Contents
- SBOM introduction
- Tools
- syft
- grype
SBOM introduction
An SBOM (software bill of materials) is an inventory of every software component (proprietary and open-source code), open-source license and dependency in a given product. It gives visibility into the software supply chain and into any license-compliance, security and quality risks that chain may carry.
An SBOM helps an organisation identify and remediate potential security vulnerabilities quickly, satisfy licensing requirements and apply version-control best practices.
An SBOM should include:
- the application's open-source libraries
- the program's plugins, extensions and other add-on components
- custom source code written in-house by developers
- version, license status and patch status for each of these components
- automated cryptographic signing and verification of components
- automated scanning that generates the SBOM as part of the continuous integration / continuous deployment (CI/CD) pipeline
An SBOM should use a consistent format. Popular SBOM formats include Software Package Data Exchange (SPDX), Software Identification (SWID) tags and OWASP CycloneDX. Although all three are standards, the 2021 White House executive order did not mandate a particular SBOM format, and so far none of the three has become the de facto industry standard.
The value of an SBOM:
- Software producers use SBOMs to help build and maintain the software they ship.
- Software purchasers use SBOMs to inform pre-purchase assurance, negotiate discounts and plan implementation strategy.
- Software operators use SBOMs to inform vulnerability management and asset management, manage licensing and compliance, and quickly identify software and component dependencies and supply-chain risk.
Example (syft JSON output for wlclient.jar):
{
"artifacts": [
{
"id": "56038ff78afaea17",
"name": "aopalliance-repackaged",
"version": "2.5.0-b36",
"type": "java-archive",
"foundBy": "java-cataloger",
"locations": [
{
"path": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar"
}
],
"licenses": [],
"language": "java",
"cpes": [
"cpe:2.3:a:aopalliance-repackaged:aopalliance-repackaged:2.5.0-b36:*:*:*:*:*:*:*",
"cpe:2.3:a:aopalliance-repackaged:aopalliance_repackaged:2.5.0-b36:*:*:*:*:*:*:*",
"cpe:2.3:a:aopalliance_repackaged:aopalliance-repackaged:2.5.0-b36:*:*:*:*:*:*:*",
"cpe:2.3:a:aopalliance_repackaged:aopalliance_repackaged:2.5.0-b36:*:*:*:*:*:*:*",
"cpe:2.3:a:aopalliance:aopalliance-repackaged:2.5.0-b36:*:*:*:*:*:*:*",
"cpe:2.3:a:aopalliance:aopalliance_repackaged:2.5.0-b36:*:*:*:*:*:*:*",
"cpe:2.3:a:glassfish:aopalliance-repackaged:2.5.0-b36:*:*:*:*:*:*:*",
"cpe:2.3:a:glassfish:aopalliance_repackaged:2.5.0-b36:*:*:*:*:*:*:*",
"cpe:2.3:a:external:aopalliance-repackaged:2.5.0-b36:*:*:*:*:*:*:*",
"cpe:2.3:a:external:aopalliance_repackaged:2.5.0-b36:*:*:*:*:*:*:*",
"cpe:2.3:a:hk2:aopalliance-repackaged:2.5.0-b36:*:*:*:*:*:*:*",
"cpe:2.3:a:hk2:aopalliance_repackaged:2.5.0-b36:*:*:*:*:*:*:*"
],
"purl": "pkg:maven/org.glassfish.hk2.external/aopalliance-repackaged@2.5.0-b36",
"metadataType": "JavaMetadata",
"metadata": {
"virtualPath": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar:aopalliance-repackaged",
"pomProperties": {
"path": "META-INF/maven/org.glassfish.hk2.external/aopalliance-repackaged/pom.properties",
"name": "",
"groupId": "org.glassfish.hk2.external",
"artifactId": "aopalliance-repackaged",
"version": "2.5.0-b36"
}
}
},
{
"id": "a5067ebc30eb2e85",
"name": "glassfish-corba-internal-api",
"version": "4.1.1-b001",
"type": "java-archive",
"foundBy": "java-cataloger",
"locations": [
{
"path": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar"
}
],
"licenses": [],
"language": "java",
"cpes": [
"cpe:2.3:a:glassfish-corba-internal-api:glassfish-corba-internal-api:4.1.1-b001:*:*:*:*:*:*:*",
"cpe:2.3:a:glassfish-corba-internal-api:glassfish_corba_internal_api:4.1.1-b001:*:*:*:*:*:*:*",
"cpe:2.3:a:glassfish_corba_internal_api:glassfish-corba-internal-api:4.1.1-b001:*:*:*:*:*:*:*",
"cpe:2.3:a:glassfish_corba_internal_api:glassfish_corba_internal_api:4.1.1-b001:*:*:*:*:*:*:*",
"cpe:2.3:a:glassfish-corba-internal:glassfish-corba-internal-api:4.1.1-b001:*:*:*:*:*:*:*",
"cpe:2.3:a:glassfish-corba-internal:glassfish_corba_internal_api:4.1.1-b001:*:*:*:*:*:*:*",
"cpe:2.3:a:glassfish_corba_internal:glassfish-corba-internal-api:4.1.1-b001:*:*:*:*:*:*:*",
"cpe:2.3:a:glassfish_corba_internal:glassfish_corba_internal_api:4.1.1-b001:*:*:*:*:*:*:*",
"cpe:2.3:a:glassfish-corba:glassfish-corba-internal-api:4.1.1-b001:*:*:*:*:*:*:*",
"cpe:2.3:a:glassfish-corba:glassfish_corba_internal_api:4.1.1-b001:*:*:*:*:*:*:*",
"cpe:2.3:a:glassfish_corba:glassfish-corba-internal-api:4.1.1-b001:*:*:*:*:*:*:*",
"cpe:2.3:a:glassfish_corba:glassfish_corba_internal_api:4.1.1-b001:*:*:*:*:*:*:*",
"cpe:2.3:a:glassfish:glassfish-corba-internal-api:4.1.1-b001:*:*:*:*:*:*:*",
"cpe:2.3:a:glassfish:glassfish_corba_internal_api:4.1.1-b001:*:*:*:*:*:*:*",
"cpe:2.3:a:corba:glassfish-corba-internal-api:4.1.1-b001:*:*:*:*:*:*:*",
"cpe:2.3:a:corba:glassfish_corba_internal_api:4.1.1-b001:*:*:*:*:*:*:*"
],
"purl": "pkg:maven/org.glassfish.corba/glassfish-corba-internal-api@4.1.1-b001",
"metadataType": "JavaMetadata",
"metadata": {
"virtualPath": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar:glassfish-corba-internal-api",
"pomProperties": {
"path": "META-INF/maven/org.glassfish.corba/glassfish-corba-internal-api/pom.properties",
"name": "",
"groupId": "org.glassfish.corba",
"artifactId": "glassfish-corba-internal-api",
"version": "4.1.1-b001"
}
}
},
{
"id": "6de5dbcc6bd3df79",
"name": "glassfish-corba-omgapi",
"version": "4.1.1-b001",
"type": "java-archive",
"foundBy": "java-cataloger",
"locations": [
{
"path": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar"
}
],
"licenses": [],
"language": "java",
"cpes": [
"cpe:2.3:a:glassfish-corba-omgapi:glassfish-corba-omgapi:4.1.1-b001:*:*:*:*:*:*:*",
"cpe:2.3:a:glassfish-corba-omgapi:glassfish_corba_omgapi:4.1.1-b001:*:*:*:*:*:*:*",
"cpe:2.3:a:glassfish_corba_omgapi:glassfish-corba-omgapi:4.1.1-b001:*:*:*:*:*:*:*",
"cpe:2.3:a:glassfish_corba_omgapi:glassfish_corba_omgapi:4.1.1-b001:*:*:*:*:*:*:*",
"cpe:2.3:a:glassfish-corba:glassfish-corba-omgapi:4.1.1-b001:*:*:*:*:*:*:*",
"cpe:2.3:a:glassfish-corba:glassfish_corba_omgapi:4.1.1-b001:*:*:*:*:*:*:*",
"cpe:2.3:a:glassfish_corba:glassfish-corba-omgapi:4.1.1-b001:*:*:*:*:*:*:*",
"cpe:2.3:a:glassfish_corba:glassfish_corba_omgapi:4.1.1-b001:*:*:*:*:*:*:*",
"cpe:2.3:a:glassfish:glassfish-corba-omgapi:4.1.1-b001:*:*:*:*:*:*:*",
"cpe:2.3:a:glassfish:glassfish_corba_omgapi:4.1.1-b001:*:*:*:*:*:*:*",
"cpe:2.3:a:corba:glassfish-corba-omgapi:4.1.1-b001:*:*:*:*:*:*:*",
"cpe:2.3:a:corba:glassfish_corba_omgapi:4.1.1-b001:*:*:*:*:*:*:*"
],
"purl": "pkg:maven/org.glassfish.corba/glassfish-corba-omgapi@4.1.1-b001",
"metadataType": "JavaMetadata",
"metadata": {
"virtualPath": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar:glassfish-corba-omgapi",
"pomProperties": {
"path": "META-INF/maven/org.glassfish.corba/glassfish-corba-omgapi/pom.properties",
"name": "",
"groupId": "org.glassfish.corba",
"artifactId": "glassfish-corba-omgapi",
"version": "4.1.1-b001"
}
}
},
{
"id": "cc00fead3a5f49e3",
"name": "glassfish-corba-orb",
"version": "4.1.1-b001",
"type": "java-archive",
"foundBy": "java-cataloger",
"locations": [
{
"path": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar"
}
],
"licenses": [],
"language": "java",
"cpes": [
"cpe:2.3:a:glassfish-corba-orb:glassfish-corba-orb:4.1.1-b001:*:*:*:*:*:*:*",
"cpe:2.3:a:glassfish-corba-orb:glassfish_corba_orb:4.1.1-b001:*:*:*:*:*:*:*",
"cpe:2.3:a:glassfish_corba_orb:glassfish-corba-orb:4.1.1-b001:*:*:*:*:*:*:*",
"cpe:2.3:a:glassfish_corba_orb:glassfish_corba_orb:4.1.1-b001:*:*:*:*:*:*:*",
"cpe:2.3:a:glassfish-corba:glassfish-corba-orb:4.1.1-b001:*:*:*:*:*:*:*",
"cpe:2.3:a:glassfish-corba:glassfish_corba_orb:4.1.1-b001:*:*:*:*:*:*:*",
"cpe:2.3:a:glassfish_corba:glassfish-corba-orb:4.1.1-b001:*:*:*:*:*:*:*",
"cpe:2.3:a:glassfish_corba:glassfish_corba_orb:4.1.1-b001:*:*:*:*:*:*:*",
"cpe:2.3:a:glassfish:glassfish-corba-orb:4.1.1-b001:*:*:*:*:*:*:*",
"cpe:2.3:a:glassfish:glassfish_corba_orb:4.1.1-b001:*:*:*:*:*:*:*",
"cpe:2.3:a:corba:glassfish-corba-orb:4.1.1-b001:*:*:*:*:*:*:*",
"cpe:2.3:a:corba:glassfish_corba_orb:4.1.1-b001:*:*:*:*:*:*:*"
],
"purl": "pkg:maven/org.glassfish.corba/glassfish-corba-orb@4.1.1-b001",
"metadataType": "JavaMetadata",
"metadata": {
"virtualPath": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar:glassfish-corba-orb",
"pomProperties": {
"path": "META-INF/maven/org.glassfish.corba/glassfish-corba-orb/pom.properties",
"name": "",
"groupId": "org.glassfish.corba",
"artifactId": "glassfish-corba-orb",
"version": "4.1.1-b001"
}
}
},
{
"id": "8d099ec8d7ff6ed0",
"name": "hk2-api",
"version": "2.5.0-b36",
"type": "java-archive",
"foundBy": "java-cataloger",
"locations": [
{
"path": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar"
}
],
"licenses": [],
"language": "java",
"cpes": [
"cpe:2.3:a:glassfish:hk2-api:2.5.0-b36:*:*:*:*:*:*:*",
"cpe:2.3:a:glassfish:hk2_api:2.5.0-b36:*:*:*:*:*:*:*",
"cpe:2.3:a:hk2-api:hk2-api:2.5.0-b36:*:*:*:*:*:*:*",
"cpe:2.3:a:hk2-api:hk2_api:2.5.0-b36:*:*:*:*:*:*:*",
"cpe:2.3:a:hk2_api:hk2-api:2.5.0-b36:*:*:*:*:*:*:*",
"cpe:2.3:a:hk2_api:hk2_api:2.5.0-b36:*:*:*:*:*:*:*",
"cpe:2.3:a:glassfish:hk2:2.5.0-b36:*:*:*:*:*:*:*",
"cpe:2.3:a:hk2-api:hk2:2.5.0-b36:*:*:*:*:*:*:*",
"cpe:2.3:a:hk2:hk2-api:2.5.0-b36:*:*:*:*:*:*:*",
"cpe:2.3:a:hk2:hk2_api:2.5.0-b36:*:*:*:*:*:*:*",
"cpe:2.3:a:hk2_api:hk2:2.5.0-b36:*:*:*:*:*:*:*",
"cpe:2.3:a:hk2:hk2:2.5.0-b36:*:*:*:*:*:*:*"
],
"purl": "pkg:maven/org.glassfish.hk2/hk2-api@2.5.0-b36",
"metadataType": "JavaMetadata",
"metadata": {
"virtualPath": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar:hk2-api",
"pomProperties": {
"path": "META-INF/maven/org.glassfish.hk2/hk2-api/pom.properties",
"name": "",
"groupId": "org.glassfish.hk2",
"artifactId": "hk2-api",
"version": "2.5.0-b36"
}
}
},
{
"id": "6e0a2624f7ad3862",
"name": "hk2-locator",
"version": "2.5.0-b36",
"type": "java-archive",
"foundBy": "java-cataloger",
"locations": [
{
"path": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar"
}
],
"licenses": [],
"language": "java",
"cpes": [
"cpe:2.3:a:hk2-locator:hk2-locator:2.5.0-b36:*:*:*:*:*:*:*",
"cpe:2.3:a:hk2-locator:hk2_locator:2.5.0-b36:*:*:*:*:*:*:*",
"cpe:2.3:a:hk2_locator:hk2-locator:2.5.0-b36:*:*:*:*:*:*:*",
"cpe:2.3:a:hk2_locator:hk2_locator:2.5.0-b36:*:*:*:*:*:*:*",
"cpe:2.3:a:glassfish:hk2-locator:2.5.0-b36:*:*:*:*:*:*:*",
"cpe:2.3:a:glassfish:hk2_locator:2.5.0-b36:*:*:*:*:*:*:*",
"cpe:2.3:a:hk2-locator:hk2:2.5.0-b36:*:*:*:*:*:*:*",
"cpe:2.3:a:hk2:hk2-locator:2.5.0-b36:*:*:*:*:*:*:*",
"cpe:2.3:a:hk2:hk2_locator:2.5.0-b36:*:*:*:*:*:*:*",
"cpe:2.3:a:hk2_locator:hk2:2.5.0-b36:*:*:*:*:*:*:*",
"cpe:2.3:a:glassfish:hk2:2.5.0-b36:*:*:*:*:*:*:*",
"cpe:2.3:a:hk2:hk2:2.5.0-b36:*:*:*:*:*:*:*"
],
"purl": "pkg:maven/org.glassfish.hk2/hk2-locator@2.5.0-b36",
"metadataType": "JavaMetadata",
"metadata": {
"virtualPath": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar:hk2-locator",
"pomProperties": {
"path": "META-INF/maven/org.glassfish.hk2/hk2-locator/pom.properties",
"name": "",
"groupId": "org.glassfish.hk2",
"artifactId": "hk2-locator",
"version": "2.5.0-b36"
}
}
},
{
"id": "be549b709625535c",
"name": "hk2-utils",
"version": "2.5.0-b36",
"type": "java-archive",
"foundBy": "java-cataloger",
"locations": [
{
"path": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar"
}
],
"licenses": [],
"language": "java",
"cpes": [
"cpe:2.3:a:glassfish:hk2-utils:2.5.0-b36:*:*:*:*:*:*:*",
"cpe:2.3:a:glassfish:hk2_utils:2.5.0-b36:*:*:*:*:*:*:*",
"cpe:2.3:a:hk2-utils:hk2-utils:2.5.0-b36:*:*:*:*:*:*:*",
"cpe:2.3:a:hk2-utils:hk2_utils:2.5.0-b36:*:*:*:*:*:*:*",
"cpe:2.3:a:hk2_utils:hk2-utils:2.5.0-b36:*:*:*:*:*:*:*",
"cpe:2.3:a:hk2_utils:hk2_utils:2.5.0-b36:*:*:*:*:*:*:*",
"cpe:2.3:a:glassfish:hk2:2.5.0-b36:*:*:*:*:*:*:*",
"cpe:2.3:a:hk2-utils:hk2:2.5.0-b36:*:*:*:*:*:*:*",
"cpe:2.3:a:hk2:hk2-utils:2.5.0-b36:*:*:*:*:*:*:*",
"cpe:2.3:a:hk2:hk2_utils:2.5.0-b36:*:*:*:*:*:*:*",
"cpe:2.3:a:hk2_utils:hk2:2.5.0-b36:*:*:*:*:*:*:*",
"cpe:2.3:a:hk2:hk2:2.5.0-b36:*:*:*:*:*:*:*"
],
"purl": "pkg:maven/org.glassfish.hk2/hk2-utils@2.5.0-b36",
"metadataType": "JavaMetadata",
"metadata": {
"virtualPath": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar:hk2-utils",
"pomProperties": {
"path": "META-INF/maven/org.glassfish.hk2/hk2-utils/pom.properties",
"name": "",
"groupId": "org.glassfish.hk2",
"artifactId": "hk2-utils",
"version": "2.5.0-b36"
}
}
},
{
"id": "f52d88b064a16b59",
"name": "pfl-asm",
"version": "4.0.1-b001",
"type": "java-archive",
"foundBy": "java-cataloger",
"locations": [
{
"path": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar"
}
],
"licenses": [],
"language": "java",
"cpes": [
"cpe:2.3:a:glassfish:pfl-asm:4.0.1-b001:*:*:*:*:*:*:*",
"cpe:2.3:a:glassfish:pfl_asm:4.0.1-b001:*:*:*:*:*:*:*",
"cpe:2.3:a:pfl-asm:pfl-asm:4.0.1-b001:*:*:*:*:*:*:*",
"cpe:2.3:a:pfl-asm:pfl_asm:4.0.1-b001:*:*:*:*:*:*:*",
"cpe:2.3:a:pfl_asm:pfl-asm:4.0.1-b001:*:*:*:*:*:*:*",
"cpe:2.3:a:pfl_asm:pfl_asm:4.0.1-b001:*:*:*:*:*:*:*",
"cpe:2.3:a:glassfish:pfl:4.0.1-b001:*:*:*:*:*:*:*",
"cpe:2.3:a:pfl-asm:pfl:4.0.1-b001:*:*:*:*:*:*:*",
"cpe:2.3:a:pfl:pfl-asm:4.0.1-b001:*:*:*:*:*:*:*",
"cpe:2.3:a:pfl:pfl_asm:4.0.1-b001:*:*:*:*:*:*:*",
"cpe:2.3:a:pfl_asm:pfl:4.0.1-b001:*:*:*:*:*:*:*",
"cpe:2.3:a:pfl:pfl:4.0.1-b001:*:*:*:*:*:*:*"
],
"purl": "pkg:maven/org.glassfish.pfl/pfl-asm@4.0.1-b001",
"metadataType": "JavaMetadata",
"metadata": {
"virtualPath": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar:pfl-asm",
"pomProperties": {
"path": "META-INF/maven/org.glassfish.pfl/pfl-asm/pom.properties",
"name": "",
"groupId": "org.glassfish.pfl",
"artifactId": "pfl-asm",
"version": "4.0.1-b001"
}
}
},
{
"id": "4207385428509458",
"name": "tiger-types",
"version": "1.4",
"type": "java-archive",
"foundBy": "java-cataloger",
"locations": [
{
"path": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar"
}
],
"licenses": [],
"language": "java",
"cpes": [
"cpe:2.3:a:tiger-types:tiger-types:1.4:*:*:*:*:*:*:*",
"cpe:2.3:a:tiger-types:tiger_types:1.4:*:*:*:*:*:*:*",
"cpe:2.3:a:tiger_types:tiger-types:1.4:*:*:*:*:*:*:*",
"cpe:2.3:a:tiger_types:tiger_types:1.4:*:*:*:*:*:*:*",
"cpe:2.3:a:jvnet:tiger-types:1.4:*:*:*:*:*:*:*",
"cpe:2.3:a:jvnet:tiger_types:1.4:*:*:*:*:*:*:*",
"cpe:2.3:a:tiger:tiger-types:1.4:*:*:*:*:*:*:*",
"cpe:2.3:a:tiger:tiger_types:1.4:*:*:*:*:*:*:*",
"cpe:2.3:a:java:tiger-types:1.4:*:*:*:*:*:*:*",
"cpe:2.3:a:java:tiger_types:1.4:*:*:*:*:*:*:*"
],
"purl": "pkg:maven/org.jvnet/tiger-types@1.4",
"metadataType": "JavaMetadata",
"metadata": {
"virtualPath": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar:tiger-types",
"pomProperties": {
"path": "META-INF/maven/org.jvnet/tiger-types/pom.properties",
"name": "",
"groupId": "org.jvnet",
"artifactId": "tiger-types",
"version": "1.4"
},
"pomProject": {
"path": "META-INF/maven/org.jvnet/tiger-types/pom.xml",
"parent": {
"groupId": "net.java",
"artifactId": "jvnet-parent",
"version": "1"
},
"groupId": "org.jvnet",
"artifactId": "tiger-types",
"version": "1.4",
"name": "Type arithmetic library for Java5"
}
}
},
{
"id": "26d5946744f05e2a",
"name": "wlclient",
"version": "12.2.1.3.0",
"type": "java-archive",
"foundBy": "java-cataloger",
"locations": [
{
"path": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar"
}
],
"licenses": [],
"language": "java",
"cpes": [
"cpe:2.3:a:wlclient:wlclient:12.2.1.3.0:*:*:*:*:*:*:*"
],
"purl": "pkg:maven/wlclient/wlclient@12.2.1.3.0",
"metadataType": "JavaMetadata",
"metadata": {
"virtualPath": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar",
"manifest": {
"main": {
"Created-By": "1.8.0_321 (Oracle Corporation)",
"DynamicImport-Package": "*",
"Fragment-Host": "system.bundle; extension:=framework",
"Implementation-Title": "wls_sharedLibraries",
"Implementation-Version": "12.2.1.3.0",
"Library-Version": "12.2.1.3.0",
"Main-Class": "javassist.CtClass",
"Manifest-Version": "1.0",
"Multi-Release": "true",
"Originally-Created-By": "Apache Maven",
"Specification-Title": "wlclient",
"Specification-Version": "12.2.1",
"service": "foo"
}
},
"digest": [
{
"algorithm": "sha1",
"value": "7b81b31164ee07337ebd81ce404163bcc9934e1f"
}
]
}
}
],
"artifactRelationships": [
{
"parent": "ca786cc0c385d6226ffd0bdc47366c8be455b4a1f906abbe5e0ddcc45b271686",
"child": "26d5946744f05e2a",
"type": "contains"
},
{
"parent": "ca786cc0c385d6226ffd0bdc47366c8be455b4a1f906abbe5e0ddcc45b271686",
"child": "4207385428509458",
"type": "contains"
},
{
"parent": "ca786cc0c385d6226ffd0bdc47366c8be455b4a1f906abbe5e0ddcc45b271686",
"child": "56038ff78afaea17",
"type": "contains"
},
{
"parent": "ca786cc0c385d6226ffd0bdc47366c8be455b4a1f906abbe5e0ddcc45b271686",
"child": "6de5dbcc6bd3df79",
"type": "contains"
},
{
"parent": "ca786cc0c385d6226ffd0bdc47366c8be455b4a1f906abbe5e0ddcc45b271686",
"child": "6e0a2624f7ad3862",
"type": "contains"
},
{
"parent": "ca786cc0c385d6226ffd0bdc47366c8be455b4a1f906abbe5e0ddcc45b271686",
"child": "8d099ec8d7ff6ed0",
"type": "contains"
},
{
"parent": "ca786cc0c385d6226ffd0bdc47366c8be455b4a1f906abbe5e0ddcc45b271686",
"child": "a5067ebc30eb2e85",
"type": "contains"
},
{
"parent": "ca786cc0c385d6226ffd0bdc47366c8be455b4a1f906abbe5e0ddcc45b271686",
"child": "be549b709625535c",
"type": "contains"
},
{
"parent": "ca786cc0c385d6226ffd0bdc47366c8be455b4a1f906abbe5e0ddcc45b271686",
"child": "cc00fead3a5f49e3",
"type": "contains"
},
{
"parent": "ca786cc0c385d6226ffd0bdc47366c8be455b4a1f906abbe5e0ddcc45b271686",
"child": "f52d88b064a16b59",
"type": "contains"
}
],
"source": {
"id": "ca786cc0c385d6226ffd0bdc47366c8be455b4a1f906abbe5e0ddcc45b271686",
"type": "file",
"target": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar"
},
"distro": {},
"descriptor": {
"name": "syft",
"version": "0.69.0",
"configuration": {
"configPath": "",
"verbosity": 0,
"quiet": false,
"output": [
"syft-json=sbom.syft.json"
],
"output-template-path": "",
"file": "",
"check-for-app-update": true,
"dev": {
"profile-cpu": false,
"profile-mem": false
},
"log": {
"structured": false,
"level": "warn",
"file-location": ""
},
"catalogers": null,
"package": {
"cataloger": {
"enabled": true,
"scope": "Squashed"
},
"search-unindexed-archives": false,
"search-indexed-archives": true
},
"attest": {
"key": "",
"password": ""
},
"file-metadata": {
"cataloger": {
"enabled": false,
"scope": "Squashed"
},
"digests": [
"sha256"
]
},
"file-classification": {
"cataloger": {
"enabled": false,
"scope": "Squashed"
}
},
"file-contents": {
"cataloger": {
"enabled": false,
"scope": "Squashed"
},
"skip-files-above-size": 1048576,
"globs": []
},
"secrets": {
"cataloger": {
"enabled": false,
"scope": "AllLayers"
},
"additional-patterns": {},
"exclude-pattern-names": [],
"reveal-values": false,
"skip-files-above-size": 1048576
},
"registry": {
"insecure-skip-tls-verify": false,
"insecure-use-http": false,
"auth": []
},
"exclude": [],
"platform": "",
"name": "",
"parallelism": 1
}
},
"schema": {
"version": "6.2.0",
"url": "https://raw.githubusercontent.com/anchore/syft/main/schema/json/schema-6.2.0.json"
}
}
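The document above is syft's own JSON format: an "artifacts" list (name, version, licenses, CPE candidates, purl), an "artifactRelationships" list that links every artifact to the scanned "source" by id, and a "descriptor" naming the generator. A consumer of the SBOM has to read those sections before it can do anything with them, so the following is an added example (not code from the page, syft or grype) of a small reader that checks what a practitioner would want to know from such a file: which components are present and under which purl, which have no license recorded, how many CPE guesses each carries (a source of false matches), and whether the relationship graph references ids that do not exist. The sample SBOM embedded below is constructed: two artifacts are abbreviated from the page's document, and one relationship with the child id "deadbeef00000000" is added deliberately so the consistency check has something to report.

```python
import json
from collections import Counter

# Constructed sample (not the page's full document): two artifacts copied from
# the syft output above, trimmed to the fields this script reads, plus one extra
# relationship whose child id "deadbeef00000000" matches no artifact, so the
# consistency check below has something to report.
SAMPLE_SBOM = r'''
{
  "artifacts": [
    {
      "id": "56038ff78afaea17",
      "name": "aopalliance-repackaged",
      "version": "2.5.0-b36",
      "type": "java-archive",
      "licenses": [],
      "cpes": [
        "cpe:2.3:a:aopalliance-repackaged:aopalliance-repackaged:2.5.0-b36:*:*:*:*:*:*:*",
        "cpe:2.3:a:glassfish:aopalliance-repackaged:2.5.0-b36:*:*:*:*:*:*:*",
        "cpe:2.3:a:hk2:aopalliance-repackaged:2.5.0-b36:*:*:*:*:*:*:*"
      ],
      "purl": "pkg:maven/org.glassfish.hk2.external/aopalliance-repackaged@2.5.0-b36"
    },
    {
      "id": "26d5946744f05e2a",
      "name": "wlclient",
      "version": "12.2.1.3.0",
      "type": "java-archive",
      "licenses": [],
      "cpes": ["cpe:2.3:a:wlclient:wlclient:12.2.1.3.0:*:*:*:*:*:*:*"],
      "purl": "pkg:maven/wlclient/wlclient@12.2.1.3.0"
    }
  ],
  "artifactRelationships": [
    {"parent": "ca786cc0c385d6226ffd0bdc47366c8be455b4a1f906abbe5e0ddcc45b271686", "child": "26d5946744f05e2a", "type": "contains"},
    {"parent": "ca786cc0c385d6226ffd0bdc47366c8be455b4a1f906abbe5e0ddcc45b271686", "child": "56038ff78afaea17", "type": "contains"},
    {"parent": "ca786cc0c385d6226ffd0bdc47366c8be455b4a1f906abbe5e0ddcc45b271686", "child": "deadbeef00000000", "type": "contains"}
  ],
  "source": {
    "id": "ca786cc0c385d6226ffd0bdc47366c8be455b4a1f906abbe5e0ddcc45b271686",
    "type": "file",
    "target": "/weblogic/wls12213/wlserver/server/lib/wlclient.jar"
  },
  "descriptor": {"name": "syft", "version": "0.69.0"}
}
'''


def load_sbom(text):
    """Parse syft JSON and refuse documents that lack the sections we rely on."""
    sbom = json.loads(text)
    for key in ("artifacts", "artifactRelationships", "source"):
        if key not in sbom:
            raise ValueError(f"not a syft JSON document: missing {key!r}")
    return sbom


def inventory(sbom):
    """(name, version, purl) per artifact. The purl is the identifier a scanner
    such as grype matches against, so a component without one may be missed."""
    return [(a["name"], a["version"], a.get("purl", "")) for a in sbom["artifacts"]]


def unlicensed(sbom):
    """Components with an empty 'licenses' list: license compliance cannot be
    assessed for these from the SBOM alone."""
    return sorted(a["name"] for a in sbom["artifacts"] if not a.get("licenses"))


def check_relationships(sbom):
    """Every parent/child id in artifactRelationships must be the source id or
    an artifact id; a dangling id means the containment graph is incomplete."""
    known = {a["id"] for a in sbom["artifacts"]} | {sbom["source"]["id"]}
    problems = []
    for rel in sbom["artifactRelationships"]:
        for side in ("parent", "child"):
            if rel[side] not in known:
                problems.append(f"{rel['type']}: unknown {side} id {rel[side]}")
    return problems


def cpe_candidates(sbom):
    """How many CPE guesses syft emitted per component. Many candidates mean the
    vendor field is ambiguous, a common cause of false CPE-based matches."""
    return {a["name"]: len(a.get("cpes", [])) for a in sbom["artifacts"]}


def ecosystems(sbom):
    """Count components per purl type (the part between 'pkg:' and the first '/')."""
    counts = Counter()
    for _, _, purl in inventory(sbom):
        if purl.startswith("pkg:"):
            counts[purl[4:].split("/", 1)[0]] += 1
    return dict(counts)


if __name__ == "__main__":
    sbom = load_sbom(SAMPLE_SBOM)
    print("generator:", sbom["descriptor"]["name"], sbom["descriptor"]["version"])
    print("scanned:", sbom["source"]["target"])
    for name, version, purl in inventory(sbom):
        print(f"  {name} {version}  {purl}")
    print("ecosystems:", ecosystems(sbom))
    print("no license recorded:", unlicensed(sbom))
    print("CPE candidates:", cpe_candidates(sbom))
    for problem in check_relationships(sbom):
        print("relationship problem:", problem)
```

Run against a real file by replacing SAMPLE_SBOM with the contents of sbom.syft.json; the relationship check is the part worth keeping in a pipeline, because a tool that edits or merges SBOMs can easily leave ids behind, and the license check is what makes the "license status" item from the SBOM checklist above actionable.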
Tools
syft
syft is a CLI tool and Go library for generating a software bill of materials (SBOM) from container images and filesystems.
It supports the following package ecosystems:
- Alpine (apk)
- C (conan)
- C++ (conan)
- Dart (pubs)
- Debian (dpkg)
- Dotnet (deps.json)
- Objective-C (cocoapods)
- Elixir (mix)
- Erlang (rebar3)
- Go (go.mod, Go binaries)
- Haskell (cabal, stack)
- Java (jar, ear, war, par, sar, native-image)
- JavaScript (npm, yarn)
- Jenkins Plugins (jpi, hpi)
- PHP (composer)
- Python (wheel, egg, poetry, requirements.txt)
- Red Hat (rpm)
- Ruby (gem)
- Rust (cargo.lock)
- Swift (cocoapods)
For example, the following command writes the SBOM to a file:
syft /weblogic/wls12213/wlserver/server/lib/wlclient.jar -o syft-json=sbom.syft.json
The output is the example shown in the first section.
grype
grype is a vulnerability scanner for container images and filesystems.
It can find vulnerabilities in the major operating systems:
- Alpine
- Amazon Linux
- BusyBox
- CentOS
- Debian
- Distroless
- Oracle Linux
- Red Hat (RHEL)
- Ubuntu
It can find vulnerabilities in language-specific packages:
- Ruby (Gems)
- Java (JAR, WAR, EAR, JPI, HPI)
- JavaScript (NPM, Yarn)
- Python (Egg, Wheel, Poetry, requirements.txt/setup.py files)
- Dotnet (deps.json)
- Golang (go.mod)
- PHP (Composer)
- Rust (Cargo)
It supports the Docker and OCI image formats.
It can also find vulnerabilities from an SBOM file:
grype sbom:./sbom.syft.json
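Scanning an SBOM, as above, is usually the last step of a pipeline: syft produces sbom.syft.json, grype reads it, and something has to decide from the result whether the build passes. grype itself can do that with its --fail-on flag and a JSON report (grype -o json). The following is an added example, not code from the page or from grype, of a small gate that reads such a report and fails on findings at or above a chosen severity, while allowing an explicit accepted-risk list and showing whether a fix exists. The report embedded below is constructed; it assumes grype's JSON layout of a top-level "matches" list whose entries carry "vulnerability" (id, severity, fix.state) and "artifact" (name, version, purl), which should be confirmed against the grype version in use. The vulnerability ids are placeholders, not real advisories; the component names are taken from the syft SBOM earlier on this page.

```python
import json
from collections import Counter

# Constructed sample in the shape of `grype -o json` output. Assumption: the
# report has a top-level "matches" list whose entries carry "vulnerability"
# ({id, severity, fix{state, versions}}) and "artifact" ({name, version, purl});
# confirm against the schema of the grype version you run. The ids are
# placeholders, not real advisories.
SAMPLE_GRYPE = r'''
{
  "matches": [
    {
      "vulnerability": {"id": "PLACEHOLDER-0001", "severity": "High",
                        "fix": {"state": "fixed", "versions": ["1.5"]}},
      "artifact": {"name": "tiger-types", "version": "1.4",
                   "purl": "pkg:maven/org.jvnet/tiger-types@1.4"}
    },
    {
      "vulnerability": {"id": "PLACEHOLDER-0002", "severity": "Medium",
                        "fix": {"state": "not-fixed", "versions": []}},
      "artifact": {"name": "hk2-api", "version": "2.5.0-b36",
                   "purl": "pkg:maven/org.glassfish.hk2/hk2-api@2.5.0-b36"}
    },
    {
      "vulnerability": {"id": "PLACEHOLDER-0003", "severity": "Low",
                        "fix": {"state": "unknown", "versions": []}},
      "artifact": {"name": "pfl-asm", "version": "4.0.1-b001",
                   "purl": "pkg:maven/org.glassfish.pfl/pfl-asm@4.0.1-b001"}
    }
  ]
}
'''

SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def load_report(text):
    """Parse the grype JSON report and refuse anything without a 'matches' list."""
    report = json.loads(text)
    if "matches" not in report:
        raise ValueError("not a grype JSON report: missing 'matches'")
    return report


def severity_counts(report):
    """Findings per severity, lower-cased so 'High' and 'high' count together."""
    return dict(Counter(m["vulnerability"]["severity"].lower() for m in report["matches"]))


def failing_matches(report, fail_on="high", ignore_ids=()):
    """Ids of matches at or above the threshold that are not on the accepted-risk
    list. A severity the table does not know is treated as the highest rank so an
    unrated finding is never silently passed."""
    threshold = SEVERITY_RANK[fail_on.lower()]
    failing = []
    for m in report["matches"]:
        vuln = m["vulnerability"]
        if vuln["id"] in ignore_ids:
            continue
        rank = SEVERITY_RANK.get(vuln["severity"].lower(), max(SEVERITY_RANK.values()))
        if rank >= threshold:
            failing.append(vuln["id"])
    return failing


def fix_available(report, vuln_id):
    """Whether grype records a fixed version for a finding; decides between
    upgrading the component and recording an accepted risk."""
    for m in report["matches"]:
        if m["vulnerability"]["id"] == vuln_id:
            return m["vulnerability"]["fix"]["state"] == "fixed"
    return False


def gate(report_text, fail_on="high", ignore_ids=()):
    """Exit code for a CI step: 1 if any failing match remains, else 0."""
    report = load_report(report_text)
    return 1 if failing_matches(report, fail_on, ignore_ids) else 0


if __name__ == "__main__":
    report = load_report(SAMPLE_GRYPE)
    print("by severity:", severity_counts(report))
    for vid in failing_matches(report, "high"):
        print(f"FAIL {vid} (fix available: {fix_available(report, vid)})")
    raise SystemExit(gate(SAMPLE_GRYPE, "high"))
```

The ignore list is deliberately a list of ids rather than a severity: lowering the threshold hides everything below it, whereas accepting a named finding keeps the decision visible and reviewable in the pipeline configuration.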