"One Minute Security" 2024/11/12

This post accompanies the following video:


Commands used during the video:

Note that some commands are piped through pv -qL 500 (or another number). pv -L limits the throughput to that many bytes per second (-q suppresses pv's own progress display), so the command's output scrolls past slowly enough for the video capture to show something interesting, if not always slowly enough to read. Without it, the text would whizz by almost instantly.

I also sometimes pipe output through tr -s ' '. This squeezes each run of consecutive spaces down to a single space, handy when grype produces very w i d e output.

Get a human-readable list of packages from a public container:

syft pytorch/pytorch:latest

Generate a machine-readable SBOM (in syft's native JSON format) from a public container:

syft pytorch/pytorch:latest -o syft-json=pytorch_pytorch_latest.json

Check that the SBOM is valid JSON and inspect its contents using jq (showing only the first 1000 lines):

jq . < pytorch_pytorch_latest.json | head -n 1000

Find unfixed vulnerabilities in the container, using the SBOM:

grype pytorch_pytorch_latest.json --only-notfixed

Find critical severity vulnerabilities in the container, using the SBOM:

grype pytorch_pytorch_latest.json | grep Critical

Set a variable to the CVE found in the output from grype, above:

Note: I used head -n 1 to pick only one line, but there was in fact only one critical-severity finding, so this was redundant for this container.

export CVE=$(grype pytorch_pytorch_latest.json | grep Critical | head -n 1 | grep -o 'CVE-[0-9]\{4\}-[0-9]\{4,\}')

We then echo the CVE variable, just to confirm it did select one:

echo $CVE

Finally we use grype explain to show the documentation, metadata, and links for the CVE selected:

grype pytorch_pytorch_latest.json -o json | grype explain --id $CVE
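The severity filtering and CVE extraction steps above, re-done as an added example that is mine rather than the video's or the grype project's code. It runs over a constructed sample of grype's table output (not a real scan result; the package names and CVE ids are made up), so it works offline with only POSIX tools, and it matches on the SEVERITY column rather than grepping for the word anywhere on the line.

```shell
#!/bin/sh
# Added example: filter grype's table output by severity and pull out CVE ids.
# SAMPLE_GRYPE_OUTPUT is a constructed stand-in for `grype <sbom>` output; it is
# not a real scan result. The column layout follows grype's table: NAME,
# INSTALLED, FIXED-IN, TYPE, VULNERABILITY, SEVERITY (FIXED-IN is blank when
# no fixed version is known).
SAMPLE_GRYPE_OUTPUT='NAME        INSTALLED  FIXED-IN  TYPE  VULNERABILITY   SEVERITY
libexample  1.2.3      1.2.4     deb   CVE-2024-00001  Critical
libother    0.9.0                deb   CVE-2023-12345  High
libthird    2.0.0      2.0.1     deb   CVE-2024-00002  Critical
libfourth   3.1.0                deb   CVE-2022-9999   Medium'

# cves_by_severity SEVERITY
# Prints the unique CVE ids whose SEVERITY column equals the argument, one per
# line. Comparing the last column ($NF) instead of `grep Critical` avoids hits
# on a package name or version that happens to contain the word. `tr -s ' '`
# squeezes grype's padding so awk sees one space between columns; because a
# blank FIXED-IN cell collapses too, only the last column is a safe positional
# reference after squeezing.
cves_by_severity() {
  printf '%s\n' "$SAMPLE_GRYPE_OUTPUT" \
    | tr -s ' ' \
    | awk -v sev="$1" 'NR > 1 && $NF == sev' \
    | grep -o 'CVE-[0-9]\{4\}-[0-9]\{4,\}' \
    | sort -u
}

# first_cve_by_severity SEVERITY
# The equivalent of the video's `export CVE=$(... | head -n 1 | grep -o ...)`:
# a single id suitable for `grype explain --id`. Empty output means none found.
first_cve_by_severity() {
  cves_by_severity "$1" | head -n 1
}

# count_by_severity SEVERITY
# Number of distinct CVE ids at the given severity (prints 0 when there are
# none; awk is used so the exit status stays 0 on an empty list).
count_by_severity() {
  cves_by_severity "$1" | awk 'END { print NR }'
}

# Stand-alone run: summarise the constructed sample by severity.
for sev in Critical High Medium Low; do
  printf '%s: %s\n' "$sev" "$(count_by_severity "$sev")"
done
```

Two caveats worth knowing before wiring this into a script: grype also reports ids that are not CVEs (for example GHSA advisories for language ecosystem packages), which the CVE-only regex silently drops, and parsing the human-readable table is fragile in general. For anything beyond a quick look, take the same route the explain step already uses, `grype ... -o json`, and select on the JSON fields with jq.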


Questions, comments, and suggestions for improvements are very welcome below.