Add sbom scan

Author: corneliusludmann

cmd/sbom-scan.go

@@ -0,0 +1,97 @@
+package cmd
+
+import (
+	"os"
+
+	"github.com/gitpod-io/leeway/pkg/leeway"
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+)
+
+// sbomScanCmd represents the sbom scan command
+var sbomScanCmd = &cobra.Command{
+	Use:   "scan <package>",
+	Short: "Scans a package's SBOM for vulnerabilities",
+	Long: `Scans a package's SBOM for vulnerabilities and exports the results to a specified directory.
+	
+This command uses existing SBOM files from previously built packages. It checks if SBOM is enabled
+in the workspace settings. If not, it aborts. The scan results are exported to the directory
+specified by the --output-dir flag.
+
+When used with --with-dependencies, it scans the package and all its dependencies for vulnerabilities.`,
+	Args: cobra.MinimumNArgs(1),
+	Run: func(cmd *cobra.Command, args []string) {
+		// Get the package
+		_, pkg, _, _ := getTarget(args, false)
+		if pkg == nil {
+			log.Fatal("sbom scan requires a package")
+		}
+
+		// Check if SBOM is enabled in workspace settings
+		if !pkg.C.W.SBOM.Enabled {
+			log.Fatal("SBOM scanning requires sbom.enabled=true in workspace settings")
+		}
+
+		// Check if vulnerability scanning is enabled
+		if !pkg.C.W.SBOM.ScanVulnerabilities {
+			log.Fatal("SBOM scanning requires sbom.scanVulnerabilities=true in workspace settings")
+		}
+
+		// Get build options and cache
+		_, cache := getBuildOpts(cmd)
+
+		// Get package location in cache
+		_, ok := cache.Location(pkg)
+		if !ok {
+			log.Fatalf("%s is not built", pkg.FullName())
+		}
+
+		// Get output directory
+		outputDir, _ := cmd.Flags().GetString("output-dir")
+		if outputDir == "" {
+			log.Fatal("--output-dir is required")
+		}
+
+		// Create output directory if it doesn't exist
+		if err := os.MkdirAll(outputDir, 0755); err != nil {
+			log.WithError(err).Fatalf("cannot create output directory %s", outputDir)
+		}
+
+		// Get with-dependencies flag
+		withDependencies, _ := cmd.Flags().GetBool("with-dependencies")
+		
+		// Scan the package for vulnerabilities
+		if withDependencies {
+			log.Infof("Scanning package %s and its dependencies for vulnerabilities", pkg.FullName())
+		} else {
+			log.Infof("Scanning package %s for vulnerabilities", pkg.FullName())
+		}
+		
+		// Create a console reporter for logging
+		reporter := leeway.NewConsoleReporter()
+		
+		// Use the ScanPackageSBOM function to scan the package
+		if err := leeway.ScanPackageSBOM(pkg, reporter, cache, outputDir, withDependencies); err != nil {
+			log.WithError(err).Fatalf("Failed to scan package %s for vulnerabilities", pkg.FullName())
+		}
+
+		if withDependencies {
+			log.Infof("Vulnerability scan completed for package %s and its dependencies", pkg.FullName())
+		} else {
+			log.Infof("Vulnerability scan completed for package %s", pkg.FullName())
+		}
+		log.Infof("Scan results exported to %s", outputDir)
+
+		// If we have failOn configured, the ScanPackageForVulnerabilities function will have already
+		// returned an error if vulnerabilities at those severity levels were found
+	},
+}
+
+func init() {
+	sbomScanCmd.Flags().String("output-dir", "", "Directory to export scan results (required)")
+	sbomScanCmd.MarkFlagRequired("output-dir")
+	sbomScanCmd.Flags().Bool("with-dependencies", false, "Scan the package and all its dependencies")
+
+	sbomCmd.AddCommand(sbomScanCmd)
+	addBuildFlags(sbomScanCmd)
+}

pkg/leeway/sbom.go

@@ -14,6 +14,8 @@ import (
 
 	"slices"
 
+	"github.com/gitpod-io/leeway/pkg/leeway/cache"
+
 	"github.com/anchore/clio"
 	"github.com/anchore/grype/grype"
 	"github.com/anchore/grype/grype/db/v6/distribution"
@@ -361,9 +363,38 @@ func ScanPackageForVulnerabilities(p *Package, buildctx *buildContext, sbomFile
 	return nil
 }
 
