Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Read Syft configuration from Grype #1794

Open
willyw0nka opened this issue Apr 10, 2024 · 5 comments
Open

Read Syft configuration from Grype #1794

willyw0nka opened this issue Apr 10, 2024 · 5 comments
Labels
enhancement New feature or request needs-proposal Should be done but needs proposal/design for further discussion

Comments

@willyw0nka
Copy link

What would you like to be added:
Ability to read syft.yaml config file when running grype.

Why is this needed:
When scanning a directory or docker image grype uses syft to generate the sbom that will be analyzed. There are situations where syft configuration is required (anchore/syft#2266 (comment)). In these instances, it's not possible to solely run grype to generate the sbom and then identify vulnerabilities within it.

Additional context:
The current workaround is

syft . -o json | grype
@willyw0nka willyw0nka added the enhancement New feature or request label Apr 10, 2024
@willmurphyscode
Copy link
Contributor

Hi @willyw0nka! Thanks for the request.

Do you have a specific example of syft <whatever> -o json | grype doing the wrong thing, or particular config you wish was available?

Not every option in the syft config is applicable to grype. For example, syft and grype have a different set of output options, grype has configs for ignoring vulns but syft doesn't have those. Syft has config options to, for example, make network calls that download licensing information for some packages, but this information would just be thrown away during a grype scan. There might be options we can duplicate from Syft to Grype, or maybe make Grype parse a subset of Syft config, but it won't work to just point Grype at a whole Syft config without some real thought, which is why I ask which particular things are not working or configs seem to be missing.

@willyw0nka
Copy link
Author

Hi @willmurphyscode 👋, thanks for the reply.

Asuming that ~/.config/syft/config.yaml contains the following:

java:
    use-network: true

Let's scan an example project

git clone https://github.com/idealo/spring-endpoint-exporter.git
grype spring-endpoint-exporter

The shown output is the following

 ✔ Vulnerability DB                [no update available]  
 ✔ Indexed file system                                                                                                                                                                   spring-endpoint-exporter
 ✔ Cataloged contents                                                                                                                            9552afa469acfc6021761747ae604a09890febf735b3b74a06161652d89815ca
   ├── ✔ Packages                        [23 packages]  
   └── ✔ Executables                     [0 executables]  
 ✔ Scanned for vulnerabilities     [1 vulnerability matches]  
   ├── by severity: 1 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── by status:   1 fixed, 0 not-fixed, 0 ignored 
[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
NAME                     INSTALLED  FIXED-IN  TYPE          VULNERABILITY        SEVERITY 
spring-boot-starter-web             2.5.12    java-archive  GHSA-36p3-wjmg-h94x  Critical

This project appears to have a critical vulnerability 😱. The reason for this is that the spring-boot-starter-web version could not be read from pom.xml.

Let's try now to scan the same project using syft first and passing the generated SBOM to grype.

syft spring-endpoint-exporter -o json | grype

Which generates the following output

 ✔ Indexed file system                                                                                                                                                                   spring-endpoint-exporter
 ✔ Cataloged contents                                                                                                                            9552afa469acfc6021761747ae604a09890febf735b3b74a06161652d89815ca
   ├── ✔ Packages                        [23 packages]  
   └── ✔ Executables                     [0 executables]  
[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
No vulnerabilities found

Yay! No vulnerabilities found! 😄

So the enhanhement request is the following: could grype read grype config and syft config? Does this make sense?

@tgerla
Copy link
Contributor

tgerla commented Apr 18, 2024

Hey @willyw0nka, thanks much for the details. We're discussing this as a team and we've learned a couple of things: we're concerned that parsing syft config by default would confuse users and cause unintended changes in behavior, but we're open to adding an option to allow grype to call syft with config parsing enabled.

Possible options:

  • add a --use-my-syft-config option to turn on syft config parsing
  • add a --use-this-syft-config-file to parse a specific file
  • add some sort of syft config top-level section to grype configuration
  • keep existing behavior: do nothing and ask people to run syft | grype

Dev note: maintenance-wise, the solution should think through minimizing changes that have to be duplicated between Syft and Grype together. One complication: if Syft config is newer than the version of Syft included in Grype, problems could occur.

@tgerla tgerla moved this to Backlog in OSS Apr 18, 2024
@willyw0nka
Copy link
Author

Thank you for the feedback! After considering the current situation and potential solutions, I believe sticking to the --use-this-syft-config-file option is the best course of action. This option offers the most self-descriptive behavior and minimizes potential confusion.

While it is true that this implementation could lead to issues if the syft version is newer than grype, it remains (in my opinion) the easiest option to utilize as an user.

@willmurphyscode
Copy link
Contributor

Just noting that #1012 (comment) is good signal that we need to do this.

TL;DR - users should be able to tell grype to tell syft it's allowed to make network requests to maven repositories, since this would improve scan accuracy by improving JAR identification.

@willmurphyscode willmurphyscode added needs-proposal Should be done but needs proposal/design for further discussion and removed needs-discussion labels Dec 18, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request needs-proposal Should be done but needs proposal/design for further discussion
Projects
Status: Backlog
Development

No branches or pull requests

4 participants