|
| 1 | +| | | |
| 2 | +| :----------- | :------------------------------ | |
| 3 | +| Feature Name | Multi-Scan | |
| 4 | +| Start Date | 6 November 2025 | |
| 5 | +| Category | Architecture | |
| 6 | +| RFC PR | [fill this in after opening PR] | |
| 7 | +| State | **ACCEPTED** | |
| 8 | + |
| 9 | +# Summary |
| 10 | + |
| 11 | +[summary]: #summary |
| 12 | + |
| 13 | +Support multiple scanning tools. |
| 14 | + |
| 15 | +# Motivation |
| 16 | + |
| 17 | +[motivation]: #motivation |
| 18 | + |
| 19 | +We want to add support for multiple scanning tools (such as grype) in order to enrich the vulnerability reports, making it more complete and accurate. |
| 20 | + |
| 21 | +This will also allow us to be less vendor centric, since we are currently relying only on trivy to generate SBOMs and scan for vulnerabilities. |
| 22 | + |
| 23 | +## Examples / User Stories |
| 24 | + |
| 25 | +[examples]: #examples |
| 26 | + |
| 27 | +### User story 1 |
| 28 | + |
| 29 | +As a user, I want to make use of KEV and the EPSS score (which are currently provided by grype) to prioritize vulnerability remediation efforts. |
| 30 | + |
| 31 | +# Detailed design |
| 32 | + |
| 33 | +[design]: #detailed-design |
| 34 | + |
| 35 | +## Scan |
| 36 | + |
| 37 | +For the multiscan feature, we are going to double the following operations: |
| 38 | + |
| 39 | +* sbom generation |
| 40 | + |
| 41 | +* sbom scan |
| 42 | + |
| 43 | +This will let grype to generate its own report, so that we can then compare and merge with the one obtained with trivy. |
| 44 | + |
| 45 | +Since grype and trivy are different tools, we must to take care about their scan processes, synchronizing their flows, to be able to analyze and merge the results. |
| 46 | + |
| 47 | +This will require a synchronization mechanism to allow both of them to generate and scan SBOMs. To achieve this, we must set a timeout for their execution and define a default tool from which to take the results. In this case, we can adopt the following logic to avoid starvation: |
| 48 | + |
| 49 | +``` |
| 50 | +if trivy fails: |
| 51 | + return error |
| 52 | +if grype fails: |
| 53 | + return trivy.result |
| 54 | +if trivy succed && grype succed: |
| 55 | + return trivy.result and grype.result |
| 56 | +``` |
| 57 | + |
| 58 | +## Merge |
| 59 | + |
| 60 | +The second phase, of the multiscan process, is about merging results. |
| 61 | + |
| 62 | +We already have defined our own `VulnerabilityReport` format [here](./0004_vulnerability_report.md). Starting from here, we are going to enrich the struct with information that are exclusively provided by `grype`: |
| 63 | + |
| 64 | +* `kev` is a list of known exploits from the CISA KEV dataset. |
| 65 | + |
| 66 | +* `epss` is a list of Exploit Prediction Scoring System (EPSS) scores for the vulnerability. |
| 67 | + |
| 68 | +# Drawbacks |
| 69 | + |
| 70 | +[drawbacks]: #drawbacks |
| 71 | + |
| 72 | +<!--- |
| 73 | +Why should we **not** do this? |
| 74 | +
|
| 75 | + * obscure corner cases |
| 76 | + * will it impact performance? |
| 77 | + * what other parts of the product will be affected? |
| 78 | + * will the solution be hard to maintain in the future? |
| 79 | +---> |
| 80 | + |
| 81 | +# Alternatives |
| 82 | + |
| 83 | +[alternatives]: #alternatives |
| 84 | + |
| 85 | +<!--- |
| 86 | +- What other designs/options have been considered? |
| 87 | +- What is the impact of not doing this? |
| 88 | +---> |
| 89 | + |
| 90 | +# Unresolved questions |
| 91 | + |
| 92 | +[unresolved]: #unresolved-questions |
| 93 | + |
| 94 | +<!--- |
| 95 | +- What are the unknowns? |
| 96 | +- What can happen if Murphy's law holds true? |
| 97 | +---> |
0 commit comments