One Article Review

Source: GoogleSec
Identifier: 5145917
Publication date: 2022-06-14 12:00:00 (seen: 2022-06-14 16:06:27)
Title: SBOM in Action: finding vulnerabilities with a Software Bill of Materials
Text: Posted by Brandon Lum and Oliver Chang, Google Open Source Security Team

The past year has seen an industry-wide effort to embrace Software Bills of Materials (SBOMs), a list of all the components, libraries, and modules that are required to build a piece of software. In the wake of the 2021 Executive Order on Cybersecurity, these ingredient labels for software became popular as a way to understand what's in the software we all consume. The guiding idea is that it's impossible to judge the risks of particular software without knowing all of its components, including those produced by others. This increased interest in SBOMs saw another boost after the National Institute of Standards and Technology (NIST) released its Secure Software Development Framework, which requires SBOM information to be available for software. But now that the industry is making progress on methods to generate and share SBOMs, what do we do with them?

Generating an SBOM is only one half of the story. Once an SBOM is available for a given piece of software, it needs to be mapped onto a list of known vulnerabilities to know which components could pose a threat. By connecting these two sources of information, consumers will know not just what's in their software, but also its risks and whether they need to remediate any issues.

In this blog post, we demonstrate the process of taking an SBOM from a large and critical project, Kubernetes, and using an open source tool to identify the vulnerabilities it contains. Our example's success shows that we don't need to wait for SBOM generation to reach full maturity before we begin mapping SBOMs to common vulnerability databases. With just a few updates from SBOM creators to address current limitations in connecting the two sources of data, this process is poised to become easily within reach of the average software consumer.
OSV: Connecting SBOMs to vulnerabilities

The following example uses Kubernetes, a major project that makes its SBOM available using the Software Package Data Exchange (SPDX) format, an international open standard (ISO) for communicating SBOM information. The same idea should apply to any project that makes its SBOM available, and for projects that don't, you can generate your own SBOM using the same bom tool Kubernetes created.

We have chosen to map the SBOM to the Open Source Vulnerabilities (OSV) database, which describes vulnerabilities in a format that was specifically designed to map to open source package versions or commit hashes. The OSV database excels here as it provides a standardized format and aggregates information across multiple ecosystems (e.g., Python, Golang, Rust) and databases (e.g., GitHub Advisory Database (GHSA), Global Security Database (GSD)).

To connect the SBOM to the database, we'll use the SPDX spdx-to-osv tool. This open source tool takes in an SPDX SBOM document, queries the OSV database of vulnerabilities, and returns an enumeration of vulnerabilities present in the software's declared components.

Example: Kubernetes' SBOM

The first step is to download Kubernetes' SBOM, which is publicly available and contains information on the project, dependencies, versions, and
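The mapping step described above, as an added example that is not the post's own code nor the spdx-to-osv tool: it reads package URLs (purls) out of an SPDX JSON document, builds the request body for OSV's querybatch API, and pairs the results back with the SPDX packages. The SPDX document and the OSV response are constructed samples; no network call is made.

```python
import json

# Constructed minimal SPDX 2.2 JSON document (a sample, not the Kubernetes SBOM).
# In SPDX, a purl is carried in externalRefs with referenceType "purl".
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.2", "name": "sample-sbom",
    "packages": [
        {"SPDXID": "SPDXRef-Package-a", "name": "github.com/example/liba",
         "versionInfo": "v1.2.3",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:golang/github.com/example/liba@v1.2.3"}]},
        {"SPDXID": "SPDXRef-Package-b", "name": "requests", "versionInfo": "2.25.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/requests@2.25.0"}]},
        # No purl at all: this package cannot be matched reliably and is reported as a gap.
        {"SPDXID": "SPDXRef-Package-c", "name": "vendored-thing", "versionInfo": "0.1"},
    ],
})

# Constructed OSV querybatch response; results[i] corresponds to queries[i].
# The vulnerability id is a placeholder, not a real OSV/GHSA identifier.
SAMPLE_RESPONSE = {"results": [{"vulns": [{"id": "OSV-EXAMPLE-0001"}]}, {}]}


def extract_purls(spdx_json):
    """Return ({SPDXID: purl}, [SPDXIDs that carry no purl]) from an SPDX JSON document."""
    purls, missing = {}, []
    for pkg in json.loads(spdx_json).get("packages", []):
        locs = [r["referenceLocator"] for r in pkg.get("externalRefs", [])
                if r.get("referenceType") == "purl"]
        (purls.__setitem__(pkg["SPDXID"], locs[0]) if locs else missing.append(pkg["SPDXID"]))
    return purls, missing


def build_querybatch(purls):
    """Body for POST https://api.osv.dev/v1/querybatch: one query per purl.
    The version is embedded in the purl, so no separate version field is needed."""
    return {"queries": [{"package": {"purl": p}} for p in purls.values()]}


def map_results(purls, response):
    """Pair each querybatch result with the SPDX package whose purl produced the query."""
    findings = {}
    for spdx_id, result in zip(purls, response.get("results", [])):
        vulns = [v["id"] for v in result.get("vulns", [])]
        if vulns:
            findings[spdx_id] = vulns
    return findings
```

Packages listed in `missing` are the SBOM-quality gap the post refers to: without a purl or an ecosystem-qualified name and version there is nothing precise to query, so they need manual review rather than silent omission.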
Sent: Yes
Tags: Tool, Vulnerability
Stories: Uber


The article does not appear to have been picked up again after its publication.


The article does not appear to have been picked up from an earlier one.