Demo server
https://goharbor.io/docs/2.4.0/install-config/demo-server/
Register an account on https://demo.goharbor.io (API reference: https://demo.goharbor.io/devcenter-api-2.0)
https://demo.goharbor.io/api/v2.0/users
{"username":"harbor-demo-account","email":"[email protected]","realname":"Harbor Demo","password":"Password123","comment":null}
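# Log in as the demo account created above. Passing the password with -p puts it
# in shell history and the process list (docker itself warns about this), so feed
# it on stdin instead. This is a throwaway account on the public demo server.
printf '%s' 'Password123' | docker login demo.goharbor.io -u harbor-demo-account --password-stdin
# Log out of the demo registry explicitly; a bare `docker logout` only drops the
# credentials for the default registry, not for demo.goharbor.io.
docker logout demo.goharbor.io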
Create a new project (note: the request body below creates `test-proj-demo`, not “enrichman”; the later push and curl steps use a project named `enrichman`): curl -u 'harbor-demo-account:Password123' -H 'Content-Type: application/json' https://demo.goharbor.io/api/v2.0/projects -d '{"project_name": "test-proj-demo"}'
docker tag nginx:latest demo.goharbor.io/test-proj-demo/nginx
docker push demo.goharbor.io/test-proj-demo/nginx
curl -u 'harbor-demo-account:Password123' https://demo.goharbor.io/api/v2.0/projects/test-proj-demo/repositories/nginx/artifacts/latest
curl -u 'harbor-demo-account:Password123' https://demo.goharbor.io/api/v2.0/projects/test-proj-demo/repositories/nginx/artifacts/latest/additions/vulnerabilities
{
"application/vnd.security.vulnerability.report; version=1.1": {
"generated_at": "2024-08-01T09:37:05.561615505Z",
"scanner": {
"name": "Trivy",
"vendor": "Aqua Security",
"version": "v0.51.2"
},
"severity": "Critical",
"vulnerabilities": [
{
"id": "CVE-2024-5171",
"package": "libaom3",
"version": "3.6.0-1",
"fix_version": "",
"severity": "Critical",
"description": "Integer overflow in libaom internal function img_alloc_helper can lead to heap buffer overflow. This function can be reached via 3 callers:\n\n\n * Calling aom_img_alloc() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid.\n * Calling aom_img_wrap() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid.\n * Calling aom_img_alloc_with_border() with a large value of the d_w, d_h, align, size_align, or border parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid.",
"links": [
"https://avd.aquasec.com/nvd/cve-2024-5171"
],
"artifact_digests": [
"sha256:4ac65f23061de2faef157760fa2125c954b5b064bc25e10655e90bd92bc3b354"
],
"preferred_cvss": {
"score_v3": 9.8,
"score_v2": null,
"vector_v3": "",
"vector_v2": ""
},
"cwe_ids": [
"CWE-190",
"CWE-20"
],
"vendor_attributes": {
"CVSS": {
"nvd": {
"V3Score": 9.8,
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
},
"redhat": {
"V3Score": 7,
"V3Vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"
}
}
}
},
...
]
}
}
docker login demo.goharbor.io
docker image pull nginx
docker tag nginx demo.goharbor.io/enrichman/nginx
docker push demo.goharbor.io/enrichman/nginx
curl -u 'enrichman:Password123' https://demo.goharbor.io/api/v2.0/projects/enrichman/repositories/nginx/artifacts/latest
curl -u 'enrichman:Password123' https://demo.goharbor.io/api/v2.0/projects/enrichman/repositories/nginx/artifacts/latest/additions/vulnerabilities
https://github.com/anchore/grype
Clone and build it (no ready-made image was found):
git clone https://github.com/openclarity/grype-server openclarity/grype-server
docker build -t openclarity/grype-server .
Run with:
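# Run the image built above. It was tagged openclarity/grype-server, so that is the
# name to run; a bare "grype-server" does not match the built tag and docker would
# try to resolve a different image. The API is only ever called from localhost on
# this page and the calls carry no credentials, so bind the port to loopback only.
docker run -d -p 127.0.0.1:9991:9991 --name grype-server openclarity/grype-server run --log-level info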
Install syft to get an SBOM:
brew install syft
Use Syft to produce the SBOM, POST it to the Grype server, and get back a list of vulnerabilities.
Generate the SBOM and base64-encode it:
syft nginx:latest -o spdx-json | jq | base64 -w0
Prepare the POST body, which must be {"sbom": "<BASE64 ENCODED SBOM>"}, and send it with curl to http://localhost:9991/api/scanSBOM
The `vulnerabilities` field of the response is base64 encoded.
One-shot command:
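# One-shot scan: build the SBOM, wrap it in the request body, POST it, and decode
# the base64-encoded `vulnerabilities` field of the reply.
# The body is built with jq rather than by splicing the encoded SBOM into a printf
# format string, so the JSON is always well-formed and properly escaped.
# `base64 -w0` is GNU coreutils; on macOS use `base64 | tr -d '\n'` instead.
sbom_b64="$(syft nginx:latest -o spdx-json | jq | base64 -w0)"
jq -n --arg sbom "$sbom_b64" '{sbom: $sbom}' | \
curl -sS --fail -H 'Content-Type: application/json' http://localhost:9991/api/scanSBOM -d @- | \
jq -r .vulnerabilities | \
base64 -d | jq
# --fail makes curl exit non-zero on an HTTP error instead of piping an error
# page into jq; -sS keeps the progress meter off but still prints curl errors.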
{
"matches": [
{
"vulnerability": {
"id": "CVE-2024-5171",
"dataSource": "https://security-tracker.debian.org/tracker/CVE-2024-5171",
"namespace": "debian:distro:debian:12",
"severity": "Critical",
"urls": [
"https://security-tracker.debian.org/tracker/CVE-2024-5171"
],
"description": "Integer overflow in libaom internal function img_alloc_helper can lead to heap buffer overflow. This function can be reached via 3 callers: * Calling aom_img_alloc() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid. * Calling aom_img_wrap() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid. * Calling aom_img_alloc_with_border() with a large value of the d_w, d_h, align, size_align, or border parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid.",
"cvss": [],
"fix": {
"versions": [],
"state": "not-fixed"
},
"advisories": []
},
"relatedVulnerabilities": [
{
"id": "CVE-2024-5171",
"dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2024-5171",
"namespace": "nvd:cpe",
"severity": "Critical",
"urls": [
"https://issues.chromium.org/issues/332382766",
"https://lists.fedoraproject.org/archives/list/[email protected]/message/6HYUEHZ35ZPY2EONVZCGO6LPT3AMLZCP/",
"https://lists.fedoraproject.org/archives/list/[email protected]/message/U5NRNCEYS246CYGOR32MF7OGKWOWER22/"
],
"description": "Integer overflow in libaom internal function img_alloc_helper can lead to heap buffer overflow. This function can be reached via 3 callers:\n\n\n * Calling aom_img_alloc() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid.\n * Calling aom_img_wrap() with a large value of the d_w, d_h, or align parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid.\n * Calling aom_img_alloc_with_border() with a large value of the d_w, d_h, align, size_align, or border parameter may result in integer overflows in the calculations of buffer sizes and offsets and some fields of the returned aom_image_t struct may be invalid.",
"cvss": [
{
"source": "[email protected]",
"type": "Primary",
"version": "3.1",
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"metrics": {
"baseScore": 9.8,
"exploitabilityScore": 3.9,
"impactScore": 5.9
},
"vendorMetadata": {}
}
]
}
],
"matchDetails": [
{
"type": "exact-indirect-match",
"matcher": "dpkg-matcher",
"searchedBy": {
"distro": {
"type": "debian",
"version": "12"
},
"namespace": "debian:distro:debian:12",
"package": {
"name": "aom",
"version": "3.6.0-1"
}
},
"found": {
"versionConstraint": "none (deb)",
"vulnerabilityID": "CVE-2024-5171"
}
}
],
"artifact": {
"id": "a4c7bb9eb5dc4e12",
"name": "libaom3",
"version": "3.6.0-1",
"type": "deb",
"locations": [],
"language": "",
"licenses": [
"BSD-2-Clause AND BSD-2-Clause AND BSD-3-Clause AND LicenseRef-Expat AND ISC AND LicenseRef-public-domain-md5"
],
"cpes": [
"cpe:2.3:a:libaom3:libaom3:3.6.0-1:*:*:*:*:*:*:*"
],
"purl": "pkg:deb/debian/[email protected]?arch=amd64&upstream=aom&distro=debian-12",
"upstreams": [
{
"name": "aom"
}
]
}
},
...
],
"source": {
"type": "image",
"target": {
"userInput": "nginx:sha256:578a4c4bb02012ad343b495f635a5c96a7273202bd3d82c8a678c9700f5f7e24",
"imageID": "DocumentRoot-Image-nginx",
"manifestDigest": "sha256:578a4c4bb02012ad343b495f635a5c96a7273202bd3d82c8a678c9700f5f7e24",
"mediaType": "",
"tags": [],
"imageSize": 0,
"layers": null,
"manifest": null,
"config": null,
"repoDigests": [],
"architecture": "",
"os": ""
}
},
"distro": {
"name": "debian",
"version": "12",
"idLike": [
"debian"
]
},
"descriptor": {
"name": "",
"version": "",
"db": {
"built": "2024-08-02T01:31:29Z",
"schemaVersion": 5,
"location": "/data/5",
"checksum": "sha256:ba1b1812cc51550aa6a892ea101e29f7e9d6e852d6f3fba5fbc836a89f5fbe07",
"error": null
},
"timestamp": "2024-08-02T10:53:35.07778987Z"
}
}