vimp

command module
v0.4.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 4, 2023 License: Apache-2.0 Imports: 7 Imported by: 0

README

vimp

Import CLI for data output from OSS vulnerability scanners. Extracts vulnerabilities from reports output by common OSS scanners and converts it into a generic format which then is saved into a target store. Useful for comparing data across multiple scanners.

Usage

Given a container image digest:

export image="docker.io/redis@sha256:7b83a0167532d4320a87246a815a134e19e31504d85e8e55f0bb5bb9edf70448"

Generate vulnerability report using one of the supported OSS scanners:

  • grype grype --add-cpes-if-none -s AllLayers -o json --file report.json $image
  • snyk snyk container test --app-vulns --json-file-output=report.json $image
  • trivy trivy image --format json --output report.json $image

Then, import that vulnerability data into one of the supported data stores:

vimp --source $image --file report.json --target bq://project.dataset.table

Note, target table will be created if it does not exist.

The resulting schema in the target DB will look something like this (adjusted for DB-specific data types):

image       TEXT      NOT NULL
digest      TEXT      NOT NULL
source      TEXT      NOT NULL
processed   TIMESTAMP NOT NULL
cve         TEXT      NOT NULL
package     TEXT      NOT NULL
version     TEXT      NOT NULL
severity    TEXT      NOT NULL
score       FLOAT     NOT NULL
fixed       BOOL      NOT NULL

See sql/query.sql for examples of queries against the imported data.

The imported data will look something like this:

[
    {
        "image": "https://docker.io/redis",
        "digest": "sha256:7b83a0167532d4320a87246a815a134e19e31504d85e8e55f0bb5bb9edf70448",
        "source": "grype",
        "processed": "2023-04-04 13:15:22.410631 UTC",
        "cve": "CVE-2018-20860",
        "package": "libopenmpt0",
        "version": "0.3.6-1ubuntu0~18.04.1",
        "severity": "low",
        "score": "4.3",
        "fixed": "false"
    }
    ...
]

See https://github.com/mchmarny/artifact-events for how to set up vimp as an import for all new images in GCR or AR on GCP.

Installation

You can install vimp CLI using one of the following ways:

See the release section for vimp checksums and SBOMs.

Go

If you have Go 1.17 or newer, you can install latest vimp using:

go install github.com/mchmarny/vimp@latest
Homebrew

On Mac or Linux, you can install vimp with Homebrew:

brew tap mchmarny/vimp
brew install vimp

New release will be automatically picked up when you run brew upgrade

RHEL/CentOS
rpm -ivh https://github.com/mchmarny/vimp/releases/download/v$VERSION/vimp-$VERSION_Linux-amd64.rpm
Debian/Ubuntu
wget https://github.com/aquasecurity/vimp/releases/download/v$VERSION/vimp-$VERSION_Linux-amd64.deb
sudo dpkg -i vimp-$VERSION_Linux-64bit.deb
Binary

You can also download the latest release version of vimp for your operating system/architecture from here. Put the binary somewhere in your $PATH, and make sure it has that executable bit.

The official vimp releases include SBOMs

Disclaimer

This is my personal project and it does not represent my employer. While I do my best to ensure that everything works, I take no responsibility for issues caused by this code.

Documentation

The Go Gopher

There is no documentation for this package.

Source Files

View all Source files

Directories

Path Synopsis
internal
converter/grype
converter/snyk
converter/trivy
parser
processor
target
target/bq
target/console
target/file
pkg
data

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.