Recently, while doing SCA testing, I needed to obtain the components and vulnerabilities of a container image. I used the docker scout tool and got component names, versions and vulnerability identifiers from the SBOM.
docker scout
Obtaining component information
docker scout sbom --format spdx --output 2025.05.25.sbom.spdx.json nginx:stable-perl
✓ SBOM of image already cached, 244 packages indexed
✓ Report written to 2025.05.25.sbom.spdx.json
The component information in this SPDX file is then processed with the SCA tool.
Obtaining CVE identifiers
docker scout cves --format sbom nginx:stable-perl > sbom.cve.json
Printing the CVE identifiers one per line
import json
import re
from charset_normalizer import detect


def extract_cve_ids(file_path):
    """
    Extract all CVE IDs from a JSON file.
    """
    cve_pattern = re.compile(r'CVE-\d{4}-\d{4,}')  # Regex pattern for CVE IDs
    cve_ids = []

    # Detect the file encoding
    with open(file_path, 'rb') as file:
        raw_data = file.read()
        detected = detect(raw_data)
        encoding = detected['encoding']

    # Read the JSON file with the detected encoding
    with open(file_path, 'r', encoding=encoding) as file:
        data = json.load(file)

    # Recursively search for CVE IDs in the JSON structure
    def search_cve(obj):
        if isinstance(obj, dict):
            for key, value in obj.items():
                search_cve(value)
        elif isinstance(obj, list):
            for item in obj:
                search_cve(item)
        elif isinstance(obj, str):
            matches = cve_pattern.findall(obj)
            cve_ids.extend(matches)

    search_cve(data)
    return cve_ids


# Path to the report written by `docker scout cves --format sbom`
file_path = "sbom.cve.json"

# Extract CVE IDs and print them, one per line
cve_ids = extract_cve_ids(file_path)
print("\n".join(cve_ids))
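The two steps above, component extraction from the SPDX SBOM and CVE extraction from the vulnerability report, can be handled in one script. The following is an added example written for this page, not the author's script and not docker scout's own code. It reads the SPDX 2.3 JSON fields that `docker scout sbom --format spdx` writes (`packages`, `name`, `versionInfo`, `externalRefs` with a `purl` reference) into a component list, and for the CVE report it keeps the page's approach of scanning every string in the JSON rather than relying on the report's schema, because that schema is not shown on the page. Unlike the script above it de-duplicates the CVE ids and counts how many findings mention each one, which is usually what a ticket or a diff between two scans needs. Both input documents are constructed samples embedded inline; the package names, versions and CVE ids in them are placeholders.

```python
import json
import re
from collections import Counter

CVE_PATTERN = re.compile(r"CVE-\d{4}-\d{4,}")  # same shape as the page's regex

# Constructed sample: a minimal SPDX 2.3 JSON document in the shape that
# `docker scout sbom --format spdx` writes. The field names (packages, name,
# versionInfo, externalRefs/referenceType/referenceLocator) are standard SPDX;
# the package names and versions are made up for this example.
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "name": "nginx:stable-perl",
    "packages": [
        {"SPDXID": "SPDXRef-pkg-nginx", "name": "nginx", "versionInfo": "1.26.0-1",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:deb/debian/nginx@1.26.0-1"}]},
        {"SPDXID": "SPDXRef-pkg-libssl3", "name": "libssl3", "versionInfo": "3.0.0-1",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:deb/debian/libssl3@3.0.0-1"}]},
        # A package without a purl reference: the parser must not fail on it.
        {"SPDXID": "SPDXRef-pkg-zlib1g", "name": "zlib1g", "versionInfo": "1.2.13-1"},
    ],
})

# Constructed sample standing in for the `docker scout cves --format sbom` report.
# Its real schema is not shown on this page, so the collector below does not
# depend on it and simply scans every string in the document. The CVE ids are
# placeholders, not real advisories; the GHSA entry shows that non-CVE ids are skipped.
SAMPLE_CVE_REPORT = json.dumps({
    "vulnerabilities": [
        {"id": "CVE-2099-0001", "package": "libssl3", "severity": "HIGH"},
        {"id": "CVE-2099-0001", "package": "libssl3-dev", "severity": "HIGH"},
        {"id": "CVE-2099-0002", "package": "zlib1g", "severity": "MEDIUM"},
        {"id": "GHSA-xxxx-yyyy-zzzz", "package": "nginx", "severity": "LOW"},
    ],
})


def load_spdx_components(spdx_text):
    """Return [{name, version, purl}] for every package in an SPDX JSON SBOM.

    purl is None when the package carries no purl externalRef.
    """
    doc = json.loads(spdx_text)
    components = []
    for pkg in doc.get("packages", []):
        purl = None
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") == "purl":
                purl = ref.get("referenceLocator")
                break
        components.append({
            "name": pkg.get("name"),
            "version": pkg.get("versionInfo"),
            "purl": purl,
        })
    return components


def collect_cve_ids(report_text):
    """Walk every string in a JSON report and return (unique_ids, counts).

    unique_ids keeps first-seen order with no duplicates; counts records how
    many findings mention each id (one CVE often hits several packages).
    """
    counts = Counter()

    def walk(obj):
        if isinstance(obj, dict):
            for value in obj.values():
                walk(value)
        elif isinstance(obj, list):
            for item in obj:
                walk(item)
        elif isinstance(obj, str):
            counts.update(CVE_PATTERN.findall(obj))

    walk(json.loads(report_text))
    return list(counts), counts


def component_lines(components):
    """Render components as tab-separated lines: name, version, purl."""
    return ["\t".join([c["name"], c["version"] or "", c["purl"] or ""])
            for c in components]


if __name__ == "__main__":
    # On real reports, replace the samples with open(path, encoding="utf-8").read().
    print("\n".join(component_lines(load_spdx_components(SAMPLE_SPDX))))
    unique_ids, counts = collect_cve_ids(SAMPLE_CVE_REPORT)
    for cve in unique_ids:
        print(f"{cve}\t{counts[cve]} finding(s)")
```

Reading the purl as well as name and version matters for the SCA step: the purl carries the ecosystem and distro (`pkg:deb/debian/...`), which is what lets a vulnerability database match a Debian package version correctly instead of confusing it with an upstream release of the same name.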