From e20a86ead4f104f68bb8b94507ce885abf7972b1 Mon Sep 17 00:00:00 2001 From: stlef14 Date: Mon, 20 Oct 2025 17:13:26 -0400 Subject: [PATCH 1/6] changes to trivy sbom fs for POC with CycloneDX Signed-off-by: stlef14 --- .../boostsecurityio/trivy-sbom/module.yaml | 186 ++++++++---------- 1 file changed, 83 insertions(+), 103 deletions(-) diff --git a/scanners/boostsecurityio/trivy-sbom/module.yaml b/scanners/boostsecurityio/trivy-sbom/module.yaml index c33f0e03..ab15238b 100644 --- a/scanners/boostsecurityio/trivy-sbom/module.yaml +++ b/scanners/boostsecurityio/trivy-sbom/module.yaml 
@@ -8,114 +8,94 @@ scan_types: config: support_diff_scan: false - include_files: - # C/C++ https://trivy.dev/v0.61/docs/coverage/language/c/ - - conan.lock - # Dart https://trivy.dev/v0.61/docs/coverage/language/dart/ - - pubspec.lock - # Dotnet https://trivy.dev/v0.61/docs/coverage/language/dotnet/ - - "*.deps.json" - - packages.config - - "*Packages.props" - - packages.lock.json - # Elixir https://trivy.dev/v0.61/docs/coverage/language/elixir/ - - mix.lock - # Go https://trivy.dev/v0.61/docs/coverage/language/golang/ - - go.mod - # Java https://trivy.dev/v0.61/docs/coverage/language/java/ - - "*gradle.lockfile" - - pom.xml - - "*.sbt.lock" - # NodeJs https://trivy.dev/v0.61/docs/coverage/language/nodejs/ - - package-lock.json - - yarn.lock - - pnpm-lock.yaml - # Php https://trivy.dev/v0.61/docs/coverage/language/php/ - - composer.lock - - installed.json - # Python https://trivy.dev/v0.61/docs/coverage/language/python/ - - Pipfile.lock - - requirements.txt - - poetry.lock - - uv.lock - # Ruby https://trivy.dev/v0.61/docs/coverage/language/ruby/ - - Gemfile.lock - - .gemspec - # RUST https://trivy.dev/v0.61/docs/coverage/language/rust/ - - Cargo.lock - # Swift https://trivy.dev/v0.61/docs/coverage/language/swift/ - - Package.resolved - - Podfile.lock - # Julia https://trivy.dev/v0.61/docs/coverage/language/julia/ - - Manifest.toml setup: - - name: Utility scripts + - name: Verify dotnet installed run: | - mkdir -p $SETUP_PATH/pre-scan-checks/ - cp $SETUP_PATH/../../registry/scanners/boostsecurityio/trivy-fs/prescan_checks.sh $SETUP_PATH/pre-scan-checks/trivy - - name: download trivy - environment: - VERSION: 0.67.0 - LINUX_X86_64_SHA: 5b10e9bba00a508b0f3bcb98e78f1039f7eee26b57c9266961a415642a9208ab - LINUX_ARM64_SHA: 0f3ac33954dd918cad708bdf06731b4aa8cc14b12e879932b4ceef2f22640a9e - MACOS_X86_64_SHA: ae8a13d8c3abf7f7e7981ac1a5f5ec094d68835f2aac67da102d4ba36e820c3c - MACOS_ARM64_SHA: feea8727b501f654683774fe0f98a9c1a128c7d8bcd7c942a8e6f6d05b33bd4b - run: | - 
BINARY_URL="https://github.com/aquasecurity/trivy/releases/download/v${VERSION}" - ARCH=$(uname -m) - - case "$(uname -sm)" in - "Linux x86_64") - BINARY_URL="${BINARY_URL}/trivy_${VERSION}_Linux-64bit.tar.gz" - SHA="${LINUX_X86_64_SHA} trivy.tgz" - ;; - "Linux aarch64") - BINARY_URL="${BINARY_URL}/trivy_${VERSION}_Linux-ARM64.tar.gz" - SHA="${LINUX_ARM64_SHA} trivy.tgz" - ;; - "Darwin x86_64") - BINARY_URL="${BINARY_URL}/trivy_${VERSION}_macOS-64bit.tar.gz" - SHA="${MACOS_X86_64_SHA} trivy.tgz" - ;; - "Darwin arm64") - BINARY_URL="${BINARY_URL}/trivy_${VERSION}_macOS-ARM64.tar.gz" - SHA="${MACOS_ARM64_SHA} trivy.tgz" - ;; - *) - echo "Unsupported machine: ${OPTARG}" - exit 1 - ;; - esac - - curl -o trivy.tgz -fsSL "${BINARY_URL}" - echo "${SHA}" | sha256sum --check - - tar --no-same-owner -zxf trivy.tgz trivy - rm trivy.tgz - chmod +x trivy + mkdir -p $SETUP_PATH/scan-tools + if ! dotnet --version ; then + echo "dotnet is not installed, the scanner cannot run." + exit 1 + fi + dotnet tool install CycloneDX --version 5.5.0 --tool-path $SETUP_PATH/scan-tools/.dotnet-tools + if [ $? -ne 0 ]; then + echo "Failed to install CycloneDX" + exit 1 + fi + if ! "$SETUP_PATH/scan-tools/.dotnet-tools/dotnet-CycloneDX" --version >/dev/null 2>&1; then + echo "CycloneDX did not install or run correctly" + exit 1 + fi steps: - - run: $SETUP_PATH/pre-scan-checks/trivy - scan: command: - environment: - NO_COLOR: "true" - TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2 - TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1 - run: > - $SETUP_PATH/trivy fs - --format=cyclonedx - --license-full - --no-progress - --scanners vuln - --cache-dir=/tmp/trivy/ - --skip-version-check - . 2>&1 + run: | + TEMP_SOLN_FILE="temp" + SCAN_TARGET=$TEMP_SOLN_FILE".sln" + + # Find all .csproj files (excluding test directories) + ALL_PROJECTS=$(find . 
-maxdepth 5 -name "*.csproj" -type f) + + if [ -z "$ALL_PROJECTS" ]; then + echo "{}" + exit 0 + fi + + # Test each project - only include ones that restore successfully + # This filters out template projects or any broken projects + VALID_PROJECTS_FILE=$(mktemp) + + while IFS= read -r proj; do + if [ -n "$proj" ] && dotnet restore "$proj" --ignore-failed-sources --no-cache >/dev/null 2>&1; then + echo "$proj" >> "$VALID_PROJECTS_FILE" + fi + done </dev/null 2>&1 || true + + # Add all found .csproj files to the solution + echo "$PROJECT_LIST" | while IFS= read -r proj; do + [ -n "$proj" ] && dotnet sln $SCAN_TARGET add "$proj" >/dev/null 2>&1 || true + done + + # Restore packages while ignoring errors. + if [ -n "$SCAN_TARGET" ]; then + dotnet restore "$SCAN_TARGET" --ignore-failed-sources --no-cache >/dev/null 2>&1 || true + fi + + # Generate SBOM to temporary directory + OUTPUT_DIR="temp_sbom_output" + rm -rf "$OUTPUT_DIR" || true + + if [ -n "$SCAN_TARGET" ] && $SETUP_PATH/scan-tools/.dotnet-tools/dotnet-CycloneDX "$SCAN_TARGET" \ + --disable-package-restore \ + --output "$OUTPUT_DIR" \ + --output-format json \ + >/dev/null 2>&1; then + + if [ -f "$OUTPUT_DIR/bom.json" ]; then + cat "$OUTPUT_DIR/bom.json" + else + echo "SBOM result missing." + exit 1 + fi + else + echo "CycloneDX failed to generate SBOM." + exit 1 + fi + format: cyclonedx - post-processor: - docker: - image: public.ecr.aws/boostsecurityio/boost-scanner-trivy-sbom:9b693ef@sha256:249ee707158424d8bd333198e1512ca295fe30c6fff2d2b1adff9e8f914b42cb - command: process - environment: - PYTHONIOENCODING: utf-8 + From bb14c4fa4fa89da380deb579fc8daf2802bc3deb Mon Sep 17 00:00:00 2001 From: stlef14 Date: Tue, 3 Mar 2026 14:40:46 -0500 Subject: [PATCH 2/6] Remove output redirection from dotnet commands Signed-off-by: stlef14 --- scanners/boostsecurityio/trivy-sbom/module.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
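Review bot: The `while IFS= read -r proj` loop runs `dotnet restore "$proj"` on every `.csproj` found in the scanned checkout, so the SBOM step now evaluates and can execute MSBuild targets shipped by the repository under scan, a trust boundary the replaced `trivy fs` command did not cross; at minimum state it above the loop, e.g. `# NOTE: restore evaluates the scanned repo's own MSBuild logic; only run this scanner in an isolated, ephemeral environment`. The comment `# Find all .csproj files (excluding test directories)` does not match the `find . -maxdepth 5 -name "*.csproj" -type f` below it, which excludes nothing; either add a `-not -path` filter or drop the parenthetical. With `format: cyclonedx`, the `echo "{}"` / `exit 0` branch for an empty project list hands the consumer a document that is not a CycloneDX BOM, so a minimal valid BOM or a distinct failure would be clearer. The setup step `dotnet tool install CycloneDX --version 5.5.0` pins a version but, unlike the removed `sha256sum --check` on the trivy tarball, verifies nothing about what it downloads; documenting the trusted feed, or pointing `--configfile`/`--add-source` at a controlled one, would partly restore that guarantee. The text between `done` and `# Add all found .csproj files` looks truncated in this rendering, so I cannot see where `PROJECT_LIST` is assigned and have not reviewed that stretch.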
diff --git a/scanners/boostsecurityio/trivy-sbom/module.yaml b/scanners/boostsecurityio/trivy-sbom/module.yaml index ab15238b..1fff5085 100644 --- a/scanners/boostsecurityio/trivy-sbom/module.yaml +++ b/scanners/boostsecurityio/trivy-sbom/module.yaml @@ -68,7 +68,7 @@ steps: # Add all found .csproj files to the solution echo "$PROJECT_LIST" | while IFS= read -r proj; do - [ -n "$proj" ] && dotnet sln $SCAN_TARGET add "$proj" >/dev/null 2>&1 || true + [ -n "$proj" ] && dotnet sln $SCAN_TARGET add "$proj" || true done # Restore packages while ignoring errors. @@ -84,7 +84,7 @@ steps: --disable-package-restore \ --output "$OUTPUT_DIR" \ --output-format json \ - >/dev/null 2>&1; then + ; then if [ -f "$OUTPUT_DIR/bom.json" ]; then cat "$OUTPUT_DIR/bom.json" From a1ce201a02fc1e64aa6a172d267b4b00d4f02af4 Mon Sep 17 00:00:00 2001 From: stlef14 Date: Tue, 3 Mar 2026 16:57:16 -0500 Subject: [PATCH 3/6] Remove error suppression from dotnet commands Signed-off-by: stlef14 --- scanners/boostsecurityio/trivy-sbom/module.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scanners/boostsecurityio/trivy-sbom/module.yaml b/scanners/boostsecurityio/trivy-sbom/module.yaml index 1fff5085..5e1863e1 100644 --- a/scanners/boostsecurityio/trivy-sbom/module.yaml +++ b/scanners/boostsecurityio/trivy-sbom/module.yaml @@ -64,11 +64,11 @@ steps: fi # Create temporary solution to merge all projects - dotnet new sln -n $TEMP_SOLN_FILE --force >/dev/null 2>&1 || true + dotnet new sln -n $TEMP_SOLN_FILE --force # Add all found .csproj files to the solution echo "$PROJECT_LIST" | while IFS= read -r proj; do - [ -n "$proj" ] && dotnet sln $SCAN_TARGET add "$proj" || true + [ -n "$proj" ] && dotnet sln $SCAN_TARGET add "$proj" done # Restore packages while ignoring errors. From c8d9903c5229b3f7554b937df8e52499ca7bb9e6 Mon Sep 17 00:00:00 2001 From: stlef14 Date: Tue, 3 Mar 2026 17:11:22 -0500 Subject: [PATCH 4/6] Update dotnet new sln command with format option 
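Review bot: Dropping `>/dev/null 2>&1` from `dotnet sln $SCAN_TARGET add "$proj"` sends that command's output to the step's stdout, the same stream that later carries `cat "$OUTPUT_DIR/bom.json"`; if the harness reads stdout as the CycloneDX document, as the `cat`/`echo "{}"` pattern suggests, the BOM is no longer the only thing on it. Keeping the diagnostics visible without that risk is a matter of redirecting to stderr instead, `[ -n "$proj" ] && dotnet sln "$SCAN_TARGET" add "$proj" 1>&2 || true`. The same applies to the CycloneDX invocation in this patch's second hunk and to the `dotnet new sln` and `dotnet restore` lines in PATCH 6/6. The enclosing `run: |` block starts and ends outside this hunk.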
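Review bot: The new line consisting only of `; then` after the `--output-format json \` continuation reads as a dangling fragment; folding it onto the previous argument, `--output-format json; then`, keeps the `if` condition readable as one command. The surrounding `if`/`else` block starts and ends outside this hunk.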
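Review bot: Removing `|| true` from `dotnet new sln -n $TEMP_SOLN_FILE --force` only stops the script on failure if the `run: |` block executes under `set -e`, and the block's visible opening in PATCH 1/6 (`TEMP_SOLN_FILE="temp"`) sets no such option, so a failed solution creation most likely falls through to `dotnet sln $SCAN_TARGET add`, which then fails once per project. An explicit guard makes the intent unambiguous whatever the shell options are: `dotnet new sln -n "$TEMP_SOLN_FILE" --force || { echo "Failed to create solution" >&2; exit 1; }`. The same reasoning applies to the `dotnet restore` line whose `|| true` PATCH 6/6 removes. The `run: |` block starts and ends outside this hunk.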
Signed-off-by: stlef14 --- scanners/boostsecurityio/trivy-sbom/module.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scanners/boostsecurityio/trivy-sbom/module.yaml b/scanners/boostsecurityio/trivy-sbom/module.yaml index 5e1863e1..e1a776e9 100644 --- a/scanners/boostsecurityio/trivy-sbom/module.yaml +++ b/scanners/boostsecurityio/trivy-sbom/module.yaml @@ -64,7 +64,7 @@ steps: fi # Create temporary solution to merge all projects - dotnet new sln -n $TEMP_SOLN_FILE --force + dotnet new sln -n $TEMP_SOLN_FILE --force --format sln # Add all found .csproj files to the solution echo "$PROJECT_LIST" | while IFS= read -r proj; do From 7dfcc91a3c621bafde0c2304397ed154c4142169 Mon Sep 17 00:00:00 2001 From: stlef14 Date: Tue, 3 Mar 2026 17:25:50 -0500 Subject: [PATCH 5/6] Silence output for dotnet solution commands Suppress output of solution creation and project addition commands. Signed-off-by: stlef14 --- scanners/boostsecurityio/trivy-sbom/module.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scanners/boostsecurityio/trivy-sbom/module.yaml b/scanners/boostsecurityio/trivy-sbom/module.yaml index e1a776e9..9aa7ae70 100644 --- a/scanners/boostsecurityio/trivy-sbom/module.yaml +++ b/scanners/boostsecurityio/trivy-sbom/module.yaml @@ -64,11 +64,11 @@ steps: fi # Create temporary solution to merge all projects - dotnet new sln -n $TEMP_SOLN_FILE --force --format sln + dotnet new sln -n $TEMP_SOLN_FILE --force --format sln > /dev/null 2>&1 || true # Add all found .csproj files to the solution echo "$PROJECT_LIST" | while IFS= read -r proj; do - [ -n "$proj" ] && dotnet sln $SCAN_TARGET add "$proj" + [ -n "$proj" ] && dotnet sln $SCAN_TARGET add "$proj" >/dev/null 2>&1 || true done # Restore packages while ignoring errors. From 9b2a829dc1ebbd31d3dccd88b6de98842c888799 Mon Sep 17 00:00:00 2001 
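Review bot: `dotnet new sln ... --format sln` ties the step to an SDK recent enough to know the `--format` option (to my recollection it arrived together with `.slnx` support), yet the setup step in PATCH 1/6 only checks that `dotnet --version` succeeds, not a minimum version; on an older SDK the command fails and, absent `set -e`, the script continues with no solution file. Either record the SDK floor in a comment above the line, e.g. `# --format requires an SDK with .slnx support; older SDKs reject the option`, or make the setup check enforce it. The `run: |` block starts and ends outside this hunk.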
From: stlef14 Date: Tue, 3 Mar 2026 23:20:20 -0500 Subject: [PATCH 6/6] Enable output visibility for dotnet commands Removed redirection of output to /dev/null for several dotnet commands to allow error visibility. Signed-off-by: stlef14 --- scanners/boostsecurityio/trivy-sbom/module.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/scanners/boostsecurityio/trivy-sbom/module.yaml b/scanners/boostsecurityio/trivy-sbom/module.yaml index 9aa7ae70..c955d529 100644 --- a/scanners/boostsecurityio/trivy-sbom/module.yaml +++ b/scanners/boostsecurityio/trivy-sbom/module.yaml @@ -64,16 +64,16 @@ steps: fi # Create temporary solution to merge all projects - dotnet new sln -n $TEMP_SOLN_FILE --force --format sln > /dev/null 2>&1 || true + dotnet new sln -n $TEMP_SOLN_FILE --force --format sln # Add all found .csproj files to the solution echo "$PROJECT_LIST" | while IFS= read -r proj; do - [ -n "$proj" ] && dotnet sln $SCAN_TARGET add "$proj" >/dev/null 2>&1 || true + [ -n "$proj" ] && dotnet sln $SCAN_TARGET add "$proj" done # Restore packages while ignoring errors. if [ -n "$SCAN_TARGET" ]; then - dotnet restore "$SCAN_TARGET" --ignore-failed-sources --no-cache >/dev/null 2>&1 || true + dotnet restore "$SCAN_TARGET" --ignore-failed-sources --no-cache fi # Generate SBOM to temporary directory
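Review bot: The comment `# Restore packages while ignoring errors.` is now false: this hunk removes the `|| true` from `dotnet restore "$SCAN_TARGET" --ignore-failed-sources --no-cache`, so only package-source failures are still tolerated and any other restore failure is no longer masked (whether it aborts the script depends on shell options not visible here). Update it to match, e.g. `# Restore packages for the merged solution; unreachable feeds are tolerated, other failures are not.` The `if [ -n "$SCAN_TARGET" ]` guard around the restore is always true as far as the visible lines show, since `SCAN_TARGET` is assigned a constant at the top of the block in PATCH 1/6. The `run: |` block starts and ends outside this hunk.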