⭐️ scan SBOM files for vulnerabilities (#1296)

* 🧹 use new iox package * 🧹 add sbom support to vuln subcommand * 🧹 update to latest cnquery sbom * 🧹 Bump cnquery to v11.6.1 (#1308) * 🧹 align asset scores in CLI report (#1307) Signed-off-by: Ivan Milchev <[email protected]> * 🧹 Add test for filters (#1304) This tests shows, that MQL filters are OR connected. Signed-off-by: Christian Zunker <[email protected]> * 🧹 Bump cnquery to v11.6.1 --------- Signed-off-by: Ivan Milchev <[email protected]> Signed-off-by: Christian Zunker <[email protected]> Co-authored-by: Ivan Milchev <[email protected]> Co-authored-by: Christian Zunker <[email protected]> Co-authored-by: Mondoo Tools <[email protected]> * fix tests Signed-off-by: Ivan Milchev <[email protected]> --------- Signed-off-by: Ivan Milchev <[email protected]> Signed-off-by: Christian Zunker <[email protected]> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Ivan Milchev <[email protected]> Co-authored-by: Christian Zunker <[email protected]> Co-authored-by: Mondoo Tools <[email protected]> Co-authored-by: Ivan Milchev <[email protected]>
mondoohq · May 30, 2024 · 240d9d5 · 240d9d5
1 parent c37e9ec
commit 240d9d5
Show file tree

Hide file tree

Showing 17 changed files with 144 additions and 92 deletions.
diff --git a/apps/cnspec/cmd/root.go b/apps/cnspec/cmd/root.go
@@ -101,7 +101,7 @@ func BuildRootCmd() (*cobra.Command, error) {
 			Command:             vulnCmd,
 			Run:                 vulnCmdRun,
 			Action:              "Check for vulnerabilities ",
-			SupportedConnectors: []string{"docker", "container", "filesystem", "local", "ssh", "vagrant", "winrm", "vsphere"},
+			SupportedConnectors: []string{"docker", "container", "filesystem", "local", "ssh", "vagrant", "winrm", "vsphere", "sbom"},
 		},
 	)
 	return rootCmd, err

diff --git a/apps/cnspec/cmd/vuln.go b/apps/cnspec/cmd/vuln.go
@@ -11,7 +11,8 @@ import (
 	"go.mondoo.com/cnquery/v11/providers"
 	"go.mondoo.com/cnquery/v11/providers-sdk/v1/plugin"
 	"go.mondoo.com/cnquery/v11/providers-sdk/v1/upstream/mvd"
-	"go.mondoo.com/cnquery/v11/sbom"
+	"go.mondoo.com/cnquery/v11/sbom/generator"
+	"go.mondoo.com/cnquery/v11/sbom/pack"
 	"go.mondoo.com/cnspec/v11/cli/reporter"
 	"go.mondoo.com/cnspec/v11/policy"
 )
@@ -42,7 +43,7 @@ var vulnCmd = &cobra.Command{
 }
 
 var vulnCmdRun = func(cmd *cobra.Command, runtime *providers.Runtime, cliRes *plugin.ParseCLIRes) {
-	pb, err := sbom.QueryPack()
+	pb, err := pack.QueryPack()
 	if err != nil {
 		log.Fatal().Err(err).Msg("failed to load sbom query pack")
 	}
@@ -74,7 +75,7 @@ var vulnCmdRun = func(cmd *cobra.Command, runtime *providers.Runtime, cliRes *pl
 		logger.DebugDumpJSON("mondoo-sbom-report", data)
 	}
 
-	boms, err := sbom.NewBom(cnspecReport.ToCnqueryReport())
+	boms, err := generator.NewBom(cnspecReport.ToCnqueryReport())
 	if err != nil {
 		log.Fatal().Err(err).Msg("failed to parse sbom data")
 	}
@@ -101,7 +102,7 @@ var vulnCmdRun = func(cmd *cobra.Command, runtime *providers.Runtime, cliRes *pl
 
 	var runningKernel string
 	if bom.Asset.Labels != nil {
-		runningKernel = bom.Asset.Labels[sbom.LABEL_KERNEL_RUNNING]
+		runningKernel = bom.Asset.Labels[generator.LABEL_KERNEL_RUNNING]
 	}
 
