Software Bill Of Materials (SBOM)¶
BoostSecurity enables collecting the nested inventory of all open-source and third-party components in your project codebase.
Collecting the projects' SBOMs is as simple as configuring the BoostSecurity SBOM scanning module to the projects workflows and the inventories are generated at every commit on the projects' default branches.
In addition to reporting the inventories of components, BoostSecurity also reports on the known security vulnerabilities for these components.
Getting Started¶
The first step in enabling SBOM generation for your project is to configure the SBOM scanner. The SBOM scanner runs whenever there is a commit on the default branch and collects the components' inventory.
Note: Even if the workflow is configured to run the SBOM scanner on pull requests, the SBOM scanner does not collect components inventory on pull requests.
There are two versions of SBOM scanners available to generate the SBOMinventory, whether the inventory is to be generated from the source code repository, or from the generated container image artifact.
SBOM Scanner module from source code¶
To add the SBOM scanner to the workflow to collect the inventory from the source code, add a workflow yaml file with the following configuration:
GitHub Actions
```yml
name: BoostSecurity
on:
workflow_dispatch:
push:
branches:
- main
- master
jobs:
boost-sbom:
name: SBOM
if: github.event_name != 'pull_request'
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v2
- name: Upload SBOM
-
uses: boostsecurityio/boostsec-scanner-github@v4
with:
registry_module: boostsecurityio/trivy-sbom
api_token: ${{ secrets.BOOST_API_TOKEN }}
```
On the next commit, the BoostSecurity SBOM scanner will collect the components inventory.
SBOM Scanner module for container images¶
Components inventories can also be generated from container images. When generating the SBOM from container images, operating systems packages, as well as other components pulled from dependencies, can be reported. To add the SBOM scanner to the workflow to collect the inventory from the container images, add the BoostSecurity scanner module in the workflow after the image generation step. For example:
GitHub Actions
```yml
on:
workflow_dispatch:
push:
branches:
- main
jobs:
boost-image-sbom:
name: Boost Container
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
### In this step here you would build
### your container image
### the step here is just an example
- name: Build Image example
run: docker build . -t <your image name>
- name: Run Boot Trivy SBOM for Image
uses: boostsecurityio/boostsec-scanner-github@v4
env:
BOOST_IMAGE_NAME: <your image name>
with:
registry_module: boostsecurityio/trivy-sbom-image
api_token: ${{ secrets.BOOST_API_TOKEN }}
```
SBOM for multiple container images per repository¶
When configuring the workflow to scan container images, as described above, the image inventory is associated with the project. But in some cases, a repository might produce multiple container images, for example, in the case of a mono repository.
In that case, the scanner module can be configured to associate a label to the SBOM inventory produced for each individual container image.
When doing so, the SBOM service tracks and reports the inventory for each image. An example of workflow configuration is as follows
GitHub Actions
```yml
on:
workflow_dispatch:
push:
branches:
- main
jobs:
boost-image-sbom:
name: Boost Container
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
### In this step here, you would build
### your container image
### the step here is just an example
- name: Build first Image example
run: .... image building for first image .....
- name: Run Boot Trivy SBOM for Image - asset 1
uses: boostsecurityio/boostsec-scanner-github@v4
env:
BOOST_IMAGE_NAME: <your first image name>
with:
api_token: ${{ secrets.BOOST_API_TOKEN }}
registry_module: boostsecurityio/trivy-sbom-image
scan_label: <first image label>
- name: Build second Image example
run: .... image building for second image .....
- name: Run Boot Trivy SBOM for Image - asset 2
uses: boostsecurityio/boostsec-scanner-github@v4
env:
BOOST_IMAGE_NAME: <your second image name>
with:
api_token: ${{ secrets.BOOST_API_TOKEN }}
registry_module: boostsecurityio/trivy-sbom-image
scan_label: <second image label>
```
The additional argument scan_label sets the label for the SBOM inventory on the specific asset. In the SBOMservice projects list view, the project name for that asset's inventory is <organization>/<repository>/<label>
. Labels can be used for mono repositories generating multiple container images to generate SBOM inventories for each container images in the repository.
Accessing the projects' SBOM¶
To access the SBOM service, select SBOM from the application's sidebar, in the BoostSecurity dashboard. From the main SBOM view, the list of projects and their detected vulnerabilities, as well as the account-wide view, are provided.
Account Summary¶
The first section of the SBOM view is the account summary. The overall number of vulnerabilities per level is provided, i.e., the overall number of vulnerabilities across all projects and third-party components in the account. The SBOM document can be downloaded in either Cyclonedx or Spdx format, for the account, from the account summary. The account summary SBOM documents contain the inventory of all components across all projects in the account.
Projects specific summary¶
The projects summary section provides a projects based posture, providing the number of vulnerabilities summary
- Per severity level
- Per project for all projects in the account
The project-specific SBOM document can be downloaded in either the Cylonedx or Spdx format for any project from that section.
The projects are presented in descending order of vulnerability severities.
Note: The search area can be used to search for a project by name keyword across all projects in the account.
Packages view¶
The Packages view provides a quick way to find all packages and third-party components included across all projects in the account. The Packages view is accessed by selecting SBOM from the application's sidebar and the Packages tab.
The packages are presented in decreasing order of number and severity of vulnerabilities. For each package, the following are provided:
- The number and severity of vulnerabilities are provided
- Number of repositories in the account, that includes the package.
Note: The search area can be used to search for a package by name or vulnerability id.
The vulnerability details can be viewed for each package by selecting the Vulnerabilities
button. The list of vulnerabilities is presented, including the
- Vulnerability ID
- Severity
- Advisory
- Description
The vulnerabilities details view can be exited with "Esc".
Likewise, for each package, the list of projects, including the package, can be viewed by selecting the Repositories
button. The list of projects, including the package, is presented.
The project link can be selected from the list of projects, taking the user to the project-specific view.