[HN Gopher] Microsoft open sources Salus software bill of materi... ___________________________________________________________________ Microsoft open sources Salus software bill of materials (SBOM) generation tool Author : gjvc Score : 70 points Date : 2022-07-15 05:07 UTC (1 days ago) (HTM) web link (devblogs.microsoft.com) (TXT) w3m dump (devblogs.microsoft.com) | DethNinja wrote: | This looks very interesting, there is definitely need for SBOM | generators that can handle multiple languages. | | Do HN got a recommendation for other CLI based SBOM generators? | | Dependency Track is too resource intensive for a small scale | company, I just need a simple CLI based SBOM generator that can | handle C++ (conan), Python and Go. | politelemon wrote: | I guess I understand it's basically an inventory? Maybe someone | could chime in with what teams are expected to do with an SBOM. | Do you do something with the output, or is it just an audit | checkbox? | er4hn wrote: | The idea is that users of software or products containing | software can understand the components in it and make informed | decisions on what to do. | | The classic example is an MRI machine at a hospital. You hear | about a bug in the Java Spring library that must be patched | asap. You need to do a complete inventory of everything in the | hospital running software to decide if it is vulnerable or not. | | When you get to the MRI machine: what OS does it run? Is it | using Java and the affected component? Is the component an | affected version? | | Asking the manufacturer for everything for every security | vulnerability is not scalable and may not result in accurate | answers. By giving the consumer more info they are more | empowered to act and make intelligent decesions. | politelemon wrote: | Oh, so it's a security lookup tool, and I imagine you'd want | a web and search interface on top of it. | | I've seen a project https://backstage.io/ of which one if its | features does something similar to what you're describing. | cmeacham98 wrote: | It's not really a security tool per-se, in that it isn't | designed exclusively for security use. Its purpose is to | concisely and completely communicate what software | components make up a project/system. You can use that | information for security/licensing/regulation | compliance/etc. | appwiz wrote: | There is an open source UI for querying based on SBOM | called DependencyTrack (https://dependencytrack.org/). | Commercial offerings exist from vendors like TideLift | (https://tidelift.com/). | kreeben wrote: | I'm confused. When would I need | "https://dependencytrack.org/"? Is it when I've | completely lost my marbles and can no longer answer the | questions "what does your app run on" and "what are your | app's dependencies"? Is the idea that I would then | download and install this "dependency tracker", hoping it | would give me a list of things I depend on, so that I | could inform the end user? What's the use case? | dlor wrote: | It's less about first-party software and more for third- | party off-the-shelf stuff you might run. For first-party | stuff SBOMs can definitely feel useless. | banana_giraffe wrote: | The idea is you feed a tool like that all of your SBOMs, | and all of the SBOMs from your vendors. Then it'll tell | you "these four widgets in your hospital are vulnerable | to a newly discovered vulnerability called 'Log4Shell', | they need to upgrade Log4j to version 2.17.0" | | There's a cottage industry forming to do this sort of | thing, mostly in the medical field, but it'll probably | spread out. | structural wrote: | It's for the end user who purchases a lot of things which | include software components to understand the total set | of software they're running and be able to ask questions | about licensing, vulnerabilities, and establish policies. | | A developer (or even administrator of a single computer | system) is not the user of something like this, | typically. | | Here's an example: | | A small manufacturing business may have a dozen different | machines. Each one has a set of software to control it, | running on a computer embedded in the machine. The | business also has a website (developed by a contractor), | a bunch of software packages purchased from different | vendors for accounting, inventory, payroll and | scheduling. They probably have some internal home-grown | tools too. | | 1. A new remotely exploitable CVE is announced in a | widely-used open source library. Is the company | vulnerable to it? Anywhere? | | If each one of the pieces of software was delivered with | a SBOM along with the actual code, you can use tools like | this to look at this globally. It starts to make more | sense at the scale of "all the software in the business" | is provided by tens to hundreds of different vendors or | teams that not only don't communicate with each other but | also don't even know that the others exist. | kreeben wrote: | Is lying about your dependencies unheard of, in this | scenario? | er4hn wrote: | Before the government SBOM standard that kicked all this | off was finalized, I'd asked about this and related items | such as reproducible builds. The response I got is that | getting honest information out of vendors would be a huge | step forward for end customers. Being able to validate | that information would require a lot more work. Things | like SLSA levels 3+4 (https://slsa.dev/spec/v0.1/levels) | go further to prevent lying, at least in situations where | all the code can be compiled by third parties. | bzxcvbn wrote: | It's probably a good plan to take a look at the US executive | order that spawned this move by MS | https://www.whitehouse.gov/briefing-room/presidential-action... | | > the term "Software Bill of Materials" or "SBOM" means a | formal record containing the details and supply chain | relationships of various components used in building software. | Software developers and vendors often create products by | assembling existing open source and commercial software | components. The SBOM enumerates these components in a product. | It is analogous to a list of ingredients on food packaging. An | SBOM is useful to those who develop or manufacture software, | those who select or purchase software, and those who operate | software. Developers often use available open source and third- | party software components to create a product; an SBOM allows | the builder to make sure those components are up to date and to | respond quickly to new vulnerabilities. Buyers can use an SBOM | to perform vulnerability or license analysis, both of which can | be used to evaluate risk in a product. Those who operate | software can use SBOMs to quickly and easily determine whether | they are at potential risk of a newly discovered vulnerability. | A widely used, machine-readable SBOM format allows for greater | benefits through automation and tool integration. The SBOMs | gain greater value when collectively stored in a repository | that can be easily queried by other applications and systems. | Understanding the supply chain of software, obtaining an SBOM, | and using it to analyze known vulnerabilities are crucial in | managing risk. | formerly_proven wrote: | Some places require sign-off by legal for every (transitive) | dependency. Less draconically, you really ought to have that | list so you can check whether you're exposed to any licensing | obligations that you don't want and if you are meeting other | license terms (e.g. attribution). If the list is hard to | create, that's a strong hint you don't know what code you're | actually running. | klysm wrote: | I definitely see the value in having a big list of deps. Just to | have an ideal of what's going stale. Especially in repos with | multiple languages. ___________________________________________________________________ (page generated 2022-07-16 23:00 UTC)