feat: Add grype as vulnerability scanner plugin

.gitignore

@@ -17,5 +17,7 @@ site/
 ## helm chart
 output/*
 .cr-release-packages/*
+deploy/helm/*.tgz
+
 ## idea files
 *.iml

deploy/helm/templates/config.yaml

@@ -117,6 +117,98 @@ data:
 {{- end }}
 {{- end }}
 {{- end }}
+
+
+{{- if eq .Values.starboard.vulnerabilityReportsPlugin "Grype" }}
+{{- with .Values.grype}}
+{{- if .createConfig }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: starboard-grype-config
+  labels:
+    {{- include "starboard-operator.labels" $ | nindent 4 }}
+data:
+  grype.imageRef: {{ required ".Values.grype.imageRef is required" .imageRef | quote }}
+  {{- if .scheme }}
+  grype.scheme: {{ .scheme | quote }}
+  {{- end }}
+  {{- if .onlyFixed }}
+  grype.onlyFixed: {{ .onlyFixed | quote }}
+  {{- end }}
+  {{- if .platform }}
+  grype.platform: {{ .platform | quote }}
+  {{- end }}
+  {{- if .excludePaths }}
+  grype.excludePaths: {{ .excludePaths | quote }}
+  {{- end }}
+  {{- if .httpProxy }}
+  grype.httpProxy: {{ .httpProxy | quote }}
+  {{- end }}
+  {{- if .httpsProxy }}
+  grype.httpsProxy: {{ .httpsProxy | quote }}
+  {{- end }}
+  {{- if .noProxy }}
+  grype.noProxy: {{ .noProxy | quote }}
+  {{- end }}
+  {{- if .updateURL }}
+  grype.updateURL: {{ .updateURL | quote }}
+  {{- end }}
+  {{- if .addMissingCPEs }}
+  grype.addMissingCPEs: {{ .addMissingCPEs | quote }}
+  {{- end }}
+  {{- if .updateURL }}
+  grype.updateURL: {{ .updateURL | quote }}
+  {{- end }}
+  {{- if .insecureRegistryPrefixes }}
+  grype.insecureRegistryPrefixes: {{ .insecureRegistryPrefixes | quote }}
+  {{- end }}
+  {{- if .nonSSLRegistriesPrefixes }}
+  grype.nonSSLRegistriesPrefixes: {{ .nonSSLRegistriesPrefixes | quote }}
+  {{- end }}
+  {{- with .resources }}
+    {{- with .requests }}
+      {{- if .cpu }}
+  grype.resources.requests.cpu: {{ .cpu }}
+      {{- end }}
+      {{- if hasKey . "memory" }}
+  grype.resources.requests.memory: {{ .memory }}
+      {{- end }}
+    {{- end }}
+    {{- with .limits }}
+      {{- if .cpu }}
+  grype.resources.limits.cpu: {{ .cpu }}
+      {{- end }}
+      {{- if .memory }}
+  grype.resources.limits.memory: {{ .memory }}
+      {{- end }}
+    {{- end }}
+  {{- end }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: starboard-grype-config
+  labels:
+    {{- include "starboard-operator.labels" $ | nindent 4 }}
+data:
+  {{- if .regAuthority }}
+  grype.regAuthority: {{ .regAuthority | b64enc | quote }}
+  {{- end }}
+  {{- if .regUsername }}
+  grype.regUsername: {{ .regUsername | b64enc | quote }}
+  {{- end }}
+  {{- if .regPassword }}
+  grype.regPassword: {{ .regPassword | b64enc | quote }}
+  {{- end }}
+  {{- if .regToken }}
+  grype.regToken: {{ .regToken | b64enc | quote }}
+  {{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+
 {{- if eq .Values.starboard.configAuditReportsPlugin "Conftest" }}
 {{- with .Values.conftest }}
 {{- if .createConfig }}

deploy/helm/values.yaml

@@ -73,7 +73,7 @@ service:
     prometheus.io/path: /metrics
 
 starboard:
-  # vulnerabilityReportsPlugin the name of the plugin that generates vulnerability reports. Either `Trivy` or `Aqua`.
+  # vulnerabilityReportsPlugin the name of the plugin that generates vulnerability reports. Either `Trivy`, `Aqua` or `Grype`.
   vulnerabilityReportsPlugin: "Trivy"
   # configAuditReportsPlugin the name of the plugin that generates config audit reports. Either `Polaris` or `Conftest`.
   configAuditReportsPlugin: "Polaris"
@@ -179,6 +179,54 @@ trivy:
 
   dbRepository: "ghcr.io/aquasecurity/trivy-db"
 
