SBOM generation and vulnerability scanning (with Syft, Grype)

 

https://www.youtube.com/watch?v=PiSTpHNM0T0 

 

 

syft : OSS SBOM generator

 

[Install]

curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sudo sh -s -- -b /usr/local/bin

 

[info] fetching release script for tag='v0.88.0'

[info] using release tag='v0.88.0' version='0.88.0' os='linux' arch='amd64'

[info] installed /usr/local/bin/syft

 

[Test]

syft nginx:latest

syft nginx:latest -o json | jq . <-- jq error?

syft nginx:latest -o json > nginx_sbom.json

syft nginx:latest -o cyclonedx-xml --file ./nginxbom

 

[Supported output formats]

syft-json / cyclonedx-xml / cyclonedx-json / github-json /

spdx-tag-value / spdx-json / syft-table / syft-text / template

 

syft nginx:latest -o spdx

syft nginx:latest -o spdx-json --file ./nginx_sbom.json

syft dir:/opt -o json --file ./mybom.json

 

time syft -o json debian:latest > output.json

vi output.json

 

time syft -o cyclonedx-json debian:latest > cyclonedx.json

time syft -o spdx-json debian:latest > spdx.json

time syft debian:latest
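Once an SBOM is saved as syft-json (as in `syft -o json debian:latest > output.json` above), the most useful thing to do with it is compare it against the SBOM of a previous build to see which packages were added, removed or bumped. The script below is an added example, not code from the original post or from the Syft project; it assumes only the syft-json layout with a top-level "artifacts" list whose entries carry "name", "version" and "type". The two SBOM documents are constructed inline so the script runs offline.

```python
import json

# Constructed sample SBOMs in the syft-json layout (top-level "artifacts" list).
# Hand-written stand-ins for two `syft <image> -o json` runs; only the fields
# this script reads are included.
OLD_SBOM_JSON = json.dumps({
    "artifacts": [
        {"name": "openssl", "version": "3.0.9-1", "type": "deb"},
        {"name": "zlib1g", "version": "1:1.2.13.dfsg-1", "type": "deb"},
        {"name": "curl", "version": "7.88.1-10", "type": "deb"},
        {"name": "lodash", "version": "4.17.20", "type": "npm"},
    ],
    "source": {"type": "image", "target": {"userInput": "nginx:old"}},
})

NEW_SBOM_JSON = json.dumps({
    "artifacts": [
        {"name": "openssl", "version": "3.0.11-1", "type": "deb"},
        {"name": "zlib1g", "version": "1:1.2.13.dfsg-1", "type": "deb"},
        {"name": "lodash", "version": "4.17.21", "type": "npm"},
        {"name": "ca-certificates", "version": "20230311", "type": "deb"},
    ],
    "source": {"type": "image", "target": {"userInput": "nginx:new"}},
})


def load_inventory(sbom_json: str) -> dict:
    """Map (type, name) -> version for every artifact in a syft-json document."""
    doc = json.loads(sbom_json)
    inventory = {}
    for artifact in doc.get("artifacts", []):
        key = (artifact.get("type", "unknown"), artifact["name"])
        inventory[key] = artifact.get("version", "")
    return inventory


def count_by_type(inventory: dict) -> dict:
    """Number of packages per ecosystem (deb, npm, python, ...)."""
    counts = {}
    for pkg_type, _name in inventory:
        counts[pkg_type] = counts.get(pkg_type, 0) + 1
    return counts


def diff_inventories(old: dict, new: dict) -> dict:
    """Packages added, removed, or changed in version between two inventories."""
    added = sorted(k for k in new if k not in old)
    removed = sorted(k for k in old if k not in new)
    changed = sorted(
        (k, old[k], new[k]) for k in old if k in new and old[k] != new[k]
    )
    return {"added": added, "removed": removed, "changed": changed}


def diff_report(old_sbom_json: str, new_sbom_json: str) -> dict:
    """Convenience wrapper: diff two raw syft-json strings."""
    return diff_inventories(load_inventory(old_sbom_json),
                            load_inventory(new_sbom_json))


if __name__ == "__main__":
    report = diff_report(OLD_SBOM_JSON, NEW_SBOM_JSON)
    for key in ("added", "removed"):
        for pkg_type, name in report[key]:
            print(f"{key:8s} {pkg_type}:{name}")
    for (pkg_type, name), old_v, new_v in report["changed"]:
        print(f"changed  {pkg_type}:{name} {old_v} -> {new_v}")
    print("packages by type:", count_by_type(load_inventory(NEW_SBOM_JSON)))
```

To use it on real output, replace the two inline documents with the contents of two saved files (for example the `output.json` produced above and the same command run against the next image tag). A version change on a package like openssl is exactly the kind of line worth eyeballing before the image is shipped.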

 

Grype : vulnerability scanning of images, files and directories

 

The supported base images are listed below. Images built on these bases (e.g. NGINX, MySQL) are supported as well.

Alpine, Amazon Linux, BusyBox, CentOS, Debian,

Distroless, Oracle Linux, Red Hat(RHEL), Ubuntu

 

The supported languages are as follows.

Ruby(Gems)

Java(JAR, WAR, EAR, JPI, HPI)

JavaScript(NPM, Yarn)

Python(Egg, Wheel, Poetry, requirements.txt/setup.py files)

 

[Install]

curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sudo sh -s -- -b /usr/local/bin

 

[info] checking github for the current release tag

[info] fetching release script for tag='v0.65.2'

[info] checking github for the current release tag

[info] using release tag='v0.65.2' version='0.65.2' os='linux' arch='amd64'

[info] installed /usr/local/bin/grype

 

[DB]

grype db check

grype db update

 

[Scan]

grype dir:~/myproject/

grype nginx:latest --scope all-layers

grype nginx:latest

grype IMAGE

 

grype sbom:./nginxbom  ---  vulnerability scan of the SBOM (cyclonedx-xml) generated by Syft
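Whether Grype scans an image directly or a Syft SBOM as above, its JSON output (`grype <target> -o json`) is what a CI step would consume to decide pass or fail. The script below is an added example, not code from the original post or from the Grype project; it assumes the grype JSON shape with a top-level "matches" list in which each match has a "vulnerability" (id, severity, fix state) and the "artifact" it was found in. The scan result is constructed inline with placeholder CVE ids so it runs offline.

```python
import json

# Grype's severity labels, ranked so a threshold can be compared numerically.
SEVERITY_RANK = {"Unknown": 0, "Negligible": 1, "Low": 2,
                 "Medium": 3, "High": 4, "Critical": 5}

# Constructed sample in the shape of `grype ... -o json` output. Hand-written
# for this example, not real scan data; the CVE ids are placeholders.
GRYPE_JSON = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                           "fix": {"versions": ["1.2.3"], "state": "fixed"}},
         "artifact": {"name": "libexample", "version": "1.2.0", "type": "deb"}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "High",
                           "fix": {"versions": [], "state": "not-fixed"}},
         "artifact": {"name": "libother", "version": "2.0.0", "type": "deb"}},
        {"vulnerability": {"id": "CVE-0000-0003", "severity": "Medium",
                           "fix": {"versions": ["4.17.21"], "state": "fixed"}},
         "artifact": {"name": "lodash", "version": "4.17.20", "type": "npm"}},
        {"vulnerability": {"id": "CVE-0000-0004", "severity": "Low",
                           "fix": {"versions": [], "state": "unknown"}},
         "artifact": {"name": "libother", "version": "2.0.0", "type": "deb"}},
    ],
    "source": {"type": "image", "target": {"userInput": "nginx:latest"}},
})


def load_matches(grype_json: str) -> list:
    """Return the list of matches from a grype JSON document."""
    return json.loads(grype_json).get("matches", [])


def count_by_severity(matches: list) -> dict:
    """Histogram of findings per severity label."""
    counts = {}
    for m in matches:
        sev = m["vulnerability"].get("severity", "Unknown")
        counts[sev] = counts.get(sev, 0) + 1
    return counts


def failing_matches(matches: list, fail_on: str = "High",
                    only_fixable: bool = False) -> list:
    """Findings at or above the threshold, optionally only those with a fix."""
    threshold = SEVERITY_RANK[fail_on]
    failing = []
    for m in matches:
        vuln = m["vulnerability"]
        sev = vuln.get("severity", "Unknown")
        if SEVERITY_RANK.get(sev, 0) < threshold:
            continue
        fix = vuln.get("fix", {})
        if only_fixable and fix.get("state") != "fixed":
            continue
        failing.append({
            "id": vuln["id"],
            "severity": sev,
            "package": f'{m["artifact"]["name"]}@{m["artifact"]["version"]}',
            "fixed_in": fix.get("versions", []),
        })
    # Most severe first; sorted() is stable so input order breaks ties.
    return sorted(failing, key=lambda f: -SEVERITY_RANK[f["severity"]])


def gate(grype_json: str, fail_on: str = "High",
         only_fixable: bool = False) -> tuple:
    """(exit_code, failing findings) the way a CI step would use it."""
    failing = failing_matches(load_matches(grype_json), fail_on, only_fixable)
    return (1 if failing else 0), failing


if __name__ == "__main__":
    print("by severity:", count_by_severity(load_matches(GRYPE_JSON)))
    code, failing = gate(GRYPE_JSON, fail_on="High", only_fixable=True)
    for f in failing:
        print(f'{f["severity"]:9s} {f["id"]} {f["package"]} fixed in {f["fixed_in"]}')
    print("exit code:", code)
```

Grype itself can enforce the same policy on the command line with its `--fail-on <severity>` and `--only-fixed` flags; a script like this is for the case where the JSON has already been saved and you want a custom report, or where you want to gate on fixable findings while still recording the unfixed ones.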

 
