syft

"A CLI tool and Go library for generating a Software Bill of Materials (SBOM) from container images and filesystems. Exceptional for vulnerability detection when used with a scanner tool like Grype." (1)

Install

(Last checked for relevance: 13-Dec-2021)

As 'root'...

curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin

Note that this pipes a script fetched over the network straight into a root shell; if that is not acceptable in your environment, download install.sh first, read it, and then run it.

Other steps on this page assume /usr/local/bin is in your PATH.

Usage

For example, to generate an SBOM for Oracle SQL Developer installed in /opt/sqldeveloper...

cd /opt/sqldeveloper

syft . | more

To check for specific files...

For example, we know that Log4j 2 versions 2.0-beta9 through 2.14.1 are affected by a critical remote code execution vulnerability (CVE-2021-44228, "Log4Shell"), fixed in 2.15.0. The exploitable JNDI lookup lives in log4j-core, so that is the artifact whose version matters; log4j-api and the log4j-1.2-api bridge on their own do not carry it. Let's see which version our copy of SQL Developer is using...

syft . | grep log4j


 ✔ Indexed .
 ✔ Cataloged packages      [993 packages]
log4j-1.2-api            2.11.0    java-archive
log4j-api                2.11.0    java-archive
log4j-core               2.11.0    java-archive
oracle.external.log4j              java-archive
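The grep above shows which log4j artifacts are present but leaves the range check to the reader. The script below is an added example, not part of syft or of the original page: it reads the JSON form of the same SBOM (syft's -o json output, using the artifacts[].name/version/type fields) and flags a log4j-core whose version falls in the affected range. The SBOM embedded in it is a constructed sample shaped like syft's JSON output, holding the entries seen above plus one unrelated package; the file name log4j_check.py is an assumption. Against a real installation, run `syft /opt/sqldeveloper -o json > sbom.json` and then `python3 log4j_check.py sbom.json`.

```python
"""Flag a vulnerable log4j-core in a syft JSON SBOM.

Added example (not syft's own code). Usage:
    syft /opt/sqldeveloper -o json > sbom.json
    python3 log4j_check.py sbom.json
With no argument it runs against the constructed sample below.
"""
import json
import re
import sys

# CVE-2021-44228 (Log4Shell) affects log4j-core 2.0-beta9 through 2.14.1;
# the fix shipped in 2.15.0. Only log4j-core carries the JNDI lookup, so
# log4j-api and the log4j-1.2-api bridge are not checked.
AFFECTED_ARTIFACT = "log4j-core"
FIRST_AFFECTED = (2, 0, 0)   # pre-release tags are dropped, so 2.0-beta9 sorts as 2.0.0
FIXED_IN = (2, 15, 0)

# Constructed sample in the shape of `syft -o json` (artifacts[].name/version/type).
SAMPLE_SBOM = json.dumps({
    "artifacts": [
        {"name": "log4j-1.2-api", "version": "2.11.0", "type": "java-archive"},
        {"name": "log4j-api", "version": "2.11.0", "type": "java-archive"},
        {"name": "log4j-core", "version": "2.11.0", "type": "java-archive"},
        {"name": "oracle.external.log4j", "version": "", "type": "java-archive"},
        {"name": "commons-io", "version": "2.8.0", "type": "java-archive"},
    ]
})


def parse_version(version):
    """Turn '2.11.0' or '2.0-beta9' into a tuple of ints for comparison.

    Pre-release suffixes are ignored, which errs on the side of flagging
    (2.0-beta1..beta8 would also match). Returns None when the string has no
    leading numeric component, e.g. the empty version seen for
    oracle.external.log4j above.
    """
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version or "")
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())


def find_vulnerable_log4j(sbom_json):
    """Return [(name, version), ...] for log4j-core artifacts in the affected range."""
    sbom = json.loads(sbom_json)
    hits = []
    for artifact in sbom.get("artifacts", []):
        if artifact.get("name") != AFFECTED_ARTIFACT:
            continue
        ver = parse_version(artifact.get("version"))
        if ver is None:
            continue
        if FIRST_AFFECTED <= ver < FIXED_IN:
            hits.append((artifact["name"], artifact["version"]))
    return hits


def main(argv):
    """Read the SBOM named on the command line (or the sample) and report hits."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            data = fh.read()
    else:
        data = SAMPLE_SBOM
    hits = find_vulnerable_log4j(data)
    for name, version in hits:
        print(f"VULNERABLE: {name} {version} (fixed in 2.15.0)")
    if not hits:
        print("no log4j-core in the affected range")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The check keys on the artifact name rather than grepping the whole table, so a package that merely mentions log4j in its name (like oracle.external.log4j above) does not produce a false alarm, and the non-zero exit status makes it usable as a gate in a build pipeline.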

Bibliography & References


(1) https://github.com/anchore/syft