Journey and quick overview related to SBOM (Software Bill of Materials) to highlight why it matters related to supply chain attacks.
Big overview related to SBOM by CISA
Why SBOMs matter
Software Bill of Materials (SBOM) is a detailed inventory of all the software components used in a particular product or application, including the dependencies between them. It is increasingly being recognized as an essential component of software development and supply chain management.
Here are some reasons why SBOMs are important:
- Preventing supply chain attacks: SBOMs can help prevent supply chain attacks by allowing to track and manage software components more effectively. With an SBOM, identification of vulnerabilities in their software supply chain and take steps to mitigate them. For example, if a particular software component has a known vulnerability, you could quickly identify all the products that use that component and take action to patch or replace it (remember Log4Shell?)
- Enhancing transparency: SBOMs can enhance transparency in the software supply chain. By providing a detailed inventory of all the software components used in a particular product or application, SBOMs can help to ensure that they are using only authorized software components and reduce the risk of using unapproved, wrong licenses, or potentially malicious components.
- Improving maturity with open source dependencies: Open source software is now an essential part of software development, and managing open source dependencies is critical to building secure and reliable software. With an SBOM, identify and track open source dependencies is more effectively, making it easier to manage licenses and vulnerabilities associated with those dependencies.
- Meeting compliance requirements: Many industries and governments have compliance requirements for software development and supply chain management like in the US and similar cases are expected for the EU. SBOMs can help to meet these requirements by providing a detailed inventory of all the software components used in a particular product or application.
In summary, SBOMs are essential in preventing supply chain attacks, enhancing transparency in the software supply chain, improving maturity with open source dependencies, and meeting compliance requirements. By providing a detailed inventory of software components and their dependencies, organizations can make more informed decisions about software development and supply chain management, ultimately leading to more secure and reliable software.
SBOM CLI
Within Docker, there is a dedicated CLI command for creating an SBOM based on a specific image. In short, the docker sbom
The CLI command helps retrieve the dependency details, version, and type, and also covers Python PyPi packages, for example. The SBOM can then be used to feed a dependency checking tool or a scanner to get insight into possible bugs in the image.
In action it looks like this:
┌──(benji㉿kali)-[~]
└─$ docker sbom nginx
Syft v0.43.0
✔ Loaded image
✔ Parsed image
✔ Cataloged packages [150 packages]
NAME VERSION TYPE
adduser 3.134 deb
apt 2.6.1 deb
base-files 12.4+deb12u2 deb
base-passwd 3.6.1 deb
bash 5.2.15-2+b2 deb
bsdutils 1:2.38.1-5+b1 deb
ca-certificates 20230311 deb
coreutils 9.1-1 deb
curl 7.88.1-10+deb12u4 deb
dash 0.5.12-2 deb
debconf 1.5.82 deb
debian-archive-keyring 2023.3+deb12u1 deb
debianutils 5.7-0.5~deb12u1 deb
diffutils 1:3.8-4 deb
dpkg 1.21.22 deb
e2fsprogs 1.47.0-2 deb
findutils 4.9.0-4 deb
fontconfig-config 2.14.1-4 deb
fonts-dejavu-core 2.37-6 deb
gcc-12-base 12.2.0-14 deb
gettext-base 0.21-12 deb
gpgv 2.2.40-1.1 deb
grep 3.8-5 deb
gzip 1.12-1 deb
hostname 3.23+nmu1 deb
init-system-helpers 1.65.2 deb
libabsl20220623 20220623.1-1 deb
libacl1 2.3.1-3 deb
libaom3 3.6.0-1 deb
libapt-pkg6.0 2.6.1 deb
libattr1 1:2.5.1-4 deb
libaudit-common 1:3.0.9-1 deb
libaudit1 1:3.0.9-1 deb
libavif15 0.11.1-1 deb
libblkid1 2.38.1-5+b1 deb
libbrotli1 1.0.9-2+b6 deb
libbsd0 0.11.7-2 deb
libbz2-1.0 1.0.8-5+b1 deb
libc-bin 2.36-9+deb12u3 deb
libc6 2.36-9+deb12u3 deb
libcap-ng0 0.8.3-1+b3 deb
libcap2 1:2.66-4 deb
libcom-err2 1.47.0-2 deb
libcrypt1 1:4.4.33-2 deb
libcurl4 7.88.1-10+deb12u4 deb
libdav1d6 1.0.0-2 deb
libdb5.3 5.3.28+dfsg2-1 deb
libde265-0 1.0.11-1 deb
libdebconfclient0 0.270 deb
libdeflate0 1.14-1 deb
libedit2 3.1-20221030-2 deb
libexpat1 2.5.0-1 deb
libext2fs2 1.47.0-2 deb
libffi8 3.4.4-1 deb
libfontconfig1 2.14.1-4 deb
libfreetype6 2.12.1+dfsg-5 deb
libgav1-1 0.18.0-1+b1 deb
libgcc-s1 12.2.0-14 deb
libgcrypt20 1.10.1-3 deb
libgd3 2.3.3-9 deb
libgeoip1 1.6.12-10 deb
libgmp10 2:6.2.1+dfsg1-1.1 deb
libgnutls30 3.7.9-2 deb
libgpg-error0 1.46-1 deb
libgssapi-krb5-2 1.20.1-2+deb12u1 deb
libheif1 1.15.1-1 deb
libhogweed6 3.8.1-2 deb
libicu72 72.1-3 deb
libidn2-0 2.3.3-1+b1 deb
libintl 0.21 java-archive
libjbig0 2.1-6.1 deb
...
The build in command uses Syft to create the SBOM of an arbitrary image.
A SBOM alone is just a first step towards security and an improved container security.
To scan for vulnerabilities you have multiple options: