Integrate SBOM generation and handling
Background
To improve our operational security we need to know all the "known" vulnerabilities of all our running software.
CycloneDX
A standard for exchanging vulnerability-related information.
SBOM
Software Bill of Materials. An abstract list of all the components within a piece of software.
VEX
Vulnerability Exploitability Exchange. Describes the exploitability of a known vulnerability within a piece of software. Example: a vulnerability describes a code injection via the software configuration. If a configuration change needs the same access level as changing the software itself, this vulnerability gives no additional exploitability and can be ignored in that context. These classifications need to be done by a software developer, so it makes sense to maintain them along with the software itself.
Dependency Track
A central management application for keeping an overview of all known risks.
Goal
Upload an SBOM and the VEX file along with the deployment of the artifact itself.
Generation of the SBOM-File
The SBOM file needs to contain the list of dependencies actually used in the application. Some generic scanners promise to distill that information magically out of a Docker image, but the results are not reliable.
Maven Dependencies
There is a Maven plugin available for generating a BOM file of the Java dependencies. It can be executed without modifying the pom file itself:
mvn org.cyclonedx:cyclonedx-maven-plugin:2.7.4:makeBom
On a multi-module project, it needs to be executed within the module that builds the deployment artifact (the binary to install).
The BOM file will be found at target/bom.json. It contains only the Java packages used in the binary.
Yarn Dependencies
Trivy can read a yarn.lock file and generate an SBOM file out of it.
There is an official Docker image from Trivy: aquasec/trivy:0.37.3
/usr/local/bin/trivy fs --format cyclonedx <PATH_TO_YARN_LOCK> --output <PATH_TO_OUTPUT_FILE>
Further Processing of SBOM-Files
There is a Docker image with tools for handling SBOM files. It contains cyclonedx-cli and a simple JSON uploader for Dependency Track: git.panter.ch:5001/open-source/dependency-track-uploader:dtrackuploader-v0.1.1
Merging 2 SBOM-Files
Using that tool you can easily merge two SBOM files:
/cyclonedx merge --input-files backend/dist/bom.json frontend/dist/bom.json --output-file merged.json
Uploading SBOM and VEX-File to Dependency Track
The upload needs an authentication key (${DT_KEY}). It can be configured in the UI of Dependency Track. The project name needs to be filled in. If the project does not already exist in Dependency Track, it will be created on the first upload. The deployment URL is filled in instead of the application version:
/dtrackuploader https://dep.panter.dev/ ${DT_KEY} upload PROJECT ${ROOT_URL} merged.json vex.json
The VEX file is technically optional, but it makes no sense not to maintain one (without it there will be too many alarms in the end).
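To show what the VEX file does for the alarms (the exploitability classification described under VEX above), here is an added Python example that is not part of this page's tooling: it loads a constructed CycloneDX SBOM and a constructed VEX file and separates the vulnerabilities that still need attention from those an accepted VEX statement silences, and also flags VEX entries that refer to components no longer in the SBOM. The rule that a not_affected statement must carry a justification is a local policy assumed here, not a Dependency Track requirement.

```python
import json

# Constructed sample SBOM (CycloneDX JSON, the shape the Maven plugin and trivy
# emit); not output from a real project.
SBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
  {"bom-ref": "pkg:maven/org.example/app-core@1.2.0", "type": "library",
   "name": "app-core", "version": "1.2.0"},
  {"bom-ref": "pkg:npm/left-pad@1.3.0", "type": "library",
   "name": "left-pad", "version": "1.3.0"}]}"""

# Constructed VEX file (CycloneDX "vulnerabilities" section) as a developer
# would maintain it next to the software; the ids are placeholders.
VEX_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.4", "vulnerabilities": [
  {"id": "EXAMPLE-0001", "affects": [{"ref": "pkg:maven/org.example/app-core@1.2.0"}],
   "analysis": {"state": "not_affected", "justification": "requires_configuration",
                "detail": "Changing the config needs the same access as replacing the binary."}},
  {"id": "EXAMPLE-0002", "affects": [{"ref": "pkg:npm/left-pad@1.3.0"}],
   "analysis": {"state": "in_triage"}},
  {"id": "EXAMPLE-0003", "affects": [{"ref": "pkg:npm/left-pad@1.3.0"}],
   "analysis": {"state": "not_affected"}},
  {"id": "EXAMPLE-0004", "affects": [{"ref": "pkg:npm/no-longer-shipped@0.0.1"}],
   "analysis": {"state": "not_affected", "justification": "code_not_reachable"}}]}"""

# Analysis states that suppress an alarm once the statement is accepted.
SILENCED_STATES = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}


def load_bom(text):
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return bom


def triage(sbom_text, vex_text):
    """Return (open, silenced, stale) lists of vulnerability ids: open ones still
    need attention, silenced ones carry an accepted VEX statement, stale ones
    reference a component that is not in the SBOM any more.
    Local policy (assumption): 'not_affected' needs a justification to be accepted."""
    refs = {c["bom-ref"] for c in load_bom(sbom_text).get("components", [])}
    open_ids, silenced, stale = [], [], []
    for vuln in load_bom(vex_text).get("vulnerabilities", []):
        if not {a["ref"] for a in vuln.get("affects", [])} & refs:
            stale.append(vuln["id"])
            continue
        analysis = vuln.get("analysis", {})
        state = analysis.get("state", "in_triage")
        accepted = state in SILENCED_STATES and (
            state != "not_affected" or bool(analysis.get("justification")))
        (silenced if accepted else open_ids).append(vuln["id"])
    return open_ids, silenced, stale
```

Running triage(SBOM_JSON, VEX_JSON) on the constructed input leaves EXAMPLE-0002 and EXAMPLE-0003 open, silences EXAMPLE-0001 and reports EXAMPLE-0004 as stale, which is the kind of review worth doing before every upload.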
Disabling a Deployment after shutdown of the environment
When a deployment is no longer active it needs to be disabled, so that the project is hidden in the UI of Dependency Track:
/dtrackuploader https://dep.panter.dev/ ${DT_KEY} disable PROJECT ${ROOT_URL}