Title: ROX-30571: roxctl sbom scan by dcaravel · Pull Request #18503 · stackrox/stackrox · GitHub
Open Graph Title: ROX-30571: roxctl sbom scan by dcaravel · Pull Request #18503 · stackrox/stackrox
X Title: ROX-30571: roxctl sbom scan by dcaravel · Pull Request #18503 · stackrox/stackrox
Description: Description Adds the roxctl sbom scan command. PR Stack: #18503 ⬅️ this PR #18658 #18484 User-facing documentation CHANGELOG.md is updated OR update is not needed documentation PR is created and is linked above OR is not needed Testing and quality the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag CI results are inspected Automated testing added unit tests modified existing tests How I validated my change $ go run ./roxctl sbom scan --file dignore/rhacs-4.9.json output { "id": "fake HashId", "scan": { "scannerVersion": "matcher=v7", "scanTime": "2026-01-16T00:48:23.865085543Z", "components": [ { "name": "Fake Package #1", "version": "v1.0.0", "vulns": [ { "cve": "Fake Vuln #1", "cvss": 3.3, "link": "https://nvd.nist.gov/vuln/detail/CVE-5678-1234", "scoreVersion": "V3", "cvssV3": { "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N", "exploitabilityScore": 0.8, "impactScore": 2.5, "attackComplexity": "COMPLEXITY_HIGH", "privilegesRequired": "PRIVILEGE_LOW", "userInteraction": "UI_REQUIRED", "confidentiality": "IMPACT_LOW", "integrity": "IMPACT_LOW", "score": 3.3, "severity": "LOW" }, "severity": "CRITICAL_VULNERABILITY_SEVERITY", "cvssMetrics": [ { "source": "SOURCE_NVD", "url": "https://nvd.nist.gov/vuln/detail/CVE-5678-1234", "cvssv3": { "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N", "exploitabilityScore": 0.8, "impactScore": 2.5, "attackComplexity": "COMPLEXITY_HIGH", "privilegesRequired": "PRIVILEGE_LOW", "userInteraction": "UI_REQUIRED", "confidentiality": "IMPACT_LOW", "integrity": "IMPACT_LOW", "score": 3.3, "severity": "LOW" } } ] }, { "cve": "Fake Vuln #2", "cvss": 3.3, "link": "https://nvd.nist.gov/vuln/detail/CVE-5678-1234", "scoreVersion": "V3", "cvssV3": { "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N", "exploitabilityScore": 0.8, "impactScore": 2.5, "attackComplexity": "COMPLEXITY_HIGH", "privilegesRequired": "PRIVILEGE_LOW", "userInteraction": "UI_REQUIRED", "confidentiality": "IMPACT_LOW", "integrity": "IMPACT_LOW", "score": 3.3, "severity": "LOW" }, "severity": "IMPORTANT_VULNERABILITY_SEVERITY", "cvssMetrics": [ { "source": "SOURCE_NVD", "url": "https://nvd.nist.gov/vuln/detail/CVE-5678-1234", "cvssv3": { "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N", "exploitabilityScore": 0.8, "impactScore": 2.5, "attackComplexity": "COMPLEXITY_HIGH", "privilegesRequired": "PRIVILEGE_LOW", "userInteraction": "UI_REQUIRED", "confidentiality": "IMPACT_LOW", "integrity": "IMPACT_LOW", "score": 3.3, "severity": "LOW" } } ] }, { "cve": "Fake Vuln #3", "cvss": 8.2, "link": "https://access.redhat.com/security/cve/CVE-1234-567", "scoreVersion": "V3", "cvssV3": { "vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:H", "exploitabilityScore": 2.8, "impactScore": 4.7, "attackVector": "ATTACK_ADJACENT", "scope": "CHANGED", "confidentiality": "IMPACT_LOW", "availability": "IMPACT_HIGH", "score": 8.2, "severity": "HIGH" }, "severity": "MODERATE_VULNERABILITY_SEVERITY", "cvssMetrics": [ { "source": "SOURCE_RED_HAT", "url": "https://access.redhat.com/security/cve/CVE-1234-567", "cvssv3": { "vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:H", "exploitabilityScore": 2.8, "impactScore": 4.7, "attackVector": "ATTACK_ADJACENT", "scope": "CHANGED", "confidentiality": "IMPACT_LOW", "availability": "IMPACT_HIGH", "score": 8.2, "severity": "HIGH" } }, { "source": "SOURCE_NVD", "url": "https://nvd.nist.gov/vuln/detail/CVE-1234-567", "cvssv2": { "vector": "AV:N/AC:M/Au:M/C:C/I:N/A:P", "attackVector": "ATTACK_NETWORK", "accessComplexity": "ACCESS_MEDIUM", "confidentiality": "IMPACT_COMPLETE", "availability": "IMPACT_PARTIAL", "exploitabilityScore": 