+grype:
+  # create Grype config (true|false)
+  createConfig: true
+
+  # image ref to be used in the grype scan jobs
+  imageRef: "anchore/grype:v0.35.0"
+
+  # updateURL, where the vulnerability databases should be pulled from, refer to grype documentation for this 
+  updateURL: "https://toolbox-data.anchore.io/grype/databases/listing.json"
+
+  # if a specific scheme is required for scanning, provide it here
+  # scheme:
+
+  # if you need to specify the platform of the scanned images
+  # platform
+
+  # glob pattern of paths to exlude
+  # excludePaths:
+
+  # proxy settings
+  # httpProx:
+  # httpsPorxy:
+  # noProxy:
+
+  # add CPEs, if they are missing
+  # addMissingCPEs: "true"
+
+  # INSECURE: comma separated list of prefixes for registries where tls verification should be skipped
+  # insecureRegistryPrefixes:
+
+  # INSECURE: comaa separated list of prefixes for registries that support HTTP only
+  # nonSSLRegistriesPrefixes:
+
+  # secret values for registry authentication
+  # regAuthority: ***
+  # regUsername: ***
+  # regPassword: ***
+  # regToken: ***
+
+  # resources
+  resources:
+    requests:
+      cpu: 100m
+      memory: 100M
+    limits:
+      cpu: 500m
+      memory: 500M
+
 compliance:
   # failEntriesLimit the flag to limit the number of fail entries per control check in the cluster compliance detail report
   failEntriesLimit: 10

docs/vulnerability-scanning/grype.md

@@ -0,0 +1,33 @@
+# Grype
+
+The Grype plugin can be enabled by setting `vulnerabilityReports.scanner` to `Grype`, there is no further setup necessary. However there are additional settings available. A look at the [grype GitHub repo](https://github.com/anchore/grype) will help. 
+
+## Configuration
+
+### Options
+
+key | default value | description
+--- | --- | --- 
+`grype.imageRef` | `anchore/grype:v0.35.0` | the grype image used for scanning
+`grype.scheme` | none | if there is a specific scheme required for scanning, set it here, e.g. `podman`
+`grype.onlyFixed` | `false` | set this to true to ignore vulnerabilities without fix
+`grype.platform` | none | if you have to set a specific platform for scanning, e.g. `s390x`
+`grype.exclude` | none | glob pattern of paths to exclude from scanning
+`grype.httpProxy` | none | http proxy
+`grype.httpsProxy` | none | https proxy
+`grype.noProxy` | none | targets where no proxy should be used
+`grype.updateURL` | `https://toolbox-data.anchore.io/grype/databases/listing.json` | location of the vulnerability DB config, see grype docu for that
+`grype.addMissingCPEs` | `false` | add CPEs if they are missing
+`grype.insecureRegistryPrefixes` | none | comma separated list of registry prefixes where tls verification should be skipped
+`grype.nonSSLRegistryPrefixes` | none | comma separated list of registry prefixes that support HTTP only
+`grype.resources.requests.cpu` | `100m` | resource setting for the scan jobs
+`grype.resources.requests.memory` | `100M` | resource setting for the scan jobs
+`grype.resources.limits.cpu` | `500m` | resource setting for the scan jobs
+`grype.resources.limits.memory` | `500M` | resource setting for the scan jobs
+
+### Secrets
+The following secret keys can be provided for authentication against a protected registry:
+* `grype.regUsername`
+* `grype.regPassword`
+* `grype.regToken`
+

docs/vulnerability-scanning/index.md

@@ -20,6 +20,7 @@ Starboard may scan Kubernetes workloads that run images from [Private Registries
 
