@enrichman
Last active August 2, 2024 14:27
Scanners

Harbor

Demo server

https://goharbor.io/docs/2.4.0/install-config/demo-server/

Register at https://demo.goharbor.io

API: https://demo.goharbor.io/devcenter-api-2.0

https://demo.goharbor.io/api/v2.0/users
{"username":"harbor-demo-account","email":"random@unchecked.com","realname":"Harbor Demo","password":"Password123","comment":null}
docker login demo.goharbor.io -u harbor-demo-account -p Password123

⚠️ If you are already logged in as a different user, you will probably need to run docker logout first.

Create a new project (test-proj-demo here; the second run below uses a project named enrichman):

curl -u 'harbor-demo-account:Password123' -H 'Content-Type: application/json' https://demo.goharbor.io/api/v2.0/projects -d '{"project_name": "test-proj-demo"}'

docker tag nginx:latest demo.goharbor.io/test-proj-demo/nginx
docker push demo.goharbor.io/test-proj-demo/nginx
curl -u 'harbor-demo-account:Password123' https://demo.goharbor.io/api/v2.0/projects/test-proj-demo/repositories/nginx/artifacts/latest
curl -u 'harbor-demo-account:Password123' https://demo.goharbor.io/api/v2.0/projects/test-proj-demo/repositories/nginx/artifacts/latest/additions/vulnerabilities
{
  "application/vnd.security.vulnerability.report; version=1.1": {
    "generated_at": "2024-08-01T09:37:05.561615505Z",
    "scanner": {
      "name": "Trivy",
      "vendor": "Aqua Security",
      "version": "v0.51.2"
    },
    "severity": "Critical",
    "vulnerabilities": [
      {
        "id": "CVE-2024-5171",
        "package": "libaom3",
        "version": "3.6.0-1",
        "fix_version": "",
        "severity": "Critical",
        "description": "Integer overflow in libaom internal function img_alloc_helper can lead to heap buffer overflow. This function can be reached via 3 callers:\n\n\n  *  Calling aom_img_alloc() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid.\n  *  Calling aom_img_wrap() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid.\n  *  Calling aom_img_alloc_with_border() with a large value of the d_w, d_h, align, size_align, or border parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid.",
        "links": [
          "https://avd.aquasec.com/nvd/cve-2024-5171"
        ],
        "artifact_digests": [
          "sha256:4ac65f23061de2faef157760fa2125c954b5b064bc25e10655e90bd92bc3b354"
        ],
        "preferred_cvss": {
          "score_v3": 9.8,
          "score_v2": null,
          "vector_v3": "",
          "vector_v2": ""
        },
        "cwe_ids": [
          "CWE-190",
          "CWE-20"
        ],
        "vendor_attributes": {
          "CVSS": {
            "nvd": {
              "V3Score": 9.8,
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
            },
            "redhat": {
              "V3Score": 7,
              "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"
            }
          }
        }
      },
      ...
    ]
  }
}
docker login demo.goharbor.io
docker image pull nginx
docker tag nginx demo.goharbor.io/enrichman/nginx
docker push demo.goharbor.io/enrichman/nginx
curl -u 'enrichman:Password123' https://demo.goharbor.io/api/v2.0/projects/enrichman/repositories/nginx/artifacts/latest

curl -u 'enrichman:Password123' https://demo.goharbor.io/api/v2.0/projects/enrichman/repositories/nginx/artifacts/latest/additions/vulnerabilities

Grype

https://github.com/anchore/grype

Grype server

Clone and build (I did not find a ready-made image):

git clone https://github.com/openclarity/grype-server openclarity/grype-server
cd openclarity/grype-server
docker build -t openclarity/grype-server .

Run with:

docker run -d -p 9991:9991 --name grype-server openclarity/grype-server run --log-level info

Syft

Install syft to get an SBOM:

brew install syft

Use Syft to POST the SBOM to the Grype server, and get a list of vulnerabilities.

Get SBOM and base64 encode it:

syft nginx:latest -o spdx-json | jq | base64 -w0

Prepare the POST body, which should be {"sbom": "<BASE64 ENCODED SBOM>"}, and send it with curl to http://localhost:9991/api/scanSBOM. The vulnerabilities field of the response is base64 encoded.

One shot command:

printf '{"sbom": "%s"}' "$(syft nginx:latest -o spdx-json | jq | base64 -w0)" | \
  curl -s -H 'Content-Type: application/json' http://localhost:9991/api/scanSBOM -d @- | \
  jq -r .vulnerabilities | \
  base64 -d | jq
{
  "matches": [
    {
      "vulnerability": {
        "id": "CVE-2024-5171",
        "dataSource": "https://security-tracker.debian.org/tracker/CVE-2024-5171",
        "namespace": "debian:distro:debian:12",
        "severity": "Critical",
        "urls": [
          "https://security-tracker.debian.org/tracker/CVE-2024-5171"
        ],
        "description": "Integer overflow in libaom internal function img_alloc_helper can lead to heap buffer overflow. This function can be reached via 3 callers:     *  Calling aom_img_alloc() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid.   *  Calling aom_img_wrap() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid.   *  Calling aom_img_alloc_with_border() with a large value of the d_w, d_h, align, size_align, or border parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid.",
        "cvss": [],
        "fix": {
          "versions": [],
          "state": "not-fixed"
        },
        "advisories": []
      },
      "relatedVulnerabilities": [
        {
          "id": "CVE-2024-5171",
          "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-5171",
          "namespace": "nvd:cpe",
          "severity": "Critical",
          "urls": [
            "https://issues.chromium.org/issues/332382766",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6HYUEHZ35ZPY2EONVZCGO6LPT3AMLZCP/",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5NRNCEYS246CYGOR32MF7OGKWOWER22/"
          ],
          "description": "Integer overflow in libaom internal function img_alloc_helper can lead to heap buffer overflow. This function can be reached via 3 callers:\n\n\n  *  Calling aom_img_alloc() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid.\n  *  Calling aom_img_wrap() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid.\n  *  Calling aom_img_alloc_with_border() with a large value of the d_w, d_h, align, size_align, or border parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid.",
          "cvss": [
            {
              "source": "nvd@nist.gov",
              "type": "Primary",
              "version": "3.1",
              "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "metrics": {
                "baseScore": 9.8,
                "exploitabilityScore": 3.9,
                "impactScore": 5.9
              },
              "vendorMetadata": {}
            }
          ]
        }
      ],
      "matchDetails": [
        {
          "type": "exact-indirect-match",
          "matcher": "dpkg-matcher",
          "searchedBy": {
            "distro": {
              "type": "debian",
              "version": "12"
            },
            "namespace": "debian:distro:debian:12",
            "package": {
              "name": "aom",
              "version": "3.6.0-1"
            }
          },
          "found": {
            "versionConstraint": "none (deb)",
            "vulnerabilityID": "CVE-2024-5171"
          }
        }
      ],
      "artifact": {
        "id": "a4c7bb9eb5dc4e12",
        "name": "libaom3",
        "version": "3.6.0-1",
        "type": "deb",
        "locations": [],
        "language": "",
        "licenses": [
          "BSD-2-Clause AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Expat AND ISC AND LicenseRef-public-domain-md5"
        ],
        "cpes": [
          "cpe:2.3:a:libaom3:libaom3:3.6.0-1:*:*:*:*:*:*:*"
        ],
        "purl": "pkg:deb/debian/libaom3@3.6.0-1?arch=amd64&upstream=aom&distro=debian-12",
        "upstreams": [
          {
            "name": "aom"
          }
        ]
      }
    },
    ...
  ],
  "source": {
    "type": "image",
    "target": {
      "userInput": "nginx:sha256:578a4c4bb02012ad343b495f635a5c96a7273202bd3d82c8a678c9700f5f7e24",
      "imageID": "DocumentRoot-Image-nginx",
      "manifestDigest": "sha256:578a4c4bb02012ad343b495f635a5c96a7273202bd3d82c8a678c9700f5f7e24",
      "mediaType": "",
      "tags": [],
      "imageSize": 0,
      "layers": null,
      "manifest": null,
      "config": null,
      "repoDigests": [],
      "architecture": "",
      "os": ""
    }
  },
  "distro": {
    "name": "debian",
    "version": "12",
    "idLike": [
      "debian"
    ]
  },
  "descriptor": {
    "name": "",
    "version": "",
    "db": {
      "built": "2024-08-02T01:31:29Z",
      "schemaVersion": 5,
      "location": "/data/5",
      "checksum": "sha256:ba1b1812cc51550aa6a892ea101e29f7e9d6e852d6f3fba5fbc836a89f5fbe07",
      "error": null
    },
    "timestamp": "2024-08-02T10:53:35.07778987Z"
  }
}
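
An added example (not part of the original gist): Python that unwraps a grype-server response the way the one-shot command does, flattens it and the Harbor report into the same (CVE, package, version) keys, and compares the two scanners. The sample documents are constructed and trimmed to fields shown on this page; the CVE-EXAMPLE-* ids and pkg-a / pkg-b names are placeholders.

```python
import base64
import json

# Constructed sample data; CVE-EXAMPLE-* ids and pkg-a / pkg-b are placeholders.
MIME = "application/vnd.security.vulnerability.report; version=1.1"
HARBOR_REPORT = {MIME: {"vulnerabilities": [
    {"id": "CVE-2024-5171", "package": "libaom3", "version": "3.6.0-1", "severity": "Critical"},
    {"id": "CVE-EXAMPLE-0001", "package": "pkg-a", "version": "1.0", "severity": "Low"},
    {"id": "CVE-EXAMPLE-0002", "package": "pkg-b", "version": "2.0", "severity": "High"},
]}}
GRYPE_DOC = {"matches": [
    {"vulnerability": {"id": "CVE-2024-5171", "severity": "Critical"},
     "artifact": {"name": "libaom3", "version": "3.6.0-1"}},
    {"vulnerability": {"id": "CVE-EXAMPLE-0001", "severity": "Medium"},
     "artifact": {"name": "pkg-a", "version": "1.0"}},
]}
# Same wrapper the one-shot command unwraps: base64 JSON under "vulnerabilities".
GRYPE_SERVER_BODY = json.dumps(
    {"vulnerabilities": base64.b64encode(json.dumps(GRYPE_DOC).encode()).decode()})

def harbor_findings(report):
    """Map (cve, package, version) -> severity across all report MIME types."""
    out = {}
    for body in report.values():  # each top-level key is a report MIME type
        for v in body.get("vulnerabilities") or []:
            out[(v["id"], v["package"], v["version"])] = v["severity"].lower()
    return out

def grype_findings(server_body):
    """Decode the grype-server response, then key matches the same way."""
    doc = json.loads(base64.b64decode(json.loads(server_body)["vulnerabilities"]))
    out = {}
    for m in doc.get("matches") or []:
        art, vuln = m["artifact"], m["vulnerability"]
        out[(vuln["id"], art["name"], art["version"])] = vuln["severity"].lower()
    return out

def compare(harbor, grype):
    """Bucket findings: agreed, severity mismatch, or seen by one scanner only."""
    both = harbor.keys() & grype.keys()
    return {
        "agree": sorted(k for k in both if harbor[k] == grype[k]),
        "severity_differs": sorted(k for k in both if harbor[k] != grype[k]),
        "harbor_only": sorted(harbor.keys() - grype.keys()),
        "grype_only": sorted(grype.keys() - harbor.keys()),
    }

RESULT = compare(harbor_findings(HARBOR_REPORT), grype_findings(GRYPE_SERVER_BODY))
print(json.dumps(RESULT, indent=2))
```

The Grype side is keyed on artifact.name (libaom3) rather than the upstream package under matchDetails (aom), because that is the name that lines up with Harbor's package field in the two outputs above.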