5.5, "impactScore": 7.8, "score": 6.4, "severity": "MEDIUM" } } ] }, { "cve": "Fake Vuln #4", "cvss": 3.3, "link": "https://nvd.nist.gov/vuln/detail/CVE-5678-1234", "scoreVersion": "V3", "cvssV3": { "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N", "exploitabilityScore": 0.8, "impactScore": 2.5, "attackComplexity": "COMPLEXITY_HIGH", "privilegesRequired": "PRIVILEGE_LOW", "userInteraction": "UI_REQUIRED", "confidentiality": "IMPACT_LOW", "integrity": "IMPACT_LOW", "score": 3.3, "severity": "LOW" }, "severity": "LOW_VULNERABILITY_SEVERITY", "cvssMetrics": [ { "source": "SOURCE_NVD", "url": "https://nvd.nist.gov/vuln/detail/CVE-5678-1234", "cvssv3": { "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N", "exploitabilityScore": 0.8, "impactScore": 2.5, "attackComplexity": "COMPLEXITY_HIGH", "privilegesRequired": "PRIVILEGE_LOW", "userInteraction": "UI_REQUIRED", "confidentiality": "IMPACT_LOW", "integrity": "IMPACT_LOW", "score": 3.3, "severity": "LOW" } } ] } ] }, { "name": "Fake Package #2", "version": "v2.3.4", "vulns": [ { "cve": "Fake Vuln #3", "cvss": 8.2, "link": "https://access.redhat.com/security/cve/CVE-1234-567", "scoreVersion": "V3", "cvssV3": { "vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:H", "exploitabilityScore": 2.8, "impactScore": 4.7, "attackVector": "ATTACK_ADJACENT", "scope": "CHANGED", "confidentiality": "IMPACT_LOW", "availability": "IMPACT_HIGH", "score": 8.2, "severity": "HIGH" }, "severity": "MODERATE_VULNERABILITY_SEVERITY", "cvssMetrics": [ { "source": "SOURCE_RED_HAT", "url": "https://access.redhat.com/security/cve/CVE-1234-567", "cvssv3": { "vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:H", "exploitabilityScore": 2.8, "impactScore": 4.7, "attackVector": "ATTACK_ADJACENT", "scope": "CHANGED", "confidentiality": "IMPACT_LOW", "availability": "IMPACT_HIGH", "score": 8.2, "severity": "HIGH" } }, { "source": "SOURCE_NVD", "url": "https://nvd.nist.gov/vuln/detail/CVE-1234-567", "cvssv2": { "vector": "AV:N/AC:M/Au:M/C:C/I:N/A:P", "attackVector": "ATTACK_NETWORK", "accessComplexity": "ACCESS_MEDIUM", "confidentiality": "IMPACT_COMPLETE", "availability": "IMPACT_PARTIAL", "exploitabilityScore": 5.5, "impactScore": 7.8, "score": 6.4, "severity": "MEDIUM" } } ] }, { "cve": "Fake Vuln #4", "cvss": 3.3, "link": "https://nvd.nist.gov/vuln/detail/CVE-5678-1234", "scoreVersion": "V3", "cvssV3": { "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N", "exploitabilityScore": 0.8, "impactScore": 2.5, "attackComplexity": "COMPLEXITY_HIGH", "privilegesRequired": "PRIVILEGE_LOW", "userInteraction": "UI_REQUIRED", "confidentiality": "IMPACT_LOW", "integrity": "IMPACT_LOW", "score": 3.3, "severity": "LOW" }, "severity": "LOW_VULNERABILITY_SEVERITY", "cvssMetrics": [ { "source": "SOURCE_NVD", "url": "https://nvd.nist.gov/vuln/detail/CVE-5678-1234", "cvssv3": { "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N", "exploitabilityScore": 0.8, "impactScore": 2.5, "attackComplexity": "COMPLEXITY_HIGH", "privilegesRequired": "PRIVILEGE_LOW", "userInteraction": "UI_REQUIRED", "confidentiality": "IMPACT_LOW", "integrity": "IMPACT_LOW", "score": 3.3, "severity": "LOW" } } ] } ] } ], "operatingSystem": "unknown", "dataSource": { "id": "a87471e6-9678-4e66-8348-91e302b6de07", "name": "Scanner V4" } } } $ go run ./roxctl sbom scan --file=dignore/rhacs-4.9.json --output json output { "result": { "summary": { "CRITICAL": 1, "IMPORTANT": 1, "LOW": 1, "MODERATE": 1, "TOTAL-COMPONENTS": 2, "TOTAL-VULNERABILITIES": 4 }, "vulnerabilities": [ { "cveId": "Fake Vuln #1", "cveSeverity": "CRITICAL", "cveCVSS": 3.3, "cveInfo": "https://nvd.nist.gov/vuln/detail/CVE-5678-1234", "advisoryId": "", "advisoryInfo": "", "componentName": "Fake Package #1", "componentVersion": "v1.0.0", "componentFixedVersion": "" }, { "cveId": "Fake Vuln #2", "cveSeverity": "IMPORTANT", "cveCVSS": 3.3, "cveInfo": "https://nvd.nist.gov/vuln/detail/CVE-5678-1234", "advisoryId": "", "advisoryInfo": "", "componentName": "Fake Package #1", "componentVersion": "v1.0.0", "componentFixedVersion": "" }, { "cveId": "Fake Vuln #3", "cveSeverity": "MODERATE", "cveCVSS": 8.2, "cveInfo": "https://access.redhat.com/security/cve/CVE-1234-567", "advisoryId": "", "advisoryInfo": "", "componentName": "Fake Package #1", "componentVersion": "v1.0.0", "componentFixedVersion": "" }, { "cveId": "Fake Vuln #4", "cveSeverity": "LOW", "cveCVSS": 3.3, "cveInfo": "https://nvd.nist.gov/vuln/detail/CVE-5678-1234", "advisoryId": "", "advisoryInfo": "", "componentName": "Fake Package #1", "componentVersion": "v1.0.0", "componentFixedVersion": "" }, { "cveId": "Fake Vuln #3", "cveSeverity": "MODERATE", "cveCVSS": 8.2, "cveInfo": "https://access.redhat.com/security/cve/CVE-1234-567", "advisoryId": "", "advisoryInfo": "", "componentName": "Fake Package #2", "componentVersion": "v2.3.4", "componentFixedVersion": "" }, { "cveId": "Fake Vuln #4", "cveSeverity": "LOW", "cveCVSS": 3.3, "cveInfo": "https://nvd.nist.gov/vuln/detail/CVE-5678-1234", "advisoryId": "", "advisoryInfo": "", "componentName": "Fake Package #2", "componentVersion": "v2.3.4", "componentFixedVersion": "" } ] } } go run ./roxctl sbom scan --file=dignore/rhacs-4.9.json --output table output Scan results for image: dignore/rhacs-4.9.json (TOTAL-COMPONENTS: 2, TOTAL-VULNERABILITIES: 4, LOW: 1, MODERATE: 1, IMPORTANT: 1, CRITICAL: 1) +-----------------+---------+--------------+-----------+------+-----------------------------------------------------+---------------+----------+---------------+ | COMPONENT | VERSION | CVE | SEVERITY | CVSS | LINK | FIXED VERSION | ADVISORY | ADVISORY LINK | +-----------------+---------+--------------+-----------+------+-----------------------------------------------------+---------------+----------+---------------+ | Fake Package #1 | v1.0.0 | Fake Vuln #1 | CRITICAL | 3.3 | https://nvd.nist.gov/vuln/detail/CVE-5678-1234 | - | - | - | | | +--------------+-----------+------+-----------------------------------------------------+---------------+----------+---------------+ | | | Fake Vuln #2 | IMPORTANT | 3.3 | https://nvd.nist.gov/vuln/detail/CVE-5678-1234 | - | - | - | | | +--------------+-----------+------+-----------------------------------------------------+---------------+----------+---------------+ | | | Fake Vuln #3 | MODERATE | 8.2 | https://access.redhat.com/security/cve/CVE-1234-567 | - | - | - | | | +--------------+-----------+------+-----------------------------------------------------+---------------+----------+---------------+ | | | Fake Vuln #4 | LOW | 3.3 | https://nvd.nist.gov/vuln/detail/CVE-5678-1234 | - | - | - | +-----------------+---------+--------------+-----------+------+-----------------------------------------------------+---------------+----------+---------------+ | Fake Package #2 | v2.3.4 | Fake Vuln #3 | MODERATE | 8.2 | https://access.redhat.com/security/cve/CVE-1234-567 | - | - | - | | | +--------------+-----------+------+-----------------------------------------------------+---------------+----------+---------------+ | | | Fake Vuln #4 | LOW | 3.3 | https://nvd.nist.gov/vuln/detail/CVE-5678-1234 | - | - | - | +-----------------+---------+--------------+-----------+------+-----------------------------------------------------+---------------+----------+---------------+ WARN: A total of 4 unique vulnerabilities were found in 2 components $ go run ./roxctl sbom scan --file=rhacs-4.9.json --output csv output COMPONENT,VERSION,CVE,SEVERITY,CVSS,LINK,FIXED_VERSION,ADVISORY,ADVISORY_LINK Fake Package #1,v1.0.0,Fake Vuln #1,CRITICAL,3.3,https://nvd.nist.gov/vuln/detail/CVE-5678-1234,-,-,- Fake Package #1,v1.0.0,Fake Vuln #2,IMPORTANT,3.3,https://nvd.nist.gov/vuln/detail/CVE-5678-1234,-,-,- Fake