Hi,
I have tried implementing Grype in a Jenkins job to use for security purposes. I got it to use Syft's SBOM (which is also in a container) and give a report, but the output looks like the image below. Is this an issue with Grype, and if yes, is it fixable?
It looks like Grype rendered the template you provided. There are multiple HTML templates floating around; maybe you could find a better one to suit your purposes?
There appears to be a nice-looking template here: Templates for grype output. HTML template · Issue #724 · anchore/grype · GitHub
It does render some part of it. The template I am using is the one from the official Grype repo. I tried to run it locally and the report looked different (with all the styling and colors and stuff).
In fact I think it is exactly the one you linked to (it leads there when I click the link).
Is Jenkins doing anything to sanitize the HTML like removing referenced JS and CSS files/etc.? Have you inspected the page in the browser – does it seem like it’s missing elements that were present in the template when you looked at it directly? I haven’t been involved with Jenkins for some time, but if it looks different when you look at the result directly vs. the Jenkins UI, it sounds like something else is going on here not really related to Grype that’s making it appear as it does in your screenshot.
Could you explain exactly the steps you took (or better, the steps someone like me, who has waning familiarity with Jenkins, could take) to reproduce this?
Once we get to the bottom of this, it would be great to get an updated template specific to Jenkins and put it in the repo here.
Hey,
Apologies for the late reply. I figured out the reason the report was displayed that way. Jenkins has a Content Security Policy that strips all the CSS, JS scripts, etc. There are two ways to fix this. The first is to soften the security policy, which would leave you vulnerable to Cross-Site Scripting attacks (as warned in the official Jenkins documentation). The second and more secure way is to configure a Resource Root URL, which makes it so the static content is viewed on another domain; this prevents the hijacking of sessions and could offload some stress from the original domain. Just as a disclaimer, I am not a specialist by any means; this is just the information I found during the research I did. Something might be a bit off or not worded the best way, but the idea should be right.
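The CSP effect described in the post above can be confirmed before the report ever reaches Jenkins. The following Python script is an added example, not code from Grype, Syft, Jenkins or anyone in this thread. It assumes the default Jenkins Content Security Policy for served build artifacts, `sandbox; default-src 'none'; img-src 'self'; style-src 'self';`, and the report HTML it scans is constructed here to resemble a styled template. It lists every element that policy would block, which is a quick way to tell a CSP-stripped report from a genuine Grype rendering problem.

```python
"""Audit a Grype HTML report against Jenkins' default Content Security Policy.

Added example, not Grype, Syft or Jenkins project code. Assumes the default
Jenkins CSP for served artifacts:
    sandbox; default-src 'none'; img-src 'self'; style-src 'self';
i.e. no scripts at all, no inline styles, and stylesheets/images only from
Jenkins' own origin. SAMPLE_REPORT below is constructed for this example.
"""
import sys
from html.parser import HTMLParser
from urllib.parse import urlparse


def _is_same_origin(url: str) -> bool:
    """Relative URLs are served by Jenkins itself ('self'); absolute, data: and
    protocol-relative URLs are a different origin and are blocked by 'self'."""
    parsed = urlparse((url or "").strip())
    return not parsed.scheme and not parsed.netloc


class _CspAudit(HTMLParser):
    """Collect (kind, where, reason) tuples for everything the policy blocks."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[tuple[str, str, str]] = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # attribute names are already lower-cased
        if tag == "script":
            # default-src 'none' with no script-src: external and inline scripts both blocked
            self.findings.append(("script", attrs.get("src") or "<inline>",
                                  "default-src 'none' blocks all scripts"))
        elif tag == "style":
            self.findings.append(("inline-style", "<style> element",
                                  "style-src 'self' does not allow inline styles"))
        elif tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower().split():
            href = attrs.get("href") or ""
            if not _is_same_origin(href):
                self.findings.append(("stylesheet", href,
                                      "style-src 'self' blocks cross-origin stylesheets"))
        elif tag == "img":
            src = attrs.get("src") or ""
            if not _is_same_origin(src):
                self.findings.append(("image", src, "img-src 'self' blocks cross-origin images"))
        if "style" in attrs:
            self.findings.append(("style-attr", f"<{tag} style=...>",
                                  "style-src 'self' does not allow inline style attributes"))
        # on* attributes (onclick, onload, ...) are inline script and are blocked as well
        for name in attrs:
            if name.startswith("on"):
                self.findings.append(("event-handler", f"<{tag} {name}=...>",
                                      "inline event handlers are script and are blocked"))


def csp_blocked(html: str) -> list[tuple[str, str, str]]:
    """Return every element of the report that the default Jenkins CSP would block."""
    parser = _CspAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


def summarize(html: str) -> dict[str, int]:
    """Count blocked elements by kind, e.g. {'script': 2, 'inline-style': 1}."""
    counts: dict[str, int] = {}
    for kind, _, _ in csp_blocked(html):
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed stand-in for a styled vulnerability report (not real Grype output).
SAMPLE_REPORT = """<!DOCTYPE html>
<html><head>
<title>Grype vulnerability report</title>
<link rel="stylesheet" href="https://cdn.example.invalid/bootstrap.min.css">
<link rel="stylesheet" href="report.css">
<style>.critical { color: red; }</style>
<script src="https://cdn.example.invalid/sorttable.js"></script>
</head><body>
<h1 style="font-family: sans-serif">Findings for example-image:latest</h1>
<table id="vulns">
<tr><th>Package</th><th>Vulnerability</th><th>Severity</th></tr>
<tr class="critical"><td>libexample</td><td>EXAMPLE-VULN-1 (placeholder)</td><td>Critical</td></tr>
</table>
<img src="logo.png" alt="logo">
<button onclick="sortTable()">Sort</button>
<script>function sortTable(){}</script>
</body></html>
"""


if __name__ == "__main__":
    # Usage: python csp_audit.py [report.html]; without a path the sample is audited.
    html = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    for kind, where, reason in csp_blocked(html):
        print(f"{kind:14} {where:55} {reason}")
    print("summary:", summarize(html))
```

Run it against the HTML Jenkins archived (`python csp_audit.py report.html`): anything it lists is exactly what disappears under the default policy, so a report that looks fine locally but unstyled in Jenkins with a non-empty list here is the CSP at work, not Grype. The same-origin stylesheet (`report.css`) and image (`logo.png`) are allowed by `'self'`, so a template that ships its CSS as a sibling artifact and avoids scripts survives the policy; everything else needs the Resource Root URL approach from the post above, which serves artifacts from a separate origin instead of relaxing the policy on the Jenkins origin itself.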
Thanks for following up @sboyadjiev!
Jenkins is pretty popular; it might be a good idea to add a note to the template README for other users – at least a warning that Jenkins may need some extra steps to get the template working. If there was a link to a page with more info, that would be great. If you could capture the extra stuff you needed to do somewhere – maybe even a new issue in the repo or the wiki – it could be helpful for the next user.
I'd love to help someone out! I will gather my process, write it out and contact you so you can let me know where you want me to put it/post it.