Trivy: harmful advice on hiding vulnerabilities

Hi, Habr!

What, yet another article about Trivy? It may seem that nothing new can be written about this tool, and the scanner itself has been adopted even by companies with a low level of security maturity. But we noticed that most articles online are extended administration guides, and we could not find a description of the scanner's internal logic anywhere.

Some conclusions can be drawn from a careful reading of the "Coverage" section of the scanner's official documentation. It suggests the thought: "Obviously, Trivy scans the configuration files of installers and package managers." But, as often happens in mathematics, the obvious is not obvious at all and requires proof. That is why, as one of our colleagues put it, we will "reverse-engineer open source" and try to work out exactly how the Trivy scanner operates. This material was prepared by Anastasia Berezovskaya, an application development process security engineer at Swordfish Security.

Internal files

Trivy usually keeps its internal files in the directory ~/.cache/trivy. It contains two main folders: fanal and db. The db folder holds the database with information about vulnerabilities found in libraries, along with its metadata, such as the database version and the time of its last update. The fanal folder stores the database with the results of analyzing images and file systems.

Both databases are stored in the boltDB format, a high-performance key-value store. To browse their contents conveniently you can use a small utility, boltbrowser. It lets you quickly view and analyze the data held in boltDB files, which makes working with scan results easier and clearer.

Figure 1. Example of the data stored in fanal.db

The fanal.db database contains detailed information about container image layers, the packages used and their versions. Figure 1 shows the data for one particular layer: the command that produced it, and information about the operating system and the packages installed in it. A careful look already allows some conclusions about how the tool works. But let us not stop at assumptions and move on to its source code.

Execution sequence

Image scanning is only one of Trivy's many functions, and it is the one we focus on. We run the program in debug mode on a simple Alpine image, set breakpoints at key points and watch the order in which commands execute. Even without going deep into the design, several key stages can be identified.

At the initial stage, the string command-line arguments are converted and a context is created for the subsequent steps.

At the second stage, a timeout is set on execution time, the built-in fanal database is initialized, the db vulnerability database is downloaded and the WASM modules are activated. Then the main function to run is selected, in our case image scanning.

At the third stage, the analyzers that will not be used are determined (for example the analyzers of build tools' lock files), and the method of obtaining information about the image is chosen (from an archive or an image, locally or remotely). Execution then moves on to scanning the object (this multi-step hand-off between functions allows the same implementation to be used for different types of scanned objects).

At the fourth stage, the scanner is configured and initialized. It receives the parameters of the scan target (the image name) and the flags for scanning removed files and development-stage dependencies. The library types (OS packages, language packages) and scanners (secret search, vulnerable libraries) are configured, along with parameters for the scanner itself, including the Rekor, AWS and Docker Host settings. The analyzers disabled at the second stage (lock files and some configuration files) are passed in here as well.

After that, Trivy connects to the container through the CRI (for example containerd, podman, docker) and obtains information about the container: its configuration and information about the storage drivers (overlay, overlay2; these are used to stack file systems on top of each other efficiently, which makes lightweight and portable container images possible). The filters for files and directories to skip during scanning, the logging objects and the Rekor client are also initialized.

This is where the analyzers and post-analyzers are enumerated (more on them below). These include the configuration-file analyzers that search for secrets using regular expressions (both including and excluding ones, for example those with the example prefix). At this point we have an object that holds complete information about the image and its contents, ready to be scanned for vulnerabilities and license compliance.

We are slowly getting closer to the core scanning logic. But first comes the fifth stage, which helps make Trivy a genuinely fast scanner.

At this stage the scanner reads the configuration file obtained from Docker at the fourth stage. The identifiers of the image and its layers are then extracted. An attempt is made here to fetch a remote SBOM. In our case there is none, so the program continues execution.

Next, the index of the base layer is looked up. The developers kindly left an example of how this function works in the comments:

FROM debian:8
RUN apt-get update
COPY mysecret /
ENTRYPOINT ["entrypoint.sh"]
CMD ["somecmd"]

For this Dockerfile, the layers in the build history that belong to the Debian base image have to be identified. To do so, a loop simply looks for the first line from the end of the form:

CMD ["/bin/sh"]
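A sketch of the heuristic just described, added here as an illustration and not taken from Trivy's source. The type and function names and the history entries are constructed; skipping the image's own trailing metadata-only entries is an assumption of this sketch, needed so that CMD ["somecmd"] from the Dockerfile above is not mistaken for the end of the base image.

```go
package main

import (
	"fmt"
	"strings"
)

// HistoryEntry holds the two fields of an image history record used here.
// The type and its field names are chosen for this example.
type HistoryEntry struct {
	CreatedBy  string // instruction that produced the entry
	EmptyLayer bool   // true for metadata-only instructions (CMD, ENTRYPOINT, ...)
}

// isCmd reports whether an entry was produced by a CMD instruction, in the
// classic builder form ("/bin/sh -c #(nop)  CMD ...") or the BuildKit form.
func isCmd(createdBy string) bool {
	return strings.HasPrefix(createdBy, "/bin/sh -c #(nop)  CMD") ||
		strings.HasPrefix(createdBy, "CMD")
}

// guessBaseImageIndex walks the history from the end and returns the index of
// the CMD entry that closes the base image, or -1 if none is found.
func guessBaseImageIndex(history []HistoryEntry) int {
	seenNonEmpty := false
	for i := len(history) - 1; i >= 0; i-- {
		h := history[i]
		// Skip the trailing ENTRYPOINT/CMD of the image being scanned.
		if !seenNonEmpty {
			if h.EmptyLayer {
				continue
			}
			seenNonEmpty = true
		}
		// Entries that changed the file system cannot be the marker.
		if !h.EmptyLayer {
			continue
		}
		if isCmd(h.CreatedBy) {
			return i
		}
	}
	return -1
}

// baseLayerCount returns how many file-system layers belong to the base image:
// the non-empty entries up to and including the detected index.
func baseLayerCount(history []HistoryEntry) int {
	idx := guessBaseImageIndex(history)
	n := 0
	for i := 0; i <= idx; i++ {
		if !history[i].EmptyLayer {
			n++
		}
	}
	return n
}

// Constructed history for the Dockerfile above, oldest entry first.
var sampleHistory = []HistoryEntry{
	{"/bin/sh -c #(nop) ADD file:<constructed> in / ", false},
	{"/bin/sh -c #(nop)  CMD [\"/bin/sh\"]", true}, // end of the base image
	{"/bin/sh -c apt-get update", false},
	{"/bin/sh -c #(nop) COPY file:<constructed> in / ", false},
	{"/bin/sh -c #(nop)  ENTRYPOINT [\"entrypoint.sh\"]", true},
	{"/bin/sh -c #(nop)  CMD [\"somecmd\"]", true},
}

func main() {
	fmt.Println("base image ends at history index:", guessBaseImageIndex(sampleHistory))
	fmt.Println("file-system layers in base image:", baseLayerCount(sampleHistory))
}
```

An image whose history carries no CMD marker before its first own layer yields -1, in which case no layer is treated as belonging to a base image.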

The layer and image identifiers are then converted into keys for storage in the fanal.db database. For each layer, information about the command that produced it is also extracted from the history, which again is supplied by Docker itself (as we saw in Figure 1).

For each of the layer keys obtained, an attempt is made to retrieve data from the cache. This is what lets Trivy work efficiently: it sends on for further inspection only those layers that are not yet in the cache (provided the schema versions match). The same happens with the image data.

After the already analyzed layers have been filtered out, inspection begins for those with no data in the cache. Inspection runs in parallel, which again benefits performance.

At the sixth stage we see why the base layer was separated out. The only difference in its analysis is that no secret search is performed for it. To achieve this, the type responsible for secret search is added to the unused analyzers determined at the third stage.

The scanner walks the image's file system. Before analysis it skips the files that were specified to be skipped, as well as files with the .wh. prefix and further .wh. segments, for example /etc/.wh..wh..wh..opq. For reference, such files are created in overlay systems (Docker is exactly such an environment). They are part of the mechanism used to implement copy-up and copy-down operations. Files with the .wh. prefix serve as markers or placeholders: they indicate that the corresponding file or directory has been deleted or hidden in the overlay system. These files are usually absent from the actual file system; they are artifacts not meant to be accessed or manipulated directly by users or applications. That is why Trivy omits them. All other files are sent for analysis.

During the analysis stages the following happens: for each file that passed the preliminary filtering, it is determined whether it meets the criteria of any analyzer. In other words, a compatibility check is performed.

If at least one of the conditions holds for a file, all the necessary information is extracted from it. At this stage the files that need additional analysis after the main processing are also selected. Later they go through a similar procedure.

Figure 2. Example of log output from walking the container file system

Figure 2 illustrates Trivy going through the files one by one. The ones that follow with debug-level logging (a debug print statement, yes indeed!) are files on which the analyzer of type secret fired.

Figure 3. Call sequence for analyzing a container image (abridged)

The final stages consist of merging the analysis results, saving them to the fanal.db database, and checking the image's configuration file and then saving the results to the cache. That's all, phew!

How the analyzers work

The analyzers can be divided into the following categories:

  • OS version analysis: these analyzers extract information about the operating system version from the release file. Although this information may not seem especially remarkable, it is still added to the table for completeness.

  • Dependency analysis: these analyzers look for dependencies in the build file, in the metadata of installed packages and in binary files. A dependency comparison table can be found in the official documentation.

  • Build data analysis: these analyzers extract information about the image build process.

  • Analysis of the metadata files of OS installers (for example apk, dpkg and so on). These are also described in the official documentation.

  • Secret search: analyzers in this category look for potentially dangerous secrets.

| Group.No. | Analyzer name | Required | Comment |
|---|---|---|---|
| 1.1 | alpineOSAnalyzer | /etc/alpine-release | Parses the OS version from the corresponding file |
| 1.2 | amazonLinuxOSAnalyzer | etc/system-release, usr/lib/system-release | |
| 1.3 | debianOSAnalyzer | etc/debian_version | |
| 1.4 | marinerOSAnalyzer | etc/mariner-release | |
| 1.5 | almaOSAnalyzer | etc/almalinux-release | |
| 1.6 | centOSAnalyzer | etc/centos-release | |
| 1.7 | fedoraOSAnalyzer | etc/fedora-release, usr/lib/fedora-release | |
| 1.8 | oracleOSAnalyzer | usr/lib/fedora-release | |
| 1.9 | redhatOSAnalyzer | etc/redhat-release | |
| 1.10 | rockyOSAnalyzer | etc/rocky-release | |
| 1.11 | osReleaseAnalyzer | etc/os-release, usr/lib/os-release | |
| 1.12 | ubuntuESMAnalyzer | var/lib/ubuntu-advantage/status.json | |
| 1.13 | ubuntuOSAnalyzer | etc/lsb-release | |
| 2.1 | packagesPropsAnalyzer | HasSuffix(packages.props) | Parses the packages.props file used in .NET projects to manage dependencies. |
| 2.2 | depsLibraryAnalyzer | HasSuffix(.deps.json) | Parses the .NET dependency file, extracting information about libraries and their versions. |
| 2.3 | nodePkgLibraryAnalyzer | package.json | Parses the JS/TS dependency file, extracting information about libraries and their versions. |
| 2.4 | gemspecLibraryAnalyzer | Regex(.*/specifications/.+\\.gemspec) | Parses the .gemspec file used to describe libraries and their dependencies in Ruby projects. |
| 2.5 | metaAnalyzer | Regex(.*/envs/.+/conda-meta/.+-.+-.+\.json) | Parses dependency information in files of the form <conda-root>/envs/<env>/conda-meta/<package>.json used in Conda packages. |
| 2.6 | gobinaryLibraryAnalyzer | IsExecutable | Parses information about the dependencies used in a compiled Go program. |
| 2.7 | rustBinaryLibraryAnalyzer | IsExecutable | Parses Rust binaries and extracts dependency information. |
| 3.1 | contentManifestAnalyzer | root/buildinfo/content_manifests/ & .json | Red Hat has special manifest files that give detailed information about packages, their dependencies and other attributes needed to manage and deploy software on Red Hat systems. These are the files parsed here. |
| 3.2 | dockerfileAnalyzer | root/buildinfo/ & HasPrefix(Dockerfile) | Parses metadata and information about the build environment or system configuration. |
| 4.1 | rpmPkgAnalyzer | usr/lib/sysimage/rpm/Packages, var/lib/rpm/Packages, usr/lib/sysimage/rpm/Packages.db, var/lib/rpm/Packages.db, usr/lib/sysimage/rpm/rpmdb.sqlite, var/lib/rpm/rpmdb.sqlite | These files contain the package databases used by package managers on Linux systems. |
| 4.2 | rpmqaPkgAnalyzer | var/lib/rpmmanifest/container-manifest-2 | The container-manifest-2 file in var/lib/rpmmanifest/ contains the container manifest with information about the contents of the image. |
| 4.3 | alpinePkgAnalyzer | lib/apk/db/installed | The installed file in lib/apk/db/ contains the list of packages installed in Alpine Linux. |
| 4.4 | dpkgAnalyzer | var/lib/dpkg/status, var/lib/dpkg/status.d/, var/lib/dpkg/info/, var/lib/dpkg/available | Parsing only the dpkg file is enough even when apt is used, because apt relies on dpkg underneath. |
| 5.1 | sbomAnalyzer | .spdx, .spdx.json, .cdx, .cdx.json | Parses information from the SBOM files found |
| 5.2 | SecretAnalyzer | | Searches for secrets |

Attempts to fool Trivy

Now that we have worked out how the analyzers operate, we can relax a little and be in no hurry to update library versions in container images, and do it in such a way that colleagues from the security department do not come to us with remarks.

Let's build a container image based on Alpine and install curl in it. To hide the presence of curl in the container from Trivy, we delete the entries for the package from the file ~/lib/apk/db/installed. This change does not affect the utility's ability to work.

FROM alpine:latest
RUN apk update && apk add curl && sed -i -e '/P:libcurl/,+18d' lib/apk/db/installed && sed -i -e '/P:curl/,+18d' lib/apk/db/installed && sed -i -e '/R:libcurl/,+3d' lib/apk/db/installed

docker build -t simple .
trivy image --format cyclonedx --output simple.json simple

As a result, the SBOM file contains no mention of the curl package. A similar approach can be applied to apk/dpkg, where the files to change are in the var/lib/dpkg/ directory.
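A check a security team can run against this kind of tampering, added here as an example that is not part of the original article or of Trivy. It parses the ownership records in lib/apk/db/installed (P: package, F: directory, R: file) and reports files in binary and library directories that no package claims. The function names, the watched directory list and the sample data are constructed; a real file list would come from an unpacked image.

```go
package main

import (
	"bufio"
	"fmt"
	"path"
	"sort"
	"strings"
)

// Constructed, shortened sample of lib/apk/db/installed after the curl and
// libcurl records have been deleted. Records are separated by blank lines.
const sampleInstalled = `P:musl
V:1.2.5-r0
F:lib
R:ld-musl-x86_64.so.1
R:libc.musl-x86_64.so.1

P:busybox
V:1.36.1-r28
F:bin
R:busybox

P:ca-certificates-bundle
V:20240226-r0
F:etc/ssl/certs
R:ca-certificates.crt
`

// Constructed listing of files found in the unpacked image.
var sampleFiles = []string{
	"lib/ld-musl-x86_64.so.1",
	"lib/libc.musl-x86_64.so.1",
	"bin/busybox",
	"etc/ssl/certs/ca-certificates.crt",
	"etc/hostname",
	"./usr/lib/libcurl.so.4.8.0",
	"/usr/bin/curl",
}

// Directories where an unowned file deserves attention (assumed list).
var watchedDirs = []string{"bin/", "sbin/", "lib/", "usr/bin/", "usr/sbin/", "usr/lib/"}

// normalize turns "./usr/bin/x" and "/usr/bin/x" into "usr/bin/x".
func normalize(p string) string {
	return strings.TrimPrefix(path.Clean("/"+p), "/")
}

// ownedPaths maps every file path recorded in the database to its package.
func ownedPaths(installed string) map[string]string {
	owned := make(map[string]string)
	var pkg, dir string
	sc := bufio.NewScanner(strings.NewReader(installed))
	for sc.Scan() {
		line := sc.Text()
		if line == "" { // a blank line ends the current package record
			pkg, dir = "", ""
			continue
		}
		if len(line) < 2 || line[1] != ':' {
			continue
		}
		val := line[2:]
		switch line[0] {
		case 'P':
			pkg = val
		case 'F': // directory for the R: entries that follow
			dir = val
		case 'R': // file name relative to the last F: directory
			owned[normalize(path.Join(dir, val))] = pkg
		}
	}
	return owned
}

// unownedFiles returns, sorted, the files inside watched directories that no
// package in the database claims.
func unownedFiles(installed string, files, watched []string) []string {
	owned := ownedPaths(installed)
	var out []string
	for _, f := range files {
		p := normalize(f)
		if _, ok := owned[p]; ok {
			continue
		}
		for _, d := range watched {
			if strings.HasPrefix(p, d) {
				out = append(out, p)
				break
			}
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	for _, p := range unownedFiles(sampleInstalled, sampleFiles, watchedDirs) {
		fmt.Println("not owned by any apk package:", p)
	}
}
```

Files legitimately created outside the package manager (by install scripts or by COPY instructions in the Dockerfile) are reported as well, so the output is meant to be compared against a known baseline for the image.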

"properties": [         {           "name": "aquasecurity:trivy:LayerDiffID",           "value": "sha256:02f2bcb26af5ea6d185dcf509dc795746d907ae10c53918b6944ac85447a0c72"         },         {           "name": "aquasecurity:trivy:PkgID",           "value": "ssl_client@1.36.1-r28"         },         {           "name": "aquasecurity:trivy:PkgType",           "value": "alpine"         },         {           "name": "aquasecurity:trivy:SrcName",           "value": "busybox"         },         {           "name": "aquasecurity:trivy:SrcVersion",           "value": "1.36.1-r28"         }       ]     },     {       "bom-ref": "pkg:apk/alpine/zlib@1.3.1-r1?arch=x86_64&distro=3.20.0",       "type": "library",       "name": "zlib",       "version": "1.3.1-r1",       "hashes": [         {           "alg": "SHA-1",           "content": "9ba6f253e2982e0e6e71cb4187e3d6b6c4bbae99"         }       ],       "licenses": [         {           "license": {             "name": "Zlib"           }         }       ],       "purl": "pkg:apk/alpine/zlib@1.3.1-r1?arch=x86_64&distro=3.20.0",       "properties": [         {           "name": "aquasecurity:trivy:LayerDiffID",           "value": "sha256:02f2bcb26af5ea6d185dcf509dc795746d907ae10c53918b6944ac85447a0c72"         },         {           "name": "aquasecurity:trivy:PkgID",           "value": "zlib@1.3.1-r1"         },         {           "name": "aquasecurity:trivy:PkgType",           "value": "alpine"         },         {           "name": "aquasecurity:trivy:SrcName",           "value": "zlib"         },         {           "name": "aquasecurity:trivy:SrcVersion",           "value": "1.3.1-r1"         }       ]     },     {       "bom-ref": "pkg:apk/alpine/zstd-libs@1.5.6-r0?arch=x86_64&distro=3.20.0",       "type": "library",       "name": "zstd-libs",       "version": "1.5.6-r0",       "hashes": [         {           "alg": "SHA-1",           "content": "4d60614645192deddc80e6e568fe535b38c315c1"         }       ],       
"licenses": [         {           "license": {             "name": "BSD-3-Clause"           }         },         {           "license": {             "name": "GPL-2.0"           }         }       ],       "purl": "pkg:apk/alpine/zstd-libs@1.5.6-r0?arch=x86_64&distro=3.20.0",       "properties": [         {           "name": "aquasecurity:trivy:LayerDiffID",           "value": "sha256:67b7e246f4700d863a4ea89fc8b4e5ff4b92993e73f672e70ccb45bbcdef87b5"         },         {           "name": "aquasecurity:trivy:PkgID",           "value": "zstd-libs@1.5.6-r0"         },         {           "name": "aquasecurity:trivy:PkgType",           "value": "alpine"         },         {           "name": "aquasecurity:trivy:SrcName",           "value": "zstd"         },         {           "name": "aquasecurity:trivy:SrcVersion",           "value": "1.5.6-r0"         }       ]     }   ],   "dependencies": [     {       "ref": "be0c2be1-a5ca-4c09-af16-e605edbeccbb",       "dependsOn": [         "pkg:apk/alpine/alpine-baselayout-data@3.6.5-r0?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/alpine-baselayout@3.6.5-r0?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/alpine-keys@2.4-r1?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/apk-tools@2.14.4-r0?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/brotli-libs@1.1.0-r2?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/busybox-binsh@1.36.1-r28?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/busybox@1.36.1-r28?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/c-ares@1.28.1-r0?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/ca-certificates-bundle@20240226-r0?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/ca-certificates@20240226-r0?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/libcrypto3@3.3.0-r2?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/libidn2@2.3.7-r0?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/libpsl@0.21.5-r1?arch=x86_64&distro=3.20.0",         
"pkg:apk/alpine/libssl3@3.3.0-r2?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/libunistring@1.2-r0?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/musl-utils@1.2.5-r0?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/musl@1.2.5-r0?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/nghttp2-libs@1.62.0-r0?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/scanelf@1.3.7-r2?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/ssl_client@1.36.1-r28?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/zlib@1.3.1-r1?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/zstd-libs@1.5.6-r0?arch=x86_64&distro=3.20.0"       ]     },     {       "ref": "f454a1e2-78e9-4b06-8d4c-aa57e771d29a",       "dependsOn": [         "be0c2be1-a5ca-4c09-af16-e605edbeccbb"       ]     },     {       "ref": "pkg:apk/alpine/alpine-baselayout-data@3.6.5-r0?arch=x86_64&distro=3.20.0",       "dependsOn": []     },     {       "ref": "pkg:apk/alpine/alpine-baselayout@3.6.5-r0?arch=x86_64&distro=3.20.0",       "dependsOn": [         "pkg:apk/alpine/alpine-baselayout-data@3.6.5-r0?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/busybox-binsh@1.36.1-r28?arch=x86_64&distro=3.20.0"       ]     },     {       "ref": "pkg:apk/alpine/alpine-keys@2.4-r1?arch=x86_64&distro=3.20.0",       "dependsOn": []     },     {       "ref": "pkg:apk/alpine/apk-tools@2.14.4-r0?arch=x86_64&distro=3.20.0",       "dependsOn": [         "pkg:apk/alpine/ca-certificates-bundle@20240226-r0?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/libcrypto3@3.3.0-r2?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/libssl3@3.3.0-r2?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/musl@1.2.5-r0?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/zlib@1.3.1-r1?arch=x86_64&distro=3.20.0"       ]     },     {       "ref": "pkg:apk/alpine/brotli-libs@1.1.0-r2?arch=x86_64&distro=3.20.0",       "dependsOn": [         "pkg:apk/alpine/musl@1.2.5-r0?arch=x86_64&distro=3.20.0"       ]     },     {       "ref": 
"pkg:apk/alpine/busybox-binsh@1.36.1-r28?arch=x86_64&distro=3.20.0",       "dependsOn": [         "pkg:apk/alpine/busybox@1.36.1-r28?arch=x86_64&distro=3.20.0"       ]     },     {       "ref": "pkg:apk/alpine/busybox@1.36.1-r28?arch=x86_64&distro=3.20.0",       "dependsOn": [         "pkg:apk/alpine/musl@1.2.5-r0?arch=x86_64&distro=3.20.0"       ]     },     {       "ref": "pkg:apk/alpine/c-ares@1.28.1-r0?arch=x86_64&distro=3.20.0",       "dependsOn": [         "pkg:apk/alpine/musl@1.2.5-r0?arch=x86_64&distro=3.20.0"       ]     },     {       "ref": "pkg:apk/alpine/ca-certificates-bundle@20240226-r0?arch=x86_64&distro=3.20.0",       "dependsOn": []     },     {       "ref": "pkg:apk/alpine/ca-certificates@20240226-r0?arch=x86_64&distro=3.20.0",       "dependsOn": [         "pkg:apk/alpine/busybox-binsh@1.36.1-r28?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/libcrypto3@3.3.0-r2?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/musl@1.2.5-r0?arch=x86_64&distro=3.20.0"       ]     },     {       "ref": "pkg:apk/alpine/libcrypto3@3.3.0-r2?arch=x86_64&distro=3.20.0",       "dependsOn": [         "pkg:apk/alpine/musl@1.2.5-r0?arch=x86_64&distro=3.20.0"       ]     },     {       "ref": "pkg:apk/alpine/libidn2@2.3.7-r0?arch=x86_64&distro=3.20.0",       "dependsOn": [         "pkg:apk/alpine/libunistring@1.2-r0?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/musl@1.2.5-r0?arch=x86_64&distro=3.20.0"       ]     },     {       "ref": "pkg:apk/alpine/libpsl@0.21.5-r1?arch=x86_64&distro=3.20.0",       "dependsOn": [         "pkg:apk/alpine/libidn2@2.3.7-r0?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/libunistring@1.2-r0?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/musl@1.2.5-r0?arch=x86_64&distro=3.20.0"       ]     },     {       "ref": "pkg:apk/alpine/libssl3@3.3.0-r2?arch=x86_64&distro=3.20.0",       "dependsOn": [         "pkg:apk/alpine/libcrypto3@3.3.0-r2?arch=x86_64&distro=3.20.0",         
"pkg:apk/alpine/musl@1.2.5-r0?arch=x86_64&distro=3.20.0"       ]     },     {       "ref": "pkg:apk/alpine/libunistring@1.2-r0?arch=x86_64&distro=3.20.0",       "dependsOn": [         "pkg:apk/alpine/musl@1.2.5-r0?arch=x86_64&distro=3.20.0"       ]     },     {       "ref": "pkg:apk/alpine/musl-utils@1.2.5-r0?arch=x86_64&distro=3.20.0",       "dependsOn": [         "pkg:apk/alpine/musl@1.2.5-r0?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/scanelf@1.3.7-r2?arch=x86_64&distro=3.20.0"       ]     },     {       "ref": "pkg:apk/alpine/musl@1.2.5-r0?arch=x86_64&distro=3.20.0",       "dependsOn": []     },     {       "ref": "pkg:apk/alpine/nghttp2-libs@1.62.0-r0?arch=x86_64&distro=3.20.0",       "dependsOn": [         "pkg:apk/alpine/musl@1.2.5-r0?arch=x86_64&distro=3.20.0"       ]     },     {       "ref": "pkg:apk/alpine/scanelf@1.3.7-r2?arch=x86_64&distro=3.20.0",       "dependsOn": [         "pkg:apk/alpine/musl@1.2.5-r0?arch=x86_64&distro=3.20.0"       ]     },     {       "ref": "pkg:apk/alpine/ssl_client@1.36.1-r28?arch=x86_64&distro=3.20.0",       "dependsOn": [         "pkg:apk/alpine/libcrypto3@3.3.0-r2?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/libssl3@3.3.0-r2?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/musl@1.2.5-r0?arch=x86_64&distro=3.20.0"       ]     },     {       "ref": "pkg:apk/alpine/zlib@1.3.1-r1?arch=x86_64&distro=3.20.0",       "dependsOn": [         "pkg:apk/alpine/musl@1.2.5-r0?arch=x86_64&distro=3.20.0"       ]     },     {       "ref": "pkg:apk/alpine/zstd-libs@1.5.6-r0?arch=x86_64&distro=3.20.0",       "dependsOn": [         "pkg:apk/alpine/musl@1.2.5-r0?arch=x86_64&distro=3.20.0"       ]     }   ],   "vulnerabilities": [] } 

This trick will not work if you add the --removed-pkgs flag.

trivy image --removed-pkgs --format cyclonedx --output with_removed.json simple
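To see exactly which packages only surface with --removed-pkgs, the default CycloneDX report can be diffed against the one produced by the command above. The script below is an added example, not code from the article or from Trivy; the two embedded documents are constructed, abridged samples that reuse names and versions from the article's output, and the path to the default report is passed as an argument because its file name is an assumption.

```python
import json
import sys

# Constructed, abridged sample of a default scan (no --removed-pkgs).
DEFAULT_SCAN = json.loads("""
{"bomFormat": "CycloneDX", "components": [
  {"bom-ref": "sample-os", "type": "operating-system",
   "name": "alpine", "version": "3.20.0"},
  {"bom-ref": "pkg:apk/alpine/musl@1.2.5-r0?arch=x86_64&distro=3.20.0",
   "type": "library", "name": "musl", "version": "1.2.5-r0",
   "purl": "pkg:apk/alpine/musl@1.2.5-r0?arch=x86_64&distro=3.20.0",
   "properties": [{"name": "aquasecurity:trivy:PkgType", "value": "alpine"}]}
]}
""")

# Constructed, abridged sample of the same image scanned with --removed-pkgs.
REMOVED_SCAN = json.loads("""
{"bomFormat": "CycloneDX", "components": [
  {"bom-ref": "sample-os", "type": "operating-system",
   "name": "alpine", "version": "3.20.0"},
  {"bom-ref": "sample-curl", "type": "library",
   "name": "curl", "version": "8.7.1-r0",
   "properties": [{"name": "aquasecurity:trivy:PkgType", "value": "alpine"}]},
  {"bom-ref": "sample-openssl", "type": "library",
   "name": "openssl", "version": "3.3.1-r0",
   "properties": [{"name": "aquasecurity:trivy:PkgType", "value": "alpine"}]},
  {"bom-ref": "pkg:apk/alpine/musl@1.2.5-r0?arch=x86_64&distro=3.20.0",
   "type": "library", "name": "musl", "version": "1.2.5-r0",
   "purl": "pkg:apk/alpine/musl@1.2.5-r0?arch=x86_64&distro=3.20.0",
   "properties": [{"name": "aquasecurity:trivy:PkgType", "value": "alpine"}]}
]}
""")


def libraries(bom):
    """Map (name, version) -> component for every 'library' component."""
    found = {}
    for comp in bom.get("components", []):
        if comp.get("type") != "library":
            continue  # skip operating-system and application entries
        found[(comp.get("name"), comp.get("version"))] = comp
    return found


def prop(comp, key):
    """Return the value of a CycloneDX property by name, or None."""
    for p in comp.get("properties", []):
        if p.get("name") == key:
            return p.get("value")
    return None


def hidden_packages(default_bom, removed_bom):
    """Packages reported only when the image is scanned with --removed-pkgs."""
    base = libraries(default_bom)
    extra = libraries(removed_bom)
    findings = []
    for key in sorted(extra, key=lambda k: (str(k[0]), str(k[1]))):
        if key in base:
            continue
        comp = extra[key]
        findings.append({
            "name": key[0],
            "version": key[1],
            "pkg_type": prop(comp, "aquasecurity:trivy:PkgType"),
            "has_purl": "purl" in comp,
        })
    return findings


def main(argv):
    # Usage: script.py <default_report.json> <with_removed.json>
    if len(argv) == 3:
        with open(argv[1]) as f1, open(argv[2]) as f2:
            default_bom, removed_bom = json.load(f1), json.load(f2)
    else:
        default_bom, removed_bom = DEFAULT_SCAN, REMOVED_SCAN
    findings = hidden_packages(default_bom, removed_bom)
    for f in findings:
        print(f"{f['name']} {f['version']} ({f['pkg_type']}) "
              f"only visible with --removed-pkgs, purl present: {f['has_purl']}")
    # Non-zero exit lets a CI job fail when the two reports disagree.
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Components are matched on name and version, so a package that appears in both reports under different versions is also listed.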
Result: with_removed.json
{   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",   "bomFormat": "CycloneDX",   "specVersion": "1.5",   "serialNumber": "urn:uuid:90125ba3-fb31-49bf-97de-80a6a9389c18",   "version": 1,   "metadata": {     "timestamp": "2024-06-18T11:59:02+00:00",     "tools": {       "components": [         {           "type": "application",           "group": "aquasecurity",           "name": "trivy",           "version": "0.52.0"         }       ]     },     "component": {       "bom-ref": "73a39b8d-f318-425b-8b7c-3251ebc40070",       "type": "container",       "name": "simple",       "properties": [         {           "name": "aquasecurity:trivy:DiffID",           "value": "sha256:02f2bcb26af5ea6d185dcf509dc795746d907ae10c53918b6944ac85447a0c72"         },         {           "name": "aquasecurity:trivy:DiffID",           "value": "sha256:67b7e246f4700d863a4ea89fc8b4e5ff4b92993e73f672e70ccb45bbcdef87b5"         },         {           "name": "aquasecurity:trivy:ImageID",           "value": "sha256:2863ace3f03ff8dffe0938aaae013100f154963ecffc66906a2b46e2283b5cb7"         },         {           "name": "aquasecurity:trivy:RepoTag",           "value": "simple:latest"         },         {           "name": "aquasecurity:trivy:SchemaVersion",           "value": "2"         }       ]     }   },   "components": [     {       "bom-ref": "01a85ab9-e3bc-41de-9e2b-5615863bd6f7",       "type": "library",       "name": "libncursesw",       "version": "6.4_p20240420-r0",       "properties": [         {           "name": "aquasecurity:trivy:PkgType",           "value": "alpine"         }       ]     },     {       "bom-ref": "07b61b98-6bc7-45e2-aaf2-7d2a8014854e",       "type": "library",       "name": "curl",       "version": "8.7.1-r0",       "properties": [         {           "name": "aquasecurity:trivy:PkgType",           "value": "alpine"         }       ]     },     {       "bom-ref": "127f253c-a7c4-477a-aeb0-01da3de7b358",       "type": "library",       "name": 
"libcurl",       "version": "8.7.1-r0",       "properties": [         {           "name": "aquasecurity:trivy:PkgType",           "value": "alpine"         }       ]     },     {       "bom-ref": "31a6c493-18f2-457b-a667-945caf72e406",       "type": "library",       "name": "ncurses-terminfo-base",       "version": "6.4_p20240420-r0",       "properties": [         {           "name": "aquasecurity:trivy:PkgType",           "value": "alpine"         }       ]     },     {       "bom-ref": "4414c997-ed28-4c5a-a805-fe910a0b4d6f",       "type": "library",       "name": "yash-binsh",       "version": "2.56.1-r1",       "properties": [         {           "name": "aquasecurity:trivy:PkgType",           "value": "alpine"         }       ]     },     {       "bom-ref": "767dea9c-a2c1-4740-9474-d1b889c14b3b",       "type": "library",       "name": "brotli",       "version": "1.1.0-r2",       "properties": [         {           "name": "aquasecurity:trivy:PkgType",           "value": "alpine"         }       ]     },     {       "bom-ref": "81bd6fa8-43e8-4c19-9786-685344661f9f",       "type": "library",       "name": "openssl",       "version": "3.3.1-r0",       "properties": [         {           "name": "aquasecurity:trivy:PkgType",           "value": "alpine"         }       ]     },     {       "bom-ref": "8df69276-165e-466b-8c65-2a9c6b76452b",       "type": "library",       "name": "ncurses",       "version": "6.4_p20240420-r0",       "properties": [         {           "name": "aquasecurity:trivy:PkgType",           "value": "alpine"         }       ]     },     {       "bom-ref": "a22fc604-cb46-430c-807a-4f8c44a89532",       "type": "library",       "name": "yash",       "version": "2.56.1-r1",       "properties": [         {           "name": "aquasecurity:trivy:PkgType",           "value": "alpine"         }       ]     },     {       "bom-ref": "a97049e7-3d03-4dc2-b23a-3174b8e493c5",       "type": "library",       "name": "zstd",       "version": "1.5.6-r0",       
"properties": [         {           "name": "aquasecurity:trivy:PkgType",           "value": "alpine"         }       ]     },     {       "bom-ref": "d723cf30-3e35-49f9-b849-9904404fe627",       "type": "library",       "name": "nghttp2",       "version": "1.62.0-r0",       "properties": [         {           "name": "aquasecurity:trivy:PkgType",           "value": "alpine"         }       ]     },     {       "bom-ref": "daf11902-aea0-477b-8ac7-61d2ca711509",       "type": "operating-system",       "name": "alpine",       "version": "3.20.0",       "properties": [         {           "name": "aquasecurity:trivy:Class",           "value": "os-pkgs"         },         {           "name": "aquasecurity:trivy:Type",           "value": "alpine"         }       ]     },     {       "bom-ref": "pkg:apk/alpine/alpine-baselayout-data@3.6.5-r0?arch=x86_64&distro=3.20.0",       "type": "library",       "name": "alpine-baselayout-data",       "version": "3.6.5-r0",       "hashes": [         {           "alg": "SHA-1",           "content": "ee68a6fb02f7e62304b428b0404a2fc1e2fc353d"         }       ],       "licenses": [         {           "license": {             "name": "GPL-2.0"           }         }       ],       "purl": "pkg:apk/alpine/alpine-baselayout-data@3.6.5-r0?arch=x86_64&distro=3.20.0",       "properties": [         {           "name": "aquasecurity:trivy:LayerDiffID",           "value": "sha256:02f2bcb26af5ea6d185dcf509dc795746d907ae10c53918b6944ac85447a0c72"         },         {           "name": "aquasecurity:trivy:PkgID",           "value": "alpine-baselayout-data@3.6.5-r0"         },         {           "name": "aquasecurity:trivy:PkgType",           "value": "alpine"         },         {           "name": "aquasecurity:trivy:SrcName",           "value": "alpine-baselayout"         },         {           "name": "aquasecurity:trivy:SrcVersion",           "value": "3.6.5-r0"         }       ]     },     {       "bom-ref": 
"pkg:apk/alpine/alpine-baselayout@3.6.5-r0?arch=x86_64&distro=3.20.0",       "type": "library",       "name": "alpine-baselayout",       "version": "3.6.5-r0",       "hashes": [         {           "alg": "SHA-1",           "content": "a8a719fa3db7c6cb005e681086438ef1d1e76d6c"         }       ],       "licenses": [         {           "license": {             "name": "GPL-2.0"           }         }       ],       "purl": "pkg:apk/alpine/alpine-baselayout@3.6.5-r0?arch=x86_64&distro=3.20.0",       "properties": [         {           "name": "aquasecurity:trivy:LayerDiffID",           "value": "sha256:02f2bcb26af5ea6d185dcf509dc795746d907ae10c53918b6944ac85447a0c72"         },         {           "name": "aquasecurity:trivy:PkgID",           "value": "alpine-baselayout@3.6.5-r0"         },         {           "name": "aquasecurity:trivy:PkgType",           "value": "alpine"         },         {           "name": "aquasecurity:trivy:SrcName",           "value": "alpine-baselayout"         },         {           "name": "aquasecurity:trivy:SrcVersion",           "value": "3.6.5-r0"         }       ]     },     {       "bom-ref": "pkg:apk/alpine/alpine-keys@2.4-r1?arch=x86_64&distro=3.20.0",       "type": "library",       "name": "alpine-keys",       "version": "2.4-r1",       "hashes": [         {           "alg": "SHA-1",           "content": "78ab5150a3919e474204e0f91972d1cf0a344f9d"         }       ],       "licenses": [         {           "license": {             "name": "MIT"           }         }       ],       "purl": "pkg:apk/alpine/alpine-keys@2.4-r1?arch=x86_64&distro=3.20.0",       "properties": [         {           "name": "aquasecurity:trivy:LayerDiffID",           "value": "sha256:02f2bcb26af5ea6d185dcf509dc795746d907ae10c53918b6944ac85447a0c72"         },         {           "name": "aquasecurity:trivy:PkgID",           "value": "alpine-keys@2.4-r1"         },         {           "name": "aquasecurity:trivy:PkgType",           "value": "alpine"         
},         {           "name": "aquasecurity:trivy:SrcName",           "value": "alpine-keys"         },         {           "name": "aquasecurity:trivy:SrcVersion",           "value": "2.4-r1"         }       ]     },     {       "bom-ref": "pkg:apk/alpine/apk-tools@2.14.4-r0?arch=x86_64&distro=3.20.0",       "type": "library",       "name": "apk-tools",       "version": "2.14.4-r0",       "hashes": [         {           "alg": "SHA-1",           "content": "a8c5ec2451b123ac57e39b0cb6ceccdaf26d5099"         }       ],       "licenses": [         {           "license": {             "name": "GPL-2.0"           }         }       ],       "purl": "pkg:apk/alpine/apk-tools@2.14.4-r0?arch=x86_64&distro=3.20.0",       "properties": [         {           "name": "aquasecurity:trivy:LayerDiffID",           "value": "sha256:02f2bcb26af5ea6d185dcf509dc795746d907ae10c53918b6944ac85447a0c72"         },         {           "name": "aquasecurity:trivy:PkgID",           "value": "apk-tools@2.14.4-r0"         },         {           "name": "aquasecurity:trivy:PkgType",           "value": "alpine"         },         {           "name": "aquasecurity:trivy:SrcName",           "value": "apk-tools"         },         {           "name": "aquasecurity:trivy:SrcVersion",           "value": "2.14.4-r0"         }       ]     },     {       "bom-ref": "pkg:apk/alpine/brotli-libs@1.1.0-r2?arch=x86_64&distro=3.20.0",       "type": "library",       "name": "brotli-libs",       "version": "1.1.0-r2",       "hashes": [         {           "alg": "SHA-1",           "content": "bc58ba1128a8703ca7ab3d7097a07bf095d9ddcd"         }       ],       "licenses": [         {           "license": {             "name": "MIT"           }         }       ],       "purl": "pkg:apk/alpine/brotli-libs@1.1.0-r2?arch=x86_64&distro=3.20.0",       "properties": [         {           "name": "aquasecurity:trivy:LayerDiffID",           "value": 
"sha256:67b7e246f4700d863a4ea89fc8b4e5ff4b92993e73f672e70ccb45bbcdef87b5"         },         {           "name": "aquasecurity:trivy:PkgID",           "value": "brotli-libs@1.1.0-r2"         },         {           "name": "aquasecurity:trivy:PkgType",           "value": "alpine"         },         {           "name": "aquasecurity:trivy:SrcName",           "value": "brotli"         },         {           "name": "aquasecurity:trivy:SrcVersion",           "value": "1.1.0-r2"         }       ]     },     {       "bom-ref": "pkg:apk/alpine/busybox-binsh@1.36.1-r28?arch=x86_64&distro=3.20.0",       "type": "library",       "name": "busybox-binsh",       "version": "1.36.1-r28",       "hashes": [         {           "alg": "SHA-1",           "content": "bcc87860f989f46a653262a6c76c9e86a0f6d549"         }       ],       "licenses": [         {           "license": {             "name": "GPL-2.0"           }         }       ],       "purl": "pkg:apk/alpine/busybox-binsh@1.36.1-r28?arch=x86_64&distro=3.20.0",       "properties": [         {           "name": "aquasecurity:trivy:LayerDiffID",           "value": "sha256:02f2bcb26af5ea6d185dcf509dc795746d907ae10c53918b6944ac85447a0c72"         },         {           "name": "aquasecurity:trivy:PkgID",           "value": "busybox-binsh@1.36.1-r28"         },         {           "name": "aquasecurity:trivy:PkgType",           "value": "alpine"         },         {           "name": "aquasecurity:trivy:SrcName",           "value": "busybox"         },         {           "name": "aquasecurity:trivy:SrcVersion",           "value": "1.36.1-r28"         }       ]     },     {       "bom-ref": "pkg:apk/alpine/busybox@1.36.1-r28?arch=x86_64&distro=3.20.0",       "type": "library",       "name": "busybox",       "version": "1.36.1-r28",       "hashes": [         {           "alg": "SHA-1",           "content": "0676c3ae99458f235efcd3a8842d3371636e7cbe"         }       ],       "licenses": [         {           "license": {             
"name": "GPL-2.0"           }         }       ],       "purl": "pkg:apk/alpine/busybox@1.36.1-r28?arch=x86_64&distro=3.20.0",       "properties": [         {           "name": "aquasecurity:trivy:LayerDiffID",           "value": "sha256:02f2bcb26af5ea6d185dcf509dc795746d907ae10c53918b6944ac85447a0c72"         },         {           "name": "aquasecurity:trivy:PkgID",           "value": "busybox@1.36.1-r28"         },         {           "name": "aquasecurity:trivy:PkgType",           "value": "alpine"         },         {           "name": "aquasecurity:trivy:SrcName",           "value": "busybox"         },         {           "name": "aquasecurity:trivy:SrcVersion",           "value": "1.36.1-r28"         }       ]     },     {       "bom-ref": "pkg:apk/alpine/c-ares@1.28.1-r0?arch=x86_64&distro=3.20.0",       "type": "library",       "name": "c-ares",       "version": "1.28.1-r0",       "hashes": [         {           "alg": "SHA-1",           "content": "a128e26b902d098af3e7987ffa97c879916b9a0d"         }       ],       "licenses": [         {           "license": {             "name": "MIT"           }         }       ],       "purl": "pkg:apk/alpine/c-ares@1.28.1-r0?arch=x86_64&distro=3.20.0",       "properties": [         {           "name": "aquasecurity:trivy:LayerDiffID",           "value": "sha256:67b7e246f4700d863a4ea89fc8b4e5ff4b92993e73f672e70ccb45bbcdef87b5"         },         {           "name": "aquasecurity:trivy:PkgID",           "value": "c-ares@1.28.1-r0"         },         {           "name": "aquasecurity:trivy:PkgType",           "value": "alpine"         },         {           "name": "aquasecurity:trivy:SrcName",           "value": "c-ares"         },         {           "name": "aquasecurity:trivy:SrcVersion",           "value": "1.28.1-r0"         }       ]     },     {       "bom-ref": "pkg:apk/alpine/ca-certificates-bundle@20240226-r0?arch=x86_64&distro=3.20.0",       "type": "library",       "name": "ca-certificates-bundle",       
"version": "20240226-r0",       "hashes": [         {           "alg": "SHA-1",           "content": "118470356e088a64f194c32a95a24fb5afa0b867"         }       ],       "licenses": [         {           "license": {             "name": "MPL-2.0"           }         },         {           "license": {             "name": "MIT"           }         }       ],       "purl": "pkg:apk/alpine/ca-certificates-bundle@20240226-r0?arch=x86_64&distro=3.20.0",       "properties": [         {           "name": "aquasecurity:trivy:LayerDiffID",           "value": "sha256:02f2bcb26af5ea6d185dcf509dc795746d907ae10c53918b6944ac85447a0c72"         },         {           "name": "aquasecurity:trivy:PkgID",           "value": "ca-certificates-bundle@20240226-r0"         },         {           "name": "aquasecurity:trivy:PkgType",           "value": "alpine"         },         {           "name": "aquasecurity:trivy:SrcName",           "value": "ca-certificates"         },         {           "name": "aquasecurity:trivy:SrcVersion",           "value": "20240226-r0"         }       ]     },     {       "bom-ref": "pkg:apk/alpine/ca-certificates@20240226-r0?arch=x86_64&distro=3.20.0",       "type": "library",       "name": "ca-certificates",       "version": "20240226-r0",       "hashes": [         {           "alg": "SHA-1",           "content": "d2b7d55933c597e43a51ce1e9d42aa1c245003a0"         }       ],       "licenses": [         {           "license": {             "name": "MPL-2.0"           }         },         {           "license": {             "name": "MIT"           }         }       ],       "purl": "pkg:apk/alpine/ca-certificates@20240226-r0?arch=x86_64&distro=3.20.0",       "properties": [         {           "name": "aquasecurity:trivy:LayerDiffID",           "value": "sha256:67b7e246f4700d863a4ea89fc8b4e5ff4b92993e73f672e70ccb45bbcdef87b5"         },         {           "name": "aquasecurity:trivy:PkgID",           "value": "ca-certificates@20240226-r0"         },        
 {           "name": "aquasecurity:trivy:PkgType",           "value": "alpine"         },         {           "name": "aquasecurity:trivy:SrcName",           "value": "ca-certificates"         },         {           "name": "aquasecurity:trivy:SrcVersion",           "value": "20240226-r0"         }       ]     },     {       "bom-ref": "pkg:apk/alpine/libcrypto3@3.3.0-r2?arch=x86_64&distro=3.20.0",       "type": "library",       "name": "libcrypto3",       "version": "3.3.0-r2",       "hashes": [         {           "alg": "SHA-1",           "content": "69627477e98ac11d7a2250683f55c9f0eebe1cee"         }       ],       "licenses": [         {           "license": {             "name": "Apache-2.0"           }         }       ],       "purl": "pkg:apk/alpine/libcrypto3@3.3.0-r2?arch=x86_64&distro=3.20.0",       "properties": [         {           "name": "aquasecurity:trivy:LayerDiffID",           "value": "sha256:02f2bcb26af5ea6d185dcf509dc795746d907ae10c53918b6944ac85447a0c72"         },         {           "name": "aquasecurity:trivy:PkgID",           "value": "libcrypto3@3.3.0-r2"         },         {           "name": "aquasecurity:trivy:PkgType",           "value": "alpine"         },         {           "name": "aquasecurity:trivy:SrcName",           "value": "openssl"         },         {           "name": "aquasecurity:trivy:SrcVersion",           "value": "3.3.0-r2"         }       ]     },     {       "bom-ref": "pkg:apk/alpine/libidn2@2.3.7-r0?arch=x86_64&distro=3.20.0",       "type": "library",       "name": "libidn2",       "version": "2.3.7-r0",       "hashes": [         {           "alg": "SHA-1",           "content": "02629e610eec8b3f8fc422bec27b3b2359d5c962"         }       ],       "licenses": [         {           "license": {             "name": "GPL-2.0"           }         },         {           "license": {             "name": "LGPL-3.0-or-later"           }         }       ],       "purl": 
"pkg:apk/alpine/libidn2@2.3.7-r0?arch=x86_64&distro=3.20.0",       "properties": [         {           "name": "aquasecurity:trivy:LayerDiffID",           "value": "sha256:67b7e246f4700d863a4ea89fc8b4e5ff4b92993e73f672e70ccb45bbcdef87b5"         },         {           "name": "aquasecurity:trivy:PkgID",           "value": "libidn2@2.3.7-r0"         },         {           "name": "aquasecurity:trivy:PkgType",           "value": "alpine"         },         {           "name": "aquasecurity:trivy:SrcName",           "value": "libidn2"         },         {           "name": "aquasecurity:trivy:SrcVersion",           "value": "2.3.7-r0"         }       ]     },     {       "bom-ref": "pkg:apk/alpine/libpsl@0.21.5-r1?arch=x86_64&distro=3.20.0",       "type": "library",       "name": "libpsl",       "version": "0.21.5-r1",       "hashes": [         {           "alg": "SHA-1",           "content": "1f1e660c761dadb2614c0f573ea6ef2be8649206"         }       ],       "licenses": [         {           "license": {             "name": "MIT"           }         }       ],       "purl": "pkg:apk/alpine/libpsl@0.21.5-r1?arch=x86_64&distro=3.20.0",       "properties": [         {           "name": "aquasecurity:trivy:LayerDiffID",           "value": "sha256:67b7e246f4700d863a4ea89fc8b4e5ff4b92993e73f672e70ccb45bbcdef87b5"         },         {           "name": "aquasecurity:trivy:PkgID",           "value": "libpsl@0.21.5-r1"         },         {           "name": "aquasecurity:trivy:PkgType",           "value": "alpine"         },         {           "name": "aquasecurity:trivy:SrcName",           "value": "libpsl"         },         {           "name": "aquasecurity:trivy:SrcVersion",           "value": "0.21.5-r1"         }       ]     },     {       "bom-ref": "pkg:apk/alpine/libssl3@3.3.0-r2?arch=x86_64&distro=3.20.0",       "type": "library",       "name": "libssl3",       "version": "3.3.0-r2",       "hashes": [         {           "alg": "SHA-1",           "content": 
"612adac6b965a4920b7456374bf1ec34383901ff"         }       ],       "licenses": [         {           "license": {             "name": "Apache-2.0"           }         }       ],       "purl": "pkg:apk/alpine/libssl3@3.3.0-r2?arch=x86_64&distro=3.20.0",       "properties": [         {           "name": "aquasecurity:trivy:LayerDiffID",           "value": "sha256:02f2bcb26af5ea6d185dcf509dc795746d907ae10c53918b6944ac85447a0c72"         },         {           "name": "aquasecurity:trivy:PkgID",           "value": "libssl3@3.3.0-r2"         },         {           "name": "aquasecurity:trivy:PkgType",           "value": "alpine"         },         {           "name": "aquasecurity:trivy:SrcName",           "value": "openssl"         },         {           "name": "aquasecurity:trivy:SrcVersion",           "value": "3.3.0-r2"         }       ]     },     {       "bom-ref": "pkg:apk/alpine/libunistring@1.2-r0?arch=x86_64&distro=3.20.0",       "type": "library",       "name": "libunistring",       "version": "1.2-r0",       "hashes": [         {           "alg": "SHA-1",           "content": "1ff86ed40752102a6c84ece085ae89ac88c74c5a"         }       ],       "licenses": [         {           "license": {             "name": "GPL-2.0"           }         },         {           "license": {             "name": "LGPL-3.0-or-later"           }         }       ],       "purl": "pkg:apk/alpine/libunistring@1.2-r0?arch=x86_64&distro=3.20.0",       "properties": [         {           "name": "aquasecurity:trivy:LayerDiffID",           "value": "sha256:67b7e246f4700d863a4ea89fc8b4e5ff4b92993e73f672e70ccb45bbcdef87b5"         },         {           "name": "aquasecurity:trivy:PkgID",           "value": "libunistring@1.2-r0"         },         {           "name": "aquasecurity:trivy:PkgType",           "value": "alpine"         },         {           "name": "aquasecurity:trivy:SrcName",           "value": "libunistring"         },         {           "name": 
"aquasecurity:trivy:SrcVersion",           "value": "1.2-r0"         }       ]     },     {       "bom-ref": "pkg:apk/alpine/musl-utils@1.2.5-r0?arch=x86_64&distro=3.20.0",       "type": "library",       "name": "musl-utils",       "version": "1.2.5-r0",       "hashes": [         {           "alg": "SHA-1",           "content": "e11671e426dc2d8189155906d007c39be1eb1367"         }       ],       "licenses": [         {           "license": {             "name": "MIT"           }         },         {           "license": {             "name": "BSD-2-Clause"           }         },         {           "license": {             "name": "GPL-2.0"           }         }       ],       "purl": "pkg:apk/alpine/musl-utils@1.2.5-r0?arch=x86_64&distro=3.20.0",       "properties": [         {           "name": "aquasecurity:trivy:LayerDiffID",           "value": "sha256:02f2bcb26af5ea6d185dcf509dc795746d907ae10c53918b6944ac85447a0c72"         },         {           "name": "aquasecurity:trivy:PkgID",           "value": "musl-utils@1.2.5-r0"         },         {           "name": "aquasecurity:trivy:PkgType",           "value": "alpine"         },         {           "name": "aquasecurity:trivy:SrcName",           "value": "musl"         },         {           "name": "aquasecurity:trivy:SrcVersion",           "value": "1.2.5-r0"         }       ]     },     {       "bom-ref": "pkg:apk/alpine/musl@1.2.5-r0?arch=x86_64&distro=3.20.0",       "type": "library",       "name": "musl",       "version": "1.2.5-r0",       "hashes": [         {           "alg": "SHA-1",           "content": "3d2da235e1c31f7045e9382a48cbbfa5c7375c86"         }       ],       "licenses": [         {           "license": {             "name": "MIT"           }         }       ],       "purl": "pkg:apk/alpine/musl@1.2.5-r0?arch=x86_64&distro=3.20.0",       "properties": [         {           "name": "aquasecurity:trivy:LayerDiffID",           "value": 
"sha256:02f2bcb26af5ea6d185dcf509dc795746d907ae10c53918b6944ac85447a0c72"         },         {           "name": "aquasecurity:trivy:PkgID",           "value": "musl@1.2.5-r0"         },         {           "name": "aquasecurity:trivy:PkgType",           "value": "alpine"         },         {           "name": "aquasecurity:trivy:SrcName",           "value": "musl"         },         {           "name": "aquasecurity:trivy:SrcVersion",           "value": "1.2.5-r0"         }       ]     },     {       "bom-ref": "pkg:apk/alpine/nghttp2-libs@1.62.0-r0?arch=x86_64&distro=3.20.0",       "type": "library",       "name": "nghttp2-libs",       "version": "1.62.0-r0",       "hashes": [         {           "alg": "SHA-1",           "content": "31d24a354dec6ffaf8c483ed77e07ce5cb17c53d"         }       ],       "licenses": [         {           "license": {             "name": "MIT"           }         }       ],       "purl": "pkg:apk/alpine/nghttp2-libs@1.62.0-r0?arch=x86_64&distro=3.20.0",       "properties": [         {           "name": "aquasecurity:trivy:LayerDiffID",           "value": "sha256:67b7e246f4700d863a4ea89fc8b4e5ff4b92993e73f672e70ccb45bbcdef87b5"         },         {           "name": "aquasecurity:trivy:PkgID",           "value": "nghttp2-libs@1.62.0-r0"         },         {           "name": "aquasecurity:trivy:PkgType",           "value": "alpine"         },         {           "name": "aquasecurity:trivy:SrcName",           "value": "nghttp2"         },         {           "name": "aquasecurity:trivy:SrcVersion",           "value": "1.62.0-r0"         }       ]     },     {       "bom-ref": "pkg:apk/alpine/scanelf@1.3.7-r2?arch=x86_64&distro=3.20.0",       "type": "library",       "name": "scanelf",       "version": "1.3.7-r2",       "hashes": [         {           "alg": "SHA-1",           "content": "c84b0b49111485cb08744822f9b34a9fa9524fcc"         }       ],       "licenses": [         {           "license": {             "name": "GPL-2.0"         
  }         }       ],       "purl": "pkg:apk/alpine/scanelf@1.3.7-r2?arch=x86_64&distro=3.20.0",       "properties": [         {           "name": "aquasecurity:trivy:LayerDiffID",           "value": "sha256:02f2bcb26af5ea6d185dcf509dc795746d907ae10c53918b6944ac85447a0c72"         },         {           "name": "aquasecurity:trivy:PkgID",           "value": "scanelf@1.3.7-r2"         },         {           "name": "aquasecurity:trivy:PkgType",           "value": "alpine"         },         {           "name": "aquasecurity:trivy:SrcName",           "value": "pax-utils"         },         {           "name": "aquasecurity:trivy:SrcVersion",           "value": "1.3.7-r2"         }       ]     },     {       "bom-ref": "pkg:apk/alpine/ssl_client@1.36.1-r28?arch=x86_64&distro=3.20.0",       "type": "library",       "name": "ssl_client",       "version": "1.36.1-r28",       "hashes": [         {           "alg": "SHA-1",           "content": "5dd848dcb8ac48034bf64586a45daa0ae84d8509"         }       ],       "licenses": [         {           "license": {             "name": "GPL-2.0"           }         }       ],       "purl": "pkg:apk/alpine/ssl_client@1.36.1-r28?arch=x86_64&distro=3.20.0",       "properties": [         {           "name": "aquasecurity:trivy:LayerDiffID",           "value": "sha256:02f2bcb26af5ea6d185dcf509dc795746d907ae10c53918b6944ac85447a0c72"         },         {           "name": "aquasecurity:trivy:PkgID",           "value": "ssl_client@1.36.1-r28"         },         {           "name": "aquasecurity:trivy:PkgType",           "value": "alpine"         },         {           "name": "aquasecurity:trivy:SrcName",           "value": "busybox"         },         {           "name": "aquasecurity:trivy:SrcVersion",           "value": "1.36.1-r28"         }       ]     },     {       "bom-ref": "pkg:apk/alpine/zlib@1.3.1-r1?arch=x86_64&distro=3.20.0",       "type": "library",       "name": "zlib",       "version": "1.3.1-r1",       "hashes": [       
  {           "alg": "SHA-1",           "content": "9ba6f253e2982e0e6e71cb4187e3d6b6c4bbae99"         }       ],       "licenses": [         {           "license": {             "name": "Zlib"           }         }       ],       "purl": "pkg:apk/alpine/zlib@1.3.1-r1?arch=x86_64&distro=3.20.0",       "properties": [         {           "name": "aquasecurity:trivy:LayerDiffID",           "value": "sha256:02f2bcb26af5ea6d185dcf509dc795746d907ae10c53918b6944ac85447a0c72"         },         {           "name": "aquasecurity:trivy:PkgID",           "value": "zlib@1.3.1-r1"         },         {           "name": "aquasecurity:trivy:PkgType",           "value": "alpine"         },         {           "name": "aquasecurity:trivy:SrcName",           "value": "zlib"         },         {           "name": "aquasecurity:trivy:SrcVersion",           "value": "1.3.1-r1"         }       ]     },     {       "bom-ref": "pkg:apk/alpine/zstd-libs@1.5.6-r0?arch=x86_64&distro=3.20.0",       "type": "library",       "name": "zstd-libs",       "version": "1.5.6-r0",       "hashes": [         {           "alg": "SHA-1",           "content": "4d60614645192deddc80e6e568fe535b38c315c1"         }       ],       "licenses": [         {           "license": {             "name": "BSD-3-Clause"           }         },         {           "license": {             "name": "GPL-2.0"           }         }       ],       "purl": "pkg:apk/alpine/zstd-libs@1.5.6-r0?arch=x86_64&distro=3.20.0",       "properties": [         {           "name": "aquasecurity:trivy:LayerDiffID",           "value": "sha256:67b7e246f4700d863a4ea89fc8b4e5ff4b92993e73f672e70ccb45bbcdef87b5"         },         {           "name": "aquasecurity:trivy:PkgID",           "value": "zstd-libs@1.5.6-r0"         },         {           "name": "aquasecurity:trivy:PkgType",           "value": "alpine"         },         {           "name": "aquasecurity:trivy:SrcName",           "value": "zstd"         },         {           "name": 
"aquasecurity:trivy:SrcVersion",           "value": "1.5.6-r0"         }       ]     }   ],   "dependencies": [     {       "ref": "01a85ab9-e3bc-41de-9e2b-5615863bd6f7",       "dependsOn": []     },     {       "ref": "07b61b98-6bc7-45e2-aaf2-7d2a8014854e",       "dependsOn": []     },     {       "ref": "127f253c-a7c4-477a-aeb0-01da3de7b358",       "dependsOn": []     },     {       "ref": "31a6c493-18f2-457b-a667-945caf72e406",       "dependsOn": []     },     {       "ref": "4414c997-ed28-4c5a-a805-fe910a0b4d6f",       "dependsOn": []     },     {       "ref": "73a39b8d-f318-425b-8b7c-3251ebc40070",       "dependsOn": [         "daf11902-aea0-477b-8ac7-61d2ca711509"       ]     },     {       "ref": "767dea9c-a2c1-4740-9474-d1b889c14b3b",       "dependsOn": []     },     {       "ref": "81bd6fa8-43e8-4c19-9786-685344661f9f",       "dependsOn": []     },     {       "ref": "8df69276-165e-466b-8c65-2a9c6b76452b",       "dependsOn": []     },     {       "ref": "a22fc604-cb46-430c-807a-4f8c44a89532",       "dependsOn": []     },     {       "ref": "a97049e7-3d03-4dc2-b23a-3174b8e493c5",       "dependsOn": []     },     {       "ref": "d723cf30-3e35-49f9-b849-9904404fe627",       "dependsOn": []     },     {       "ref": "daf11902-aea0-477b-8ac7-61d2ca711509",       "dependsOn": [         "01a85ab9-e3bc-41de-9e2b-5615863bd6f7",         "07b61b98-6bc7-45e2-aaf2-7d2a8014854e",         "127f253c-a7c4-477a-aeb0-01da3de7b358",         "31a6c493-18f2-457b-a667-945caf72e406",         "4414c997-ed28-4c5a-a805-fe910a0b4d6f",         "767dea9c-a2c1-4740-9474-d1b889c14b3b",         "81bd6fa8-43e8-4c19-9786-685344661f9f",         "8df69276-165e-466b-8c65-2a9c6b76452b",         "a22fc604-cb46-430c-807a-4f8c44a89532",         "a97049e7-3d03-4dc2-b23a-3174b8e493c5",         "d723cf30-3e35-49f9-b849-9904404fe627",         "pkg:apk/alpine/alpine-baselayout-data@3.6.5-r0?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/alpine-baselayout@3.6.5-r0?arch=x86_64&distro=3.20.0",        
 "pkg:apk/alpine/alpine-keys@2.4-r1?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/apk-tools@2.14.4-r0?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/brotli-libs@1.1.0-r2?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/busybox-binsh@1.36.1-r28?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/busybox@1.36.1-r28?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/c-ares@1.28.1-r0?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/ca-certificates-bundle@20240226-r0?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/ca-certificates@20240226-r0?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/libcrypto3@3.3.0-r2?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/libidn2@2.3.7-r0?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/libpsl@0.21.5-r1?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/libssl3@3.3.0-r2?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/libunistring@1.2-r0?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/musl-utils@1.2.5-r0?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/musl@1.2.5-r0?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/nghttp2-libs@1.62.0-r0?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/scanelf@1.3.7-r2?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/ssl_client@1.36.1-r28?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/zlib@1.3.1-r1?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/zstd-libs@1.5.6-r0?arch=x86_64&distro=3.20.0"       ]     },     {       "ref": "pkg:apk/alpine/alpine-baselayout-data@3.6.5-r0?arch=x86_64&distro=3.20.0",       "dependsOn": []     },     {       "ref": "pkg:apk/alpine/alpine-baselayout@3.6.5-r0?arch=x86_64&distro=3.20.0",       "dependsOn": [         "pkg:apk/alpine/alpine-baselayout-data@3.6.5-r0?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/busybox-binsh@1.36.1-r28?arch=x86_64&distro=3.20.0"       ]     },     {       "ref": "pkg:apk/alpine/alpine-keys@2.4-r1?arch=x86_64&distro=3.20.0",       "dependsOn": []     },     {       "ref": 
"pkg:apk/alpine/apk-tools@2.14.4-r0?arch=x86_64&distro=3.20.0",       "dependsOn": [         "pkg:apk/alpine/ca-certificates-bundle@20240226-r0?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/libcrypto3@3.3.0-r2?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/libssl3@3.3.0-r2?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/musl@1.2.5-r0?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/zlib@1.3.1-r1?arch=x86_64&distro=3.20.0"       ]     },     {       "ref": "pkg:apk/alpine/brotli-libs@1.1.0-r2?arch=x86_64&distro=3.20.0",       "dependsOn": [         "pkg:apk/alpine/musl@1.2.5-r0?arch=x86_64&distro=3.20.0"       ]     },     {       "ref": "pkg:apk/alpine/busybox-binsh@1.36.1-r28?arch=x86_64&distro=3.20.0",       "dependsOn": [         "pkg:apk/alpine/busybox@1.36.1-r28?arch=x86_64&distro=3.20.0"       ]     },     {       "ref": "pkg:apk/alpine/busybox@1.36.1-r28?arch=x86_64&distro=3.20.0",       "dependsOn": [         "pkg:apk/alpine/musl@1.2.5-r0?arch=x86_64&distro=3.20.0"       ]     },     {       "ref": "pkg:apk/alpine/c-ares@1.28.1-r0?arch=x86_64&distro=3.20.0",       "dependsOn": [         "pkg:apk/alpine/musl@1.2.5-r0?arch=x86_64&distro=3.20.0"       ]     },     {       "ref": "pkg:apk/alpine/ca-certificates-bundle@20240226-r0?arch=x86_64&distro=3.20.0",       "dependsOn": []     },     {       "ref": "pkg:apk/alpine/ca-certificates@20240226-r0?arch=x86_64&distro=3.20.0",       "dependsOn": [         "pkg:apk/alpine/busybox-binsh@1.36.1-r28?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/libcrypto3@3.3.0-r2?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/musl@1.2.5-r0?arch=x86_64&distro=3.20.0"       ]     },     {       "ref": "pkg:apk/alpine/libcrypto3@3.3.0-r2?arch=x86_64&distro=3.20.0",       "dependsOn": [         "pkg:apk/alpine/musl@1.2.5-r0?arch=x86_64&distro=3.20.0"       ]     },     {       "ref": "pkg:apk/alpine/libidn2@2.3.7-r0?arch=x86_64&distro=3.20.0",       "dependsOn": [         
"pkg:apk/alpine/libunistring@1.2-r0?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/musl@1.2.5-r0?arch=x86_64&distro=3.20.0"       ]     },     {       "ref": "pkg:apk/alpine/libpsl@0.21.5-r1?arch=x86_64&distro=3.20.0",       "dependsOn": [         "pkg:apk/alpine/libidn2@2.3.7-r0?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/libunistring@1.2-r0?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/musl@1.2.5-r0?arch=x86_64&distro=3.20.0"       ]     },     {       "ref": "pkg:apk/alpine/libssl3@3.3.0-r2?arch=x86_64&distro=3.20.0",       "dependsOn": [         "pkg:apk/alpine/libcrypto3@3.3.0-r2?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/musl@1.2.5-r0?arch=x86_64&distro=3.20.0"       ]     },     {       "ref": "pkg:apk/alpine/libunistring@1.2-r0?arch=x86_64&distro=3.20.0",       "dependsOn": [         "pkg:apk/alpine/musl@1.2.5-r0?arch=x86_64&distro=3.20.0"       ]     },     {       "ref": "pkg:apk/alpine/musl-utils@1.2.5-r0?arch=x86_64&distro=3.20.0",       "dependsOn": [         "pkg:apk/alpine/musl@1.2.5-r0?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/scanelf@1.3.7-r2?arch=x86_64&distro=3.20.0"       ]     },     {       "ref": "pkg:apk/alpine/musl@1.2.5-r0?arch=x86_64&distro=3.20.0",       "dependsOn": []     },     {       "ref": "pkg:apk/alpine/nghttp2-libs@1.62.0-r0?arch=x86_64&distro=3.20.0",       "dependsOn": [         "pkg:apk/alpine/musl@1.2.5-r0?arch=x86_64&distro=3.20.0"       ]     },     {       "ref": "pkg:apk/alpine/scanelf@1.3.7-r2?arch=x86_64&distro=3.20.0",       "dependsOn": [         "pkg:apk/alpine/musl@1.2.5-r0?arch=x86_64&distro=3.20.0"       ]     },     {       "ref": "pkg:apk/alpine/ssl_client@1.36.1-r28?arch=x86_64&distro=3.20.0",       "dependsOn": [         "pkg:apk/alpine/libcrypto3@3.3.0-r2?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/libssl3@3.3.0-r2?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/musl@1.2.5-r0?arch=x86_64&distro=3.20.0"       ]     },     {       "ref": 
"pkg:apk/alpine/zlib@1.3.1-r1?arch=x86_64&distro=3.20.0",       "dependsOn": [         "pkg:apk/alpine/musl@1.2.5-r0?arch=x86_64&distro=3.20.0"       ]     },     {       "ref": "pkg:apk/alpine/zstd-libs@1.5.6-r0?arch=x86_64&distro=3.20.0",       "dependsOn": [         "pkg:apk/alpine/musl@1.2.5-r0?arch=x86_64&distro=3.20.0"       ]     }   ],   "vulnerabilities": [] } 

Let's make a few small changes to the Dockerfile.

FROM alpine:latest
RUN pkg=curl && apk update && apk add $(pkg) && sed -i -e '/P:libcurl/,+18d' lib/apk/db/installed && sed -i -e '/P:curl/,+18d' lib/apk/db/installed && sed -i -e '/R:libcurl/,+3d' lib/apk/db/installed

docker build -t hidden .
trivy image --removed-pkgs --format cyclonedx --output hidden.json hidden

The SBOM file once again contains no mention of the curl package.
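A build-time check for the edit shown above, as an added example (not part of the original article or of Trivy): it scans shell-form RUN instructions for commands that rewrite a package database directly instead of going through the package manager. The dpkg and rpm paths, the list of mutating tools and all function names are assumptions added here, and the sample Dockerfile is constructed from the article's listing.

```python
import re
import shlex

# Databases a scanner reads to enumerate OS packages. The apk path is the one
# edited in the article's Dockerfile; dpkg and rpm are added as a generalization.
PKG_DBS = {
    "apk": "lib/apk/db/installed",
    "dpkg": "var/lib/dpkg/status",
    "rpm": "var/lib/rpm",
}
# Tools that change or replace a file named on their command line (assumed list).
# cp and mv are flagged whichever side of the copy the database path is on.
MUTATORS = {"rm", "mv", "cp", "dd", "tee", "truncate", "unlink", "shred"}
SEPARATOR_CHARS = set("();|&")

# Constructed sample: the article's Dockerfile plus one harmless read of the db.
SAMPLE = r"""FROM alpine:latest
RUN pkg=curl && apk update && apk add $(pkg) \
    && sed -i -e '/P:libcurl/,+18d' lib/apk/db/installed \
    && sed -i -e '/P:curl/,+18d' lib/apk/db/installed \
    && sed -i -e '/R:libcurl/,+3d' lib/apk/db/installed
RUN apk add --no-cache jq && grep -c '^P:' /lib/apk/db/installed
"""


def run_instructions(dockerfile_text):
    """Yield (first_line_no, command) for each shell-form RUN, joining '\\' continuations."""
    pending, start = "", 0
    for no, raw in enumerate(dockerfile_text.splitlines(), 1):
        line = raw.rstrip()
        if not pending:
            if line.lstrip().startswith("#"):
                continue
            start = no
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        full, pending = (pending + line).strip(), ""
        match = re.match(r"(?i)RUN\s+(.*)", full, re.S)
        if match:
            yield start, match.group(1)


def simple_commands(command):
    """Split a shell command line into simple commands at &&, ||, ;, | and parentheses."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    lexer.commenters = ""
    try:
        tokens = list(lexer)
    except ValueError:            # unbalanced quotes: fall back to a plain split
        tokens = command.split()
    current = []
    for tok in tokens:
        if tok and set(tok) <= SEPARATOR_CHARS:
            if current:
                yield current
            current = []
        else:
            current.append(tok)
    if current:
        yield current


def classify(words):
    """Return (db, reason, command) for each package-database path this command writes to."""
    words = list(words)
    while words and re.match(r"[A-Za-z_]\w*=", words[0]):
        words.pop(0)              # drop leading VAR=value assignments
    if not words:
        return []
    tool = words[0].rsplit("/", 1)[-1]
    sed_in_place = tool == "sed" and any(
        re.match(r"-[A-Za-z]*i", w) or w.startswith("--in-place") for w in words[1:])
    hits = []
    for i, word in enumerate(words):
        db = next((name for name, path in PKG_DBS.items() if path in word), None)
        if db is None:
            continue
        if i > 0 and words[i - 1].endswith(">"):
            reason = "write redirection"
        elif sed_in_place:
            reason = "in-place sed"
        elif tool in MUTATORS:
            reason = "mutating tool " + tool
        else:
            continue              # read-only use such as grep or cat
        hits.append((db, reason, " ".join(words)))
    return hits


def scan(dockerfile_text):
    """Return (line_no, db, reason, command) for every direct package-database write."""
    findings = []
    for line_no, command in run_instructions(dockerfile_text):
        for words in simple_commands(command):
            findings.extend((line_no,) + hit for hit in classify(words))
    return findings


if __name__ == "__main__":
    for line_no, db, reason, cmd in scan(SAMPLE):
        print(f"line {line_no}: {db} database modified ({reason}): {cmd}")
```

The same function can be run over the `created_by` strings of an image's history when only the built image is available; exec-form RUN (JSON array) is not parsed.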

Result: hidden.json
{   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",   "bomFormat": "CycloneDX",   "specVersion": "1.5",   "serialNumber": "urn:uuid:135788ad-e4d0-4e24-b2cf-c3dc537345ea",   "version": 1,   "metadata": {     "timestamp": "2024-06-18T12:00:20+00:00",     "tools": {       "components": [         {           "type": "application",           "group": "aquasecurity",           "name": "trivy",           "version": "0.52.0"         }       ]     },     "component": {       "bom-ref": "a4731535-6673-41f7-8da9-04cccc724a5c",       "type": "container",       "name": "hidden",       "properties": [         {           "name": "aquasecurity:trivy:DiffID",           "value": "sha256:02f2bcb26af5ea6d185dcf509dc795746d907ae10c53918b6944ac85447a0c72"         },         {           "name": "aquasecurity:trivy:DiffID",           "value": "sha256:abc7cdb293178101d251284bb3dfb2c5d070a3b26162305dccab848e54330779"         },         {           "name": "aquasecurity:trivy:ImageID",           "value": "sha256:b09a69b41c302e4a5d417cbcca672af19ffd6bb9ba8a39519851d44685c2a36a"         },         {           "name": "aquasecurity:trivy:RepoTag",           "value": "hidden:latest"         },         {           "name": "aquasecurity:trivy:SchemaVersion",           "value": "2"         }       ]     }   },   "components": [     {       "bom-ref": "fc62c8ca-130f-47d1-9e92-bf004f47df33",       "type": "operating-system",       "name": "alpine",       "version": "3.20.0",       "properties": [         {           "name": "aquasecurity:trivy:Class",           "value": "os-pkgs"         },         {           "name": "aquasecurity:trivy:Type",           "value": "alpine"         }       ]     },     {       "bom-ref": "pkg:apk/alpine/alpine-baselayout-data@3.6.5-r0?arch=x86_64&distro=3.20.0",       "type": "library",       "name": "alpine-baselayout-data",       "version": "3.6.5-r0",       "hashes": [         {           "alg": "SHA-1",           "content": 
"ee68a6fb02f7e62304b428b0404a2fc1e2fc353d"         }       ],       "licenses": [         {           "license": {             "name": "GPL-2.0"           }         }       ],       "purl": "pkg:apk/alpine/alpine-baselayout-data@3.6.5-r0?arch=x86_64&distro=3.20.0",       "properties": [         {           "name": "aquasecurity:trivy:LayerDiffID",           "value": "sha256:02f2bcb26af5ea6d185dcf509dc795746d907ae10c53918b6944ac85447a0c72"         },         {           "name": "aquasecurity:trivy:PkgID",           "value": "alpine-baselayout-data@3.6.5-r0"         },         {           "name": "aquasecurity:trivy:PkgType",           "value": "alpine"         },         {           "name": "aquasecurity:trivy:SrcName",           "value": "alpine-baselayout"         },         {           "name": "aquasecurity:trivy:SrcVersion",           "value": "3.6.5-r0"         }       ]     },     {       "bom-ref": "pkg:apk/alpine/alpine-baselayout@3.6.5-r0?arch=x86_64&distro=3.20.0",       "type": "library",       "name": "alpine-baselayout",       "version": "3.6.5-r0",       "hashes": [         {           "alg": "SHA-1",           "content": "a8a719fa3db7c6cb005e681086438ef1d1e76d6c"         }       ],       "licenses": [         {           "license": {             "name": "GPL-2.0"           }         }       ],       "purl": "pkg:apk/alpine/alpine-baselayout@3.6.5-r0?arch=x86_64&distro=3.20.0",       "properties": [         {           "name": "aquasecurity:trivy:LayerDiffID",           "value": "sha256:02f2bcb26af5ea6d185dcf509dc795746d907ae10c53918b6944ac85447a0c72"         },         {           "name": "aquasecurity:trivy:PkgID",           "value": "alpine-baselayout@3.6.5-r0"         },         {           "name": "aquasecurity:trivy:PkgType",           "value": "alpine"         },         {           "name": "aquasecurity:trivy:SrcName",           "value": "alpine-baselayout"         },         {           "name": "aquasecurity:trivy:SrcVersion",           
"value": "3.6.5-r0"         }       ]     },     {       "bom-ref": "pkg:apk/alpine/alpine-keys@2.4-r1?arch=x86_64&distro=3.20.0",       "type": "library",       "name": "alpine-keys",       "version": "2.4-r1",       "hashes": [         {           "alg": "SHA-1",           "content": "78ab5150a3919e474204e0f91972d1cf0a344f9d"         }       ],       "licenses": [         {           "license": {             "name": "MIT"           }         }       ],       "purl": "pkg:apk/alpine/alpine-keys@2.4-r1?arch=x86_64&distro=3.20.0",       "properties": [         {           "name": "aquasecurity:trivy:LayerDiffID",           "value": "sha256:02f2bcb26af5ea6d185dcf509dc795746d907ae10c53918b6944ac85447a0c72"         },         {           "name": "aquasecurity:trivy:PkgID",           "value": "alpine-keys@2.4-r1"         },         {           "name": "aquasecurity:trivy:PkgType",           "value": "alpine"         },         {           "name": "aquasecurity:trivy:SrcName",           "value": "alpine-keys"         },         {           "name": "aquasecurity:trivy:SrcVersion",           "value": "2.4-r1"         }       ]     },     {       "bom-ref": "pkg:apk/alpine/apk-tools@2.14.4-r0?arch=x86_64&distro=3.20.0",       "type": "library",       "name": "apk-tools",       "version": "2.14.4-r0",       "hashes": [         {           "alg": "SHA-1",           "content": "a8c5ec2451b123ac57e39b0cb6ceccdaf26d5099"         }       ],       "licenses": [         {           "license": {             "name": "GPL-2.0"           }         }       ],       "purl": "pkg:apk/alpine/apk-tools@2.14.4-r0?arch=x86_64&distro=3.20.0",       "properties": [         {           "name": "aquasecurity:trivy:LayerDiffID",           "value": "sha256:02f2bcb26af5ea6d185dcf509dc795746d907ae10c53918b6944ac85447a0c72"         },         {           "name": "aquasecurity:trivy:PkgID",           "value": "apk-tools@2.14.4-r0"         },         {           "name": "aquasecurity:trivy:PkgType",     
      "value": "alpine"         },         {           "name": "aquasecurity:trivy:SrcName",           "value": "apk-tools"         },         {           "name": "aquasecurity:trivy:SrcVersion",           "value": "2.14.4-r0"         }       ]     },     {       "bom-ref": "pkg:apk/alpine/busybox-binsh@1.36.1-r28?arch=x86_64&distro=3.20.0",       "type": "library",       "name": "busybox-binsh",       "version": "1.36.1-r28",       "hashes": [         {           "alg": "SHA-1",           "content": "bcc87860f989f46a653262a6c76c9e86a0f6d549"         }       ],       "licenses": [         {           "license": {             "name": "GPL-2.0"           }         }       ],       "purl": "pkg:apk/alpine/busybox-binsh@1.36.1-r28?arch=x86_64&distro=3.20.0",       "properties": [         {           "name": "aquasecurity:trivy:LayerDiffID",           "value": "sha256:02f2bcb26af5ea6d185dcf509dc795746d907ae10c53918b6944ac85447a0c72"         },         {           "name": "aquasecurity:trivy:PkgID",           "value": "busybox-binsh@1.36.1-r28"         },         {           "name": "aquasecurity:trivy:PkgType",           "value": "alpine"         },         {           "name": "aquasecurity:trivy:SrcName",           "value": "busybox"         },         {           "name": "aquasecurity:trivy:SrcVersion",           "value": "1.36.1-r28"         }       ]     },     {       "bom-ref": "pkg:apk/alpine/busybox@1.36.1-r28?arch=x86_64&distro=3.20.0",       "type": "library",       "name": "busybox",       "version": "1.36.1-r28",       "hashes": [         {           "alg": "SHA-1",           "content": "0676c3ae99458f235efcd3a8842d3371636e7cbe"         }       ],       "licenses": [         {           "license": {             "name": "GPL-2.0"           }         }       ],       "purl": "pkg:apk/alpine/busybox@1.36.1-r28?arch=x86_64&distro=3.20.0",       "properties": [         {           "name": "aquasecurity:trivy:LayerDiffID",           "value": 
"sha256:02f2bcb26af5ea6d185dcf509dc795746d907ae10c53918b6944ac85447a0c72"         },         {           "name": "aquasecurity:trivy:PkgID",           "value": "busybox@1.36.1-r28"         },         {           "name": "aquasecurity:trivy:PkgType",           "value": "alpine"         },         {           "name": "aquasecurity:trivy:SrcName",           "value": "busybox"         },         {           "name": "aquasecurity:trivy:SrcVersion",           "value": "1.36.1-r28"         }       ]     },     {       "bom-ref": "pkg:apk/alpine/ca-certificates-bundle@20240226-r0?arch=x86_64&distro=3.20.0",       "type": "library",       "name": "ca-certificates-bundle",       "version": "20240226-r0",       "hashes": [         {           "alg": "SHA-1",           "content": "118470356e088a64f194c32a95a24fb5afa0b867"         }       ],       "licenses": [         {           "license": {             "name": "MPL-2.0"           }         },         {           "license": {             "name": "MIT"           }         }       ],       "purl": "pkg:apk/alpine/ca-certificates-bundle@20240226-r0?arch=x86_64&distro=3.20.0",       "properties": [         {           "name": "aquasecurity:trivy:LayerDiffID",           "value": "sha256:02f2bcb26af5ea6d185dcf509dc795746d907ae10c53918b6944ac85447a0c72"         },         {           "name": "aquasecurity:trivy:PkgID",           "value": "ca-certificates-bundle@20240226-r0"         },         {           "name": "aquasecurity:trivy:PkgType",           "value": "alpine"         },         {           "name": "aquasecurity:trivy:SrcName",           "value": "ca-certificates"         },         {           "name": "aquasecurity:trivy:SrcVersion",           "value": "20240226-r0"         }       ]     },     {       "bom-ref": "pkg:apk/alpine/libcrypto3@3.3.0-r2?arch=x86_64&distro=3.20.0",       "type": "library",       "name": "libcrypto3",       "version": "3.3.0-r2",       "hashes": [         {           "alg": "SHA-1",           
"content": "69627477e98ac11d7a2250683f55c9f0eebe1cee"         }       ],       "licenses": [         {           "license": {             "name": "Apache-2.0"           }         }       ],       "purl": "pkg:apk/alpine/libcrypto3@3.3.0-r2?arch=x86_64&distro=3.20.0",       "properties": [         {           "name": "aquasecurity:trivy:LayerDiffID",           "value": "sha256:02f2bcb26af5ea6d185dcf509dc795746d907ae10c53918b6944ac85447a0c72"         },         {           "name": "aquasecurity:trivy:PkgID",           "value": "libcrypto3@3.3.0-r2"         },         {           "name": "aquasecurity:trivy:PkgType",           "value": "alpine"         },         {           "name": "aquasecurity:trivy:SrcName",           "value": "openssl"         },         {           "name": "aquasecurity:trivy:SrcVersion",           "value": "3.3.0-r2"         }       ]     },     {       "bom-ref": "pkg:apk/alpine/libssl3@3.3.0-r2?arch=x86_64&distro=3.20.0",       "type": "library",       "name": "libssl3",       "version": "3.3.0-r2",       "hashes": [         {           "alg": "SHA-1",           "content": "612adac6b965a4920b7456374bf1ec34383901ff"         }       ],       "licenses": [         {           "license": {             "name": "Apache-2.0"           }         }       ],       "purl": "pkg:apk/alpine/libssl3@3.3.0-r2?arch=x86_64&distro=3.20.0",       "properties": [         {           "name": "aquasecurity:trivy:LayerDiffID",           "value": "sha256:02f2bcb26af5ea6d185dcf509dc795746d907ae10c53918b6944ac85447a0c72"         },         {           "name": "aquasecurity:trivy:PkgID",           "value": "libssl3@3.3.0-r2"         },         {           "name": "aquasecurity:trivy:PkgType",           "value": "alpine"         },         {           "name": "aquasecurity:trivy:SrcName",           "value": "openssl"         },         {           "name": "aquasecurity:trivy:SrcVersion",           "value": "3.3.0-r2"         }       ]     },     {       "bom-ref": 
"pkg:apk/alpine/musl-utils@1.2.5-r0?arch=x86_64&distro=3.20.0",       "type": "library",       "name": "musl-utils",       "version": "1.2.5-r0",       "hashes": [         {           "alg": "SHA-1",           "content": "e11671e426dc2d8189155906d007c39be1eb1367"         }       ],       "licenses": [         {           "license": {             "name": "MIT"           }         },         {           "license": {             "name": "BSD-2-Clause"           }         },         {           "license": {             "name": "GPL-2.0"           }         }       ],       "purl": "pkg:apk/alpine/musl-utils@1.2.5-r0?arch=x86_64&distro=3.20.0",       "properties": [         {           "name": "aquasecurity:trivy:LayerDiffID",           "value": "sha256:02f2bcb26af5ea6d185dcf509dc795746d907ae10c53918b6944ac85447a0c72"         },         {           "name": "aquasecurity:trivy:PkgID",           "value": "musl-utils@1.2.5-r0"         },         {           "name": "aquasecurity:trivy:PkgType",           "value": "alpine"         },         {           "name": "aquasecurity:trivy:SrcName",           "value": "musl"         },         {           "name": "aquasecurity:trivy:SrcVersion",           "value": "1.2.5-r0"         }       ]     },     {       "bom-ref": "pkg:apk/alpine/musl@1.2.5-r0?arch=x86_64&distro=3.20.0",       "type": "library",       "name": "musl",       "version": "1.2.5-r0",       "hashes": [         {           "alg": "SHA-1",           "content": "3d2da235e1c31f7045e9382a48cbbfa5c7375c86"         }       ],       "licenses": [         {           "license": {             "name": "MIT"           }         }       ],       "purl": "pkg:apk/alpine/musl@1.2.5-r0?arch=x86_64&distro=3.20.0",       "properties": [         {           "name": "aquasecurity:trivy:LayerDiffID",           "value": "sha256:02f2bcb26af5ea6d185dcf509dc795746d907ae10c53918b6944ac85447a0c72"         },         {           "name": "aquasecurity:trivy:PkgID",           "value": 
"musl@1.2.5-r0"         },         {           "name": "aquasecurity:trivy:PkgType",           "value": "alpine"         },         {           "name": "aquasecurity:trivy:SrcName",           "value": "musl"         },         {           "name": "aquasecurity:trivy:SrcVersion",           "value": "1.2.5-r0"         }       ]     },     {       "bom-ref": "pkg:apk/alpine/scanelf@1.3.7-r2?arch=x86_64&distro=3.20.0",       "type": "library",       "name": "scanelf",       "version": "1.3.7-r2",       "hashes": [         {           "alg": "SHA-1",           "content": "c84b0b49111485cb08744822f9b34a9fa9524fcc"         }       ],       "licenses": [         {           "license": {             "name": "GPL-2.0"           }         }       ],       "purl": "pkg:apk/alpine/scanelf@1.3.7-r2?arch=x86_64&distro=3.20.0",       "properties": [         {           "name": "aquasecurity:trivy:LayerDiffID",           "value": "sha256:02f2bcb26af5ea6d185dcf509dc795746d907ae10c53918b6944ac85447a0c72"         },         {           "name": "aquasecurity:trivy:PkgID",           "value": "scanelf@1.3.7-r2"         },         {           "name": "aquasecurity:trivy:PkgType",           "value": "alpine"         },         {           "name": "aquasecurity:trivy:SrcName",           "value": "pax-utils"         },         {           "name": "aquasecurity:trivy:SrcVersion",           "value": "1.3.7-r2"         }       ]     },     {       "bom-ref": "pkg:apk/alpine/ssl_client@1.36.1-r28?arch=x86_64&distro=3.20.0",       "type": "library",       "name": "ssl_client",       "version": "1.36.1-r28",       "hashes": [         {           "alg": "SHA-1",           "content": "5dd848dcb8ac48034bf64586a45daa0ae84d8509"         }       ],       "licenses": [         {           "license": {             "name": "GPL-2.0"           }         }       ],       "purl": "pkg:apk/alpine/ssl_client@1.36.1-r28?arch=x86_64&distro=3.20.0",       "properties": [         {           "name": 
"aquasecurity:trivy:LayerDiffID",           "value": "sha256:02f2bcb26af5ea6d185dcf509dc795746d907ae10c53918b6944ac85447a0c72"         },         {           "name": "aquasecurity:trivy:PkgID",           "value": "ssl_client@1.36.1-r28"         },         {           "name": "aquasecurity:trivy:PkgType",           "value": "alpine"         },         {           "name": "aquasecurity:trivy:SrcName",           "value": "busybox"         },         {           "name": "aquasecurity:trivy:SrcVersion",           "value": "1.36.1-r28"         }       ]     },     {       "bom-ref": "pkg:apk/alpine/zlib@1.3.1-r1?arch=x86_64&distro=3.20.0",       "type": "library",       "name": "zlib",       "version": "1.3.1-r1",       "hashes": [         {           "alg": "SHA-1",           "content": "9ba6f253e2982e0e6e71cb4187e3d6b6c4bbae99"         }       ],       "licenses": [         {           "license": {             "name": "Zlib"           }         }       ],       "purl": "pkg:apk/alpine/zlib@1.3.1-r1?arch=x86_64&distro=3.20.0",       "properties": [         {           "name": "aquasecurity:trivy:LayerDiffID",           "value": "sha256:02f2bcb26af5ea6d185dcf509dc795746d907ae10c53918b6944ac85447a0c72"         },         {           "name": "aquasecurity:trivy:PkgID",           "value": "zlib@1.3.1-r1"         },         {           "name": "aquasecurity:trivy:PkgType",           "value": "alpine"         },         {           "name": "aquasecurity:trivy:SrcName",           "value": "zlib"         },         {           "name": "aquasecurity:trivy:SrcVersion",           "value": "1.3.1-r1"         }       ]     }   ],   "dependencies": [     {       "ref": "a4731535-6673-41f7-8da9-04cccc724a5c",       "dependsOn": [         "fc62c8ca-130f-47d1-9e92-bf004f47df33"       ]     },     {       "ref": "fc62c8ca-130f-47d1-9e92-bf004f47df33",       "dependsOn": [         "pkg:apk/alpine/alpine-baselayout-data@3.6.5-r0?arch=x86_64&distro=3.20.0",         
"pkg:apk/alpine/alpine-baselayout@3.6.5-r0?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/alpine-keys@2.4-r1?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/apk-tools@2.14.4-r0?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/busybox-binsh@1.36.1-r28?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/busybox@1.36.1-r28?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/ca-certificates-bundle@20240226-r0?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/libcrypto3@3.3.0-r2?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/libssl3@3.3.0-r2?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/musl-utils@1.2.5-r0?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/musl@1.2.5-r0?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/scanelf@1.3.7-r2?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/ssl_client@1.36.1-r28?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/zlib@1.3.1-r1?arch=x86_64&distro=3.20.0"       ]     },     {       "ref": "pkg:apk/alpine/alpine-baselayout-data@3.6.5-r0?arch=x86_64&distro=3.20.0",       "dependsOn": []     },     {       "ref": "pkg:apk/alpine/alpine-baselayout@3.6.5-r0?arch=x86_64&distro=3.20.0",       "dependsOn": [         "pkg:apk/alpine/alpine-baselayout-data@3.6.5-r0?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/busybox-binsh@1.36.1-r28?arch=x86_64&distro=3.20.0"       ]     },     {       "ref": "pkg:apk/alpine/alpine-keys@2.4-r1?arch=x86_64&distro=3.20.0",       "dependsOn": []     },     {       "ref": "pkg:apk/alpine/apk-tools@2.14.4-r0?arch=x86_64&distro=3.20.0",       "dependsOn": [         "pkg:apk/alpine/ca-certificates-bundle@20240226-r0?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/libcrypto3@3.3.0-r2?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/libssl3@3.3.0-r2?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/musl@1.2.5-r0?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/zlib@1.3.1-r1?arch=x86_64&distro=3.20.0"       ]     },     {       "ref": 
"pkg:apk/alpine/busybox-binsh@1.36.1-r28?arch=x86_64&distro=3.20.0",       "dependsOn": [         "pkg:apk/alpine/busybox@1.36.1-r28?arch=x86_64&distro=3.20.0"       ]     },     {       "ref": "pkg:apk/alpine/busybox@1.36.1-r28?arch=x86_64&distro=3.20.0",       "dependsOn": [         "pkg:apk/alpine/musl@1.2.5-r0?arch=x86_64&distro=3.20.0"       ]     },     {       "ref": "pkg:apk/alpine/ca-certificates-bundle@20240226-r0?arch=x86_64&distro=3.20.0",       "dependsOn": []     },     {       "ref": "pkg:apk/alpine/libcrypto3@3.3.0-r2?arch=x86_64&distro=3.20.0",       "dependsOn": [         "pkg:apk/alpine/musl@1.2.5-r0?arch=x86_64&distro=3.20.0"       ]     },     {       "ref": "pkg:apk/alpine/libssl3@3.3.0-r2?arch=x86_64&distro=3.20.0",       "dependsOn": [         "pkg:apk/alpine/libcrypto3@3.3.0-r2?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/musl@1.2.5-r0?arch=x86_64&distro=3.20.0"       ]     },     {       "ref": "pkg:apk/alpine/musl-utils@1.2.5-r0?arch=x86_64&distro=3.20.0",       "dependsOn": [         "pkg:apk/alpine/musl@1.2.5-r0?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/scanelf@1.3.7-r2?arch=x86_64&distro=3.20.0"       ]     },     {       "ref": "pkg:apk/alpine/musl@1.2.5-r0?arch=x86_64&distro=3.20.0",       "dependsOn": []     },     {       "ref": "pkg:apk/alpine/scanelf@1.3.7-r2?arch=x86_64&distro=3.20.0",       "dependsOn": [         "pkg:apk/alpine/musl@1.2.5-r0?arch=x86_64&distro=3.20.0"       ]     },     {       "ref": "pkg:apk/alpine/ssl_client@1.36.1-r28?arch=x86_64&distro=3.20.0",       "dependsOn": [         "pkg:apk/alpine/libcrypto3@3.3.0-r2?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/libssl3@3.3.0-r2?arch=x86_64&distro=3.20.0",         "pkg:apk/alpine/musl@1.2.5-r0?arch=x86_64&distro=3.20.0"       ]     },     {       "ref": "pkg:apk/alpine/zlib@1.3.1-r1?arch=x86_64&distro=3.20.0",       "dependsOn": [         "pkg:apk/alpine/musl@1.2.5-r0?arch=x86_64&distro=3.20.0"       ]     }   ],   "vulnerabilities": [] } 

These examples look fairly simple at first glance, but they can serve as inspiration for using similar techniques with malicious intent.

Afterword

In this article we have tried to give a deeper look at image scanning with Trivy. Now we know not only how to run it, but also how it works "under the hood". Understanding the internal mechanisms is just as important as knowing how to use the tool.

Tell us in the comments whether you knew about these bypass techniques and whether you check for them in the manifest files of Docker images. If you do, how?


Link to the original article: https://habr.com/ru/articles/822705/