Kurtis Velarde

Vulnerability / SBOM / Malware Scan Workflows with Syft, Grype, and Yara

Vulnerability / SBOM / Malware Scan Workflows with Syft, Grype, and Yara

Vulnerability Scans:

Vulnerability scans are critical tools for identifying security weaknesses within a system. These scans enable organizations to detect vulnerabilities early, allowing for timely remediation before they can be exploited by malicious actors. By integrating regular vulnerability scans into the Software Development Life Cycle (SDLC), organizations can ensure that their applications remain secure throughout their development and deployment.

Software Bill of Materials (SBOM):

An SBOM is an essential component in software development and security. It provides a comprehensive list of all components, libraries, and dependencies used in software, along with their corresponding versions and license information. The SBOM aids in managing vulnerabilities effectively by offering clear insights into the software components that are susceptible to security threats. By leveraging an SBOM, organizations can streamline the process of tracking, updating, and securing software components, thereby enhancing the overall security posture.

Malware scans

Yara Hunter standard CI/CD ruleset: https://github.com/deepfence/YaraHunter

Malware scans using YARA fit into the SBOM and vulnerability scan workflow by providing an additional layer of security analysis, particularly targeting the identification of malware signatures and patterns within software components.

Syft

Syft is a versatile open-source tool developed by Anchore, designed for generating Software Bills of Materials (SBOMs) from container images and filesystems. https://github.com/anchore/syft

Key features:

  • Multiple Format Support: Syft can generate SBOMs in several formats, including SPDX, CycloneDX, and its native JSON format, catering to different compliance and integration needs.
  • Comprehensive Analysis: It can scan container images and filesystems to produce detailed SBOMs that include not just software packages but also file metadata and contents, leveraging digests such as SHA-256 and SHA-1 for file verification.
  • Flexible Cataloging: The tool offers advanced options for cataloging packages within various types of archives, enhancing its ability to discover and document components in both indexed and non-indexed archives.
  • Configuration and Extensibility: Users can configure Syft to exclude certain types of packages or perform targeted scans based on specific needs, such as excluding synthetic binary packages that overlap with non-synthetic ones.
  • Integration with Vulnerability Scanners: Syft’s SBOMs can be integrated with tools like Grype, Anchore’s vulnerability scanner, to enable detailed vulnerability assessment based on the components listed in the SBOM.
  • Remote License Fetching: Syft can retrieve licensing information from remote sources, such as package-lock.json files, helping maintain compliance with open-source licensing.

Grype

Grype is a powerful vulnerability scanner for container images and filesystems, developed by Anchore. https://github.com/anchore/grype

Key features:

  • Broad Compatibility: Grype can scan a variety of Linux distributions, including Alpine, CentOS, Debian, and Ubuntu. It supports multiple package formats such as RPM, DEB, Python packages, Ruby Bundles, NPM/Yarn packages, Java artifacts, and Go modules.
  • Comprehensive Vulnerability Matching: Utilizes a vulnerability database that aggregates data from multiple sources like Alpine Linux SecDB, Debian CVE Tracker, and the National Vulnerability Database, ensuring broad coverage of known vulnerabilities.
  • Configurable Severity Levels: Users can configure Grype to fail scans based on the severity of the vulnerabilities found, with options ranging from negligible to critical. This feature allows for flexible integration into CI/CD pipelines, where builds can be failed based on security criteria.
  • Output Formats: Grype supports multiple output formats, including table, JSON, and SARIF, making it easy to integrate and parse scan results in different systems and tools
  • Database Management: Grype manages its vulnerability database automatically, checking for updates before each scan to ensure the most up-to-date security data is used. Users can also manually manage the database, configure its update frequency, or operate entirely offline in air-gapped environments.
  • VEX Support: Grype can interpret Vulnerability Exploitability eXchange (VEX) documents to better understand the context of vulnerabilities, adjusting its reporting based on these inputs.

Yara

Malware research and classification tool: https://virustotal.github.io/yara/

  • Malware Scanning with YARA: After identifying known vulnerabilities, the next step is to scan for potential malware within the software components. YARA is used here to detect specific types of malware based on rules that describe malware patterns. By integrating YARA scans, organizations can detect malicious code that might not be listed as a known vulnerability but could still pose a significant threat. This is especially useful for identifying zero-day exploits and customized malware that targets specific systems.

