Comments (6)
I like this idea! It might be good to collect/consume this info from KBOM (and/or pluggable other sources) instead of querying cluster(s) directly. An operator running in cluster(s) (like trivy-operator) can produce these results and guac can consume them.
cc @itaysk
from guac.
Nice writeup! I've always wondered how this fits into guac / how people are solving this
We had a quick discussion about this with @ridhoq during the community meeting. Overall, this is a great feature that would add value. There are a few points that need discussion:
- Should we store this information in GUAC or would it be better as an integration due to the dynamic nature of the data?
- If stored in GUAC, how often would it need to be updated? As Ridwan stated, it would cause lots of data build-up and would require pruning.
- What is the most effective way to obtain this information?
- As discussed in the call, this would need to be in the form of an "attestation" (preferably an in-toto attestation). This could be signed and verified later down the line to ensure the trustworthiness of the data.
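As an added illustration of the "signed attestation" point above (this is example code, not GUAC's code and not the schema from in-toto/attestation#341): a deployment observation is wrapped in an in-toto Statement, enclosed in a DSSE envelope, signed with Ed25519, and verified by the consumer before the data is trusted. The predicate type URL, the predicate fields and the subject names are placeholders assumed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strconv"
)

// Hypothetical predicate type: the real deployment predicate is still being
// defined in in-toto/attestation#341, so this URL and the predicate fields are
// placeholders for illustration, not a published schema.
const deploymentPredicateType = "https://example.invalid/hypothetical/deployment/v0"

// DSSE payload type used for in-toto statements.
const payloadType = "application/vnd.in-toto+json"

type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}
type DeploymentPredicate struct {
	Cluster  string `json:"cluster"`
	Workload string `json:"workload"`
	Node     string `json:"node"`
}

// Statement follows the in-toto Statement layout.
type Statement struct {
	Type          string              `json:"_type"`
	Subject       []Subject           `json:"subject"`
	PredicateType string              `json:"predicateType"`
	Predicate     DeploymentPredicate `json:"predicate"`
}

// Envelope mirrors the DSSE envelope: base64 payload plus detached signatures.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}
type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}

// pae builds the DSSE pre-authentication encoding; signing it (not the raw
// payload) binds the payload type into the signature.
func pae(typ string, payload []byte) []byte {
	return []byte("DSSEv1 " + strconv.Itoa(len(typ)) + " " + typ + " " +
		strconv.Itoa(len(payload)) + " " + string(payload))
}

func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign marshals the statement and wraps it in a signed DSSE envelope.
func Sign(stmt Statement, keyID string, priv ed25519.PrivateKey) (Envelope, error) {
	body, err := json.Marshal(stmt)
	if err != nil {
		return Envelope{}, err
	}
	sig := ed25519.Sign(priv, pae(payloadType, body))
	return Envelope{PayloadType: payloadType, Payload: base64.StdEncoding.EncodeToString(body),
		Signatures: []Signature{{KeyID: keyID, Sig: base64.StdEncoding.EncodeToString(sig)}}}, nil
}

// Verify accepts the envelope only if a signature validates under the trusted
// key and the statement carries the expected predicate type; a consumer such
// as an ingestion pipeline would run this before storing the data.
func Verify(env Envelope, pub ed25519.PublicKey) (Statement, error) {
	var stmt Statement
	body, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil || env.PayloadType != payloadType {
		return stmt, fmt.Errorf("bad envelope: payloadType=%q err=%v", env.PayloadType, err)
	}
	valid := false
	for _, s := range env.Signatures {
		raw, decErr := base64.StdEncoding.DecodeString(s.Sig)
		valid = valid || (decErr == nil && ed25519.Verify(pub, pae(env.PayloadType, body), raw))
	}
	if !valid {
		return stmt, fmt.Errorf("no signature verifies under the trusted key")
	}
	if err := json.Unmarshal(body, &stmt); err != nil {
		return stmt, err
	}
	if stmt.PredicateType != deploymentPredicateType {
		return stmt, fmt.Errorf("unexpected predicate type %q", stmt.PredicateType)
	}
	return stmt, nil
}

// SampleStatement returns a constructed statement (names and digest are made up).
func SampleStatement() Statement {
	return Statement{Type: "https://in-toto.io/Statement/v1",
		Subject:       []Subject{{Name: "registry.example/api", Digest: map[string]string{"sha256": "00"}}},
		PredicateType: deploymentPredicateType,
		Predicate:     DeploymentPredicate{Cluster: "prod-east", Workload: "default/api", Node: "node-1"}}
}

func main() {
	pub, priv, _ := NewSigningKey()
	env, _ := Sign(SampleStatement(), "deploy-signer-1", priv)
	stmt, err := Verify(env, pub)
	fmt.Println(stmt.Predicate.Workload, "verified:", err == nil)
}
```

The consumer pins the trusted public key and the predicate type it is willing to ingest; anything else is rejected before it reaches the graph, which is what makes the stored deployment data trustworthy "later down the line".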
@ridhoq and I have been discussing this offline. Our view is that we would like to have one single place where we can store all information related to the supply chain (of containers), not only the composition. The reason being that if that information is stored in two (or more) separate systems, joining the information becomes more problematic.
We do see the supply chain as a graph (that we would like to search bi-directionally) that starts from acquisition of the base container images and any external packages and ends with deployment and eventually termination of the running container on the runtime nodes.
Two main scenarios we are targeting at the moment are:
- Inventory/impact assessment scenario
  In this scenario, we would like to identify all assets that are impacted by a certain vulnerability and what the relation between them is (including deployed/running assets), i.e. what the flow through the supply chain is.
- Remediation sequence scenario
  In this scenario, we would like to understand what the steps are for remediating a vulnerability that is discovered at runtime (or any other stage of the supply chain). This should answer questions like: what base image needs to be updated, what library needs to be updated, what applications/containers need to be redeployed, etc.
Hope this helps steer the conversation further.
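The two scenarios in the comment above, worked through on a small constructed graph (this is an added example, not GUAC's data model or query API): every edge is stored in both directions so the same graph answers the downstream question "which deployed assets does this vulnerable package reach?" and the upstream question "what must change, and in what order, to remediate a running workload?". The node kinds, the edge direction (from ingredient to the thing built from or running it) and all names are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Kind orders supply-chain stages from acquisition to runtime (assumed taxonomy).
type Kind int

const (
	Package Kind = iota
	BaseImage
	Image
	Deployment
	RuntimeNode
)

// Graph stores every edge in both directions so it can be searched
// downstream (where does X end up?) and upstream (what is X built from?).
type Graph struct {
	kind       map[string]Kind
	downstream map[string][]string
	upstream   map[string][]string
}

func NewGraph() *Graph {
	return &Graph{kind: map[string]Kind{}, downstream: map[string][]string{}, upstream: map[string][]string{}}
}

func (g *Graph) AddNode(id string, k Kind) { g.kind[id] = k }

// AddEdge records that `to` contains, is built from, runs, or hosts `from`.
func (g *Graph) AddEdge(from, to string) {
	g.downstream[from] = append(g.downstream[from], to)
	g.upstream[to] = append(g.upstream[to], from)
}

// walk is a breadth-first traversal in one direction; neighbours are sorted so
// the visit order (the "flow" through the chain) is deterministic.
func (g *Graph) walk(start string, adj map[string][]string) []string {
	seen := map[string]bool{start: true}
	queue := []string{start}
	var out []string
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		next := append([]string(nil), adj[cur]...)
		sort.Strings(next)
		for _, n := range next {
			if !seen[n] {
				seen[n] = true
				out = append(out, n)
				queue = append(queue, n)
			}
		}
	}
	return out
}

// Impacted answers the inventory/impact question: every asset downstream of the
// vulnerable package, through images and deployments to the nodes running them.
func (g *Graph) Impacted(vulnPkg string) []string { return g.walk(vulnPkg, g.downstream) }

// RemediationSteps answers the remediation-sequence question for a vulnerability
// observed on a running deployment: intersect the deployment's upstream lineage
// with the package's downstream reach, then order the work by stage.
func (g *Graph) RemediationSteps(deploymentID, vulnPkg string) []string {
	lineage := map[string]bool{deploymentID: true}
	for _, id := range g.walk(deploymentID, g.upstream) {
		lineage[id] = true
	}
	affected := map[string]bool{vulnPkg: true}
	for _, id := range g.walk(vulnPkg, g.downstream) {
		affected[id] = true
	}
	var onPath []string
	for id := range lineage {
		if affected[id] {
			onPath = append(onPath, id)
		}
	}
	sort.Slice(onPath, func(i, j int) bool {
		if g.kind[onPath[i]] != g.kind[onPath[j]] {
			return g.kind[onPath[i]] < g.kind[onPath[j]]
		}
		return onPath[i] < onPath[j]
	})
	verbs := [...]string{"update ", "rebuild base image ", "rebuild image ", "redeploy ", ""}
	var steps []string
	for _, id := range onPath {
		if v := verbs[g.kind[id]]; v != "" { // nothing to do on the runtime node itself
			steps = append(steps, v+id)
		}
	}
	return steps
}

// SampleGraph builds the constructed example: openssl sits in the debian base
// image used by two services; the frontend uses a different base and is unaffected.
func SampleGraph() *Graph {
	g := NewGraph()
	for id, k := range map[string]Kind{"pkg:openssl": Package, "pkg:zlib": Package, "base:debian": BaseImage,
		"base:alpine": BaseImage, "img:api": Image, "img:worker": Image, "img:frontend": Image,
		"dep:api-prod": Deployment, "dep:worker-prod": Deployment, "dep:frontend-prod": Deployment,
		"node:node-1": RuntimeNode, "node:node-2": RuntimeNode} {
		g.AddNode(id, k)
	}
	for _, e := range [][2]string{{"pkg:openssl", "base:debian"}, {"base:debian", "img:api"}, {"pkg:zlib", "img:api"},
		{"base:debian", "img:worker"}, {"base:alpine", "img:frontend"}, {"img:api", "dep:api-prod"},
		{"img:worker", "dep:worker-prod"}, {"img:frontend", "dep:frontend-prod"}, {"dep:api-prod", "node:node-1"},
		{"dep:frontend-prod", "node:node-1"}, {"dep:worker-prod", "node:node-2"}} {
		g.AddEdge(e[0], e[1])
	}
	return g
}

func main() {
	g := SampleGraph()
	fmt.Println("impacted by pkg:openssl:", g.Impacted("pkg:openssl"))
	fmt.Println("remediation for dep:api-prod:", g.RemediationSteps("dep:api-prod", "pkg:openssl"))
}
```

Keeping both adjacency directions in one store is the point of the comment: the impact query and the remediation query are the same graph walked opposite ways, and the intersection that produces the ordered steps is only possible when composition and deployment facts live in the same place.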
New Deployment attestation being developed: in-toto/attestation#341
Will need to determine if this fits into this discussion or not.
Thanks for the ping @sozercan. While I think the gist of your comment makes sense, I just need to mention that Trivy KBOM does not include information about workloads, but rather information about the Kubernetes cluster components.