OC3 registrations are now open! Join the premier event for confidential computing online or in Berlin on March 27.

My favorite tools to keep a zero vulnerabilities posture for Constellation

Blog

My favorite tools to keep a zero vulnerabilities posture for Constellation

Fabian Kammel


Constellation, our Confidential Kubernetes engine, is now open source. Check it out on GitHub or say Hi on Discord.

In our last post, we explored how Software Bill of Materials (SBOMs) provide us with a transparent view of all dependencies in Constellation. In this post, we explore how we can use this information to continuously monitor vulnerabilities and upgrade to patched versions as soon as they are available.


Grype


Grype is a vulnerability scanner for container images and filesystems. It supports reading SBOMs we've previously generated with Syft. Grype is great for engineers working on Constellation to get the latest vulnerability information.


Dependency Track


Dependency Track is a mature vulnerability detection and management system. It is used by many enterprises to keep track of vulnerabilities in their used applications and helps to manage risk in a transparent manner.

Constellation makes it easy for users to get all information right into Dependency Track, using the SBOMs we publish with each release.


Add Constellation CLI as a project in Dependency Track.


Since Dependency Track only supports CycloneDX, we need to convert the SBOM from SPDX to CyloneDX first.

Afterward, we can simply create a new project in Dependency Track and import the converted SBOM.



The first vulnerability is a false positive, where a vulnerability for the v3 package is reported for the v2 version. This was fixed in some, but not all vulnerability databases.

The K8s-related versions are already fixed in Constellation since we have upgraded to the K8s patch version v1.24.6.

Make sure to also import all Constellation container images into Dependency Track to get the full view!


Conclusion


Scanning and analyzing SBOMs is essential for us and our users to stay informed about known vulnerabilities in Constellation and update as soon as possible!

Follow Edgeless Systems, to learn why we also sign our SBOMs using Cosign, in our next post!


Author: Fabian Kammel


Related reading

View all