An introduction to SBOM and the use of syft and grype

2024/12/25 2:09:00

Contents

  • SBOM introduction
  • Tools
    • syft
    • grype

SBOM introduction

An SBOM (Software Bill of Materials) is an inventory of all the software components (proprietary and open-source code), open-source licenses and dependencies in a given product. It gives visibility into the software supply chain and into any license-compliance, security and quality risks that may be present.

An SBOM helps an organization quickly identify and remediate potential security vulnerabilities, meet licensing requirements and apply version-control best practices.

What an SBOM should include:

  • The application's open-source libraries
  • The program's plugins, extensions and other add-on components
  • Custom source code written in-house by the developers
  • Information on the version, license status and patch status of these components
  • Automated cryptographic signing and verification of components
  • Automated scanning that generates the SBOM as part of the continuous integration/continuous deployment (CI/CD) pipeline

An SBOM should use a consistent format. Popular SBOM formats include Software Package Data Exchange (SPDX), Software Identification (SWID) tags and OWASP CycloneDX. Although all three are standards, the 2021 White House executive order did not mandate a particular SBOM format, and so far none of the three has become the de facto industry standard.

The value of an SBOM:

  • Software producers use SBOMs to help build and maintain the software they supply.
  • Software purchasers use SBOMs to inform pre-purchase assurance, negotiate discounts and plan implementation strategy.
  • Software operators use SBOMs to inform vulnerability management and asset management, to manage licensing and compliance, and to quickly identify software and component dependencies and supply-chain risk.

Example (a JSON SBOM produced by syft):

{
 "artifacts": [
  {
   "id": "56038ff78afaea17",
   "name": "aopalliance-repackaged",
   "version": "2.5.0-b36",
   "type": "java-archive",
   "foundBy": "java-cataloger",
   "locations": [
    {
     "path": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar"
    }
   ],
   "licenses": [],
   "language": "java",
   "cpes": [
    "cpe:2.3:a:aopalliance-repackaged:aopalliance-repackaged:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:aopalliance-repackaged:aopalliance_repackaged:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:aopalliance_repackaged:aopalliance-repackaged:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:aopalliance_repackaged:aopalliance_repackaged:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:aopalliance:aopalliance-repackaged:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:aopalliance:aopalliance_repackaged:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish:aopalliance-repackaged:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish:aopalliance_repackaged:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:external:aopalliance-repackaged:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:external:aopalliance_repackaged:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:hk2:aopalliance-repackaged:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:hk2:aopalliance_repackaged:2.5.0-b36:*:*:*:*:*:*:*"
   ],
   "purl": "pkg:maven/org.glassfish.hk2.external/aopalliance-repackaged@2.5.0-b36",
   "metadataType": "JavaMetadata",
   "metadata": {
    "virtualPath": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar:aopalliance-repackaged",
    "pomProperties": {
     "path": "META-INF/maven/org.glassfish.hk2.external/aopalliance-repackaged/pom.properties",
     "name": "",
     "groupId": "org.glassfish.hk2.external",
     "artifactId": "aopalliance-repackaged",
     "version": "2.5.0-b36"
    }
   }
  },
  {
   "id": "a5067ebc30eb2e85",
   "name": "glassfish-corba-internal-api",
   "version": "4.1.1-b001",
   "type": "java-archive",
   "foundBy": "java-cataloger",
   "locations": [
    {
     "path": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar"
    }
   ],
   "licenses": [],
   "language": "java",
   "cpes": [
    "cpe:2.3:a:glassfish-corba-internal-api:glassfish-corba-internal-api:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish-corba-internal-api:glassfish_corba_internal_api:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish_corba_internal_api:glassfish-corba-internal-api:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish_corba_internal_api:glassfish_corba_internal_api:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish-corba-internal:glassfish-corba-internal-api:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish-corba-internal:glassfish_corba_internal_api:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish_corba_internal:glassfish-corba-internal-api:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish_corba_internal:glassfish_corba_internal_api:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish-corba:glassfish-corba-internal-api:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish-corba:glassfish_corba_internal_api:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish_corba:glassfish-corba-internal-api:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish_corba:glassfish_corba_internal_api:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish:glassfish-corba-internal-api:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish:glassfish_corba_internal_api:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:corba:glassfish-corba-internal-api:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:corba:glassfish_corba_internal_api:4.1.1-b001:*:*:*:*:*:*:*"
   ],
   "purl": "pkg:maven/org.glassfish.corba/glassfish-corba-internal-api@4.1.1-b001",
   "metadataType": "JavaMetadata",
   "metadata": {
    "virtualPath": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar:glassfish-corba-internal-api",
    "pomProperties": {
     "path": "META-INF/maven/org.glassfish.corba/glassfish-corba-internal-api/pom.properties",
     "name": "",
     "groupId": "org.glassfish.corba",
     "artifactId": "glassfish-corba-internal-api",
     "version": "4.1.1-b001"
    }
   }
  },
  {
   "id": "6de5dbcc6bd3df79",
   "name": "glassfish-corba-omgapi",
   "version": "4.1.1-b001",
   "type": "java-archive",
   "foundBy": "java-cataloger",
   "locations": [
    {
     "path": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar"
    }
   ],
   "licenses": [],
   "language": "java",
   "cpes": [
    "cpe:2.3:a:glassfish-corba-omgapi:glassfish-corba-omgapi:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish-corba-omgapi:glassfish_corba_omgapi:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish_corba_omgapi:glassfish-corba-omgapi:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish_corba_omgapi:glassfish_corba_omgapi:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish-corba:glassfish-corba-omgapi:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish-corba:glassfish_corba_omgapi:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish_corba:glassfish-corba-omgapi:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish_corba:glassfish_corba_omgapi:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish:glassfish-corba-omgapi:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish:glassfish_corba_omgapi:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:corba:glassfish-corba-omgapi:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:corba:glassfish_corba_omgapi:4.1.1-b001:*:*:*:*:*:*:*"
   ],
   "purl": "pkg:maven/org.glassfish.corba/glassfish-corba-omgapi@4.1.1-b001",
   "metadataType": "JavaMetadata",
   "metadata": {
    "virtualPath": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar:glassfish-corba-omgapi",
    "pomProperties": {
     "path": "META-INF/maven/org.glassfish.corba/glassfish-corba-omgapi/pom.properties",
     "name": "",
     "groupId": "org.glassfish.corba",
     "artifactId": "glassfish-corba-omgapi",
     "version": "4.1.1-b001"
    }
   }
  },
  {
   "id": "cc00fead3a5f49e3",
   "name": "glassfish-corba-orb",
   "version": "4.1.1-b001",
   "type": "java-archive",
   "foundBy": "java-cataloger",
   "locations": [
    {
     "path": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar"
    }
   ],
   "licenses": [],
   "language": "java",
   "cpes": [
    "cpe:2.3:a:glassfish-corba-orb:glassfish-corba-orb:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish-corba-orb:glassfish_corba_orb:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish_corba_orb:glassfish-corba-orb:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish_corba_orb:glassfish_corba_orb:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish-corba:glassfish-corba-orb:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish-corba:glassfish_corba_orb:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish_corba:glassfish-corba-orb:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish_corba:glassfish_corba_orb:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish:glassfish-corba-orb:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish:glassfish_corba_orb:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:corba:glassfish-corba-orb:4.1.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:corba:glassfish_corba_orb:4.1.1-b001:*:*:*:*:*:*:*"
   ],
   "purl": "pkg:maven/org.glassfish.corba/glassfish-corba-orb@4.1.1-b001",
   "metadataType": "JavaMetadata",
   "metadata": {
    "virtualPath": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar:glassfish-corba-orb",
    "pomProperties": {
     "path": "META-INF/maven/org.glassfish.corba/glassfish-corba-orb/pom.properties",
     "name": "",
     "groupId": "org.glassfish.corba",
     "artifactId": "glassfish-corba-orb",
     "version": "4.1.1-b001"
    }
   }
  },
  {
   "id": "8d099ec8d7ff6ed0",
   "name": "hk2-api",
   "version": "2.5.0-b36",
   "type": "java-archive",
   "foundBy": "java-cataloger",
   "locations": [
    {
     "path": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar"
    }
   ],
   "licenses": [],
   "language": "java",
   "cpes": [
    "cpe:2.3:a:glassfish:hk2-api:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish:hk2_api:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:hk2-api:hk2-api:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:hk2-api:hk2_api:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:hk2_api:hk2-api:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:hk2_api:hk2_api:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish:hk2:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:hk2-api:hk2:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:hk2:hk2-api:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:hk2:hk2_api:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:hk2_api:hk2:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:hk2:hk2:2.5.0-b36:*:*:*:*:*:*:*"
   ],
   "purl": "pkg:maven/org.glassfish.hk2/hk2-api@2.5.0-b36",
   "metadataType": "JavaMetadata",
   "metadata": {
    "virtualPath": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar:hk2-api",
    "pomProperties": {
     "path": "META-INF/maven/org.glassfish.hk2/hk2-api/pom.properties",
     "name": "",
     "groupId": "org.glassfish.hk2",
     "artifactId": "hk2-api",
     "version": "2.5.0-b36"
    }
   }
  },
  {
   "id": "6e0a2624f7ad3862",
   "name": "hk2-locator",
   "version": "2.5.0-b36",
   "type": "java-archive",
   "foundBy": "java-cataloger",
   "locations": [
    {
     "path": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar"
    }
   ],
   "licenses": [],
   "language": "java",
   "cpes": [
    "cpe:2.3:a:hk2-locator:hk2-locator:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:hk2-locator:hk2_locator:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:hk2_locator:hk2-locator:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:hk2_locator:hk2_locator:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish:hk2-locator:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish:hk2_locator:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:hk2-locator:hk2:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:hk2:hk2-locator:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:hk2:hk2_locator:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:hk2_locator:hk2:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish:hk2:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:hk2:hk2:2.5.0-b36:*:*:*:*:*:*:*"
   ],
   "purl": "pkg:maven/org.glassfish.hk2/hk2-locator@2.5.0-b36",
   "metadataType": "JavaMetadata",
   "metadata": {
    "virtualPath": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar:hk2-locator",
    "pomProperties": {
     "path": "META-INF/maven/org.glassfish.hk2/hk2-locator/pom.properties",
     "name": "",
     "groupId": "org.glassfish.hk2",
     "artifactId": "hk2-locator",
     "version": "2.5.0-b36"
    }
   }
  },
  {
   "id": "be549b709625535c",
   "name": "hk2-utils",
   "version": "2.5.0-b36",
   "type": "java-archive",
   "foundBy": "java-cataloger",
   "locations": [
    {
     "path": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar"
    }
   ],
   "licenses": [],
   "language": "java",
   "cpes": [
    "cpe:2.3:a:glassfish:hk2-utils:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish:hk2_utils:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:hk2-utils:hk2-utils:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:hk2-utils:hk2_utils:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:hk2_utils:hk2-utils:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:hk2_utils:hk2_utils:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish:hk2:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:hk2-utils:hk2:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:hk2:hk2-utils:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:hk2:hk2_utils:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:hk2_utils:hk2:2.5.0-b36:*:*:*:*:*:*:*",
    "cpe:2.3:a:hk2:hk2:2.5.0-b36:*:*:*:*:*:*:*"
   ],
   "purl": "pkg:maven/org.glassfish.hk2/hk2-utils@2.5.0-b36",
   "metadataType": "JavaMetadata",
   "metadata": {
    "virtualPath": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar:hk2-utils",
    "pomProperties": {
     "path": "META-INF/maven/org.glassfish.hk2/hk2-utils/pom.properties",
     "name": "",
     "groupId": "org.glassfish.hk2",
     "artifactId": "hk2-utils",
     "version": "2.5.0-b36"
    }
   }
  },
  {
   "id": "f52d88b064a16b59",
   "name": "pfl-asm",
   "version": "4.0.1-b001",
   "type": "java-archive",
   "foundBy": "java-cataloger",
   "locations": [
    {
     "path": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar"
    }
   ],
   "licenses": [],
   "language": "java",
   "cpes": [
    "cpe:2.3:a:glassfish:pfl-asm:4.0.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish:pfl_asm:4.0.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:pfl-asm:pfl-asm:4.0.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:pfl-asm:pfl_asm:4.0.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:pfl_asm:pfl-asm:4.0.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:pfl_asm:pfl_asm:4.0.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:glassfish:pfl:4.0.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:pfl-asm:pfl:4.0.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:pfl:pfl-asm:4.0.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:pfl:pfl_asm:4.0.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:pfl_asm:pfl:4.0.1-b001:*:*:*:*:*:*:*",
    "cpe:2.3:a:pfl:pfl:4.0.1-b001:*:*:*:*:*:*:*"
   ],
   "purl": "pkg:maven/org.glassfish.pfl/pfl-asm@4.0.1-b001",
   "metadataType": "JavaMetadata",
   "metadata": {
    "virtualPath": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar:pfl-asm",
    "pomProperties": {
     "path": "META-INF/maven/org.glassfish.pfl/pfl-asm/pom.properties",
     "name": "",
     "groupId": "org.glassfish.pfl",
     "artifactId": "pfl-asm",
     "version": "4.0.1-b001"
    }
   }
  },
  {
   "id": "4207385428509458",
   "name": "tiger-types",
   "version": "1.4",
   "type": "java-archive",
   "foundBy": "java-cataloger",
   "locations": [
    {
     "path": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar"
    }
   ],
   "licenses": [],
   "language": "java",
   "cpes": [
    "cpe:2.3:a:tiger-types:tiger-types:1.4:*:*:*:*:*:*:*",
    "cpe:2.3:a:tiger-types:tiger_types:1.4:*:*:*:*:*:*:*",
    "cpe:2.3:a:tiger_types:tiger-types:1.4:*:*:*:*:*:*:*",
    "cpe:2.3:a:tiger_types:tiger_types:1.4:*:*:*:*:*:*:*",
    "cpe:2.3:a:jvnet:tiger-types:1.4:*:*:*:*:*:*:*",
    "cpe:2.3:a:jvnet:tiger_types:1.4:*:*:*:*:*:*:*",
    "cpe:2.3:a:tiger:tiger-types:1.4:*:*:*:*:*:*:*",
    "cpe:2.3:a:tiger:tiger_types:1.4:*:*:*:*:*:*:*",
    "cpe:2.3:a:java:tiger-types:1.4:*:*:*:*:*:*:*",
    "cpe:2.3:a:java:tiger_types:1.4:*:*:*:*:*:*:*"
   ],
   "purl": "pkg:maven/org.jvnet/tiger-types@1.4",
   "metadataType": "JavaMetadata",
   "metadata": {
    "virtualPath": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar:tiger-types",
    "pomProperties": {
     "path": "META-INF/maven/org.jvnet/tiger-types/pom.properties",
     "name": "",
     "groupId": "org.jvnet",
     "artifactId": "tiger-types",
     "version": "1.4"
    },
    "pomProject": {
     "path": "META-INF/maven/org.jvnet/tiger-types/pom.xml",
     "parent": {
      "groupId": "net.java",
      "artifactId": "jvnet-parent",
      "version": "1"
     },
     "groupId": "org.jvnet",
     "artifactId": "tiger-types",
     "version": "1.4",
     "name": "Type arithmetic library for Java5"
    }
   }
  },
  {
   "id": "26d5946744f05e2a",
   "name": "wlclient",
   "version": "12.2.1.3.0",
   "type": "java-archive",
   "foundBy": "java-cataloger",
   "locations": [
    {
     "path": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar"
    }
   ],
   "licenses": [],
   "language": "java",
   "cpes": [
    "cpe:2.3:a:wlclient:wlclient:12.2.1.3.0:*:*:*:*:*:*:*"
   ],
   "purl": "pkg:maven/wlclient/wlclient@12.2.1.3.0",
   "metadataType": "JavaMetadata",
   "metadata": {
    "virtualPath": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar",
    "manifest": {
     "main": {
      "Created-By": "1.8.0_321 (Oracle Corporation)",
      "DynamicImport-Package": "*",
      "Fragment-Host": "system.bundle; extension:=framework",
      "Implementation-Title": "wls_sharedLibraries",
      "Implementation-Version": "12.2.1.3.0",
      "Library-Version": "12.2.1.3.0",
      "Main-Class": "javassist.CtClass",
      "Manifest-Version": "1.0",
      "Multi-Release": "true",
      "Originally-Created-By": "Apache Maven",
      "Specification-Title": "wlclient",
      "Specification-Version": "12.2.1",
      "service": "foo"
     }
    },
    "digest": [
     {
      "algorithm": "sha1",
      "value": "7b81b31164ee07337ebd81ce404163bcc9934e1f"
     }
    ]
   }
  }
 ],
 "artifactRelationships": [
  {
   "parent": "ca786cc0c385d6226ffd0bdc47366c8be455b4a1f906abbe5e0ddcc45b271686",
   "child": "26d5946744f05e2a",
   "type": "contains"
  },
  {
   "parent": "ca786cc0c385d6226ffd0bdc47366c8be455b4a1f906abbe5e0ddcc45b271686",
   "child": "4207385428509458",
   "type": "contains"
  },
  {
   "parent": "ca786cc0c385d6226ffd0bdc47366c8be455b4a1f906abbe5e0ddcc45b271686",
   "child": "56038ff78afaea17",
   "type": "contains"
  },
  {
   "parent": "ca786cc0c385d6226ffd0bdc47366c8be455b4a1f906abbe5e0ddcc45b271686",
   "child": "6de5dbcc6bd3df79",
   "type": "contains"
  },
  {
   "parent": "ca786cc0c385d6226ffd0bdc47366c8be455b4a1f906abbe5e0ddcc45b271686",
   "child": "6e0a2624f7ad3862",
   "type": "contains"
  },
  {
   "parent": "ca786cc0c385d6226ffd0bdc47366c8be455b4a1f906abbe5e0ddcc45b271686",
   "child": "8d099ec8d7ff6ed0",
   "type": "contains"
  },
  {
   "parent": "ca786cc0c385d6226ffd0bdc47366c8be455b4a1f906abbe5e0ddcc45b271686",
   "child": "a5067ebc30eb2e85",
   "type": "contains"
  },
  {
   "parent": "ca786cc0c385d6226ffd0bdc47366c8be455b4a1f906abbe5e0ddcc45b271686",
   "child": "be549b709625535c",
   "type": "contains"
  },
  {
   "parent": "ca786cc0c385d6226ffd0bdc47366c8be455b4a1f906abbe5e0ddcc45b271686",
   "child": "cc00fead3a5f49e3",
   "type": "contains"
  },
  {
   "parent": "ca786cc0c385d6226ffd0bdc47366c8be455b4a1f906abbe5e0ddcc45b271686",
   "child": "f52d88b064a16b59",
   "type": "contains"
  }
 ],
 "source": {
  "id": "ca786cc0c385d6226ffd0bdc47366c8be455b4a1f906abbe5e0ddcc45b271686",
  "type": "file",
  "target": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar"
 },
 "distro": {},
 "descriptor": {
  "name": "syft",
  "version": "0.69.0",
  "configuration": {
   "configPath": "",
   "verbosity": 0,
   "quiet": false,
   "output": [
    "syft-json=sbom.syft.json"
   ],
   "output-template-path": "",
   "file": "",
   "check-for-app-update": true,
   "dev": {
    "profile-cpu": false,
    "profile-mem": false
   },
   "log": {
    "structured": false,
    "level": "warn",
    "file-location": ""
   },
   "catalogers": null,
   "package": {
    "cataloger": {
     "enabled": true,
     "scope": "Squashed"
    },
    "search-unindexed-archives": false,
    "search-indexed-archives": true
   },
   "attest": {
    "key": "",
    "password": ""
   },
   "file-metadata": {
    "cataloger": {
     "enabled": false,
     "scope": "Squashed"
    },
    "digests": [
     "sha256"
    ]
   },
   "file-classification": {
    "cataloger": {
     "enabled": false,
     "scope": "Squashed"
    }
   },
   "file-contents": {
    "cataloger": {
     "enabled": false,
     "scope": "Squashed"
    },
    "skip-files-above-size": 1048576,
    "globs": []
   },
   "secrets": {
    "cataloger": {
     "enabled": false,
     "scope": "AllLayers"
    },
    "additional-patterns": {},
    "exclude-pattern-names": [],
    "reveal-values": false,
    "skip-files-above-size": 1048576
   },
   "registry": {
    "insecure-skip-tls-verify": false,
    "insecure-use-http": false,
    "auth": []
   },
   "exclude": [],
   "platform": "",
   "name": "",
   "parallelism": 1
  }
 },
 "schema": {
  "version": "6.2.0",
  "url": "https://raw.githubusercontent.com/anchore/syft/main/schema/json/schema-6.2.0.json"
 }
}
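
The JSON above is syft's own output format (schema 6.2.0 here). A consumer of such a file usually wants three things from it: a flat component inventory, the license gaps (every artifact above has an empty licenses list), and a check that the containment graph is consistent, that is, every artifactRelationships entry points at a known id and every artifact is attached to the source. It also helps to know that syft emits many vendor/product CPE permutations per package so that scanners can match them against NVD records. The script below does all of that. It is an added example written for this post, not code from syft or from the original article; its embedded SBOM is a constructed, shortened copy of the output above (two of the ten real artifacts) plus one invented artifact, "constructed-lib", and one invented dangling relationship so that the checks have something to report.

```python
"""Consume a syft JSON SBOM (schema 6.x, the format shown above).

Added example for this post, not code from syft or the original article.
SAMPLE_SBOM is a constructed, shortened copy of the page's output: two of the
ten real artifacts, plus one invented artifact ("constructed-lib") and one
invented dangling relationship (child id ffffffffffffffff).
"""
import json
import sys

SAMPLE_SBOM = r'''
{
 "artifacts": [
  {"id": "56038ff78afaea17", "name": "aopalliance-repackaged", "version": "2.5.0-b36",
   "type": "java-archive", "licenses": [], "language": "java",
   "cpes": ["cpe:2.3:a:glassfish:aopalliance-repackaged:2.5.0-b36:*:*:*:*:*:*:*",
            "cpe:2.3:a:hk2:aopalliance_repackaged:2.5.0-b36:*:*:*:*:*:*:*"],
   "purl": "pkg:maven/org.glassfish.hk2.external/aopalliance-repackaged@2.5.0-b36"},
  {"id": "26d5946744f05e2a", "name": "wlclient", "version": "12.2.1.3.0",
   "type": "java-archive", "licenses": [], "language": "java",
   "cpes": ["cpe:2.3:a:wlclient:wlclient:12.2.1.3.0:*:*:*:*:*:*:*"],
   "purl": "pkg:maven/wlclient/wlclient@12.2.1.3.0"},
  {"id": "0000000000000001", "name": "constructed-lib", "version": "1.0",
   "type": "java-archive", "licenses": ["MIT"], "language": "java",
   "cpes": ["cpe:2.3:a:example:constructed-lib:1.0:*:*:*:*:*:*:*"],
   "purl": "pkg:maven/org.example/constructed-lib@1.0"}
 ],
 "artifactRelationships": [
  {"parent": "ca786cc0c385d6226ffd0bdc47366c8be455b4a1f906abbe5e0ddcc45b271686",
   "child": "26d5946744f05e2a", "type": "contains"},
  {"parent": "ca786cc0c385d6226ffd0bdc47366c8be455b4a1f906abbe5e0ddcc45b271686",
   "child": "56038ff78afaea17", "type": "contains"},
  {"parent": "ca786cc0c385d6226ffd0bdc47366c8be455b4a1f906abbe5e0ddcc45b271686",
   "child": "ffffffffffffffff", "type": "contains"}
 ],
 "source": {"id": "ca786cc0c385d6226ffd0bdc47366c8be455b4a1f906abbe5e0ddcc45b271686",
            "type": "file", "target": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar"},
 "descriptor": {"name": "syft", "version": "0.69.0"},
 "schema": {"version": "6.2.0"}
}
'''


def load_sbom(path=None):
    """Parse an SBOM from a file, or the embedded sample when no path is given."""
    if path is None:
        return json.loads(SAMPLE_SBOM)
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def parse_cpe(cpe):
    """Split a CPE 2.3 formatted string into (part, vendor, product, version).
    Naive split on ':' (no escaped colons), which holds for syft's candidates."""
    fields = cpe.split(":")
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    return fields[2], fields[3], fields[4], fields[5]


def inventory(sbom):
    """One (name, version, purl) row per component, sorted by name."""
    return sorted((a["name"], a["version"], a.get("purl", "")) for a in sbom["artifacts"])


def unlicensed(sbom):
    """Components with an empty license list: the gaps a license review must close by hand."""
    return sorted(a["name"] for a in sbom["artifacts"] if not a.get("licenses"))


def vendor_candidates(sbom):
    """Distinct vendor strings syft guessed per component (from its CPE permutations)."""
    return {a["name"]: sorted({parse_cpe(c)[1] for c in a.get("cpes", [])})
            for a in sbom["artifacts"]}


def check_relationships(sbom):
    """Problems in the containment graph: relationships that reference an unknown id,
    and artifacts that no relationship attaches to anything."""
    known = {a["id"] for a in sbom["artifacts"]} | {sbom["source"]["id"]}
    problems, attached = [], set()
    for rel in sbom.get("artifactRelationships", []):
        for end in ("parent", "child"):
            if rel[end] not in known:
                problems.append(f"{rel['type']} relationship references unknown {end} id {rel[end]}")
        attached.add(rel["child"])
    for a in sbom["artifacts"]:
        if a["id"] not in attached:
            problems.append(f"artifact {a['name']} ({a['id']}) is not attached to the source")
    return problems


if __name__ == "__main__":
    sbom = load_sbom(sys.argv[1] if len(sys.argv) > 1 else None)
    print(f"{sbom['descriptor']['name']} {sbom['descriptor']['version']} scanned {sbom['source']['target']}")
    for name, version, purl in inventory(sbom):
        print(f"  {name} {version}  {purl}")
    print("unlicensed:", ", ".join(unlicensed(sbom)) or "none")
    for name, vendors in vendor_candidates(sbom).items():
        print(f"  {name}: vendor candidates {vendors}")
    for problem in check_relationships(sbom):
        print("PROBLEM:", problem)
```

Run it with no argument to use the embedded sample, or pass the path of a real syft-json file such as the sbom.syft.json produced in the syft section. The relationship check matters because downstream tooling (license reports, vulnerability correlation) keys on these ids; a component that is not reachable from the source is easy to lose from an inventory.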

Tools

syft

syft is a CLI tool and Go library for generating a Software Bill of Materials (SBOM) from container images and filesystems.

It supports the following package ecosystems:

  • Alpine (apk)
  • C (conan)
  • C++ (conan)
  • Dart (pubs)
  • Debian (dpkg)
  • Dotnet (deps.json)
  • Objective-C (cocoapods)
  • Elixir (mix)
  • Erlang (rebar3)
  • Go (go.mod, Go binaries)
  • Haskell (cabal, stack)
  • Java (jar, ear, war, par, sar, native-image)
  • JavaScript (npm, yarn)
  • Jenkins Plugins (jpi, hpi)
  • PHP (composer)
  • Python (wheel, egg, poetry, requirements.txt)
  • Red Hat (rpm)
  • Ruby (gem)
  • Rust (cargo.lock)
  • Swift (cocoapods)

For example, the following command produces an SBOM:

syft /weblogic/wls12213/wlserver/server/lib/wlclient.jar -o syft-json=sbom.syft.json

The output is the example shown in the first section.

grype

grype is a vulnerability scanner for container images and filesystems.

It finds vulnerabilities in the packages of the major operating systems:

  • Alpine
  • Amazon Linux
  • BusyBox
  • CentOS
  • Debian
  • Distroless
  • Oracle Linux
  • Red Hat (RHEL)
  • Ubuntu

It also finds vulnerabilities in language-specific packages:

  • Ruby (Gems)
  • Java (JAR, WAR, EAR, JPI, HPI)
  • JavaScript (NPM, Yarn)
  • Python (Egg, Wheel, Poetry, requirements.txt/setup.py files)
  • Dotnet (deps.json)
  • Golang (go.mod)
  • PHP (Composer)
  • Rust (Cargo)

It supports both the Docker and the OCI image formats.

Vulnerabilities can also be found from an SBOM file:

grype sbom:./sbom.syft.json
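
The command above hands grype the SBOM that syft produced. In a CI/CD pipeline the next step is to decide automatically whether the result blocks the build: which findings sit at or above the team's severity threshold, which of those already have a fixed version to upgrade to, and which ids have been reviewed and allowlisted. The script below does that triage over grype's JSON output. It is an added example written for this post, not grype's own code. The report layout it reads (matches[].vulnerability.{id,severity,fix} and matches[].artifact.{name,version}) is assumed from grype's JSON output format, and the embedded report is entirely constructed, with placeholder vulnerability ids and invented package names, so it says nothing about the real jars listed in the SBOM above.

```python
"""Gate a CI pipeline on grype's JSON output.

Added example for this post, not grype's own code. The field layout is
assumed from grype's JSON format; SAMPLE_REPORT is constructed: placeholder
vulnerability ids and invented package names, unrelated to the SBOM above.
"""
import json
import sys
from collections import Counter

SAMPLE_REPORT = r'''
{
 "matches": [
  {"vulnerability": {"id": "CVE-0000-PLACEHOLDER-1", "severity": "Critical",
                     "fix": {"versions": ["2.0.1"], "state": "fixed"}},
   "artifact": {"name": "example-lib-a", "version": "2.0.0",
                "purl": "pkg:maven/org.example/example-lib-a@2.0.0"}},
  {"vulnerability": {"id": "CVE-0000-PLACEHOLDER-2", "severity": "Medium",
                     "fix": {"versions": [], "state": "not-fixed"}},
   "artifact": {"name": "example-lib-b", "version": "1.4",
                "purl": "pkg:maven/org.example/example-lib-b@1.4"}},
  {"vulnerability": {"id": "GHSA-PLACEHOLDER-3", "severity": "High",
                     "fix": {"versions": [], "state": "unknown"}},
   "artifact": {"name": "example-lib-c", "version": "3.1.0",
                "purl": "pkg:maven/org.example/example-lib-c@3.1.0"}},
  {"vulnerability": {"id": "CVE-0000-PLACEHOLDER-4", "severity": "Unknown",
                     "fix": {"versions": [], "state": "unknown"}},
   "artifact": {"name": "example-lib-d", "version": "0.9",
                "purl": "pkg:maven/org.example/example-lib-d@0.9"}}
 ],
 "source": {"type": "sbom", "target": "./sbom.syft.json"},
 "descriptor": {"name": "grype"}
}
'''

# grype's severity labels, lowest to highest.
SEVERITY_RANK = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def severity_rank(label):
    """Numeric rank of a severity label. 'Unknown' (or any unrecognised label)
    is ranked like High so it blocks until someone looks at it, instead of
    slipping through because the feed has no score yet."""
    return SEVERITY_RANK.get(label, SEVERITY_RANK["High"])


def load_report(path=None):
    """Parse a grype JSON report from a file, or the embedded sample."""
    if path is None:
        return json.loads(SAMPLE_REPORT)
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def summarize(report):
    """Count matches per severity label, e.g. {'Critical': 1, 'High': 1, ...}."""
    return dict(Counter(m["vulnerability"]["severity"] for m in report["matches"]))


def blocking_matches(report, fail_on="High", ignore_ids=frozenset()):
    """Matches at or above the fail_on severity that are not allowlisted.
    Each entry records the fix state, which decides between 'upgrade' and
    'accept the risk / mitigate' during triage."""
    threshold = severity_rank(fail_on)
    blocking = []
    for m in report["matches"]:
        vuln, art = m["vulnerability"], m["artifact"]
        if vuln["id"] in ignore_ids:
            continue
        if severity_rank(vuln["severity"]) < threshold:
            continue
        fix = vuln.get("fix", {})
        blocking.append({
            "id": vuln["id"],
            "severity": vuln["severity"],
            "package": f"{art['name']}@{art['version']}",
            "fix_state": fix.get("state", "unknown"),
            "fix_versions": fix.get("versions", []),
        })
    return blocking


def gate(report, fail_on="High", ignore_ids=frozenset()):
    """True when the build may proceed."""
    return not blocking_matches(report, fail_on, ignore_ids)


if __name__ == "__main__":
    # Usage: python gate.py [grype.json] [fail_on severity] [allowlisted id ...]
    args = sys.argv[1:]
    report = load_report(args[0] if args else None)
    fail_on = args[1] if len(args) > 1 else "High"
    ignored = frozenset(args[2:])
    print("scanned:", report["source"]["target"], "severities:", summarize(report))
    for b in blocking_matches(report, fail_on, ignored):
        fix = ", ".join(b["fix_versions"]) or f"no fix ({b['fix_state']})"
        print(f"  BLOCK {b['severity']:<8} {b['id']:<24} {b['package']}  fix: {fix}")
    sys.exit(0 if gate(report, fail_on, ignored) else 1)
```

To use it on a real scan, write grype's JSON to a file (grype sbom:./sbom.syft.json -o json > grype.json) and pass that file as the first argument; the exit status is what the pipeline step checks. Treating "Unknown" as blocking is a deliberate choice: a finding without a severity is unreviewed, not harmless, and the allowlist is the place to record that a human has looked at it.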
