From 38f493422141c4b0781f3664efe72586bc72f6ba Mon Sep 17 00:00:00 2001
From: Paul Cacheux
Date: Mon, 27 Jan 2025 13:05:58 +0100
Subject: [PATCH 1/4] sbom: allow collector to scan library packages and any relationships
---
 pkg/util/trivy/trivy.go | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/pkg/util/trivy/trivy.go b/pkg/util/trivy/trivy.go
index 2a4abe21a7343..ba3756375de4d 100644
--- a/pkg/util/trivy/trivy.go
+++ b/pkg/util/trivy/trivy.go
@@ -328,11 +328,9 @@ func (c *Collector) scan(ctx context.Context, artifact artifact.Artifact, applie
 trivyReport, err := s.ScanArtifact(ctx, types.ScanOptions{
 ScanRemovedPackages: false,
- PkgTypes: []types.PkgType{types.PkgTypeOS},
- PkgRelationships: []ftypes.Relationship{
- ftypes.RelationshipUnknown,
- },
- Scanners: types.Scanners{types.SBOMScanner},
+ PkgTypes: []types.PkgType{types.PkgTypeOS, types.PkgTypeLibrary},
+ PkgRelationships: ftypes.Relationships,
+ Scanners: types.Scanners{types.SBOMScanner},
 })
 if err != nil {
 return nil, err
From 4badc9d997f5633828985a0e7c6e6b642fd5ae98 Mon Sep 17 00:00:00 2001
From: Paul Cacheux
Date: Mon, 27 Jan 2025 15:55:49 +0100
Subject: [PATCH 2/4] remove unused fields
---
 pkg/util/trivy/trivy.go | 14 ++------------
 1 file changed, 2 insertions(+), 12 deletions(-)
diff --git a/pkg/util/trivy/trivy.go b/pkg/util/trivy/trivy.go
index ba3756375de4d..04b1da0a187a8 100644
--- a/pkg/util/trivy/trivy.go
+++ b/pkg/util/trivy/trivy.go
@@ -23,7 +23,6 @@ import (
 "github.com/DataDog/datadog-agent/pkg/sbom"
 "github.com/DataDog/datadog-agent/pkg/util/log"
 "github.com/DataDog/datadog-agent/pkg/util/option"
- "github.com/aquasecurity/trivy-db/pkg/db"
 "github.com/aquasecurity/trivy/pkg/fanal/analyzer"
 "github.com/aquasecurity/trivy/pkg/fanal/applier"
 "github.com/aquasecurity/trivy/pkg/fanal/artifact"
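Review bot: The widened ScanOptions in the hunk (`PkgTypeLibrary` added to `PkgTypes`, `PkgRelationships` set to every relationship kind) reverses a previously deliberate-looking restriction without a comment saying why, so the next reader may narrow it back. A short why-comment above the literal would fix that, e.g. `// Scan language (library) packages with every relationship kind so the SBOM also lists application dependencies, not only OS packages.` Enabling library package types also means the analyzers now parse application manifests and lockfiles found inside the scanned image, which are controlled by whoever built the image, so scan size and duration can grow; if the collector enforces a timeout or output-size cap elsewhere, it is worth confirming it still covers this path. The enclosing `scan` method starts before the hunk and continues past it.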
@@ -33,10 +32,7 @@ import (
 "github.com/aquasecurity/trivy/pkg/fanal/walker"
 "github.com/aquasecurity/trivy/pkg/sbom/cyclonedx"
 "github.com/aquasecurity/trivy/pkg/scanner"
- "github.com/aquasecurity/trivy/pkg/scanner/langpkg"
- "github.com/aquasecurity/trivy/pkg/scanner/ospkg"
 "github.com/aquasecurity/trivy/pkg/types"
- "github.com/aquasecurity/trivy/pkg/vulnerability"
 // This is required to load sqlite based RPM databases
 _ "modernc.org/sqlite"
@@ -64,9 +60,6 @@ type Collector struct {
 config collectorConfig
 cacheInitialized sync.Once
 persistentCache CacheWithCleaner
- osScanner ospkg.Scanner
- langScanner langpkg.Scanner
- vulnClient vulnerability.Client
 marshaler cyclonedx.Marshaler
 wmeta option.Option[workloadmeta.Component]
 }
@@ -158,11 +151,8 @@ func NewCollector(cfg config.Component, wmeta option.Option[workloadmeta.Compone
 maxCacheSize: cfg.GetInt("sbom.cache.max_disk_size"),
 overlayFSSupport: cfg.GetBool("sbom.container_image.overlayfs_direct_scan"),
 },
- osScanner: ospkg.NewScanner(),
- langScanner: langpkg.NewScanner(),
- vulnClient: vulnerability.NewClient(db.Config{}),
- marshaler: cyclonedx.NewMarshaler(""),
- wmeta: wmeta,
+ marshaler: cyclonedx.NewMarshaler(""),
+ wmeta: wmeta,
 }, nil
 }
From 19ef24569fefa9f0c610758a5db29c95a1dc08d2 Mon Sep 17 00:00:00 2001
From: Paul Cacheux
Date: Mon, 27 Jan 2025 16:05:35 +0100
Subject: [PATCH 3/4] fetch packages from application as well
---
 pkg/util/trivy/trivy.go | 17 +++++++----------
 1 file changed, 7 insertions(+), 10 deletions(-)
diff --git a/pkg/util/trivy/trivy.go b/pkg/util/trivy/trivy.go
index 04b1da0a187a8..215673b2f2706 100644
--- a/pkg/util/trivy/trivy.go
+++ b/pkg/util/trivy/trivy.go
@@ -284,21 +284,18 @@ func (d *driver) Scan(_ context.Context, target, artifactKey string, blobKeys []
 return nil, ftypes.OS{}, xerrors.Errorf("failed to apply layers: %w", err)
 }
- scanTarget := types.ScanTarget{
- Name: target,
- OS: detail.OS,
- Repository: detail.Repository,
- Packages: detail.Packages,
- }
-
 result := types.Result{
 Target: fmt.Sprintf("%s (%s %s)", target, detail.OS.Family, detail.OS.Name),
 Class: types.ClassOSPkg,
- Type: scanTarget.OS.Family,
+ Type: detail.OS.Family,
 }
- sort.Sort(scanTarget.Packages)
- result.Packages = scanTarget.Packages
+ sort.Sort(detail.Packages)
+ result.Packages = detail.Packages
+ for _, app := range detail.Applications {
+ sort.Sort(app.Packages)
+ result.Packages = append(result.Packages, app.Packages...)
+ }
 return []types.Result{result}, detail.OS, nil
 }
From b27e2831be9e6502e74fc7e61c24fb0a9eb607e4 Mon Sep 17 00:00:00 2001
From: Paul Cacheux
Date: Mon, 27 Jan 2025 17:32:11 +0100
Subject: [PATCH 4/4] `inv -e tidy`
---
 go.mod | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/go.mod b/go.mod
index 141100038f7c3..530254511a215 100644
--- a/go.mod
+++ b/go.mod
@@ -183,7 +183,7 @@ require (
 github.com/acobaugh/osrelease v0.1.0
 github.com/alecthomas/participle v0.7.1 // indirect
 github.com/alecthomas/units v0.0.0-20240626203959-61d1e3462e30
- github.com/aquasecurity/trivy-db v0.0.0-20240910133327-7e0f4d2ed4c1
+ github.com/aquasecurity/trivy-db v0.0.0-20240910133327-7e0f4d2ed4c1 // indirect
 github.com/avast/retry-go/v4 v4.6.0
 github.com/aws/aws-lambda-go v1.37.0
 github.com/aws/aws-sdk-go v1.55.6 // indirect
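Review bot: The loop appended in this hunk folds every application's packages into the single `result` that is still classed `types.ClassOSPkg` with `Type: detail.OS.Family`, so language packages are reported under an OS-package result; if the CycloneDX marshaler derives component type or purl from `Class`/`Type`, those entries will be mislabelled. Sorting each `app.Packages` separately and then appending also leaves `result.Packages` sorted only per group rather than globally, which weakens the ordering the old `sort.Sort(scanTarget.Packages)` gave consumers. I would keep the OS result as it is and emit one result per application, as sketched below; `driver.Scan` begins before the hunk, and I have not checked whether the marshaler is sensitive to result class in this code base.
```go
	// … unchanged: result := types.Result{…} for the OS packages …
	sort.Sort(detail.Packages)
	result.Packages = detail.Packages
	results := []types.Result{result}
	for _, app := range detail.Applications {
		sort.Sort(app.Packages)
		results = append(results, types.Result{
			Target:   app.FilePath,
			Class:    types.ClassLangPkg,
			Type:     app.Type,
			Packages: app.Packages,
		})
	}
	return results, detail.OS, nil
```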