Package #1,v1.0.0,Fake Vuln #3,MODERATE,8.2,https://access.redhat.com/security/cve/CVE-1234-567,-,-,- Fake Package #1,v1.0.0,Fake Vuln #4,LOW,3.3,https://nvd.nist.gov/vuln/detail/CVE-5678-1234,-,-,- Fake Package #2,v2.3.4,Fake Vuln #3,MODERATE,8.2,https://access.redhat.com/security/cve/CVE-1234-567,-,-,- Fake Package #2,v2.3.4,Fake Vuln #4,LOW,3.3,https://nvd.nist.gov/vuln/detail/CVE-5678-1234,-,-,- $ go run ./roxctl sbom scan --file NOPE.json ERROR: SBOM file does not exist: "NOPE.json" $ go run ./roxctl sbom scan --file dignore/rhacs-4.9.invalid.json ERROR: auto detecting media type: SBOM file does not appear to be valid JSON $ go run ./roxctl sbom scan --file dignore/rhacs-4.9.notspdx.json ERROR: auto detecting media type: unsupported SBOM format $ go run ./roxctl sbom scan --file dignore/rhacs-4.9.json --content-type WRONG ERROR: received unexpected status code 400. Response Body: {"code":3,"message":"validating media type: unsupported media type \"WRONG\", supported types [text/spdx+json application/spdx+json]"}
Open Graph Description: Description Adds the roxctl sbom scan command. PR Stack: #18503 ⬅️ this PR #18658 #18484 User-facing documentation CHANGELOG.md is updated OR update is not needed documentation PR is created ...
X Description: Description Adds the roxctl sbom scan command. PR Stack: #18503 ⬅️ this PR #18658 #18484 User-facing documentation CHANGELOG.md is updated OR update is not needed documentation PR is created ...
Opengraph URL: https://github.com/stackrox/stackrox/pull/18503
X: @github
Domain: github.com
| route-pattern | /:user_id/:repository/pull/:id/files(.:format) |
| route-controller | pull_requests |
| route-action | files |
| fetch-nonce | v2:a30f2e07-32f2-f709-a30b-a3aafed5c287 |
| current-catalog-service-hash | ae870bc5e265a340912cde392f23dad3671a0a881730ffdadd82f2f57d81641b |
| request-id | E932:2FA5EC:10AEC8B:17036DB:6A4DD8A9 |
| html-safe-nonce | 701e5c589dd0d15eaa987f32b26305426343f4f6e0119773d875a6ad7758715e |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJFOTMyOjJGQTVFQzoxMEFFQzhCOjE3MDM2REI6NkE0REQ4QTkiLCJ2aXNpdG9yX2lkIjoiMTYwMTAwMTI3OTU3OTg3MTQwMSIsInJlZ2lvbl9lZGdlIjoiaWFkIiwicmVnaW9uX3JlbmRlciI6ImlhZCJ9 |
| visitor-hmac | 8c5bda63a572ba2604472dc4f267f6424de91cf3fa9d676fb6fade02a2f09f9d |
| hovercard-subject-tag | pull_request:3175987808 |
| github-keyboard-shortcuts | repository,pull-request-list,pull-request-conversation,pull-request-files-changed,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/stackrox/stackrox/pull/18503/files |
| twitter:image | https://avatars.githubusercontent.com/u/119438707?s=400&v=4 |
| twitter:card | summary_large_image |
| og:image | https://avatars.githubusercontent.com/u/119438707?s=400&v=4 |
| og:image:alt | Description Adds the roxctl sbom scan command. PR Stack: #18503 ⬅️ this PR #18658 #18484 User-facing documentation CHANGELOG.md is updated OR update is not needed documentation PR is created ... |
| og:site_name | GitHub |
| og:type | object |
| hostname | github.com |
| expected-hostname | github.com |
| None | 06b8a6144231bf3a234f1c2e9993861e07ce98a905912b114aa386c2d7e84b33 |
| turbo-cache-control | no-preview |
| diff-view | unified |
| go-import | github.com/stackrox/stackrox git https://github.com/stackrox/stackrox.git |
| octolytics-dimension-user_id | 40638982 |
| octolytics-dimension-user_login | stackrox |
| octolytics-dimension-repository_id | 434017296 |
| octolytics-dimension-repository_nwo | stackrox/stackrox |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 434017296 |
| octolytics-dimension-repository_network_root_nwo | stackrox/stackrox |
| turbo-body-classes | logged-out env-production page-responsive full-width |
| disable-turbo | true |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | 1d344bdb7547fe6bca17a59bb2b8aac3dc9532a0 |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width