You can query the Supply Chain Security Tools - Store to understand vulnerability, image, and dependency relationships. Before you query, you must add scan reports or SBoMs to the Supply Chain Security Tools - Store from the Supply Chain Security Tools - Scan or manually.
There are two different ways of querying the database. The following example instructions use the CLI to query.
The following use cases apply to Supply Chain Security Tools - Store:

* What images contain a specific dependency?
* What dependencies are affected by a specific CVE?
* How many CVEs does a specific image or dependency contain?
Once the CVE report is created, you can query information about the image using `insight image get`. You need the image's component version from the earlier CycloneDX report. Pass the component version as a parameter to the `--digest` flag. Run:
```
$ insight image get --digest sha256:407d7099d6ce7e3632b6d00682a43028d75d3b088600797a833607bd629d1ed5
Registry: docker.io
Image Name: checkr/flagr:1.1.12
Digest: sha256:407d7099d6ce7e3632b6d00682a43028d75d3b088600797a833607bd629d1ed5
Packages:
  1. firstname.lastname@example.org
  2. email@example.com
  3. firstname.lastname@example.org
     CVEs:
       1. CVE-2021-30139 (High)
       2. CVE-2021-36159 (Critical)
  4. email@example.com
     CVEs:
       1. CVE-2021-28831 (High)
...
```
The command returns the packages found in the image, together with any CVEs discovered for those packages.
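As an added example (not part of the original page or the Supply Chain Security Tools project), the following Python script shows the two halves of this workflow end to end: pulling the image digest out of a CycloneDX report so it can be passed to `--digest`, and then turning the `insight image get` output into answers to the use-case questions above (which packages carry a given CVE, how many CVEs of each severity the image has, and whether it breaks a severity ceiling). The SBOM document, the package names (`pkg-a` and so on) and the indented layout of the CLI output are all constructed for the example; only the digest, image name and CVE identifiers come from the page. It assumes the scanner writes the digest into `metadata.component.version` of the CycloneDX JSON, and it never calls the CLI itself, so it runs offline.

```python
import json
import re
from collections import Counter

# Constructed, minimal CycloneDX 1.3 document. A real report from
# Supply Chain Security Tools - Scan carries many more fields and components;
# the assumption here is that the image digest sits in metadata.component.version.
SAMPLE_CYCLONEDX = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.3",
    "metadata": {
        "component": {
            "type": "container",
            "name": "checkr/flagr:1.1.12",
            "version": "sha256:407d7099d6ce7e3632b6d00682a43028d75d3b088600797a833607bd629d1ed5",
        }
    },
    "components": [],
})

# Constructed sample of `insight image get` output. Package names are made up;
# the CVE ids and severities match the page's example.
SAMPLE_OUTPUT = """\
Registry: docker.io
Image Name: checkr/flagr:1.1.12
Digest: sha256:407d7099d6ce7e3632b6d00682a43028d75d3b088600797a833607bd629d1ed5
Packages:
  1. pkg-a@1.0.0
  2. pkg-b@2.3.4
  3. pkg-c@0.9.1
     CVEs:
       1. CVE-2021-30139 (High)
       2. CVE-2021-36159 (Critical)
  4. pkg-d@5.0.0
     CVEs:
       1. CVE-2021-28831 (High)
"""

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
PKG_RE = re.compile(r"^\s*\d+\.\s+(?P<pkg>\S+)\s*$")
CVE_RE = re.compile(r"^\s*\d+\.\s+(?P<cve>CVE-\d{4}-\d+)\s+\((?P<sev>\w+)\)\s*$")
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def digest_from_cyclonedx(sbom_json: str) -> str:
    """Return the image digest recorded as the top-level component's version."""
    component = json.loads(sbom_json)["metadata"]["component"]
    digest = component["version"]
    # Refuse anything that is not a full sha256 digest, so a tag or a
    # truncated value never reaches the CLI by accident.
    if not DIGEST_RE.match(digest):
        raise ValueError(f"component version is not a sha256 digest: {digest!r}")
    return digest


def image_get_command(digest: str) -> list:
    """argv for the CLI call from the page; built but not executed here."""
    return ["insight", "image", "get", "--digest", digest]


def parse_image_get(output: str) -> dict:
    """Parse header fields plus a package -> [(cve_id, severity)] mapping."""
    result = {"packages": {}}
    current = None
    in_packages = False
    for line in output.splitlines():
        if not in_packages:
            if line.startswith("Packages:"):
                in_packages = True
            elif ":" in line:
                # Header lines such as "Image Name: checkr/flagr:1.1.12";
                # split on the first colon so the digest's own colon survives.
                key, _, value = line.partition(":")
                result[key.strip().lower().replace(" ", "_")] = value.strip()
            continue
        if line.strip() == "CVEs:":
            continue
        m = CVE_RE.match(line)
        if m and current is not None:
            result["packages"][current].append((m["cve"], m["sev"]))
            continue
        m = PKG_RE.match(line)
        if m:
            current = m["pkg"]
            result["packages"][current] = []
    return result


def severity_counts(parsed: dict) -> Counter:
    """How many CVEs of each severity the image contains."""
    return Counter(sev for cves in parsed["packages"].values() for _, sev in cves)


def packages_with_cve(parsed: dict, cve_id: str) -> list:
    """Which packages in this image are affected by a specific CVE."""
    return [pkg for pkg, cves in parsed["packages"].items() if any(c == cve_id for c, _ in cves)]


def violates_policy(parsed: dict, max_allowed: str = "High") -> bool:
    """True if any CVE is more severe than the allowed ceiling (unknown severities count as 0)."""
    ceiling = SEVERITY_RANK[max_allowed]
    return any(SEVERITY_RANK.get(sev, 0) > ceiling
               for cves in parsed["packages"].values() for _, sev in cves)


if __name__ == "__main__":
    digest = digest_from_cyclonedx(SAMPLE_CYCLONEDX)
    print("would run:", " ".join(image_get_command(digest)))
    parsed = parse_image_get(SAMPLE_OUTPUT)
    print("severity counts:", dict(severity_counts(parsed)))
    print("packages with CVE-2021-36159:", packages_with_cve(parsed, "CVE-2021-36159"))
    print("breaks 'High' ceiling:", violates_policy(parsed, "High"))
```

The policy check is the piece worth wiring into a pipeline: once the digest is read from the scan report rather than typed by hand, the same script can gate a promotion step on the store's answer instead of on a human reading the CLI output.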