 	req := &mvd.AnalyseAssetRequest{

diff --git a/cli/reporter/cli_reporter.go b/cli/reporter/cli_reporter.go
@@ -18,7 +18,7 @@ import (
 	"go.mondoo.com/cnquery/v11/providers"
 	"go.mondoo.com/cnquery/v11/providers-sdk/v1/resources"
 	"go.mondoo.com/cnquery/v11/providers-sdk/v1/upstream/mvd"
-	"go.mondoo.com/cnquery/v11/shared"
+	"go.mondoo.com/cnquery/v11/utils/iox"
 	"go.mondoo.com/cnspec/v11/policy"
 	"sigs.k8s.io/yaml"
 )
@@ -156,7 +156,7 @@ func (r *Reporter) WriteReport(ctx context.Context, data *policy.ReportCollectio
 		_, err = r.out.Write(data)
 		return err
 	case FormatJUnit:
-		writer := shared.IOWriter{Writer: r.out}
+		writer := iox.IOWriter{Writer: r.out}
 		return ConvertToJunit(data, &writer)
 	// case FormatCSV:
 	// 	res, err = data.ToCsv()
@@ -186,11 +186,11 @@ func (r *Reporter) PrintVulns(data *mvd.VulnReport, target string) error {
 	case FormatJUnit:
 		return errors.New("'junit' is not supported for vuln reports, please use one of the other formats")
 	case FormatCSV:
-		writer := shared.IOWriter{Writer: r.out}
+		writer := iox.IOWriter{Writer: r.out}
 		return VulnReportToCSV(data, &writer)
 	case FormatYAMLv1, FormatYAMLv2:
 		raw := bytes.Buffer{}
-		writer := shared.IOWriter{Writer: &raw}
+		writer := iox.IOWriter{Writer: &raw}
 		err := VulnReportToJSON(target, data, &writer)
 		if err != nil {
 			return err
@@ -203,7 +203,7 @@ func (r *Reporter) PrintVulns(data *mvd.VulnReport, target string) error {
 		_, err = r.out.Write(json)
 		return err
 	case FormatJSONv1, FormatJSONv2:
-		writer := shared.IOWriter{Writer: r.out}
+		writer := iox.IOWriter{Writer: r.out}
 		return VulnReportToJSON(target, data, &writer)
 	default:
 		return errors.New("unknown reporter type, don't recognize this Format")

diff --git a/cli/reporter/cli_reporter_test.go b/cli/reporter/cli_reporter_test.go
@@ -14,7 +14,7 @@ import (
 	"go.mondoo.com/cnquery/v11/cli/printer"
 	"go.mondoo.com/cnquery/v11/cli/theme/colors"
 	"go.mondoo.com/cnquery/v11/providers-sdk/v1/upstream/mvd"
-	"go.mondoo.com/cnquery/v11/shared"
+	"go.mondoo.com/cnquery/v11/utils/iox"
 	"go.mondoo.com/cnspec/v11/policy"
 )
 
@@ -27,7 +27,7 @@ func TestCompactReporter(t *testing.T) {
 	require.NoError(t, err)
 
 	buf := bytes.Buffer{}
-	writer := shared.IOWriter{Writer: &buf}
+	writer := iox.IOWriter{Writer: &buf}
 
 	r := &Reporter{
 		Conf:    defaultPrintConfig(),
@@ -57,7 +57,7 @@ func TestVulnReporter(t *testing.T) {
 	require.NoError(t, err)
 
 	buf := bytes.Buffer{}
-	writer := shared.IOWriter{Writer: &buf}
+	writer := iox.IOWriter{Writer: &buf}
 	target := "index.docker.io/library/ubuntu@669e010b58ba"
 
 	t.Run("format=summary", func(t *testing.T) {

diff --git a/cli/reporter/csv_vuln.go b/cli/reporter/csv_vuln.go
@@ -9,7 +9,7 @@ import (
 	"strings"
 
 	"go.mondoo.com/cnquery/v11/providers-sdk/v1/upstream/mvd"
-	"go.mondoo.com/cnquery/v11/shared"
+	"go.mondoo.com/cnquery/v11/utils/iox"
 	"go.mondoo.com/cnspec/v11/cli/components"
 	"go.mondoo.com/cnspec/v11/cli/components/advisories"
 )
@@ -29,7 +29,7 @@ func (c csvStruct) toSlice() []string {
 }
 
 // ReportCollectionToCSV writes the given report collection to the given output directory
-func VulnReportToCSV(data *mvd.VulnReport, out shared.OutputHelper) error {
+func VulnReportToCSV(data *mvd.VulnReport, out iox.OutputHelper) error {
 	w := csv.NewWriter(out)
 
