-
Notifications
You must be signed in to change notification settings - Fork 30
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Investigate pre-exiting formats for storing dependency info #31
Comments
Specifically, we need to understand:
|
Dumping my notes on formats and SPDX here. Suggested requirements for data format.
Trivy creator asked Embed CPE names into binaries · Issue #76 · ossf/wg-vulnerability-disclosures (github.com) It was suggested on zulip that SPDX is likeliest SBOM format to reach wider adoption given it's backing by OpenSSF and industry. There's currently no standardized way to embed SPDX SBOMs into binaries - Embedding SPDX into binaries · Issue #739 · spdx/spdx-spec (github.com). Some concerns over embedding SPDX SBOMs are:
An example representing a binary as a SPDX File looks like
Rust support for SPDX SBOM format:
More questions to consider regarding use of SPDX in cargo-auditable: Does it actually make it easier to use the embedded data?
Is it worth using a different format at all without a resolution to
|
Re "does anyone actually use these format", both trivy and grype (the vulnerability scanning tool that works with/uses syft) are capable of reading SBOMs in multiple formats, e.g SPDX/cyclonedx. If there was a standardized section name for embedding SBOMs then cargo-auditable could use that and these tools could be updated to detect that. And without section name standardization, cargo-auditable could use SPDX, and go-rustaudit could extract the SBOM and expose the JSON for these tools to parse with their existing parsers. |
Hi, I just heard from you on the Rustacean Station podcast - really cool stuff here! :-) I've been thinking, talking and exchanging about this whole topic here for a while now, so let me add some references:
When I asked who else would be interested in the topic, I was invited to the CycloneDX Slack, where people discuss the entire SBoM topic very broadly. Maybe that's also for you. :-) Finally, I am quite involved in the oreboot firmware project, where I'm seeking to introduce SBoM as well, likely based on CycloneDX, for which there is also a Rust implementation. That shall be it for now; feel free to poke back at me should you have any further questions etc.. 🥳 |
Thanks for the links! Having SBOMs in firmware would certainly be cool! So far I've found everything not specifically designed for inclusion into binaries unsuitable, for two reasons:
I'm looking to talk to some people who have worked on the SBOM embedded in Go binaries by default. They also rolled their own JSON-based format, and perhaps we could collaborate on something more generic or at least that could be shared between the two. FWIW Syft can already convert from the |
https://github.com/google/osv-scanner supports "SPDX and CycloneDX SBOMs using Package URLs" - https://google.github.io/osv-scanner/usage/#specify-sbom As an alternative/pre-cursor for storing the dependency info in those SBOM formats, perhaps |
Syft can already perform such a conversion today. |
I've prototyped recording CycloneDX in the binaries directly, you can find the code in this branch: https://github.com/rust-secure-code/cargo-auditable/tree/record-cyclonedx This was made possible by newer CycloneDX versions that no longer require a date and serial number to be present, which enables them to be made reproducible. Recording CycloneDX results in 2x the overhead compared to the custom format. But the overhead is still consistently below 1/1000th of the size of the binary across a wide range of projects, so this is probably acceptable. I've also built a pure-Rust converter from the custom format to CycloneDX, so that anyone who needs the conversion would not need to pull in the entirety of Syft: https://github.com/rust-secure-code/cargo-auditable/tree/master/auditable2cdx |
Apparently there is a number of formats designed to encode package info already: https://gitbom.dev/glossary/sbom/
We need to check if any of them are suitable for our use case. Notably we redact some field such as git repo URLs, and also include information about enabled features, so it might not be 100% compatible.
Also, the degree of adoption of these formats needs to be understood; perhaps we should provide conversion utilities, even if we don't end up using the format internally.
The text was updated successfully, but these errors were encountered: