The Software Bill of Materials (SBOM) has become essential in application security because it provides a comprehensive list of every element within a software build. This matters because vulnerabilities often emerge in third-party or transitive dependencies, not just in the main code. An SBOM is used not only for vulnerability discovery but also to detect and understand open-source license violations in advance. By uncovering these hidden risks, an SBOM enables more effective management of potential security threats. In fact, a recent Executive Order mandates that Federal Government agencies receive an SBOM for each software product, highlighting the critical role of SBOMs in national cybersecurity.
CycloneDX is an open-source initiative focused on creating standardized formats for SBOMs. Project repositories and security-focused software need thorough checks of their dependencies. Generating SBOMs with CycloneDX simplifies this process and allows for a more comprehensive assessment of potential vulnerabilities.
This blog post is going to show you how to generate an SBOM during the build process using CycloneDX plugins. Additionally, we will scan the generated SBOM file with the OSV scanner to identify open-source vulnerabilities. We will also share the steps to implement these tools in a CI/CD pipeline to create and scan an SBOM for a Java/Kotlin Gradle project.
We use Gradle plugins specifically designed for CycloneDX to generate SBOMs within our build.gradle.kts and build.gradle files. This method streamlines SBOM creation and integrates seamlessly into our Gradle-based Java/Kotlin development workflow. It ensures efficient management of software dependencies and related security concerns. To see how this is implemented in this project, visit this GitHub link.
After adding the required plugin to our build.gradle file, as shown above, we build our project by running the command gradle cyclonedxBom in the project directory.
We suggest reviewing the CycloneDX Gradle plugin's default configuration on CycloneDX's GitHub repository before using it on your repositories. Some of the default options, such as skipProjects, exclude specified components while generating the SBOM, which can leave significant information out of the output. Check such options before using the plugin in your build so that no valuable SBOM components are missing from your output files.
OSV-scanner, a versatile command-line interface tool from Google, offers a range of capabilities, including checking for open-source vulnerabilities. Distributed under the Apache-2.0 License, it aligns with open-source principles. The tool is user-friendly and adaptable, capable of efficiently scanning for vulnerabilities. Here is an example command for SBOM files:
osv-scanner -S sbom.json --json --output result.json
This command scans the SBOM file and writes the results in JSON format, making it easy to identify and address potential security issues. Note that if any vulnerabilities are found during the scan, the tool exits with a return code of 1. If you use the OSV-scanner in a pipeline and want to prevent the pipeline from failing because of this return code, you can append the || true operator, as shown below.
osv-scanner -S sbom.json --json --output result.json || true
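The two caveats above (the plugin's skip options silently thinning the SBOM, and || true hiding every scanner failure rather than only the "vulnerabilities found" case) can both be handled with a small wrapper script in the pipeline. The script below is an added example, not code from the original post or from the CycloneDX or OSV projects; the SBOM path build/reports/bom.json, the minimum component count, and the RUN_SBOM_PIPELINE switch are assumptions. It counts purl entries in the generated SBOM as a sanity check, and it treats only exit code 1 from osv-scanner as a non-fatal "findings present" result while letting any other non-zero exit code fail the job.

```shell
#!/bin/sh
# Added example (not from the original post or from the CycloneDX/OSV projects):
# a CI helper around `gradle cyclonedxBom` and osv-scanner.
# The SBOM path, the component threshold and the RUN_SBOM_PIPELINE switch are assumptions.
set -u

# Sanity-check a generated CycloneDX JSON SBOM: count "purl" entries and fail
# if fewer than MIN are present. This catches a build where skipProjects or
# skipConfigs dropped most dependencies without anyone noticing.
# usage: check_sbom_components BOM_FILE MIN
check_sbom_components() {
  bom="$1"; min="$2"
  [ -s "$bom" ] || { echo "SBOM $bom missing or empty" >&2; return 1; }
  count=$(grep -o '"purl"' "$bom" | wc -l | tr -d ' ')
  if [ "$count" -lt "$min" ]; then
    echo "SBOM $bom lists only $count components (expected at least $min)" >&2
    return 1
  fi
  echo "SBOM $bom lists $count components"
  return 0
}

# Run osv-scanner on an SBOM. Exit code 1 means "vulnerabilities found": it is
# reported, the result file is kept for import, and the pipeline continues.
# Any other non-zero code is a tool error and is propagated, unlike `|| true`,
# which would also swallow a missing binary or an unreadable SBOM.
# usage: scan_sbom BOM_FILE RESULT_FILE [SCANNER]   (SCANNER defaults to osv-scanner)
scan_sbom() {
  bom="$1"; result="$2"; scanner="${3:-osv-scanner}"
  "$scanner" -S "$bom" --json --output "$result" && rc=0 || rc=$?
  case "$rc" in
    0) echo "no known vulnerabilities in $bom" ;;
    1) echo "vulnerabilities found in $bom, see $result" ;;
    *) echo "osv-scanner failed with exit code $rc" >&2; return "$rc" ;;
  esac
  return 0
}

# Pipeline sequence; runs only when explicitly requested so the functions
# above can also be sourced and reused by other jobs.
if [ "${RUN_SBOM_PIPELINE:-0}" = "1" ]; then
  gradle cyclonedxBom
  check_sbom_components build/reports/bom.json 10   # assumed path and threshold
  scan_sbom build/reports/bom.json result.json
fi
```

In a workflow step, run it as RUN_SBOM_PIPELINE=1 sh sbom-ci.sh; the component threshold should be set to a value a little below what a correct build of your project normally produces, so that an over-aggressive skipConfigs or skipProjects setting fails the job instead of shipping a hollow SBOM.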
Managing vulnerabilities is a critical and time-saving aspect of cybersecurity management. To import OSV scan results and the SBOM into Kondukto (see this blog post for more details), an Application Security Orchestration and Posture Management (ASPM) platform, you can use Kondukto's CLI tool called "kdt". With kdt, you can easily import vulnerabilities through your pipeline. The GitHub workflow provided below shows the integration of the tools mentioned above into a pipeline, including the steps for building, SBOM generation, scanning, and importing.
The use of SBOMs, CycloneDX plugins, OSV-scanner and a mature ASPM platform like Kondukto can greatly contribute to the security and management of your software dependencies. In combination, they allow a more comprehensive assessment of the potential vulnerabilities and security posture of your applications.