Certified Kubernetes Security Specialist (CKS)

Supply Chain Security

SBOM Workflow

In this article, we provide a clear and comprehensive guide to generating and managing a Software Bill of Materials (SBOM). This guide covers the entire process—from SBOM generation and secure storage to vulnerability scanning, detailed analysis, remediation, and continuous monitoring. Integrating these practices helps you maintain a secure, compliant software supply chain throughout the development lifecycle.

Overview of the SBOM Process

The SBOM process consists of the following key steps:

  1. Generate the SBOM.
  2. Securely store the SBOM.
  3. Scan the SBOM for vulnerabilities.
  4. Analyze the scan results.
  5. Remediate the identified issues.
  6. Continuously monitor the SBOM.

Two key formats dominate in the SBOM space: SPDX and CycloneDX.

The image illustrates an "SBOM Workflow" with steps: Generate SBOM, Store SBOM, Scan SBOM, Analyze Results, Remediate Issues, and Monitor.

Choose the format that best meets your needs:

  • Use SPDX for open-source projects and enterprises that need to demonstrate licensing compliance, trace software origins, support security audits, and manage vulnerabilities.
  • Opt for CycloneDX when the priority is vulnerability management across the software lifecycle and verifying software integrity.

The image presents a choice between two SBOM standards: SPDX and CycloneDX.

Generating an SBOM

Syft is a widely used tool for generating SBOMs. To get started, download Syft from the official site. It can catalogue the packages in container images (pulled from a registry or a local Docker daemon) as well as in local source code directories. Use the commands below as examples:

# Install Syft on Linux/macOS (pipes a remote script into sh; review it first in a locked-down environment)
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh

# Generate an SPDX SBOM for a container image; the JSON is written to stdout,
# so redirect it to a file if you want to keep it with the image
syft <image-name>:<tag> -o spdx-json

# Generate an SPDX SBOM for a source code directory
syft /path/to/source/code -o spdx-json

Once the SBOM is generated, store it in a secure repository, versioned and tied to the exact image or build it describes so that a later scan can be traced back to a specific artifact. Popular options include JFrog Artifactory, Sonatype Nexus, and GitHub Packages.

Scanning the SBOM

After storing the SBOM securely, the next step is vulnerability scanning. Grype is an excellent tool for this purpose: it reads both SPDX and CycloneDX SBOMs and matches the recorded packages against its vulnerability database, so the scan does not need the image itself. (The file scanned below is a CycloneDX JSON SBOM of the nginx image, produced with Syft's cyclonedx-json output format.) Follow these steps:

# Install Grype
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh

# Scan the stored SBOM for vulnerabilities (the sbom: prefix tells grype the
# argument is an SBOM file rather than an image or directory)
grype sbom:nginx-sbom.cyclonedx.json

The output lists every vulnerability matched against the packages recorded in the SBOM. The capture below shows the first lines of a run; here grype was pointed directly at an image rather than at a stored SBOM, so it pulls the image layers first, and it also reports that a newer vulnerability database is available:

~/code/grype main
➜  grype clshapp/qa-page | head
Vulnerability DB                                     Info update available
Pulling image                                       [5.8 MB / 56 MB]
11 Layers |

Note

Review the output carefully to understand the nature of any vulnerabilities detected. In the default table view each match shows the package name, the installed version, the version that fixes the issue (FIXED-IN, empty when no fix has been published yet), the package type, the vulnerability ID and its severity. Matches with no fix available need a different response (mitigation or a documented exception) from those you can clear by upgrading.

Analyzing Vulnerabilities

A detailed analysis of the scan results is essential for effective remediation. Below is an example JSON snippet, taken from a grype JSON report, that details a specific vulnerability (older grype releases used these field names; newer releases nest the same information under slightly different keys, but the package, constraint and severity are always present):

{
  "vulnerability": {
    "id": "CVE-2020-11724",
    "severity": "Medium",
    "links": [
      "http://security-tracker.debian.org/tracker/CVE-2020-11724"
    ]
  },
  "cvss-v2": {
    "base-score": 5,
    "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"
  },
  "matched-by": {
    "matcher": "dpkg-matcher",
    "search-key": "distro[debian 9] constraint[< 1.10.3-1+deb9u5 (deb)]"
  },
  "artifact": {
    "name": "libnginx-mod-http-xslt-filter",
    "version": "1.10.3-1+deb9u3",
    "type": "deb",
    "found-by": "dpkg-catalog"
  },
  "locations": [
    {
      "path": "/var/lib/dpkg/status",
      "layer-index": 1
    }
  ],
  "metadata": {
    "package": "libnginx-mod-http-xslt-filter",
    "source": "nginx",
    "version": "1.10.3-1+deb9u3"
  }
}

In this example, a medium-severity vulnerability (CVE-2020-11724) is found in the package libnginx-mod-http-xslt-filter (version 1.10.3-1+deb9u3). The vulnerability was flagged by the dpkg-matcher, and the search-key shows the rule it applied: on Debian 9, any version of the package below 1.10.3-1+deb9u5 is affected, so the installed 1.10.3-1+deb9u3 matches and the first version that clears the finding is 1.10.3-1+deb9u5. The locations field shows the match came from the dpkg status database in an early layer of the image, which tells you the package arrived through the base image or an early build step rather than through the application layer. Additional details can be found through the provided link.

Remediating Vulnerabilities

After analyzing the vulnerabilities, the next step is remediation. This may involve updating the affected package to a secure version (in the example above, 1.10.3-1+deb9u5 or later, typically by moving to a newer base image), replacing it with an alternative, or, when no fix exists, mitigating the exposure and recording an exception. After any change, rebuild, regenerate the SBOM and rescan so the stored SBOM reflects what actually ships.

The image outlines the SBOM process: generate, store, scan, analyze, remediate issues, and monitor, highlighting a problematic component in an app.

Warning

Ensure that remediation actions are tested in a controlled environment before deploying into production.

Continuous Monitoring and Alerts

The final step in the SBOM workflow is to establish continuous monitoring and automated alerts within your CI/CD pipelines. The vulnerability database changes even when your image does not, so rescan the stored SBOMs on a schedule rather than only at build time, regenerate the SBOM on every build, and fail the pipeline when a finding exceeds an agreed severity threshold (grype's --fail-on flag does this). This ensures that dependencies are regularly updated and that any new vulnerabilities or compliance issues are quickly addressed.
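The analysis, remediation and monitoring steps above come together in a small policy gate that a pipeline can run over a grype JSON report. The script below is an added example for this page, not code from the course or from the Anchore projects. It assumes match objects shaped like the JSON snippet in the analysis step (vulnerability.id, vulnerability.severity, matched-by.search-key carrying the version constraint, artifact.name and artifact.version); grype's field names vary between releases, so the accessors in parse_matches() are the part to adapt. The sample report is constructed: it contains the page's real finding plus two placeholder records whose CVE IDs, package names and versions are invented, and the "constraint[none (deb)]" form used for an unfixed finding is an assumption about how such a match is rendered.

```python
"""Policy gate over grype match objects (added example, see lead-in)."""
import json
import re
import sys

# Ordering used for the threshold check (mirrors grype's --fail-on levels).
SEVERITY_RANK = {"unknown": 0, "negligible": 1, "low": 2,
                 "medium": 3, "high": 4, "critical": 5}

# Extracts the first safe version from a search-key such as
# "distro[debian 9] constraint[< 1.10.3-1+deb9u5 (deb)]".
CONSTRAINT_RE = re.compile(r"constraint\[\s*<\s*([^\s\]]+)")

# Constructed sample input: the page's finding plus two placeholder records
# (their CVE IDs, package names and versions are not real).
SAMPLE_REPORT = json.dumps([
    {
        "vulnerability": {"id": "CVE-2020-11724", "severity": "Medium"},
        "matched-by": {"matcher": "dpkg-matcher",
                       "search-key": "distro[debian 9] constraint[< 1.10.3-1+deb9u5 (deb)]"},
        "artifact": {"name": "libnginx-mod-http-xslt-filter",
                     "version": "1.10.3-1+deb9u3", "type": "deb"},
    },
    {   # placeholder: High severity, fix published
        "vulnerability": {"id": "CVE-0000-0001", "severity": "High"},
        "matched-by": {"matcher": "dpkg-matcher",
                       "search-key": "distro[debian 9] constraint[< 1.0.0-2 (deb)]"},
        "artifact": {"name": "libexample1", "version": "1.0.0-1", "type": "deb"},
    },
    {   # placeholder: Critical severity, no fix yet (assumed "none" constraint)
        "vulnerability": {"id": "CVE-0000-0002", "severity": "Critical"},
        "matched-by": {"matcher": "dpkg-matcher",
                       "search-key": "distro[debian 9] constraint[none (deb)]"},
        "artifact": {"name": "example-parser", "version": "2.3.0-1", "type": "deb"},
    },
])


def fixed_version(search_key):
    """First version the constraint no longer matches, or None if no fix is known."""
    m = CONSTRAINT_RE.search(search_key or "")
    return m.group(1) if m else None


def parse_matches(report_json):
    """Flatten grype match objects into findings the gate and the plan can use."""
    findings = []
    for match in json.loads(report_json):
        vuln, art = match["vulnerability"], match["artifact"]
        findings.append({
            "id": vuln["id"],
            "severity": vuln.get("severity", "unknown").lower(),
            "package": art["name"],
            "installed": art["version"],
            "fixed_in": fixed_version(match.get("matched-by", {}).get("search-key")),
        })
    return findings


def blocking_findings(findings, fail_on="high", only_fixed=True):
    """Findings at or above fail_on. With only_fixed, unfixable findings do not
    block the build (they still need tracking), like grype's --only-fixed."""
    threshold = SEVERITY_RANK[fail_on.lower()]
    return [f for f in findings
            if SEVERITY_RANK.get(f["severity"], 0) >= threshold
            and (f["fixed_in"] is not None or not only_fixed)]


def remediation_plan(findings):
    """Package -> sorted list of versions that clear its fixable findings.
    Debian version ordering is not reimplemented here; pick the highest listed."""
    plan = {}
    for f in findings:
        if f["fixed_in"]:
            plan.setdefault(f["package"], set()).add(f["fixed_in"])
    return {pkg: sorted(vers) for pkg, vers in plan.items()}


def gate_exit_code(report_json, fail_on="high", only_fixed=True):
    """0 when the policy passes, 1 when any blocking finding remains."""
    findings = parse_matches(report_json)
    blocking = blocking_findings(findings, fail_on, only_fixed)
    for f in blocking:
        print(f"BLOCK {f['id']} {f['severity']:<8} {f['package']} "
              f"{f['installed']} -> {f['fixed_in'] or 'no fix'}")
    for f in findings:
        if f["fixed_in"] is None and f not in blocking:
            print(f"TRACK {f['id']} {f['severity']:<8} {f['package']} (no fix yet)")
    return 1 if blocking else 0


if __name__ == "__main__":
    # Usage: python sbom_gate.py [grype-matches.json] [fail-on severity]
    report = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    level = sys.argv[2] if len(sys.argv) > 2 else "high"
    sys.exit(gate_exit_code(report, fail_on=level))
```

Run without arguments to see the gate applied to the constructed sample: the placeholder High finding blocks the build and prints the version to upgrade to, the Medium nginx finding passes at the "high" threshold, and the unfixed Critical one is printed as TRACK rather than failing the job. Raising or lowering the threshold, or passing only_fixed=False, changes which findings block; the separate TRACK list is what feeds the exception register during continuous monitoring.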

The image outlines a continuous monitoring process for the SBOM, including generating, storing, scanning, analyzing, remediating, and monitoring, with automated scanning and regular updates.

By automating these processes, you maintain a proactive stance on software security and compliance throughout your software lifecycle.

Additional Resources

For more detailed information, consider exploring the following resources:

Establishing a robust SBOM workflow is essential for creating a secure and reliable software development environment. Embrace these practices to enhance the security and integrity of your software supply chain.