 	// write header

diff --git a/cli/reporter/csv_vuln_test.go b/cli/reporter/csv_vuln_test.go
@@ -12,7 +12,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"go.mondoo.com/cnquery/v11/providers-sdk/v1/upstream/mvd"
-	"go.mondoo.com/cnquery/v11/shared"
+	"go.mondoo.com/cnquery/v11/utils/iox"
 )
 
 func TestCsvConverter(t *testing.T) {
@@ -24,7 +24,7 @@ func TestCsvConverter(t *testing.T) {
 	require.NoError(t, err)
 
 	buf := bytes.Buffer{}
-	writer := shared.IOWriter{Writer: &buf}
+	writer := iox.IOWriter{Writer: &buf}
 	err = VulnReportToCSV(report, &writer)
 	require.NoError(t, err)
 

diff --git a/cli/reporter/json.go b/cli/reporter/json.go
@@ -11,11 +11,11 @@ import (
 	cr "go.mondoo.com/cnquery/v11/cli/reporter"
 	"go.mondoo.com/cnquery/v11/llx"
 	"go.mondoo.com/cnquery/v11/providers-sdk/v1/inventory"
-	"go.mondoo.com/cnquery/v11/shared"
+	"go.mondoo.com/cnquery/v11/utils/iox"
 	"go.mondoo.com/cnspec/v11/policy"
 )
 
-func printScore(score *policy.Score, mrn string, out shared.OutputHelper, prefix string) bool {
+func printScore(score *policy.Score, mrn string, out iox.OutputHelper, prefix string) bool {
 	if score == nil {
 		return false
 	}
@@ -59,7 +59,7 @@ func prepareAssetsForPrinting(assets map[string]*inventory.Asset) map[string]*as
 	return printableAssets
 }
 
-func ConvertToJSON(data *policy.ReportCollection, out shared.OutputHelper) error {
+func ConvertToJSON(data *policy.ReportCollection, out iox.OutputHelper) error {
 	if data == nil {
 		return nil
 	}

diff --git a/cli/reporter/json_test.go b/cli/reporter/json_test.go
@@ -14,7 +14,7 @@ import (
 	"github.com/stretchr/testify/require"
 	"go.mondoo.com/cnquery/v11/cli/printer"
 	"go.mondoo.com/cnquery/v11/cli/theme/colors"
-	"go.mondoo.com/cnquery/v11/shared"
+	"go.mondoo.com/cnquery/v11/utils/iox"
 	"go.mondoo.com/cnspec/v11/policy"
 )
 
@@ -27,7 +27,7 @@ func TestJsonOutput(t *testing.T) {
 	require.NoError(t, err)
 
 	buf := bytes.Buffer{}
-	writer := shared.IOWriter{Writer: &buf}
+	writer := iox.IOWriter{Writer: &buf}
 
 	conf := defaultPrintConfig()
 	conf.format = FormatJSONv1
@@ -56,7 +56,7 @@ func TestJsonOutputOnlyErrors(t *testing.T) {
 	require.NoError(t, err)
 
 	buf := bytes.Buffer{}
-	writer := shared.IOWriter{Writer: &buf}
+	writer := iox.IOWriter{Writer: &buf}
 
 	conf := defaultPrintConfig()
 	conf.format = FormatJSONv1

diff --git a/cli/reporter/json_vuln.go b/cli/reporter/json_vuln.go
@@ -11,7 +11,7 @@ import (
 
 	"github.com/rs/zerolog/log"
 	"go.mondoo.com/cnquery/v11/providers-sdk/v1/upstream/mvd"
-	"go.mondoo.com/cnquery/v11/shared"
+	"go.mondoo.com/cnquery/v11/utils/iox"
 	"go.mondoo.com/cnspec/v11/cli/components"
 	"go.mondoo.com/cnspec/v11/cli/components/advisories"
 )
@@ -46,7 +46,7 @@ type packagePrintable struct {
 	Cves      []string `json:"cves"`
 }
 
-func VulnReportToJSON(target string, data *mvd.VulnReport, out shared.OutputHelper) error {
+func VulnReportToJSON(target string, data *mvd.VulnReport, out iox.OutputHelper) error {
 	if data == nil {
 		return nil
 	}

diff --git a/cli/reporter/json_vuln_test.go b/cli/reporter/json_vuln_test.go
@@ -12,7 +12,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"go.mondoo.com/cnquery/v11/providers-sdk/v1/upstream/mvd"
-	"go.mondoo.com/cnquery/v11/shared"
+	"go.mondoo.com/cnquery/v11/utils/iox"
 )
 
 func TestJsonConverter(t *testing.T) {
@@ -24,7 +24,7 @@ func TestJsonConverter(t *testing.T) {
 	require.NoError(t, err)
 
