This topic tells you how to add vulnerability scan reports or Software Bill of Materials (SBoM) files to your Supply Chain Security Tools (SCST) - Store.
Currently, only CycloneDX XML and JSON files are accepted.
Source commits and image files have been tested. Additional file types might work, but are not fully supported (for example, JAR files).
If you are not using a source commit or image file, you must ensure that the component.version field in the CycloneDX file is non-null.
A CycloneDX file is needed to post data. Supply Chain Security Tools - Scan outputs CycloneDX files automatically. For more information, see Supply Chain Security Tools - Scan.
To generate a file to post manually, use Grype or another tool in the CycloneDX Tool Center.
To use Grype to scan an image and generate an image report in CycloneDX format:
Install Grype.
Scan the image and generate a report by running:
grype REPO:TAG -o cyclonedx > IMAGE-CVE-REPORT
Where:
REPO is the image repository (for example, docker.io/checkr/flagr).
TAG is the name of a tag.
IMAGE-CVE-REPORT is the resulting file name of the Grype image scan report.
For example:
$ grype docker.io/checkr/flagr:1.1.12 -o cyclonedx > image-cve-report
✔ Vulnerability DB [updated]
✔ Parsed image
✔ Cataloged packages [21 packages]
✔ Scanned image [8 vulnerabilities]
Use the following commands to add data:
tanzu insight image add
tanzu insight source add
If you are not using a source commit or image file, you can select either option.
To use a CycloneDX-formatted image report, run:
tanzu insight image add --cyclonedxtype TYPE --path IMAGE-CVE-REPORT
Where:
TYPE specifies xml or json, the two supported file types.
IMAGE-CVE-REPORT is the location of a CycloneDX-formatted file.
For example:
$ tanzu insight image add --cyclonedxtype xml --path downloads/image-cve-report
Image report created.
Note: The Metadata Store only stores a subset of CycloneDX file data. Support for more data might be added in the future.
To use a CycloneDX-formatted source report, run:
tanzu insight source add --cyclonedxtype TYPE --path SOURCE-CVE-REPORT
Where:
TYPE specifies xml or json, the two supported file types.
SOURCE-CVE-REPORT is the location of a CycloneDX-formatted file.
For example:
$ tanzu insight source add --cyclonedxtype json --path source-cve-report
Source report created.
Note: Supply Chain Security Tools - Store only stores a subset of a CycloneDX file's data. Support for more data might be added in the future.
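The two requirements this topic places on a report before it is posted are that the file is CycloneDX XML or JSON and, for anything other than a source commit or image, that component.version is non-null. The following pre-flight check is an added example, not part of SCST - Store or the Tanzu CLI: it detects which --cyclonedxtype value to pass, walks both the JSON and XML forms of the BOM, and refuses to build the tanzu insight command line when any component version is null. It checks both metadata.component and every entry under components, which is an assumption about which field the page's "component.version" refers to; the sample BOMs are constructed for the example and are not real Grype output.

```python
# Added pre-flight check for a CycloneDX report before posting it with
# `tanzu insight image add` / `tanzu insight source add`.
# Illustrative code, not part of SCST - Store or the Tanzu CLI.
import json
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple


def detect_cyclonedx_type(data: bytes) -> str:
    """Return the value for --cyclonedxtype ("json" or "xml") from the first non-blank byte."""
    first = data.lstrip()[:1]
    if first == b"{":
        return "json"
    if first == b"<":
        return "xml"
    raise ValueError("file does not look like CycloneDX JSON or XML")


def _local(tag: str) -> str:
    """Strip the XML namespace so any CycloneDX schema version matches."""
    return tag.rsplit("}", 1)[-1]


def component_versions(data: bytes) -> List[Tuple[Optional[str], Optional[str]]]:
    """(name, version) for metadata.component and every entry under components, both formats."""
    if detect_cyclonedx_type(data) == "json":
        bom = json.loads(data)
        if bom.get("bomFormat") != "CycloneDX":
            raise ValueError("bomFormat is not CycloneDX")
        comps = []
        top = bom.get("metadata", {}).get("component")
        if top:
            comps.append(top)
        comps.extend(bom.get("components", []))
        return [(c.get("name"), c.get("version")) for c in comps]

    root = ET.fromstring(data)
    if _local(root.tag) != "bom":
        raise ValueError("root element is not <bom>")
    pairs = []
    for comp in root.iter():  # document order: metadata/component first, then components/*
        if _local(comp.tag) != "component":
            continue
        name = version = None
        for child in comp:
            if _local(child.tag) == "name":
                name = child.text
            elif _local(child.tag) == "version":
                version = child.text
        pairs.append((name, version))
    return pairs


def missing_versions(data: bytes) -> List[str]:
    """Names of components whose version is null or empty (the field the page says must be non-null)."""
    return [name or "<unnamed>" for name, version in component_versions(data) if not version]


def insight_add_command(subcommand: str, path: str, data: bytes) -> List[str]:
    """Build argv for `tanzu insight image add` or `source add`, refusing a BOM with null versions."""
    if subcommand not in ("image", "source"):
        raise ValueError("subcommand must be 'image' or 'source'")
    missing = missing_versions(data)
    if missing:
        raise ValueError("null component.version for: " + ", ".join(missing))
    return ["tanzu", "insight", subcommand, "add",
            "--cyclonedxtype", detect_cyclonedx_type(data), "--path", path]


# Constructed sample BOMs (not real scan output): a JSON report with all versions set,
# the same report with one null version, and an XML report in the 1.4 namespace
# that is missing one version.
SAMPLE_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "metadata": {"component": {"type": "container", "name": "docker.io/checkr/flagr", "version": "1.1.12"}},
    "components": [
        {"type": "library", "name": "libssl1.1", "version": "1.1.1k-r0"},
        {"type": "library", "name": "busybox", "version": "1.31.1-r19"},
    ],
}).encode()
SAMPLE_JSON_NULL_VERSION = SAMPLE_JSON.replace(b'"version": "1.31.1-r19"', b'"version": null')
SAMPLE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <metadata><component type="container"><name>docker.io/checkr/flagr</name><version>1.1.12</version></component></metadata>
  <components>
    <component type="library"><name>musl</name><version>1.1.24-r2</version></component>
    <component type="library"><name>zlib</name></component>
  </components>
</bom>"""

if __name__ == "__main__":
    for label, bom in (("json", SAMPLE_JSON), ("json-null", SAMPLE_JSON_NULL_VERSION), ("xml", SAMPLE_XML)):
        try:
            print(label, " ".join(insight_add_command("image", "image-cve-report", bom)))
        except ValueError as err:
            print(label, "refused:", err)
```

Run it against the file Grype produced (or any CycloneDX file you generated by hand) and only invoke the printed tanzu insight command when the check passes; a report that the Store accepts but that carries null versions is the case this topic warns about, and the failure is easier to diagnose here than after the post.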