3 Aralık 2022 Cumartesi

Software Bill Of Materials - SBOM

Giriş
Açıklaması şöyle
A software bill of materials, often abbreviated as SBOM, is a list of all software components used in an application. The SBOM is made up of third-party open-source libraries, vendor-provided packages, and first-party artifacts built by the organization. You can basically see it as the full list of ingredients for your applications.
SBOM vs BOM
Açıklaması şöyle. Yani BOM özel bir pom türü. SBOM ise uygulamamız tarafından kullanılan tüm kütüphaneleri gösteren bir liste
But be careful to not confuse an SBOM with Maven’s Bill Of Materials (BOM). In Maven, a BOM is a special kind of POM file where we can centralize dependencies for an application. In most cases, these dependencies work well together and should be used as a set, like we see in BOMs used in Spring.

An SBOM is something you create next to your application, so any user or client has a uniform way to find out what your application is using under the hood.
SBOM Standartları
İki tane SBOM standardı var.
1. CycloneDX
2. SPDX 

1. CycloneDX
Açıklaması şöyle
CycloneDX is a SBOM standard from the OWASP foundation designed for application security contexts and supply chain component analysis, providing an inventory of all first-party and third-party software components. The specification is rich and extends beyond software libraries to standards such as software as a service bill of materials (SaaSBOM), Vulnerability Exploitability Exchange (VEX), and more. The CycloneDX project provides standards in XML, JSON, and Protocol Buffers, as well as a large collection of official and community-supported tools that create or interoperate with the standard.
Eğer maven plugin kullanmak istemiyorsak bir SPDX CLI TOOL FOR MAVEN  aracı ile de SBOM üretilebilir. Projenin kök dizininde şöyle yaparız
./spdx-sbom-generator
Örnek
Şöyle yaparız
<plugin>
  <groupId>org.cyclonedx</groupId>
  <artifactId>cyclonedx-maven-plugin</artifactId>
  <version>2.7.1</version>
  <executions>
    <execution>
      <phase>package</phase>
      <goals>
        <goal>makeAggregateBom</goal>
      </goals>
    </execution>
  </executions>
  <configuration>
    <projectType>library</projectType>
    <schemaVersion>1.4</schemaVersion>
    <includeBomSerialNumber>true</includeBomSerialNumber>
    <includeCompileScope>true</includeCompileScope>
    <includeProvidedScope>true</includeProvidedScope>
    <includeRuntimeScope>true</includeRuntimeScope>
    <includeSystemScope>true</includeSystemScope>
    <includeTestScope>false</includeTestScope>
    <includeLicenseText>false</includeLicenseText>
    <outputReactorProjects>true</outputReactorProjects>
    <outputFormat>all</outputFormat>
    <outputName>CycloneDX-Sbom</outputName>
  </configuration>
</plugin>
Açıklaması şöyle
You can configure the CycloneDX plugin in different ways. In this case, I bound the makeAggregateBom goal of the plugin to the package phase of Maven. After my JAR is created, the plugin will create an SBOM, taking aggregation into account. It excludes the test dependencies and releases the SBOM in both XML and JSON format in my target folder.
2. Software Package Data Exchange - SPDX
Açıklaması şöyle
The Software Package Data Exchange (SPDX) is a Linux Foundation collaborative project that provides an open standard for communicating software bill of material information, including provenance, licensing, security, and other related information. The SPDX specification is recognized as the international open standard for security, license compliance, and other software supply chain artifacts as ISO/IEC 5962:2021.
Örnek
Şöyle yaparız
<plugin>
  <groupId>org.spdx</groupId>
  <artifactId>spdx-maven-plugin</artifactId>
  <version>0.6.1</version>
  <executions>
    <execution>
      <id>build-spdx</id>
      <phase>package</phase>
      <goals>
        <goal>createSPDX</goal>
      </goals>
    </execution>
  </executions>
</plugin>





Hiç yorum yok:

Yorum Gönder

Local Snapshot Kullanmak

Örnek Şöyle yaparız <repository> <id>snapshot-repository</id> <name>Maven2 Snapshot Repository</name> &l...