Automating the Software Bill of Materials (SBOM)

We can define a Software Bill of Materials (SBOM) as a comprehensive inventory of open-source and third-party components within a codebase.

It includes component licenses, versions, and patch status to assess security and license risks. This concept draws inspiration from manufacturing, where product inventory lists are vital. Like an automotive Bill of Materials, an SBOM helps identify and address issues in software components efficiently.

Organizations need SBOMs due to security breaches, prompting cybersecurity guidelines. While initially aimed at government entities, the Executive Order on Improving the Nation’s Cybersecurity briefed on 2021 emphasized securing the US government, but influenced later on all types of organizations. The key directives include developing new security standards, maturing SBOMs, and formalizing code testing.

For technology suppliers, preparation involves:

• Aligning with secure frameworks.
• Achieving software transparency.
• Adopting threat modeling.
• Implementing zero trust principles.

Buyers should align supply chain risk management, plan for SBOM usage, and apply zero trust to protect their environments from supply chain risks.

How to generate a Software Bill of Materials (SBOM)

Developing a Software Bill of Materials (SBOM) for your software is crucial in ensuring transparency and security within your codebase. To create an SBOM for KrakenD, you must use specific tools or commands to scan and analyze our software. Here’s a general outline of the process

1. Prepare your environment: Before generating an SBOM, ensure you have the necessary tools and dependencies installed. In the following example, we will use a Docker image of Trivy that enables SBOM scanning.

2. Execute an automated SBOM: Several tools can retrieve this list. With Trivy, you can get the list as follows:

VERSION=2.4; mkdir -p /tmp/trivy-cache;
docker run --rm -it -v /tmp/trivy-cache:/root/.cache \
    -v /var/run/docker.sock:/var/run/docker.sock \
    aquasec/trivy image --scanners vuln --format cyclonedx \
    --output /root/.cache/sbom-${VERSION}.json devopsfaith/krakend:${VERSION}

The output of this command (in the example above open /tmp/trivy-cache/sbom-2.4.json) will provide a detailed list of the components, including their names, versions, licenses, and other relevant information. Refer to Trivy documentation for the list of options. The command is used to format or export the SBOM in a standardized format CycloneDX, but it also supports SPDX (Software Package Data Exchange).

3. Store and Maintain: Store the generated SBOM in a secure and accessible location. It’s essential to keep it up-to-date as your software evolves, including whenever you upgrade the KrakenD version.

4. Act on Findings: Use the information in the SBOM to address any security or licensing issues, such as applying patches or addressing vulnerabilities in third-party components. For KrakenD components, you can always reach out to [email protected]

By following these steps and using the two specified commands, you can generate an automated SBOM that provides a comprehensive overview of your software’s components and associated attributes, facilitating better security and compliance management.