+// ScanPackageSBOM scans a package's SBOM for vulnerabilities and exports results to the specified directory
+// This is an exported wrapper around ScanAllPackagesForVulnerabilities for use by the sbom scan command
+// If withDependencies is true, it will also scan all dependencies of the package
+func ScanPackageSBOM(p *Package, reporter Reporter, localCache cache.LocalCache, outputDir string, withDependencies bool) error {
+	// Create a minimal buildContext with just the required fields
+	ctx := &buildContext{
+		buildOptions: buildOptions{
+			Reporter:   reporter,
+			LocalCache: localCache,
+		},
+	}
+	
+	// If we need to scan dependencies as well
+	if withDependencies {
+		// Get all dependencies
+		deps := getAllDependencies(p)
+		log.Infof("Scanning %s and %d dependencies for vulnerabilities", p.FullName(), len(deps))
+		
+		// Add the package itself to the list
+		packagesToScan := append([]*Package{p}, deps...)
+		
+		// Call the existing function with all packages and the custom output directory
+		return ScanAllPackagesForVulnerabilities(ctx, packagesToScan, outputDir)
+	}
+	
+	// Just scan the single package
+	return ScanAllPackagesForVulnerabilities(ctx, []*Package{p}, outputDir)
+}
+
 // ScanAllPackagesForVulnerabilities scans all packages for vulnerabilities
 // This function is called after the build process completes
-func ScanAllPackagesForVulnerabilities(buildctx *buildContext, packages []*Package) error {
+func ScanAllPackagesForVulnerabilities(buildctx *buildContext, packages []*Package, customOutputDir ...string) error {
 	// Skip if no packages to scan
 	if len(packages) == 0 {
 		return nil
@@ -382,14 +413,29 @@ func ScanAllPackagesForVulnerabilities(buildctx *buildContext, packages []*Packa
 			continue
 		}
 
-		// Get the location for this package's vulnerability reports
-		reportLocation := GetVulnerabilityReportLocation(p, timestamp)
-
-		// Create the directory for this package's vulnerability reports
-		if err := os.MkdirAll(reportLocation.PackageDir, 0755); err != nil {
-			errMsg := fmt.Sprintf("failed to create vulnerability reports directory for package %s: %s", p.FullName(), err)
-			buildctx.Reporter.PackageBuildLog(p, true, []byte(errMsg+"\n"))
-			return xerrors.Errorf(errMsg)
+		// Determine the output directory
+		var outputDir string
+		if len(customOutputDir) > 0 && customOutputDir[0] != "" {
+			// Use custom output directory if provided
+			outputDir = customOutputDir[0]
+			
+			// Create the output directory if it doesn't exist
+			if err := os.MkdirAll(outputDir, 0755); err != nil {
+				errMsg := fmt.Sprintf("failed to create output directory %s: %s", outputDir, err)
+				buildctx.Reporter.PackageBuildLog(p, true, []byte(errMsg+"\n"))
+				return xerrors.Errorf(errMsg)
+			}
+		} else {
+			// Use default timestamp-based directory structure
+			reportLocation := GetVulnerabilityReportLocation(p, timestamp)
+			outputDir = reportLocation.PackageDir
+			
+			// Create the directory for this package's vulnerability reports
+			if err := os.MkdirAll(outputDir, 0755); err != nil {
+				errMsg := fmt.Sprintf("failed to create vulnerability reports directory for package %s: %s", p.FullName(), err)
+				buildctx.Reporter.PackageBuildLog(p, true, []byte(errMsg+"\n"))
+				return xerrors.Errorf(errMsg)
+			}
 		}
 
 		// Find the SBOM file for this package
@@ -458,14 +504,14 @@ func ScanAllPackagesForVulnerabilities(buildctx *buildContext, packages []*Packa
 		sbomFile = tempFileName
 
 		// Scan the package for vulnerabilities
-		if err := ScanPackageForVulnerabilities(p, buildctx, sbomFile, reportLocation.PackageDir); err != nil {
+		if err := ScanPackageForVulnerabilities(p, buildctx, sbomFile, outputDir); err != nil {
 			buildctx.Reporter.PackageBuildLog(p, false, fmt.Appendf(nil, "Failed to scan package %s for vulnerabilities: %s\n", p.FullName(), err.Error()))
 			// Add to failed packages
 			failedPackages = append(failedPackages, p.FullName())
 			continue
 		}
 
-		buildctx.Reporter.PackageBuildLog(p, false, fmt.Appendf(nil, "Vulnerability scan completed for package %s (reports: %s)\n", p.FullName(), reportLocation.PackageDir))
+		buildctx.Reporter.PackageBuildLog(p, false, fmt.Appendf(nil, "Vulnerability scan completed for package %s (reports: %s)\n", p.FullName(), outputDir))
 	}
 
 	// Return error if any packages failed due to vulnerabilities
@@ -675,6 +721,33 @@ func loadVulnerabilityDB(p *Package, buildctx *buildContext) (vulnerability.Prov
 	return provider, status, nil
 }
 
+// Helper function to get all dependencies of a package
+func getAllDependencies(pkg *Package) []*Package {
+	// Use a map to avoid duplicates
+	depsMap := make(map[string]*Package)
+	
+	// Recursively collect dependencies
+	var collectDeps func(p *Package)
+	collectDeps = func(p *Package) {
+		for _, dep := range p.GetDependencies() {
+			if _, exists := depsMap[dep.FullName()]; !exists {
+				depsMap[dep.FullName()] = dep
+				collectDeps(dep)
+			}
+		}
+	}
+	
+	collectDeps(pkg)
+	
+	// Convert map to slice
+	deps := make([]*Package, 0, len(depsMap))
+	for _, dep := range depsMap {
+		deps = append(deps, dep)
+	}
+	
+	return deps
+}
+
 // ErrNoSBOMFile is returned when no SBOM file is found in a cached archive
 var ErrNoSBOMFile = fmt.Errorf("no SBOM file found")