From 9dc8a2ba6bdc8554ca068285f8488286132697d2 Mon Sep 17 00:00:00 2001 From: Itay Shakury Date: Fri, 21 Jun 2024 09:32:32 +0300 Subject: [PATCH] docs: non-packaged and sbom clarifications (#6975) Co-authored-by: Teppei Fukuda --- docs/docs/coverage/language/golang.md | 2 +- docs/docs/scanner/vulnerability.md | 20 ++++++++++++++------ docs/docs/supply-chain/sbom.md | 20 +++++++++++++------- 3 files changed, 28 insertions(+), 14 deletions(-) diff --git a/docs/docs/coverage/language/golang.md b/docs/docs/coverage/language/golang.md index 3d57edade7ec..6b3646329318 100644 --- a/docs/docs/coverage/language/golang.md +++ b/docs/docs/coverage/language/golang.md @@ -66,7 +66,7 @@ such as `go mod download`, `go mod tidy`, etc. Trivy traverses `$GOPATH/pkg/mod` and collects those extra information. ### Go binaries -Trivy scans binaries built by Go. +Trivy scans binaries built by Go, which include [module information](https://tip.golang.org/doc/go1.18#go-version). If there is a Go binary in your container image, Trivy automatically finds and scans it. Also, you can scan your local binaries. diff --git a/docs/docs/scanner/vulnerability.md b/docs/docs/scanner/vulnerability.md index 57cb6d79c1c3..55403dda2207 100644 --- a/docs/docs/scanner/vulnerability.md +++ b/docs/docs/scanner/vulnerability.md 
@@ -1,13 +1,12 @@ # Vulnerability Scanning -Trivy detects known vulnerabilities according to the versions of installed packages. +Trivy detects known vulnerabilities in software components that it finds in the scan target. -The following packages are supported. +The following are supported: - [OS packages](#os-packages) - [Language-specific packages](#language-specific-packages) -- [Kubernetes components (control plane, node and addons)](#kubernetes) - -Trivy also detects known vulnerabilities in Kubernetes components using KBOM (Kubernetes bill of Material) scanning. To learn more, see the [documentation for Kubernetes scanning](../target/kubernetes.md#KBOM). +- [Non-packaged software](#non-packaged-software) +- [Kubernetes components](#kubernetes) ## OS Packages Trivy is capable of automatically detecting installed OS packages when scanning container images, VM images and running hosts. @@ -138,9 +137,18 @@ See [here](../coverage/language/index.md#supported-languages) for the supported [^1]: Intentional delay between vulnerability disclosure and registration in the DB +## Non-packaged software + +If you have software that is not managed by a package manager, Trivy can still detect vulnerabilities in it in some cases: + +- [Using SBOM from Sigstore Rekor](../supply-chain/attestation/rekor/#non-packaged-binaries) +- [Go Binaries with embedded module information](../coverage/language/golang/#go-binaries) +- [Rust Binaries with embedded information](../coverage/language/rust/#binaries) +- [SBOM embedded in container images](../supply-chain/container-image/#sbom-embedded-in-container-images) + ## Kubernetes -Trivy can detect vulnerabilities in Kubernetes clusters and components. +Trivy can detect vulnerabilities in Kubernetes clusters and components by scanning a Kubernetes Cluster, or a KBOM (Kubernetes bill of Material). To learn more, see the [documentation for Kubernetes scanning](../target/kubernetes.md). ### Data Sources 
diff --git a/docs/docs/supply-chain/sbom.md b/docs/docs/supply-chain/sbom.md index cb3a68c9d8f3..ed57195b3550 100644 --- a/docs/docs/supply-chain/sbom.md +++ b/docs/docs/supply-chain/sbom.md @@ -731,17 +731,20 @@ $ cat result.spdx.json | jq . ## Scanning -Trivy can take SBOM documents as input for scanning. + +### SBOM as Target +Trivy can take SBOM documents as input for scanning, e.g `trivy sbom ./sbom.spdx`. See [here](../target/sbom.md) for more details. -Also, Trivy searches for SBOM files in container images. +### SBOM Detection inside Targets +Trivy searches for SBOM files in container images with the following extensions: +- `.spdx` +- `.spdx.json` +- `.cdx` +- `.cdx.json` -```bash -$ trivy image bitnami/elasticsearch:8.7.1 -``` +In addition, Trivy automatically detects SBOM files in [Bitnami images](https://github.com/bitnami/containers), [see here](../coverage/os/bitnami.md) for more details. -For example, [Bitnami images](https://github.com/bitnami/containers) contain SBOM files in `/opt/bitnami` directory. -Trivy automatically detects the SBOM files and uses them for scanning. It is enabled in the following targets. | Target | Enabled | @@ -755,6 +758,9 @@ It is enabled in the following targets. | AWS | | | SBOM | | +### SBOM Discovery for Container Images + +When scanning container images, Trivy can discover SBOM for those images. [See here](../target/container_image.md) for more details. [spdx]: https://spdx.dev/wp-content/uploads/sites/41/2020/08/SPDX-specification-2-2.pdf
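Review bot: In the `golang.md` hunk, "binaries built by Go, which include [module information]" reads as though every Go binary carries module information, while the sentence is meant to restrict the scan to those that do; suggest "Trivy scans binaries built by Go that embed [module information](...)". The link also points at `tip.golang.org`, which tracks the in-development release notes; the stable URL `https://go.dev/doc/go1.18#go-version` is the one that will not move.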
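Review bot: In the second `vulnerability.md` hunk, the four new links under "Non-packaged software" use directory-style paths with a trailing slash (`../supply-chain/attestation/rekor/#non-packaged-binaries`, `../coverage/language/golang/#go-binaries`, `../coverage/language/rust/#binaries`, `../supply-chain/container-image/#sbom-embedded-in-container-images`), whereas every other link in this file, including `../target/kubernetes.md` two lines below, uses the `.md` form. MkDocs only validates `.md` links, so a renamed page would silently break these; suggest `../supply-chain/attestation/rekor.md#non-packaged-binaries` and so on. Minor: "KBOM (Kubernetes bill of Material)" should be "Kubernetes Bill of Materials", and "Go Binaries" / "Rust Binaries" should be lower-case "binaries" to match "Go binaries" in the `golang.md` heading.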
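Review bot: In the first `sbom.md` hunk, the extension list (`- `.spdx`` through `- `.cdx.json``) directly follows the sentence "Trivy searches for SBOM files in container images with the following extensions:" with no blank line between them; Python-Markdown, which MkDocs uses, needs a blank line before a list or it renders the items as part of the paragraph. Suggest inserting an empty line after the colon. The sentence "It is enabled in the following targets." that now follows the Bitnami paragraph has also lost its referent, since the removed lines were what "It" pointed at; "SBOM detection inside targets is enabled in the following targets." would restore it. Also "e.g `trivy sbom ./sbom.spdx`" is missing the period after "e.g.".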
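Review bot: In the second `sbom.md` hunk, "Trivy can discover SBOM for those images" needs an article or plural ("an SBOM" / "SBOMs"), and the new "### SBOM Discovery for Container Images" subsection says nothing about how this differs from the "SBOM Detection inside Targets" subsection added above it beyond the link; one clause stating that discovery looks up an SBOM published for the image rather than files inside it (if that is what `container_image.md` describes) would keep readers from conflating the two.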