 	buf := bytes.Buffer{}
-	writer := shared.IOWriter{Writer: &buf}
+	writer := iox.IOWriter{Writer: &buf}
 	err = VulnReportToJSON("index.docker.io/ubutnu:focal-20220113", report, &writer)
 	require.NoError(t, err)
 

diff --git a/cli/reporter/junit.go b/cli/reporter/junit.go
@@ -13,12 +13,12 @@ import (
 	"go.mondoo.com/cnquery/v11/explorer"
 	"go.mondoo.com/cnquery/v11/providers-sdk/v1/inventory"
 	"go.mondoo.com/cnquery/v11/providers-sdk/v1/upstream/mvd"
-	"go.mondoo.com/cnquery/v11/shared"
+	"go.mondoo.com/cnquery/v11/utils/iox"
 	"go.mondoo.com/cnspec/v11/policy"
 )
 
 // ConvertToJunit maps the ReportCollection to Junit. Each asset becomes its own Suite
-func ConvertToJunit(r *policy.ReportCollection, out shared.OutputHelper) error {
+func ConvertToJunit(r *policy.ReportCollection, out iox.OutputHelper) error {
 	noXMLHeader := false
 
 	suites := junit.Testsuites{}

diff --git a/cli/reporter/junit_test.go b/cli/reporter/junit_test.go
@@ -5,13 +5,14 @@ package reporter
 
 import (
 	"bytes"
+	"testing"
+
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"go.mondoo.com/cnquery/v11/explorer"
 	"go.mondoo.com/cnquery/v11/providers-sdk/v1/inventory"
-	"go.mondoo.com/cnquery/v11/shared"
+	"go.mondoo.com/cnquery/v11/utils/iox"
 	"go.mondoo.com/cnspec/v11/policy"
-	"testing"
 )
 
 func sampleReportCollection() *policy.ReportCollection {
@@ -93,7 +94,7 @@ func sampleReportCollection() *policy.ReportCollection {
 func TestJunitConverter(t *testing.T) {
 	yr := sampleReportCollection()
 	buf := bytes.Buffer{}
-	writer := shared.IOWriter{Writer: &buf}
+	writer := iox.IOWriter{Writer: &buf}
 	err := ConvertToJunit(yr, &writer)
 	require.NoError(t, err)
 
@@ -108,7 +109,7 @@ func TestJunitNilReport(t *testing.T) {
 	var yr *policy.ReportCollection
 
 	buf := bytes.Buffer{}
-	writer := shared.IOWriter{Writer: &buf}
+	writer := iox.IOWriter{Writer: &buf}
 	err := ConvertToJunit(yr, &writer)
 	require.NoError(t, err)
 

diff --git a/cli/reporter/output_handler.go b/cli/reporter/output_handler.go
@@ -7,7 +7,7 @@ import (
 	"bytes"
 	"context"
 
-	"go.mondoo.com/cnquery/v11/shared"
+	"go.mondoo.com/cnquery/v11/utils/iox"
 	"go.mondoo.com/cnspec/v11/policy"
 	_ "gocloud.dev/pubsub/awssnssqs"
 	_ "gocloud.dev/pubsub/azuresb"
@@ -85,7 +85,7 @@ func reportToYamlV1(report *policy.ReportCollection) ([]byte, error) {
 
 func reportToJsonV1(report *policy.ReportCollection) ([]byte, error) {
 	raw := bytes.Buffer{}
-	writer := shared.IOWriter{Writer: &raw}
+	writer := iox.IOWriter{Writer: &raw}
 	err := ConvertToJSON(report, &writer)
 	if err != nil {
 		return nil, err

diff --git a/cli/reporter/proto.go b/cli/reporter/proto.go
@@ -10,7 +10,7 @@ import (
 	"strings"
 
 	cr "go.mondoo.com/cnquery/v11/cli/reporter"
-	"go.mondoo.com/cnquery/v11/shared"
+	"go.mondoo.com/cnquery/v11/utils/iox"
 	"go.mondoo.com/cnspec/v11/policy"
 	"google.golang.org/protobuf/encoding/protojson"
 	"google.golang.org/protobuf/types/known/structpb"
@@ -85,7 +85,7 @@ func ConvertToProto(data *policy.ReportCollection) (*Report, error) {
 			}
 
 			buf := &bytes.Buffer{}
-			w := shared.IOWriter{Writer: buf}
+			w := iox.IOWriter{Writer: buf}
 			err := cr.CodeBundleToJSON(query.Code, results, &w)
 			if err != nil {
 				return nil, err