Vulnerability insights through SBOM #1590

thomasvandeweijer · 2024-11-26T14:49:07Z

thomasvandeweijer
Nov 26, 2024

Hi,
I'm currently trying to get better insights of active vulnerabilities on my systems. To do this for Flatcar I'm currently loading the flatcar_production_image_sbom.json file into Trivy, however I suspect this SBOM might have more packages than are actually in the image I'm loading (flatcar_production_pxe.vmlinuz and flatcar_production_pxe_image.cpio.gz).
Based on these suspicions I have a few questions:

What packages are included in the SBOM? (only what's included in the image or also build tools?)
Is the SBOM the right source for vulnerability detection?
Are there any alternative ways to get included package versions for scanning input?

Any other suggestions/recommendations are also welcome, I'm still searching for the best approach.

Answered by tormath1

Nov 27, 2024

Hello, SBOM is created based on the generic image content¹ so it should not have the build tools listed inside (e.g: you can't find go or rust inside the SBOM file).

I don't have enough knowledge on this topic to know if SBOM is the right source for vulnerability detection but looking at the file content and its integration with tools like trivy it seems to be the best source for doing this.

There are two alternatives ways to get included packages versions:

Using this file: https://stable.release.flatcar-linux.net/amd64-usr/current/flatcar_production_image_packages.txt. Note that sysext packages are not listed here, you need to go through them individually (e.g docker sysext: https://sta…

View full answer

tormath1 · 2024-11-27T08:44:48Z

tormath1
Nov 27, 2024
Maintainer

Hello, SBOM is created based on the generic image content¹ so it should not have the build tools listed inside (e.g: you can't find go or rust inside the SBOM file).

I don't have enough knowledge on this topic to know if SBOM is the right source for vulnerability detection but looking at the file content and its integration with tools like trivy it seems to be the best source for doing this.

There are two alternatives ways to get included packages versions:

Using this file: https://stable.release.flatcar-linux.net/amd64-usr/current/flatcar_production_image_packages.txt. Note that sysext packages are not listed here, you need to go through them individually (e.g docker sysext: https://stable.release.flatcar-linux.net/amd64-usr/current/rootfs-included-sysexts/containerd-flatcar_packages.txt)
Under /usr/share/SLSA you can find all the in-toto statements

https://github.com/flatcar/scripts/blob/f028badc1c7877f5a78d82835f550e9bf159bb64/build_library/prod_image_util.sh#L110 ↩

1 reply

thomasvandeweijer Dec 2, 2024
Author

Hi, I was able to confirm the SBOM was indeed the right source for me here. trivy reported a vulnerability in distribution/distribution which I could not trace back at first, but looking at the input SBOM more closely it's clear that distribution/distribution in this case is a module of docker-buildx which is included in the image.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Vulnerability insights through SBOM #1590

{{title}}

Replies: 1 comment 1 reply

{{title}}

{{title}}

Select a reply

Vulnerability insights through SBOM #1590

thomasvandeweijer Nov 26, 2024

Replies: 1 comment · 1 reply

tormath1 Nov 27, 2024 Maintainer

Footnotes

thomasvandeweijer Dec 2, 2024 Author

thomasvandeweijer
Nov 26, 2024

Replies: 1 comment 1 reply

tormath1
Nov 27, 2024
Maintainer

thomasvandeweijer Dec 2, 2024
Author