Grype - Vulnerability scanner for container images and filesystems.

Now here is why you need Grype: You believe your Linux system is 100% secure, it is not. Why is there not a tool like this for Windows? Yes, they do not want you to know.

Anyways in Linux you will atleast find one problem from Google™, way back in 2015 in GoLang, so I threw it out completely.

The other problem is LibreOffices Java, so my recommendation is just simply remove LibreOffice completely and replace it with FreeOffice2021.

Now I decided to install Grype it on its default path, because this is just a test system I am using. It contains no data of personal value and is easily restored when needed.

Grype Features:

Scan the contents of a container image or filesystem to find known vulnerabilities. By default, Grype automatically manages this database for you. Grype checks for new updates to the vulnerability database to make sure that every scan uses up-to-date vulnerability information.

For normal usage, there is no need for users to manage Grype's database! Grype manages its database behind the scenes. However, for users that need more control, Grype provides options to manage the database more explicitly.

Find vulnerabilities for major operating system packages:

• Alpine
• Amazon Linux
• BusyBox
• CentOS
• Debian / LMDE5
• Distroless
• Oracle Linux
• Red Hat (RHEL)
• Ubuntu / Linux Mint

Find vulnerabilities for language-specific packages:

• Ruby (Gems)
• Java (JAR, WAR, EAR, JPI, HPI)
• JavaScript (NPM, Yarn)
• Python (Egg, Wheel, Poetry, requirements.txt/setup.py files)
• Dotnet (deps.json)
• Golang (go.mod)
• PHP (Composer)
• Rust (Cargo)
• Supports Docker, OCI and Singularity image formats.
• Consume SBOM attestations.

Now the not so good part:

It only finds "known" as in reported vulnerabilities from sources like:

• Alpine Linux SecDB: https://secdb.alpinelinux.org/
• Amazon Linux ALAS: https://alas.aws.amazon.com/AL2/alas.rss
• RedHat RHSAs: https://www.redhat.com/security/data/oval/
• Debian Linux CVE Tracker: https://security-tracker.debian.org/tracker/data/json
• Github GHSAs: https://github.com/advisories
• National Vulnerability Database (NVD): https://nvd.nist.gov/vuln/data-feeds
• Oracle Linux OVAL: https://linux.oracle.com/security/oval/
• RedHat Linux Security Data: https://access.redhat.com/hydra/rest/securitydata/
• Suse Linux OVAL: https://ftp.suse.com/pub/projects/security/oval/
• Ubuntu Linux Security: https://people.canonical.com/~ubuntu-security/

Most problems are in Python Pillow for now, but you should really install this as well as others I recommended to secure your system.

Grype is not available in Debian 11 "Bullseye" repository nor LMDE5 repository.

How to install:

First download grype and install it via a terminal window:

curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin

Press Enter.

I will be installed here:

/usr/local/bin/grype

How to use it:

To do a complete scan of your system:

grype dir:/

Press Enter.

Note: It will not be able to scan some parts that are encrypted.

There are commands to exclude dirs and ignore vulnerabilities not patched, but I think you would want to know, right ?

You can learn more at the developers site...

►Developers website