Skip to content

Software Bill Of Materials

Boostsecurity enables collecting the nested inventory of all open source and third party components in your project codebase.

Collecting the projects' SBOMs is as simple as configuring the Boostsecurity SBOM scanning module to the projects workflows and the inventories are generated at every commits on the projects' default branches.

In addition to reporting the inventories of components, Boostsecurity also reports on the known security vulnerabilities for these components.

Getting Started

The first step in enabling SBOM generation for your project is to configure the SBOM scanner. The SBOM scanner runs whenever there is a commit on the default branch and collects the components' inventory.

Note: Even if the workflow is configured to run the SBOM scanner on PRs, the SBOM scanner does not collect components inventory on PRs.

There are two versions of SBOM scanners available to generate the SBOM inventory, whether the inventory is to be generated from the source code repository, or from the generated container image artifact.

SBOM Scanner module from source code

In order to add the SBOM scanner to the workflow, to collect the inventory from the source code, add a workflow yaml file with the following configuration

name: BoostSecurity
on:
  workflow_dispatch:
  push:
    branches:
      - main
      - master

jobs:
  boost-sbom:
    name: SBOM
    if: github.event_name != 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Upload SBOM
        uses: boostsecurityio/boostsec-scanner-github@v4
        with:
          registry_module: boostsecurityio/trivy-sbom
          api_token: ${{ secrets.BOOST_API_TOKEN }}

On the next commit, the Boostsecurity SBOM scanner will collect the components inventory.

SBOM Scanner module for container images

Components inventories can also be generated from container images. When generating the SBOM from container images, operating systems packages as well as other components pulled from dependencies can be reported. In order to add the SBOM scanner to the workflow, to collect the inventory from the container images, add the Boostsecurity scanner module in the workflow, after the image generation step. For example:

on:
  workflow_dispatch:
  push:
    branches:
      - main

jobs:
  boost-image-sbom:
    name: Boost Container
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      ### In this step here you would build
      ### your container image
      ### the step here is just an example
      - name: Build Image example
        run: docker build . -t <your image name>
      - name: Run Boot Trivy SBOM for Image
        uses: boostsecurityio/boostsec-scanner-github@v4
        env:
          BOOST_IMAGE_NAME: <your image name>
        with:
          registry_module: boostsecurityio/trivy-sbom-image
          api_token: ${{ secrets.BOOST_API_TOKEN }}

SBOM for multiple container images per repository

When configuring the workflow to scan container images, as described above, the image inventory is associated with the project. But in some cases, a repository might produce multiple container images. For example in the case of a mono repository. In that case, the scanner module can be configured to associate a label to the SBOM inventory produced for each individual container image.

When doing so, the SBOM service tracks and reports the inventory for each image. An example of workflow configuration is as follows

on:
  workflow_dispatch:
  push:
    branches:
      - main

jobs:
  boost-image-sbom:
    name: Boost Container
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      ### In this step here you would build
      ### your container image
      ### the step here is just an example
      - name: Build first Image example
        run: .... image building for first image .....
      - name: Run Boot Trivy SBOM for Image - asset 1
        uses: boostsecurityio/boostsec-scanner-github@v4
        env:
          BOOST_IMAGE_NAME: <your first image name>
        with:
          api_token: ${{ secrets.BOOST_API_TOKEN }}
          registry_module: boostsecurityio/trivy-sbom-image
          scan_label: <first image label>
      - name: Build second Image example
        run: .... image building for second image .....
      - name: Run Boot Trivy SBOM for Image - asset 2
        uses: boostsecurityio/boostsec-scanner-github@v4
        env:
          BOOST_IMAGE_NAME: <your second image name>
        with:
          api_token: ${{ secrets.BOOST_API_TOKEN }}
          registry_module: boostsecurityio/trivy-sbom-image
          scan_label: <second image label>

The additional argument scan_label sets the label for the SBOM inventory, on the specific asset. In the SBOM service projects list view, the project name for that asset's inventory is <organization>/<repository>/<label>. Labels can be used for mono repositories generating multiple container images, to generate SBOM inventories for each container images in the repository.

Accessing the projects' SBOM

In order to access the SBOM service, select SBOM from the application's side bar, in the Boostsecurity dashboard. From the main SBOM view, the list of projects, their detected vulnerabilities as well as the account wide view are provided. SBOM Service

Account summary

The first section of the sbom view is the account summary. The overall number of vulnerabilities per level is provided, i.e., the overall number of vulnerabilities across all projects and third party components in the account. The SBOM document can be downloaded in either cyclonedx or spdx format, for the account, from the account summary. The account summary SBOM documents contain the inventory of all components across all projects in the account. SBOM Account Wide view

Projects specific summary

The projects summary section provides a projects based posture, providing the number of vulnerabilities summary per severity level and per project, for all projects in the account. The project specific SBOM document can be downloaded in either the cylonedx or spdx format, for any project, from that section. SBOM per project view The projects are presented with descending order of vulnerabilities severities.

Note: The search area can be used to search for a project by name keyword, across all projects in the account.

Packages view

The Packages view provides a quick way to find all packages and third party components included across all projects in the account. The Packages view is accessed by selecting SBOM from the application's side bar and the Packages tab. SBOM Packages view

The packages are presented in decreasing order of number and severity of vulnerabilities. For each package, the number and severity of vulnerabilities is provided as well as the number of repositories in the account, that includes the package.

Note: The search area can be used to search for a package by name or vulerability id.

For each package, the vulnerability details can be viewed by selecting the Vulnerabilities button. The list of vulnerabilities is presented, including the vulnerability ID, severity, advisory and description. Vulnerabilities details The vulnerabilities details view can be exited with "Esc".

Likewise, for each package, the list of projects including the package, can be viewed by selecting the Repositories button. The list of projects including the package is presented. Vulnerabilities details From the list of projects, the project link can be selected, taking the user to the project specific view.