added links to grype and syft
parent 81f6103ca8
commit 4aa8d376b0
1 changed file with 2 additions and 2 deletions
@ -26,8 +26,8 @@ CPE has its limitations and [package-url](https://github.com/package-url/purl-sp
[osv.dev](osv.dev) This database is super awesome and they have a great [schema](https://ossf.github.io/osv-schema/). I am going to start contributing to this database to help strengthen the ecosystem further. By having this database be open source, all of the companies and vendors can finally start to work together and we can work at a pace that each individual is comfortable at. I think alot more work can get done this way and we can build a great vulnerability database together out in the open. Everyone will benefit from this. It uses PURL package-urls instead of CPEs and goes directly to the advisory if their is a machine readable version. The more advisories that can get converted to this schema format, the quicker this database can get adapted across the entire security ecosystem so everybody is not all solving the same solution for no reason. We all want the same thing, to secure the systems, and this is a great way to approach it.
#### Vulnerability Scanners
I did not see much on Microsoft based scanners, other than the Microsoft booth who were marketing their Endpoint software. Which for Windows based stuff works great, but I have also recently learned that it does work well for Linux based systems too. Overall the Microsoft vuln scanner is really good and I would love to get it in an enviroment to test it out further.
- Grype: Go based. Container and filesystem scanner. Works great with SBOMS. Kind of takes its input from SYFT SBOMS. Similiar to Trivy. I will be reading much of the source code to learn Go and understand more about how to do SBOMs.
- Syft: Go based. This program is super cool. It generates SBOMS from a container or filesystem. I will be reading alot of this code too in the future to study it and figure out how to do SBOMs.
- [Grype](https://github.com/anchore/grype): Go based. Container and filesystem scanner. Works great with SBOMS. Kind of takes its input from SYFT SBOMS. Similiar to Trivy. I will be reading much of the source code to learn Go and understand more about how to do SBOMs.
- [Syft](https://github.com/anchore/syft): Go based. This program is super cool. It generates SBOMS from a container or filesystem. I will be reading alot of this code too in the future to study it and figure out how to do SBOMs.
#### CSAF - Common Security Advisory Framework
This is a new standard being discussed around automating security advisories. As I noted [here](https://git.mcdevitt.tech/bpmcdevitt/data_importer/-/blob/main/doc/cna_readme_notes/cnas_with_html_advisories.md) as one example, there are many security advisories from various CNA's that have only an HTML table of their advisory data. They are a victim of the times, and we used to interpret thigns via web browsers. But now we need a way to pass around the security advisory data so our scanners that we are all focusing on building can accurately and reliably consume the data so there is no time gap, and so things are standarized and so we dont have to scrape html. This is happening through OASIS. I want to see if I can maybe sit in on a meeting to see how they go and how close it is to being adopted.
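Review bot: the two `+` lines for Grype and Syft carry the typos of the `-` lines they replace ("Similiar", "alot") and the mixed casing "SBOMS" / "SYFT" straight through; since this commit already rewrites both lines to add the repository links, it is the right place to correct them to "Similar", "a lot", "SBOMs" and "Syft". The wording "Kind of takes its input from SYFT SBOMS" is also vaguer than it needs to be: Grype scans a Syft-generated SBOM (or an image/filesystem directly), so "Can take a Syft-generated SBOM as input" would say the same thing precisely. One more link issue visible in the surrounding context: `[osv.dev](osv.dev)` has no scheme in the target, so Markdown renders it as a relative link to `osv.dev` under the current page rather than to the site; `[osv.dev](https://osv.dev)` fixes it.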