Feature Request: Batch processing of SBOM file with count of components more than 2000 (AWS Inspector limit) #80
Comments
Hello, thank you for reaching out.

Hello, thank you again for creating this issue. I'm going to mark this issue as on-hold until we begin work on the feature.

@iriabov Hello, we recently increased the permitted component count to 5,000.

Hi @bluesentinelsec Thank you!
Contributions are certainly welcome. :)

# 1. First generate a large SBOM
./inspector-sbomgen container --image large_image:latest -o large_sbom.json

# 2. Now scan the SBOM; the program will need to handle chunking the scan into multiple requests,
#    and then reassembling the responses into a single JSON document.
./scan_sbom_in_chunks.py --f your_large_sbom.json --profile your_aws_profile

You'll need to use the AWS SDK to interact with Inspector's ScanSbom API. Be advised, I think this is a non-trivial program to write; no worries if you need to back out because this is likely a moderate amount of work. Otherwise, feel free to take a stab and we'll provide feedback if you open a pull request.
@bluesentinelsec any idea roughly when chunking would be implemented? I'm hitting the 5000 limit at the moment

@raelyz Thank you for inquiring about chunking large SBOMs to work around the 5,000 component limit. Unfortunately we do not have a firm ETA for this feature, as we are currently focusing on improving the performance and accuracy of our inventory collection engine. To work around the 5,000 component limit, you may consider splitting up your scans into smaller tasks, for example, first scan OS packages, then perform subsequent scans for 3rd party packages. The action provides arguments that can help with this, specifically, "scanners," "skip_scanners," and "skip_files."

@bluesentinelsec I've attempted to use specific scanners for a Java application and I am still hitting the 5000 component limit. Really do hope the team is able to find time to address this issue. I've since disabled the action for several of our applications as a result.

@raelyz

@bluesentinelsec, sure thing! I've sent you an email; we can continue over there.

Can you please increase the limit beyond 5,000 - up to 10,000 would be wonderful

@fs-david-harrington One potential solution is for you to push your image to AWS ECR and scan with Inspector (e.g. Inspector Enhanced Scanning for ECR). If you have further questions, please feel encouraged to reach out to us at
Hi @bluesentinelsec, thanks a lot for the update! To summarise, if someone runs into this issue, the current options are:
Please correct me if I'm wrong.
Description
We hit the limit error in the AWS Inspector CLI command used to scan SBOM files. Error log message:
An error occurred (ValidationException) when calling the ScanSbom operation: Input SBOM failed validation: Max number of components exceeded (2000)
You can find the package limit in AWS documentation:
https://docs.aws.amazon.com/inspector/v2/APIReference/API_scan_ScanSbom.html#API_scan_ScanSbom_RequestSyntax
Expected Behavior
Divide the SBOM file into chunks (each with the same metadata and at most the maximum component count, 2000). The next step is to scan these files independently. The last step is to aggregate the vulnerabilities from all files.
Actual Behavior
We have an error in the scanning GH action:
An error occurred (ValidationException) when calling the ScanSbom operation: Input SBOM failed validation: Max number of components exceeded (2000)
Steps to Reproduce
Build an image with more than 2000 components in its SBOM file.
Other Information
Please provide any additional information such as logs or screenshots.
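The chunk-scan-merge flow sketched by the maintainer (`scan_sbom_in_chunks.py`) and requested under "Expected Behavior" above, as an added example that is not code from this issue or from the inspector-sbomgen project. It assumes the SBOM is CycloneDX JSON (a top-level `components` list plus shared metadata) and that each scan response carries a CycloneDX-style `vulnerabilities` list whose entries have an `id` and an `affects` list of `bom-ref`s; the scanner is injected as a callable so the chunking and merging logic can be exercised offline. The `fake_scan` function, the sample SBOM and the `PLACEHOLDER-VULN-A` identifier are constructed stand-ins; a real implementation would replace `fake_scan` with a ScanSbom call through the AWS SDK.

```python
"""Split a CycloneDX JSON SBOM into chunks under the ScanSbom component limit,
scan each chunk, and merge the per-chunk findings into one document.
Added example; not part of the inspector-sbomgen project."""
import copy
import json
from typing import Callable, Dict, Iterable, List

# Limit quoted in the issue: 2000 originally, later raised to 5000.
MAX_COMPONENTS = 2000


def chunk_sbom(sbom: dict, max_components: int = MAX_COMPONENTS) -> List[dict]:
    """Return SBOM documents that each carry the original metadata (bomFormat,
    specVersion, metadata, ...) and at most `max_components` components."""
    if max_components < 1:
        raise ValueError("max_components must be >= 1")
    components = sbom.get("components", [])
    # Everything except the component list is shared by every chunk.
    template = {k: v for k, v in sbom.items() if k != "components"}
    if not components:
        empty = copy.deepcopy(template)
        empty["components"] = []
        return [empty]
    chunks = []
    for start in range(0, len(components), max_components):
        chunk = copy.deepcopy(template)
        chunk["components"] = components[start:start + max_components]
        chunks.append(chunk)
    return chunks


def merge_scan_results(results: Iterable[dict]) -> dict:
    """Combine per-chunk scan outputs. Vulnerabilities are keyed by id; when the
    same id is reported from several chunks, their `affects` refs are unioned so
    a finding is never counted twice and no affected component is dropped."""
    merged: Dict[str, dict] = {}
    for result in results:
        for vuln in result.get("vulnerabilities", []):
            entry = merged.setdefault(vuln["id"], {**copy.deepcopy(vuln), "affects": []})
            seen = {a["ref"] for a in entry["affects"]}
            for affect in vuln.get("affects", []):
                if affect["ref"] not in seen:
                    entry["affects"].append(affect)
                    seen.add(affect["ref"])
    return {"vulnerabilities": sorted(merged.values(), key=lambda v: v["id"])}


def scan_in_chunks(sbom: dict, scan: Callable[[dict], dict],
                   max_components: int = MAX_COMPONENTS) -> dict:
    """Chunk, scan every chunk with `scan`, and merge. `scan` is the seam where
    a real ScanSbom request (via the AWS SDK) would be made."""
    return merge_scan_results(scan(chunk) for chunk in chunk_sbom(sbom, max_components))


# Constructed sample SBOM: 5 components sharing one metadata block.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "container", "name": "large_image:latest"}},
    "components": [
        {"type": "library", "name": f"pkg{i}", "version": "1.0",
         "bom-ref": f"pkg:generic/pkg{i}@1.0"}
        for i in range(5)
    ],
}

# Constructed stand-in for the scanner: two components share one placeholder finding,
# which lands in different chunks so the merge step has something to reconcile.
FAKE_FINDINGS = {
    "pkg:generic/pkg1@1.0": "PLACEHOLDER-VULN-A",
    "pkg:generic/pkg3@1.0": "PLACEHOLDER-VULN-A",
}


def fake_scan(chunk: dict) -> dict:
    """Hypothetical scanner returning a CycloneDX-style `vulnerabilities` list."""
    vulns: Dict[str, dict] = {}
    for comp in chunk["components"]:
        vid = FAKE_FINDINGS.get(comp["bom-ref"])
        if vid:
            vulns.setdefault(vid, {"id": vid, "affects": []})["affects"].append(
                {"ref": comp["bom-ref"]})
    return {"vulnerabilities": list(vulns.values())}


def run_demo(max_components: int = 2) -> dict:
    """Scan the sample SBOM in chunks of `max_components` and return the merged result."""
    return scan_in_chunks(SAMPLE_SBOM, fake_scan, max_components)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

With a chunk size of 2 the sample splits into three requests (2, 2 and 1 components), the placeholder finding is reported once from chunk one and once from chunk two, and the merged output lists it a single time with both affected refs. The same chunking applies unchanged at the real 2000 or 5000 limit; only `MAX_COMPONENTS` and the injected scanner differ.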