Replies: 2 comments 11 replies
-
I think it should be discussed with the CycloneDX and SPDX teams first. Once it's standardized, we're happy to add support for that. Otherwise, nobody will use the field for this purpose, and implementing it in Trivy will be meaningless. Also, the VEX Repository Specification potentially allows the indexing of external VEX documents. This can achieve this benefit you pointed out.
|
Beta Was this translation helpful? Give feedback.
-
To reiterate on this after the christmas break. It seems as if there are already "some" examples of package maintainers using these external references to allow the discovery of dynamic documents (in this case VDR and not VEX) from their SBOMs: https://www.sonatype.com/blog/sbom-vdr-and-maven-transforming-the-apache-logging-experience-to-a-common-pattern Also just to drive the point across, I believe this has already been "standardized" as these are the definitions that CycloneDx and SPDX use to describe the field that seem very self-explanatory to me:
Whether how widely it is/would be adopted is a different question ... To me it would be a more "simplistic" and tool agnostic approach to dynamically discover a VEX document than the VEX-Hub could currently provide. It could even be used alongside the structure of the VEX-Hub to point to a file stored in GitHub. I have a branch on trivy ready that shows how it would fit in with what is already there in terms of SBOM and VEX handling for my own POC. I could raise it as a PR if there is interest. EDIT: I stumbled over an issue on Grype where it seems like @sethmlarson has outlined the exact same proposal with a nice diagram: anchore/grype#1365 (comment) |
Beta Was this translation helpful? Give feedback.
-
Description
What is this about?
I am wondering if it makes sense for the most feature complete OS SBOM scanner (namely Trivy) to support the dynamic loading of VEX statements specified via an "external reference" in CycloneDX or SPDX SBOMs.
What am I talking about
Both CycloneDx and SPDX SBOM standards have the possibility to included "externalReferences" with a strict enum of possibly types of external references / documents that are related to that SBOM. What is especially interesting for me here is the "exploitability-statement" type of CycloneDx and the "vulnerabilityExploitabilityAssessment" type of SPDX.
As this field is explicitly allowed to contain URLs I believe it would be a valid usecase to make a lookup to such an URL and check if the resource located at that URL is a supported VEX format that can be applied to filter the produced output.
What would be the value?
This could be used to have a very "efficient" way of retrieving VEX information specifically related to the SBOM that is being scanned. Compared to the "vex-repo" approach, in the best case this would only require to retrieve the VEX information that is explicitly relevant to the scanned SBOM. This would even open up possibilities for publishers/vendors to generate VEX files dynamically on the fly and distribute them via an API.
Furthermore, this gives vendors that are already publishing SBOMs (e.g. as part of their container images with Cosign and In-Toto attestations) a way for these SBOMs to point at where the dynamic VEX information for that SBOM can be retrieved.
What could be downsides?
How much work do I think that is?
Actually with Trivy already supporting VEX filtering and the ability to handle different VEX formats this is "only" another way of specifying where the VEX information is coming from that should be used to "filter" the results of an SBOM scan.
Who would need to do the work
I am currently pretty deep in that topic as I am working on a master's thesis in that field and would be willing to contribute if that seems to be a reasonable feature to have.
Target
SBOM
Scanner
Vulnerability
Beta Was this translation helpful? Give feedback.
All reactions