Vulnerability insights through SBOM

[thomasvandeweijer]

Hi,
I'm currently trying to get better insights of active vulnerabilities on my systems. To do this for Flatcar I'm currently loading the flatcar_production_image_sbom.json file into Trivy, however I suspect this SBOM might have more packages than are actually in the image I'm loading (flatcar_production_pxe.vmlinuz and flatcar_production_pxe_image.cpio.gz).
Based on these suspicions I have a few questions:

• What packages are included in the SBOM? (only what's included in the image or also build tools?)
• Is the SBOM the right source for vulnerability detection?
• Are there any alternative ways to get included package versions for scanning input?

Any other suggestions/recommendations are also welcome, I'm still searching for the best approach.

[tormath1]

Hello, SBOM is created based on the generic image content¹ so it should not have the build tools listed inside (e.g: you can't find go or rust inside the SBOM file).

I don't have enough knowledge on this topic to know if SBOM is the right source for vulnerability detection but looking at the file content and its integration with tools like trivy it seems to be the best source for doing this.

There are two alternatives ways to get included packages versions:

• Using this file: https://stable.release.flatcar-linux.net/amd64-usr/current/flatcar_production_image_packages.txt. Note that sysext packages are not listed here, you need to go through them individually (e.g docker sysext: https://stable.release.flatcar-linux.net/amd64-usr/current/rootfs-included-sysexts/containerd-flatcar_packages.txt)
• Under /usr/share/SLSA you can find all the in-toto statements

Footnotes

1. https://github.com/flatcar/scripts/blob/f028badc1c7877f5a78d82835f550e9bf159bb64/build_library/prod_image_util.sh#L110 ↩