[P1BIGROCKS-2759] Provide Mechanism to obtain CVEs in Big Bang Packages / Release Notes
[P1BIGROCKS-2759](https://jira.il2.dso.mil/browse/P1BIGROCKS-2759)
## Problem Statement
Iron Bank currently runs scanners to analyze images for vulnerabilities. The scanners capture vulnerabilities in dependencies well, but sometimes miss vulnerabilities in the packaged application itself.
Examples:
- Keycloak - https://nvd.nist.gov/vuln/detail/CVE-2021-4133 - did not show up in Anchore/Twistlock scans
- Kibana - https://nvd.nist.gov/vuln/detail/CVE-2022-23707 - did not show up in Anchore/Twistlock scans
## Proposal
Using a high-level list of each package's CPEs or SBOM, a tool like [Grype](https://github.com/anchore/grype) can be used to search for open vulnerabilities. Alternatively, the [NIST CVE API](https://nvd.nist.gov/developers/vulnerabilities) could be used to query each application by its CPE for vulnerabilities.
Additional metadata for each package can be added to its Chart.yaml if needed (e.g. CPE).
It may make sense to have BBCTL perform the lookup.
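As an added illustration of the CPE-based lookup path (example code, not part of this ticket or of bbctl): it reads a CPE from a Chart.yaml annotation, builds the NVD CVE API 2.0 query for that CPE, and flattens the response into a JSON-friendly per-package report. The annotation key `bigbang.dev/cpe`, the Keycloak CPE value, and the NVD response content are assumptions constructed for the example; only the API endpoint and response shape are real.

```python
import json
import urllib.parse
import urllib.request
NVD_API = "https://services.nvd.nist.gov/rest/json/cves/2.0"
CPE_ANNOTATION = "bigbang.dev/cpe"  # assumed annotation key, not an existing Big Bang convention

# Constructed sample: a Chart.yaml already parsed into a dict; the CPE value is illustrative
SAMPLE_CHART = {"name": "keycloak", "version": "0.0.0-bb.0",
                "annotations": {CPE_ANNOTATION: "cpe:2.3:a:keycloak:keycloak:15.0.2:*:*:*:*:*:*:*"}}
# Constructed sample in the shape of an NVD CVE API 2.0 response (placeholder CVE ids and scores)
SAMPLE_NVD_RESPONSE = {"totalResults": 2, "vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001", "published": "2022-01-01T00:00:00.000",
             "descriptions": [{"lang": "en", "value": "constructed: improper authorization"}],
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]}}},
    {"cve": {"id": "CVE-0000-0002", "published": "2021-06-01T00:00:00.000",
             "descriptions": [{"lang": "en", "value": "constructed: information disclosure"}],
             "metrics": {"cvssMetricV2": [{"cvssData": {"baseScore": 5.0}, "baseSeverity": "MEDIUM"}]}}}]}

def chart_cpe(chart):
    """Return the package CPE recorded in the chart's annotations, or None if it has none."""
    return chart.get("annotations", {}).get(CPE_ANNOTATION)

def nvd_query_url(cpe):
    """Build the NVD 2.0 query for every CVE whose configurations match this exact CPE name."""
    return NVD_API + "?" + urllib.parse.urlencode({"cpeName": cpe})

def fetch_nvd(cpe):
    """Live lookup (the offline sample does not call it); NVD rate-limits unauthenticated callers."""
    with urllib.request.urlopen(nvd_query_url(cpe), timeout=30) as resp:
        return json.load(resp)

def summarize(chart, nvd_response):
    """Flatten an NVD response into a per-package report, highest CVSS score first."""
    findings = []
    for item in nvd_response.get("vulnerabilities", []):
        cve, metrics = item["cve"], item["cve"].get("metrics", {})
        score, severity = None, "UNKNOWN"
        for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):  # prefer the newest CVSS version
            if metrics.get(key):
                m = metrics[key][0]
                score = m["cvssData"].get("baseScore")
                severity = m["cvssData"].get("baseSeverity") or m.get("baseSeverity", "UNKNOWN")  # v2 keeps it outside cvssData
                break
        desc = next((d["value"] for d in cve.get("descriptions", []) if d["lang"] == "en"), "")
        findings.append({"cve": cve["id"], "score": score, "severity": severity,
                         "published": cve.get("published"), "description": desc})
    findings.sort(key=lambda f: -(f["score"] or 0))
    return {"package": chart["name"], "chartVersion": chart["version"], "cpe": chart_cpe(chart),
            "vulnerabilityCount": len(findings), "vulnerabilities": findings}
```

Running `summarize` over each package's chart and NVD response, then `json.dumps` on the collected reports, gives the aggregated JSON output described in the acceptance criteria.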
## Acceptance
- Mechanism to automatically look up and aggregate the CPE(s)/SBOMs for each package in a Big Bang release
- Mechanism to use CPEs or SBOM to discover current vulnerabilities. This process needs to be very easy for an end customer to use
- Vulnerability report should be easily consumable (e.g. JSON formatted, intuitive)
- Process should be documented