go.mod, Go binaries)
  • Haskell (cabal, stack)
  • Java (jar, ear, war, par, sar, native-image)
  • JavaScript (npm, yarn)
  • Jenkins Plugins (jpi, hpi)
  • PHP (composer)
  • Python (wheel, egg, poetry, requirements.txt)
  • Red Hat (rpm)
  • Ruby (gem)
  • Rust (cargo.lock)
  • Swift (cocoapods)

For example, the following command writes an SBOM in syft's own JSON format:

syft /weblogic/wls12213/wlserver/server/lib/wlclient.jar -o syft-json=sbom.syft.json

The output is the example shown in the first section.
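To show what a consumer does with that output, here is an added Python example; it is not code from the page, from syft or from grype. It parses a syft-json document like the one in the first section (the output of the syft command above): it lists every component with its purl, resolves artifactRelationships back to the scanned source, flags components whose licenses field is empty (the SBOM's license-compliance promise cannot be kept for those without manual review) and checks that no relationship points at an id the document does not define. SAMPLE_SBOM is a constructed excerpt trimmed from the wlclient.jar SBOM above (two of its ten artifacts); the function names are my own.

```python
"""Consume a syft-json SBOM: inventory, containment tree and sanity checks.

Added example; it is not code from the page, from syft or from grype.
"""
import json
from collections import defaultdict

# Source id of the scanned jar, copied from the document's SBOM.
SOURCE_ID = "ca786cc0c385d6226ffd0bdc47366c8be455b4a1f906abbe5e0ddcc45b271686"

# Constructed sample: a trimmed excerpt of the document's wlclient.jar SBOM
# (two of its ten artifacts). A real run would read sbom.syft.json instead.
SAMPLE_SBOM = json.dumps({
    "artifacts": [
        {"id": "8d099ec8d7ff6ed0", "name": "hk2-api", "version": "2.5.0-b36",
         "type": "java-archive", "licenses": [],
         "purl": "pkg:maven/org.glassfish.hk2/hk2-api@2.5.0-b36"},
        {"id": "4207385428509458", "name": "tiger-types", "version": "1.4",
         "type": "java-archive", "licenses": [],
         "purl": "pkg:maven/org.jvnet/tiger-types@1.4"},
    ],
    "artifactRelationships": [
        {"parent": SOURCE_ID, "child": "8d099ec8d7ff6ed0", "type": "contains"},
        {"parent": SOURCE_ID, "child": "4207385428509458", "type": "contains"},
    ],
    "source": {"id": SOURCE_ID, "type": "file",
               "target": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar"},
    "descriptor": {"name": "syft", "version": "0.69.0"},
})


def load_sbom(text):
    """Parse a syft-json document and check for the keys this script relies on."""
    sbom = json.loads(text)
    for key in ("artifacts", "artifactRelationships", "source"):
        if key not in sbom:
            raise ValueError(f"not a syft-json SBOM: missing '{key}'")
    return sbom


def inventory(sbom):
    """One compact record per component: what a reviewer or a scanner needs."""
    return [
        {"name": a["name"], "version": a["version"], "type": a.get("type", ""),
         "purl": a.get("purl", ""), "licenses": list(a.get("licenses", []))}
        for a in sbom["artifacts"]
    ]


def containment(sbom):
    """Resolve 'contains' relationships to readable names.

    The parent may be the scanned source itself (an image or a file) or
    another artifact (a jar nested inside a war); both cases are handled.
    """
    names = {a["id"]: a["name"] for a in sbom["artifacts"]}
    names[sbom["source"]["id"]] = sbom["source"]["target"]
    tree = defaultdict(list)
    for rel in sbom["artifactRelationships"]:
        if rel["type"] != "contains":
            continue
        parent = names.get(rel["parent"], rel["parent"])
        tree[parent].append(names.get(rel["child"], rel["child"]))
    return dict(tree)


def missing_license(sbom):
    """Components with no license recorded: review these by hand before
    making any license-compliance claim about the product."""
    return [a["name"] for a in sbom["artifacts"] if not a.get("licenses")]


def dangling_relationships(sbom):
    """Relationships that reference ids absent from the document; a non-empty
    result means the SBOM was truncated or edited after generation."""
    known = {a["id"] for a in sbom["artifacts"]} | {sbom["source"]["id"]}
    return [r for r in sbom["artifactRelationships"]
            if r["parent"] not in known or r["child"] not in known]


if __name__ == "__main__":
    doc = load_sbom(SAMPLE_SBOM)
    for item in inventory(doc):
        print(f'{item["name"]:<20} {item["version"]:<12} {item["purl"]}')
    for parent, children in containment(doc).items():
        print(f"{parent} contains {len(children)} component(s)")
    print("no license recorded:", missing_license(doc))
    print("dangling relationships:", dangling_relationships(doc))
```

Replacing SAMPLE_SBOM with the contents of sbom.syft.json runs the same checks over the full document; on the page's SBOM every artifact has an empty licenses list, so the missing_license report would name all ten.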

grype

grype is a vulnerability scanner for container images and filesystems.

It finds vulnerabilities in packages of the major operating system distributions:

  • Alpine
  • Amazon Linux
  • BusyBox
  • CentOS
  • Debian
  • Distroless
  • Oracle Linux
  • Red Hat (RHEL)
  • Ubuntu

It finds vulnerabilities in language-specific packages:

  • Ruby (Gems)
  • Java (JAR, WAR, EAR, JPI, HPI)
  • JavaScript (NPM, Yarn)
  • Python (Egg, Wheel, Poetry, requirements.txt/setup.py files)
  • Dotnet (deps.json)
  • Golang (go.mod)
  • PHP (Composer)
  • Rust (Cargo)

It supports the Docker and OCI image formats.

It can also find vulnerabilities from an existing SBOM file:

grype sbom:./sbom.syft.json
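In a pipeline the scan result is usually turned into a pass/fail decision rather than read by eye. The script below is an added example, not part of the original post and not grype's own code: it loads grype's JSON output (grype -o json), counts findings per severity and fails when anything at or above a chosen severity is present, optionally only when a fixed version exists, which is the common policy of blocking on what can actually be remediated. The field names it reads (matches[].vulnerability.id, .severity and .fix.versions, matches[].artifact.name, .version and .purl) are an assumption about grype's output shape; SAMPLE_GRYPE is constructed with placeholder vulnerability ids and package names.

```python
"""Turn grype JSON output into a CI pass/fail decision.

Added example; not grype's own code. The JSON field names are an assumption
about the shape of `grype -o json` output.
"""
import json

SEVERITY_RANK = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed sample in the assumed grype JSON shape; ids and packages are
# placeholders, not real vulnerabilities.
SAMPLE_GRYPE = json.dumps({"matches": [
    {"vulnerability": {"id": "EXAMPLE-0001", "severity": "High",
                       "fix": {"versions": ["1.5"], "state": "fixed"}},
     "artifact": {"name": "example-lib", "version": "1.4",
                  "purl": "pkg:maven/org.example/example-lib@1.4"}},
    {"vulnerability": {"id": "EXAMPLE-0002", "severity": "Low",
                       "fix": {"versions": [], "state": "not-fixed"}},
     "artifact": {"name": "example-lib", "version": "1.4",
                  "purl": "pkg:maven/org.example/example-lib@1.4"}},
    {"vulnerability": {"id": "EXAMPLE-0003", "severity": "Critical",
                       "fix": {"versions": [], "state": "unknown"}},
     "artifact": {"name": "other-lib", "version": "2.0",
                  "purl": "pkg:maven/org.example/other-lib@2.0"}},
    {"vulnerability": {"id": "EXAMPLE-0004", "severity": "Unknown", "fix": None},
     "artifact": {"name": "other-lib", "version": "2.0",
                  "purl": "pkg:maven/org.example/other-lib@2.0"}},
]})


def load_matches(text):
    """Flatten each grype match to the handful of fields a gate needs."""
    findings = []
    for m in json.loads(text).get("matches", []):
        vuln, art = m["vulnerability"], m["artifact"]
        fix = vuln.get("fix") or {}
        findings.append({
            "id": vuln["id"],
            "severity": vuln.get("severity", "Unknown"),
            "fixed_in": list(fix.get("versions") or []),
            "package": f'{art["name"]}@{art["version"]}',
            "purl": art.get("purl", ""),
        })
    return findings


def summarize(findings):
    """Count findings per severity label."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


def violations(findings, threshold="High", fixed_only=False):
    """Findings at or above the threshold; with fixed_only, only those that
    have a fixed version to upgrade to."""
    floor = SEVERITY_RANK[threshold]
    out = []
    for f in findings:
        # An unrated finding is not a safe one: treat unknown severity as Critical.
        rank = SEVERITY_RANK.get(f["severity"], SEVERITY_RANK["Critical"])
        if rank < floor:
            continue
        if fixed_only and not f["fixed_in"]:
            continue
        out.append(f)
    return out


def gate(text, threshold="High", fixed_only=False):
    """Return (passed, report_lines) for a grype JSON document."""
    findings = load_matches(text)
    bad = violations(findings, threshold, fixed_only)
    lines = [f"{sev}: {n}" for sev, n in
             sorted(summarize(findings).items(),
                    key=lambda kv: -SEVERITY_RANK.get(kv[0], 5))]
    for f in bad:
        fix = ", ".join(f["fixed_in"]) or "no fix available"
        lines.append(f'{f["id"]} {f["severity"]} {f["package"]} (fix: {fix})')
    return (not bad, lines)


if __name__ == "__main__":
    passed, report = gate(SAMPLE_GRYPE, threshold="High", fixed_only=True)
    print("\n".join(report))
    print("PASS" if passed else "FAIL")
    raise SystemExit(0 if passed else 1)
```

grype's own --fail-on <severity> flag gives the simplest form of this gate (a non-zero exit code when any finding reaches that severity); the script adds the fixed-only policy and a per-severity summary, and keeps the exit-code convention so it drops into a CI step unchanged.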