LAB

Image Assessment Workflow

  • Build New Container Image
  • SBOM Generation with Syft
  • Vulnerability Scan with Gype
  • Generating an SBOM for our Docker image
  • Malware Scan with Yara
  • Publish Container Image and SDLC metadata as OCI Artifacts

Install Tools

ORAS OCI Client: https://github.com/oras-project/oras

# ORAS OCI CLI Installation
$ VERSION="1.1.0"
$ curl -LO "https://github.com/oras-project/oras/releases/download/v${VERSION}/oras_${VERSION}_linux_amd64.tar.gz"
$ mkdir -p oras-install/
$ tar -zxf oras_${VERSION}_*.tar.gz -C oras-install/
$ sudo mv oras-install/oras /usr/local/bin/
$ rm -rf oras_${VERSION}_*.tar.gz oras-install/ 
#Install Syft
$ curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
# Install Grype
$ curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin

Container Build and Assessment

# Download https://secure.eicar.org/eicar.com.txt file to trigger yara rules
$ curl -O https://secure.eicar.org/eicar.com.txt

# Start OCI Registry server
$ docker run -d –restart=always -p “127.0.0.1:5000:5000” –name reg registry:2
# Create Docker File
$ cat <<EOF > Dockerfile-alpine
FROM apline:3.10
WORKDIR /app

COPY ./eicar.com.txt /app
EOF


# Build Container Image
$ docker build -f Dockerfile -t localhost:5000/alpine1:0.1 .

# Push to local registry for storage
$ docker push localhost:5000/alpine1:0.1

# Docker sbom command (Syft Under the Hood) to create a spdx-json sbom
$ docker sbom –format spdx-json –output sbom.txt localhost:5000/alpine1:0.1

# Docker and Grype for SAST vulnerability scan reporting
$ docker sbom –format spdx-json localhost:5000/alpine1:0.1 | /usr/local/bin/grype > vuln-scan.txt

# Yara Malware Scan
$ docker run -i –rm –name=deepfence-yarahunter -v /var/run/docker.sock:/var/run/docker.sock -v /tmp:/home/deepfence/output deepfenceio/deepfence_malware_scanner_ce:2.0.0 –image-name localhost:5000/alpine1:0.1 –output=json > malware-scan.json

# Attach Sbom to image
$ oras attach localhost:5000/alpine-prod:0.1 sbom.txt –artifact-type example/sbom

# Attach vulnerability scan report to image artifact
$ oras attach localhost:5000/alpine-prod:0.1 vuln-scan.txt –artifact-type example/doc

# Attach Malware scan to image
$ oras attach localhost:5000/alpine-prod:0.1 malware-scan.json –artifact-type example/doc

# View supply chain artifact
$ oras discover localhost:5000/alpine-prod:0.1 -o tree

Summary

By incorporating YARA scans into the SBOM and vulnerability scanning workflow, organizations can achieve a more comprehensive security assessment, protecting against both known vulnerabilities and potential malware threats embedded within their software supply chain. This multi-layered approach is crucial for maintaining the integrity and security of software applications in today’s threat landscape.

Makefile (Jenkins / Gitlab / Actions) Example:

REG_URL := “kurtisvelarde.com:5000”
NAME := “alpine-eicar”
VERSION := “0.1”

build: ## Docker Build
@docker build . -t $(REG_URL)/$(NAME):$(VERSION)

push: ## Push to local registry
@docker push $(REG_URL)/$(NAME):$(VERSION)

sign: ## Sign with build key
@cosign sign –key ~/.sigstore/cosign.key kurtisvelarde.com:5000/alpine-eicar:0.1

verify: ## Cosign verify
@cosign verify –key https://kurtisvelarde.com/build/cosign.pub kurtisvelarde.com:5000/alpine-eicar:0.1
cve-scan:
@docker scout cves

trivy-scan: ## SAST Scan for High and Critical CVEs
@trivy image –severity HIGH,CRITICAL $(REG_URL)/$(NAME):$(VERSION)

create-sbomb: ## Generate spdk (LinuxFoundation)
@syft kurtisvelarde.com:5000/alpine-eicar:0.1 -o spdx > latest.spdx

attach-sbom: ## Attach sbom to image
@cosign attach sbom –sbom latest.spdx kurtisvelar^C.com:5000/alpine-eicar:0.1
sign-sbom: ## Sign sbom with cosign key
@cosign sign –key ~/.sigstore/cosign.key kurtisvelarde.com:5000/alpine-eicar:sha256-eda1dbd3ea70923db4482a669331cee9844ff82ca7915ed292001542357c8a7d.sbom

verify-sbom: ## Verify
@ cosign verify –key https://kurtisvelarde.com/build/cosign.pub kurtisvelarde.com:5000/alpine-eicar:sha256-eda1dbd3ea70923db4482a669331cee9844ff82ca7915ed292001542357c8a7d.sbom
test: ## Push to local registry
docker run -it 127.0.0.1:5000/myimage:0.1 /bin/sh -c “uptime”

help:
@grep -E ‘^[a-zA-Z_-]+:.?## .$$’ $(MAKEFILE_LIST) | sort | awk ‘BEGIN {FS = “:.*?## “}; {printf “\033[36m%-30s\033[0m %s\n”, $$1, $$2}’