Vulnerabilities with Grype

Once your SBOM is generated, it is time to scan it continuously for vulnerabilities. Note that some laws, for example the EU’s Cyber Resilience Act, require that products are released without any known vulnerability. The first scan should therefore happen before a release.

There are several tools for scanning a product for supply chain vulnerabilities. This tutorial uses Anchore’s Grype, because it integrates well with Anchore’s Syft from the SBOM tutorial. Like Syft, Grype is an open source command line utility.

Setup

The official Grype GitHub repo contains installation instructions. As with Syft, you may want to change the install path (the very last argument of the shell command) to ‘~/.local/bin’, because ‘/usr/local/bin’ requires root permissions to modify.

Input
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b ~/.local/bin
Output
[info] checking github for the current release tag
[info] fetching release script for tag='v0.94.0'
[info] checking github for the current release tag
[info] using release tag='v0.94.0' version='0.94.0' os='linux' arch='amd64'
[info] installed /root/.local/bin/grype

Usage

With an SBOM at hand, scanning for vulnerabilities is very easy:

Input (long variant)
grype sbom:/home/your_project/sbom.cdx.json --fail-on low
Input (short variant)
grype sbom:/home/your_project/sbom.cdx.json -f low
Output
NAME    INSTALLED  FIXED-IN  TYPE        VULNERABILITY        SEVERITY  EPSS%  RISK  
rustls  0.23.15    0.23.18   rust-crate  GHSA-qg5g-gv98-5ffh  Medium      N/A    N/A
[0025] ERROR discovered vulnerabilities at or above the severity threshold

When running this command, Grype checks several vulnerability databases for matches with the components listed in the SBOM. The ‘--fail-on’ option makes Grype exit with a non-zero error code if any vulnerability with severity ‘low’ or higher is discovered.

The syntax to export a vulnerability report consumable by BOMnipotent is similar to Syft’s:

Input (long variant)
grype sbom:/home/your_project/sbom.cdx.json --output cyclonedx-json=/home/your_project/vuln.cdx.json
Input (short variant)
grype sbom:/home/your_project/sbom.cdx.json -o cyclonedx-json=/home/your_project/vuln.cdx.json
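As an added example (not part of this tutorial, of Grype or of BOMnipotent), the following Python script reads a report in the cyclonedx-json format exported above and applies the same severity gate as ‘--fail-on’, which is useful when the report is consumed by a later pipeline step rather than by Grype itself. The report contents are constructed to mirror the rustls finding in the table above; the second advisory id is a placeholder, and the field names follow the CycloneDX vulnerability schema.

```python
import json

# Severity order used for the threshold, lowest to highest; mirrors the
# levels accepted by Grype's --fail-on (negligible, low, medium, high, critical).
SEVERITY_RANK = {"unknown": 0, "none": 0, "info": 0, "negligible": 0,
                 "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample in the shape of a cyclonedx-json vulnerability report.
# The rustls entry mirrors the table above; EXAMPLE-0001 is a placeholder id.
SAMPLE_REPORT = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"bom-ref": "pkg:cargo/rustls@0.23.15", "name": "rustls", "version": "0.23.15"},
        {"bom-ref": "pkg:cargo/example-crate@1.0.0", "name": "example-crate", "version": "1.0.0"},
    ],
    "vulnerabilities": [
        {"id": "GHSA-qg5g-gv98-5ffh",
         "ratings": [{"severity": "medium", "method": "other"}],
         "affects": [{"ref": "pkg:cargo/rustls@0.23.15"}]},
        {"id": "EXAMPLE-0001",
         "ratings": [{"severity": "low"}],
         "affects": [{"ref": "pkg:cargo/example-crate@1.0.0"}]},
    ],
})

def highest_severity(vuln):
    """Take the strongest rating when a vulnerability carries several ratings."""
    levels = [r.get("severity", "unknown").lower() for r in vuln.get("ratings", [])]
    return max(levels, key=lambda s: SEVERITY_RANK.get(s, 0), default="unknown")

def findings_at_or_above(report_json, fail_on):
    """Return (component, version, id, severity) tuples that would trip --fail-on."""
    report = json.loads(report_json)
    # Resolve affected bom-refs back to component name and version.
    by_ref = {c.get("bom-ref"): c for c in report.get("components", [])}
    threshold = SEVERITY_RANK[fail_on.lower()]
    hits = []
    for vuln in report.get("vulnerabilities", []):
        sev = highest_severity(vuln)
        if SEVERITY_RANK.get(sev, 0) < threshold:
            continue
        for affected in vuln.get("affects", []):
            comp = by_ref.get(affected.get("ref"), {})
            hits.append((comp.get("name", affected.get("ref")),
                         comp.get("version", "?"), vuln["id"], sev))
    return hits

if __name__ == "__main__":
    hits = findings_at_or_above(SAMPLE_REPORT, "low")
    for hit in hits:
        print("%-14s %-9s %-22s %s" % hit)
    raise SystemExit(1 if hits else 0)  # non-zero exit, like grype --fail-on
```

Pointing the script at a real ‘vuln.cdx.json’ only requires replacing SAMPLE_REPORT with the file contents.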

Grype integrates well with BOMnipotent. You can use the “bom get” command of BOMnipotent Client to print the contents of a BOM directly to the console, and then pipe it to Grype:

Input (long variant)
bomnipotent_client bom get "Your Project" "1.0.0" | grype --output cyclonedx-json=/home/vuln.cdx.json
Input (short variant)
bomnipotent_client bom get "Your Project" "1.0.0" | grype -o cyclonedx-json=/home/vuln.cdx.json