Security scanner
SBOM
A software bill of materials (SBOM) is an industry-standard, machine-readable inventory of the components that make up an image or application, together with metadata about each one (name, version, supplier, package URL, hashes). An SBOM can be created from source code, from binaries (language-specific artifacts or container images) or dynamically at runtime; the later in that sequence it is produced, the closer it is to what actually ships.
formats
The two formats used by the tools below are SPDX and CycloneDX. Both have JSON serialisations; SPDX also has a tag-value form (the .spdx files in the examples below). Most scanners accept either.
SBOM tools
Software Composition Analysis (SCA)
- cdxgen - CLI to create CycloneDX SBOMs for many package managers from the manifest/lock files (no built binaries needed)
- spdx-sbom-generator - CLI to generate SPDX SBOMs for different package managers
- cyclonedx-cli from OWASP - BOM analysis, modification, diffing, merging, format conversion, signing and verification
- Dependency-Track - continuous SBOM analysis platform from OWASP (ingest SBOMs, re-check them against new advisories over time)
- cve-bin-tool from Intel - checks binaries or an existing SBOM for known CVEs
- spdx-to-osv - CLI that looks up the packages in an SPDX SBOM in the Open Source Vulnerabilities (OSV) database
vulnerability scanner
These scanners usually scan binaries, directories or images directly, but some (trivy, grype) can also start from an existing SBOM file.
- OWASP Dependency-Check - scanner available as a CLI or as build plugins for Maven, Gradle, etc.
- Trivy - multi-purpose scanner (container images, filesystems, Git repositories, SBOMs, IaC)
- Grype - vulnerability scanner for container images and filesystems from Anchore; pairs with syft, which generates the SBOMs
- Clair - vulnerability scanner for container images, originally from CoreOS and now maintained by Red Hat
examples
# generate an SPDX SBOM from a Maven project (run in the project directory)
spdx-sbom-generator
## creates: bom-Java-Maven.spdx
# scan an SPDX or CycloneDX SBOM for vulnerabilities
trivy sbom bom-Java-Maven.spdx
## or with grype (the path follows the sbom: prefix)
grype sbom:./bom-Java-Maven.spdx
# generate an SBOM from a jar with syft, in either format
syft --output cyclonedx-json name.jar > sbom-cyclonedx.json
syft --output spdx-json name.jar > sbom-spdx.json
# scan the jar directly for vulnerabilities (syft runs implicitly)
grype name.jar
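What `trivy sbom` and `grype sbom:` do with the SBOM file above, as an added Python example (not code from any tool on this page): read the CycloneDX components, normalise each purl to the ecosystem/name key that OSV advisories use, and apply OSV version-range semantics. The SBOM, the advisories, the EXAMPLE-* ids and the com.example packages are constructed for this example, and the version ordering is a crude numeric comparison rather than the ecosystem-specific rules real scanners implement.

```python
"""Added example, not code from syft, grype, trivy or OSV: a minimal
SBOM-to-advisory matcher. All ids, packages and versions are constructed."""
import json
import re
from urllib.parse import unquote

# purl type -> OSV ecosystem name (subset syft emits for the examples above)
PURL_TYPE_TO_ECOSYSTEM = {"maven": "Maven", "pypi": "PyPI", "npm": "npm", "golang": "Go"}


def parse_purl(purl: str) -> dict:
    """Split pkg:type/namespace/name@version?qualifiers#subpath into its parts."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body = purl[4:].split("#", 1)[0].split("?", 1)[0]   # drop subpath and qualifiers
    body, _, version = body.partition("@")              # '@' inside names is %-encoded
    parts = body.strip("/").split("/")
    return {"type": parts[0],
            "namespace": "/".join(unquote(p) for p in parts[1:-1]),
            "name": unquote(parts[-1]),
            "version": version or None}


def osv_package(p: dict) -> tuple:
    """Map a parsed purl to the (ecosystem, name) key OSV advisories are filed under."""
    eco = PURL_TYPE_TO_ECOSYSTEM.get(p["type"], p["type"])
    if p["type"] == "maven":                 # OSV keys Maven packages as group:artifact
        return eco, f'{p["namespace"]}:{p["name"]}'
    if p["type"] == "pypi":                  # PyPI names are case-insensitive, '_' == '-'
        return eco, p["name"].lower().replace("_", "-")
    return eco, f'{p["namespace"]}/{p["name"]}' if p["namespace"] else p["name"]


def version_key(v: str) -> tuple:
    """Crude dotted-numeric ordering; non-numeric parts (rc1, beta) sort as 0."""
    return tuple(int(x) if x.isdigit() else 0 for x in re.split(r"[.\-+]", v))


def affected_by(version: str, events: list) -> bool:
    """OSV range semantics: affected from an 'introduced' event up to (excluding) the
    next 'fixed' event, or up to and including 'last_affected'; an 'introduced' with
    no closing event means every later version is affected."""
    vk, intro = version_key(version), None
    for ev in events:
        if "introduced" in ev:
            intro = version_key(ev["introduced"])
        elif intro is not None and "fixed" in ev:
            if intro <= vk < version_key(ev["fixed"]):
                return True
            intro = None
        elif intro is not None and "last_affected" in ev:
            if intro <= vk <= version_key(ev["last_affected"]):
                return True
            intro = None
    return intro is not None and intro <= vk


def scan_sbom(sbom_json: str, advisories: list) -> list:
    """Return (advisory id, purl, fixed version) for every CycloneDX component
    that an advisory's ECOSYSTEM range covers."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        if not comp.get("purl") or not comp.get("version"):
            continue                         # nothing to match on
        key = osv_package(parse_purl(comp["purl"]))
        for adv in advisories:
            for aff in adv["affected"]:
                if (aff["package"]["ecosystem"], aff["package"]["name"]) != key:
                    continue
                for rng in aff.get("ranges", []):
                    if rng["type"] == "ECOSYSTEM" and affected_by(comp["version"], rng["events"]):
                        fixed = next((e["fixed"] for e in rng["events"] if "fixed" in e), None)
                        findings.append((adv["id"], comp["purl"], fixed))
    return findings


# Constructed CycloneDX JSON, shaped like `syft --output cyclonedx-json` output.
SAMPLE_SBOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
    {"type": "library", "name": "widget", "group": "com.example", "version": "1.4.2",
     "purl": "pkg:maven/com.example/widget@1.4.2"},
    {"type": "library", "name": "widget", "group": "com.example", "version": "1.5.0",
     "purl": "pkg:maven/com.example/widget@1.5.0"},
    {"type": "library", "name": "ExamplePkg", "version": "2.2.0", "purl": "pkg:pypi/ExamplePkg@2.2.0"},
    {"type": "library", "name": "examplepkg", "version": "1.9.0", "purl": "pkg:pypi/examplepkg@1.9.0"},
    {"type": "library", "name": "example-utils", "version": "1.0.0", "purl": "pkg:npm/example-utils@1.0.0"},
]})

# Constructed OSV-style advisories; EXAMPLE-* ids are placeholders, not real CVEs.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-0001", "affected": [{"package": {"ecosystem": "Maven", "name": "com.example:widget"},
     "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "1.5.0"}]}]}]},
    {"id": "EXAMPLE-0002", "affected": [{"package": {"ecosystem": "PyPI", "name": "examplepkg"},
     "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "2.0.0"}, {"fixed": "2.3.1"}]}]}]},
]

if __name__ == "__main__":
    for vuln_id, purl, fixed in scan_sbom(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(f"{vuln_id}  {purl}  fixed in {fixed}")
```

Running it reports the two vulnerable components and nothing else: widget 1.5.0 equals the fixed version and examplepkg 1.9.0 is below the introduced version, which is why matching has to use range semantics rather than string equality. The version parser is the weak point of every such matcher, and disagreements there are one reason different scanners can report different results for the same SBOM.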
vulnerability databases
- Common Vulnerabilities and Exposures (CVE) - the identifier scheme (CVE-YYYY-NNNNN) run by MITRE
- Open Source Vulnerabilities Database (OSV) - Google-run aggregate of advisories keyed by package ecosystem, name and version range; the database spdx-to-osv queries
- National Vulnerability Database (NVD) - NIST's enrichment of CVE records with CVSS scores and CPE applicability statements
- Sonatype OSS Index - free vulnerability lookup keyed by package coordinates / purl
Common Platform Enumeration (CPE)
CPE is a structured naming scheme for information technology systems, software and packages; NVD uses it to state which products a CVE applies to. A CPE 2.3 formatted string has 13 colon-separated fields, cpe:2.3:part:vendor:product:version:update:edition:language:sw_edition:target_sw:target_hw:other, where part is a (application), o (operating system) or h (hardware), * means any value, - means not applicable, and a literal ':' inside a field is escaped with a backslash.
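As an added example (not NVD or NIST code), a parser for the CPE 2.3 formatted string that keeps backslash-escaped ':' characters inside a field, plus a field-by-field match that treats '*' in the pattern as a wildcard. The apache/log4j strings are real NVD CPE names; the example/my\:tool name is constructed to exercise the escaping.

```python
"""Added example, not NVD code: parse and compare CPE 2.3 formatted strings."""
import re

CPE_FIELDS = ["part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other"]
ANY, NA = "*", "-"   # logical values: any value / not applicable


def split_unescaped(s: str, sep: str = ":") -> list:
    """Split on separators that are not escaped with a backslash."""
    fields, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):   # keep the escape pair together
            cur.append(s[i:i + 2])
            i += 2
            continue
        if s[i] == sep:
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    fields.append("".join(cur))
    return fields


def parse_cpe23(cpe: str) -> dict:
    """Return the 11 named fields of a cpe:2.3:... string with escapes removed."""
    parts = split_unescaped(cpe)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    fields = dict(zip(CPE_FIELDS, parts[2:]))
    if fields["part"] not in ("a", "o", "h"):  # application, operating system, hardware
        raise ValueError(f"bad part {fields['part']!r} in {cpe}")
    return {k: v if v in (ANY, NA) else re.sub(r"\\(.)", r"\1", v) for k, v in fields.items()}


def cpe_matches(pattern: str, target: str) -> bool:
    """Field-by-field match: '*' in the pattern accepts any target value, otherwise the
    values must be equal. NVD CVE configurations also carry version range attributes
    (versionStartIncluding etc.), which this simple matcher does not model."""
    p, t = parse_cpe23(pattern), parse_cpe23(target)
    return all(p[f] == ANY or p[f] == t[f] for f in CPE_FIELDS)


if __name__ == "__main__":
    print(parse_cpe23("cpe:2.3:a:apache:log4j:2.14.1:*:*:*:*:*:*:*"))
    print(cpe_matches("cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*",
                      "cpe:2.3:a:apache:log4j:2.14.1:*:*:*:*:*:*:*"))
```

Splitting naively on ':' is the classic mistake here: a vendor or product containing an escaped colon shifts every later field, so a scanner that does it would match the wrong version column.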