[HN Gopher] Microsoft open sources Salus software bill of materi...
___________________________________________________________________
Microsoft open sources Salus software bill of materials (SBOM)
generation tool
Author : gjvc
Score : 70 points
Date : 2022-07-15 05:07 UTC (1 days ago)
(HTM) web link (devblogs.microsoft.com)
(TXT) w3m dump (devblogs.microsoft.com)
| DethNinja wrote:
| This looks very interesting, there is definitely need for SBOM
| generators that can handle multiple languages.
|
| Does HN have a recommendation for other CLI-based SBOM generators?
|
| Dependency Track is too resource intensive for a small scale
| company, I just need a simple CLI based SBOM generator that can
| handle C++ (conan), Python and Go.
| politelemon wrote:
| I guess I understand it's basically an inventory? Maybe someone
| could chime in with what teams are expected to do with an SBOM.
| Do you do something with the output, or is it just an audit
| checkbox?
| er4hn wrote:
| The idea is that users of software or products containing
| software can understand the components in it and make informed
| decisions on what to do.
|
| The classic example is an MRI machine at a hospital. You hear
| about a bug in the Java Spring library that must be patched
| asap. You need to do a complete inventory of everything in the
| hospital running software to decide if it is vulnerable or not.
|
| When you get to the MRI machine: what OS does it run? Is it
| using Java and the affected component? Is the component an
| affected version?
|
| Asking the manufacturer for everything for every security
| vulnerability is not scalable and may not result in accurate
| answers. By giving the consumer more info they are more
| empowered to act and make intelligent decisions.
| politelemon wrote:
| Oh, so it's a security lookup tool, and I imagine you'd want
| a web and search interface on top of it.
|
| I've seen a project https://backstage.io/ of which one of its
| features does something similar to what you're describing.
| cmeacham98 wrote:
| It's not really a security tool per se, in that it isn't
| designed exclusively for security use. Its purpose is to
| concisely and completely communicate what software
| components make up a project/system. You can use that
| information for security/licensing/regulation
| compliance/etc.
| appwiz wrote:
| There is an open source UI for querying based on SBOM
| called DependencyTrack (https://dependencytrack.org/).
| Commercial offerings exist from vendors like TideLift
| (https://tidelift.com/).
| kreeben wrote:
| I'm confused. When would I need
| "https://dependencytrack.org/"? Is it when I've
| completely lost my marbles and can no longer answer the
| questions "what does your app run on" and "what are your
| app's dependencies"? Is the idea that I would then
| download and install this "dependency tracker", hoping it
| would give me a list of things I depend on, so that I
| could inform the end user? What's the use case?
| dlor wrote:
| It's less about first-party software and more for third-
| party off-the-shelf stuff you might run. For first-party
| stuff SBOMs can definitely feel useless.
| banana_giraffe wrote:
| The idea is you feed a tool like that all of your SBOMs,
| and all of the SBOMs from your vendors. Then it'll tell
| you "these four widgets in your hospital are vulnerable
| to a newly discovered vulnerability called 'Log4Shell',
| they need to upgrade Log4j to version 2.17.0"
|
| There's a cottage industry forming to do this sort of
| thing, mostly in the medical field, but it'll probably
| spread out.
| structural wrote:
| It's for the end user who purchases a lot of things which
| include software components to understand the total set
| of software they're running and be able to ask questions
| about licensing, vulnerabilities, and establish policies.
|
| A developer (or even administrator of a single computer
| system) is not the user of something like this,
| typically.
|
| Here's an example:
|
| A small manufacturing business may have a dozen different
| machines. Each one has a set of software to control it,
| running on a computer embedded in the machine. The
| business also has a website (developed by a contractor),
| a bunch of software packages purchased from different
| vendors for accounting, inventory, payroll and
| scheduling. They probably have some internal home-grown
| tools too.
|
| 1. A new remotely exploitable CVE is announced in a
| widely-used open source library. Is the company
| vulnerable to it? Anywhere?
|
| If each one of the pieces of software was delivered with
| a SBOM along with the actual code, you can use tools like
| this to look at this globally. It starts to make more
| sense at the scale of "all the software in the business"
| is provided by tens to hundreds of different vendors or
| teams that not only don't communicate with each other but
| also don't even know that the others exist.
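The workflow banana_giraffe and structural describe (collect every vendor's SBOM, then ask "who carries the affected component?" when an advisory lands) as an added example, not code from the thread or from Salus. The SBOMs are constructed, simplified CycloneDX-style documents; the advisory uses the thread's own Log4Shell / Log4j 2.17.0 figures and is labelled as an example.

```python
from dataclasses import dataclass

# Constructed, simplified CycloneDX-style SBOMs, one per asset the business runs.
# Real SBOMs carry much more (purls, hashes, dependency graph); only name/group/version matter here.
SBOMS = {
    "mri-machine-console": {"components": [
        {"name": "log4j-core", "group": "org.apache.logging.log4j", "version": "2.14.1"},
        {"name": "spring-core", "group": "org.springframework", "version": "5.3.10"},
    ]},
    "accounting-suite": {"components": [
        {"name": "log4j-core", "group": "org.apache.logging.log4j", "version": "2.17.1"},
    ]},
    "inventory-portal": {"components": [
        {"name": "log4j-core", "group": "org.apache.logging.log4j", "version": "2.16.0"},
        {"name": "log4j-api", "group": "org.apache.logging.log4j", "version": "2.16.0"},
    ]},
}

@dataclass(frozen=True)
class Advisory:
    name: str            # e.g. "Log4Shell", the thread's example
    group: str
    component: str
    first_affected: str  # inclusive lower bound
    fixed_in: str        # exclusive: this version and later are not affected

def parse_version(v: str) -> tuple:
    """Turn '2.17.0' into (2, 17, 0); non-numeric parts count as 0 (simplified, not full semver)."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def is_affected(version: str, adv: Advisory) -> bool:
    """True when first_affected <= version < fixed_in."""
    return parse_version(adv.first_affected) <= parse_version(version) < parse_version(adv.fixed_in)

def find_exposed_assets(sboms: dict, adv: Advisory) -> dict:
    """Return {asset: installed_version} for every asset carrying an affected component."""
    exposed = {}
    for asset, sbom in sboms.items():
        for c in sbom.get("components", []):
            if c.get("group") == adv.group and c.get("name") == adv.component and is_affected(c["version"], adv):
                exposed[asset] = c["version"]
    return exposed

# Example advisory built from the figures quoted in the thread (not an official advisory record).
LOG4SHELL = Advisory("Log4Shell", "org.apache.logging.log4j", "log4j-core", "2.0", "2.17.0")

if __name__ == "__main__":
    for asset, ver in find_exposed_assets(SBOMS, LOG4SHELL).items():
        print(f"{asset}: log4j-core {ver} -> upgrade to {LOG4SHELL.fixed_in}")
```

Run as-is it reports the MRI console and the inventory portal and stays silent about the accounting suite, which already runs a fixed release.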
| kreeben wrote:
| Is lying about your dependencies unheard of, in this
| scenario?
| er4hn wrote:
| Before the government SBOM standard that kicked all this
| off was finalized, I'd asked about this and related items
| such as reproducible builds. The response I got is that
| getting honest information out of vendors would be a huge
| step forward for end customers. Being able to validate
| that information would require a lot more work. Things
| like SLSA levels 3+4 (https://slsa.dev/spec/v0.1/levels)
| go further to prevent lying, at least in situations where
| all the code can be compiled by third parties.
| bzxcvbn wrote:
| It's probably a good plan to take a look at the US executive
| order that spawned this move by MS
| https://www.whitehouse.gov/briefing-room/presidential-action...
|
| > the term "Software Bill of Materials" or "SBOM" means a
| formal record containing the details and supply chain
| relationships of various components used in building software.
| Software developers and vendors often create products by
| assembling existing open source and commercial software
| components. The SBOM enumerates these components in a product.
| It is analogous to a list of ingredients on food packaging. An
| SBOM is useful to those who develop or manufacture software,
| those who select or purchase software, and those who operate
| software. Developers often use available open source and third-
| party software components to create a product; an SBOM allows
| the builder to make sure those components are up to date and to
| respond quickly to new vulnerabilities. Buyers can use an SBOM
| to perform vulnerability or license analysis, both of which can
| be used to evaluate risk in a product. Those who operate
| software can use SBOMs to quickly and easily determine whether
| they are at potential risk of a newly discovered vulnerability.
| A widely used, machine-readable SBOM format allows for greater
| benefits through automation and tool integration. The SBOMs
| gain greater value when collectively stored in a repository
| that can be easily queried by other applications and systems.
| Understanding the supply chain of software, obtaining an SBOM,
| and using it to analyze known vulnerabilities are crucial in
| managing risk.
| formerly_proven wrote:
| Some places require sign-off by legal for every (transitive)
| dependency. Less draconically, you really ought to have that
| list so you can check whether you're exposed to any licensing
| obligations that you don't want and if you are meeting other
| license terms (e.g. attribution). If the list is hard to
| create, that's a strong hint you don't know what code you're
| actually running.
| klysm wrote:
| I definitely see the value in having a big list of deps. Just to
| have an ideal of what's going stale. Especially in repos with
| multiple languages.
___________________________________________________________________
(page generated 2022-07-16 23:00 UTC)