 [VulnerabilityReport]: ./../crds/vulnerability-report.md
 [Trivy]: ./trivy.md
+[Grpye]: ./grype.md
 [Aqua Enterprise]: ./aqua-enterprise.md
 [Private Registries]: ./private-registries.md
 [Managed Registries]: ./managed-registries.md

pkg/plugin/factory.go

@@ -7,6 +7,7 @@ import (
 	"github.com/aquasecurity/starboard/pkg/ext"
 	"github.com/aquasecurity/starboard/pkg/plugin/aqua"
 	"github.com/aquasecurity/starboard/pkg/plugin/conftest"
+	"github.com/aquasecurity/starboard/pkg/plugin/grype"
 	"github.com/aquasecurity/starboard/pkg/plugin/polaris"
 	"github.com/aquasecurity/starboard/pkg/plugin/trivy"
 	"github.com/aquasecurity/starboard/pkg/starboard"
@@ -16,6 +17,7 @@ import (
 
 const (
 	Trivy    starboard.Scanner = "Trivy"
+	Grype    starboard.Scanner = "Grype"
 	Aqua     starboard.Scanner = "Aqua"
 	Polaris  starboard.Scanner = "Polaris"
 	Conftest starboard.Scanner = "Conftest"
@@ -81,6 +83,8 @@ func (r *Resolver) GetVulnerabilityPlugin() (vulnerabilityreport.Plugin, starboa
 	switch scanner {
 	case Trivy:
 		return trivy.NewPlugin(ext.NewSystemClock(), ext.NewGoogleUUIDGenerator(), r.client), pluginContext, nil
+	case Grype:
+		return grype.NewPlugin(ext.NewSystemClock(), ext.NewGoogleUUIDGenerator(), r.client), pluginContext, nil
 	case Aqua:
 		return aqua.NewPlugin(ext.NewGoogleUUIDGenerator(), r.buildInfo), pluginContext, nil
 	}

pkg/plugin/grype/README.md

@@ -0,0 +1,16 @@
+# grype plugin for Starboard
+
+This plugin is derived from the Trivy plugin.
+
+* [grype](https://github.com/anchore/grype)
+* [grype config](https://github.com/anchore/grype#configuration)
+
+# Notes on configuration
+Most of the settings correspond directly to the settings mentioned in grype documentation.
+In order to set optional parameters, e.g. `grype.onlyFixed`, they have to be set to `true`
+There are two settings that are specific to this plugin:
+
+key | description 
+--- | --- 
+`grype.insecureRegistryPrefixes` | comma separated list of prefixes of registries where TLS verification will be skipped 
+`grype.nonSSLRegistyPrefixes` | comma separated list of prefixes of registries that use http

pkg/plugin/grype/doc.go

@@ -0,0 +1,2 @@
+// Package grype provides primitives for working with Grype.
+package grype

pkg/plugin/grype/model.go

@@ -0,0 +1,56 @@
+package grype
+
+type ScanReport struct {
+	Matches    []Match    `json:"matches"`
+	Source     Source     `json:"source"`
+	Descriptor Descriptor `json:"descriptor"`
+}
+
+type Match struct {
+	Vulnerability          Vulnerability   `json:"vulnerability"`
+	Artifact               Artifact        `json:"artifact"`
+	RelatedVulnerabilities []Vulnerability `json:"relatedVulnerabilities"`
+}
+
+type Vulnerability struct {
+	Id          string   `json:"id"`
+	DataSource  string   `json:"dataSource"`
+	Severity    string   `json:"severity"`
+	URLs        []string `json:"urls"`
+	Description string   `json:"description"`
+	CVSs        []CVS    `json:"cvss"`
+	Fix         Fix      `json:"fix"`
+}
+
+type Artifact struct {
+	Name    string `json:"name"`
+	Version string `json:"version"`
+}
+
+type Fix struct {
+	Versions []string `json:"versions"`
+	State    string   `json:"state"`
+}
+
+type CVS struct {
+	Version string     `json:"version"`
+	Metrics CVSMetrics `json:"metrics"`
+}
+
+type CVSMetrics struct {
+	BaseScore *float64 `json:"baseScore"`
+}
+
+type Source struct {
+	Target Target `json:"target"`
+}
+
+type Target struct {
+	UserInput      string `json:"userInput"`
+	ManifestDigest string `json:"manifestDigest"`
+}
+
+type Descriptor struct {
+	Name    string `json:"name"`
+	Version string `json:"version"`
+}

pkg/plugin/grype/model_test.go

@@ -0,0 +1 @@
+package grype_test