Damien Lucas
Architect
dlucasd
IDE
static analysis
pipeline
artifact registries
have an end-to-end view of what goes to production
regular vulnerability scanning
alerts configurable by severity
Emergence of SBOMs
Generation tools
Aggregation and analysis tools
The BOM universe
SolarWinds
👾 18,000 customers, 9 government agencies 👾
Loss of reputation and trust 📉
Loss of customers 👋
$40 million in losses 💲💲💲
Software supply chain: the whole set of processes and tools involved, from development to deployment of a piece of software.
SPDX: August 2011
Initially licence-oriented, SBOM-capable since v2
ISO standard since September 2021
Microsoft, Siemens, Sony, GitHub
{
  "SPDXID": "SPDXRef-DOCUMENT",
  "spdxVersion": "SPDX-2.3",
  "creationInfo": {
    "created": "2025-01-25T12:20:14Z",
    "creators": [
      "Tool: spdx-maven-plugin"
    ],
    "licenseListVersion": "3.26.0"
  },
  "name": "petclinic",
  "packages": [
    {
      "SPDXID": "SPDXRef-gnrtd1",
      "description": "Parent pom providing dependency and plugin management for applications built with Maven",
      "homepage": "https://spring.io/projects/spring-boot/spring-petclinic",
      "name": "petclinic",
      "primaryPackagePurpose": "LIBRARY",
      "summary": "Parent pom providing dependency and plugin management for applications built with Maven",
      "versionInfo": "3.3.0-SNAPSHOT"
    },
    {
      "SPDXID": "SPDXRef-gnrtd2",
      "description": "Core starter, including auto-configuration support, logging and YAML",
      "homepage": "https://spring.io/projects/spring-boot",
      "name": "spring-boot-starter",
      "originator": "Organization:VMware, Inc.",
      "summary": "Core starter, including auto-configuration support, logging and YAML",
      "versionInfo": "3.3.0"
    }
  ],
  "relationships": [
    {
      "spdxElementId": "SPDXRef-DOCUMENT",
      "relationshipType": "DESCRIBES",
      "relatedSpdxElement": "SPDXRef-gnrtd1",
      "comment": ""
    },
    {
      "spdxElementId": "SPDXRef-gnrtd1",
      "relationshipType": "DYNAMIC_LINK",
      "relatedSpdxElement": "SPDXRef-gnrtd2",
      "comment": "Relationship based on Maven POM file dependency information"
    }
  ]
}
CycloneDX: March 2018
Bill-of-Materials-oriented from the start
ECMA standard since June 2024
IBM, Spotify, GitLab
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:da67396d-a1a3-3983-9570-6f8b96ac7392",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "vendor": "OWASP Foundation",
        "name": "CycloneDX Maven plugin",
        "version": "2.8.0"
      }
    ],
    "component": {
      "group": "org.springframework.samples",
      "name": "spring-petclinic",
      "version": "3.3.0-SNAPSHOT",
      "description": "Parent pom providing dependency and plugin management for applications built with Maven",
      "externalReferences": [
        {
          "type": "vcs",
          "url": "https://github.com/spring-projects/spring-boot/spring-petclinic"
        }
      ],
      "bom-ref": "pkg:maven/org.springframework.samples/spring-petclinic@3.3.0-SNAPSHOT?type=jar"
    }
  },
  "components": [
    {
      "publisher": "VMware, Inc.",
      "group": "org.springframework.boot",
      "name": "spring-boot-starter",
      "version": "3.3.0",
      "description": "Core starter, including auto-configuration support, logging and YAML",
      "scope": "required",
      "purl": "pkg:maven/org.springframework.boot/spring-boot-starter@3.3.0?type=jar",
      "externalReferences": [
        {
          "type": "website",
          "url": "https://spring.io/projects/spring-boot"
        },
        {
          "type": "issue-tracker",
          "url": "https://github.com/spring-projects/spring-boot/issues"
        },
        {
          "type": "vcs",
          "url": "https://github.com/spring-projects/spring-boot"
        }
      ],
      "type": "library",
      "bom-ref": "pkg:maven/org.springframework.boot/spring-boot-starter@3.3.0?type=jar"
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:maven/org.springframework.samples/spring-petclinic@3.3.0-SNAPSHOT?type=jar",
      "dependsOn": [
        "pkg:maven/org.springframework.boot/spring-boot-starter-actuator@3.3.0?type=jar",
        "pkg:maven/org.springframework.boot/spring-boot-starter-cache@3.3.0?type=jar",
        "pkg:maven/org.springframework.boot/spring-boot-starter-data-jpa@3.3.0?type=jar",
        "pkg:maven/org.springframework.boot/spring-boot-starter-web@3.3.0?type=jar",
        "pkg:maven/org.springframework.boot/spring-boot-starter-validation@3.3.0?type=jar",
        "pkg:maven/org.springframework.boot/spring-boot-starter-thymeleaf@3.3.0?type=jar",
        "pkg:maven/com.h2database/h2@2.2.224?type=jar",
        "pkg:maven/com.mysql/mysql-connector-j@8.3.0?type=jar",
        "pkg:maven/org.postgresql/postgresql@42.7.3?type=jar",
        "pkg:maven/javax.cache/cache-api@1.1.1?type=jar",
        "pkg:maven/com.github.ben-manes.caffeine/caffeine@3.1.8?type=jar",
        "pkg:maven/org.webjars.npm/bootstrap@5.3.3?type=jar",
        "pkg:maven/org.webjars.npm/font-awesome@4.7.0?type=jar",
        "pkg:maven/jakarta.xml.bind/jakarta.xml.bind-api@4.0.2?type=jar"
      ]
    }
  ]
}
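Neither excerpt above is usable by a scanner until its identifiers are resolved: SPDX keys packages by SPDXID and expresses the graph through relationships, whereas CycloneDX keys components by bom-ref (the Maven plugin uses the purl) and lists dependsOn edges. The script below is an added example for this page, not code from the SPDX or CycloneDX projects: it reads either format into one normalised shape and flags refs that the dependency graph uses but the document never declares, which is the check to run on complete tool output before trusting a scan (the CycloneDX excerpt above is trimmed to one component, so it would trip the check too). The two embedded documents are constructed samples that follow the shapes above; the undeclared spring-boot-starter-web entry is deliberate.

```python
"""Normalise SPDX 2.x JSON and CycloneDX JSON SBOMs and check their graphs."""
import json

# Constructed sample (not tool output): a CycloneDX BOM whose graph points
# at spring-boot-starter-web, which is never declared in "components".
CDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "metadata": {"component": {
        "type": "application", "name": "spring-petclinic", "version": "3.3.0-SNAPSHOT",
        "bom-ref": "pkg:maven/org.springframework.samples/spring-petclinic@3.3.0-SNAPSHOT?type=jar"}},
    "components": [
        {"type": "library", "name": "spring-boot-starter", "version": "3.3.0", "scope": "required",
         "purl": "pkg:maven/org.springframework.boot/spring-boot-starter@3.3.0?type=jar",
         "bom-ref": "pkg:maven/org.springframework.boot/spring-boot-starter@3.3.0?type=jar"},
        {"type": "library", "name": "h2", "version": "2.2.224", "scope": "optional",
         "purl": "pkg:maven/com.h2database/h2@2.2.224?type=jar",
         "bom-ref": "pkg:maven/com.h2database/h2@2.2.224?type=jar"}],
    "dependencies": [{
        "ref": "pkg:maven/org.springframework.samples/spring-petclinic@3.3.0-SNAPSHOT?type=jar",
        "dependsOn": [
            "pkg:maven/org.springframework.boot/spring-boot-starter@3.3.0?type=jar",
            "pkg:maven/com.h2database/h2@2.2.224?type=jar",
            "pkg:maven/org.springframework.boot/spring-boot-starter-web@3.3.0?type=jar"]}],
})

# Constructed sample (not tool output): the same two packages in SPDX form.
# SPDX carries the purl as an externalRef rather than a top-level field.
SPDX_SAMPLE = json.dumps({
    "SPDXID": "SPDXRef-DOCUMENT", "spdxVersion": "SPDX-2.3", "name": "petclinic",
    "packages": [
        {"SPDXID": "SPDXRef-gnrtd1", "name": "petclinic", "versionInfo": "3.3.0-SNAPSHOT"},
        {"SPDXID": "SPDXRef-gnrtd2", "name": "spring-boot-starter", "versionInfo": "3.3.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:maven/org.springframework.boot/spring-boot-starter@3.3.0?type=jar"}]}],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-gnrtd1"},
        {"spdxElementId": "SPDXRef-gnrtd1", "relationshipType": "DYNAMIC_LINK", "relatedSpdxElement": "SPDXRef-gnrtd2"}],
})

# SPDX relationship types that mean "A needs B" and therefore belong in the graph.
SPDX_DEPENDENCY_TYPES = {"DEPENDS_ON", "DYNAMIC_LINK", "STATIC_LINK", "CONTAINS"}


def load_sbom(text):
    """Detect the format from top-level fields and return
    {"format", "components": {ref: {...}}, "edges": [(from_ref, to_ref)]}."""
    doc = json.loads(text)
    if doc.get("bomFormat") == "CycloneDX":
        return _from_cyclonedx(doc)
    if "spdxVersion" in doc:
        return _from_spdx(doc)
    raise ValueError("not an SPDX or CycloneDX JSON document")


def _cdx_ref(c):
    # bom-ref is what "dependencies" points at; fall back to purl, then name.
    return c.get("bom-ref") or c.get("purl") or c["name"]


def _from_cyclonedx(doc):
    components = {}
    root = doc.get("metadata", {}).get("component")
    for c in ([root] if root else []) + doc.get("components", []):
        components[_cdx_ref(c)] = {"name": c["name"], "version": c.get("version"),
                                   "purl": c.get("purl"), "scope": c.get("scope", "required")}
    edges = [(d["ref"], t) for d in doc.get("dependencies", []) for t in d.get("dependsOn", [])]
    return {"format": "CycloneDX", "components": components, "edges": edges}


def _from_spdx(doc):
    components = {}
    for p in doc.get("packages", []):
        purl = next((r["referenceLocator"] for r in p.get("externalRefs", [])
                     if r.get("referenceType") == "purl"), None)
        components[p["SPDXID"]] = {"name": p["name"], "version": p.get("versionInfo"),
                                   "purl": purl, "scope": "required"}
    edges = [(r["spdxElementId"], r["relatedSpdxElement"]) for r in doc.get("relationships", [])
             if r["relationshipType"] in SPDX_DEPENDENCY_TYPES]
    return {"format": "SPDX", "components": components, "edges": edges}


def dangling_refs(sbom):
    """Refs used by the graph that have no component entry. A scanner cannot
    match vulnerabilities to these, so a non-empty result means the BOM
    under-reports what actually ships."""
    used = {ref for edge in sbom["edges"] for ref in edge}
    return sorted(used - set(sbom["components"]))


def purls(sbom):
    """Package URLs of declared components: the key scanners match on."""
    return sorted(c["purl"] for c in sbom["components"].values() if c["purl"])


if __name__ == "__main__":
    for text in (SPDX_SAMPLE, CDX_SAMPLE):
        sbom = load_sbom(text)
        print(sbom["format"], len(sbom["components"]), "components,",
              len(sbom["edges"]), "edges, dangling:", dangling_refs(sbom))
```

Running it reports no dangling refs for the SPDX sample and one for the CycloneDX sample. The same normalised shape is what you would feed a diff between two builds, or the merge step shown later, so that components are compared by purl rather than by whatever identifier each generator happened to use.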
Emergence of SBOMs ✅
Generation tools
Aggregation and analysis tools
The BOM universe
integrated into the application?
external to the application?
multi-technology?
containers?
easy to integrate into a CI pipeline?!
Syft, recommended by GitHub and Bitbucket
Gemnasium / Trivy, recommended by GitLab
Docker Scout
cdxgen, from OWASP
sbom-tool, from Microsoft
--> docker scout cves [IMAGE]
✓ Image stored for indexing
✓ Indexed 79 packages
pkg:npm/express@4.17.1
✗ HIGH CVE-2022-24999 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities]
https://scout.docker.com/v/CVE-2022-24999
Affected range : <4.17.3
Fixed version : 4.17.3
CVSS Score : 7.5
CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
36 vulnerabilities found in 11 packages
CRITICAL 2
HIGH 20
MEDIUM 9
LOW 4
UNSPECIFIED 1
What's next:
View base image update recommendations
→ docker scout recommendations [IMAGE]
docker scout sbom --format spdx [IMAGE]
docker scout sbom --format cyclonedx [IMAGE]
# Dependency scan with Syft (GitHub Actions steps)
steps:
  - name: SBOM of the container image
    uses: anchore/sbom-action@v0
    with:
      image: "${REGISTRY_URL}/mon_image:X.X.X"
  - name: SBOM of the build output
    uses: anchore/sbom-action@v0
    with:
      path: ./build/
# Dependency scan with Gemnasium (GitLab CI)
stages:
  - test
include:
  - template: Jobs/Dependency-Scanning.gitlab-ci.yml
# Container scan with Trivy (GitLab CI)
stages:
  - test
include:
  - template: Jobs/Container-Scanning.gitlab-ci.yml
container_scanning:
  variables:
    CS_IMAGE: "${REGISTRY_URL}/mon_image:X.X.X"
    CI_REGISTRY: "$REGISTRY_URL"
    CI_REGISTRY_USER: "$USERNAME"
    CI_REGISTRY_PASSWORD: "$PASSWORD"
# Merge the SBOMs produced by both scans into one file (GitLab CI)
stages:
  - test
  - merge-sboms
include:
  - template: Jobs/Dependency-Scanning.gitlab-ci.yml
  - template: Jobs/Container-Scanning.gitlab-ci.yml
merge sboms:
  stage: merge-sboms
  image:
    name: cyclonedx/cyclonedx-cli:0.25.1
    entrypoint: [""]
  script:
    # both templates emit CycloneDX files named *sbom*.json as artifacts
    - find . -name "*sbom*.json" -exec cyclonedx merge --output-file merged-sbom.json --input-files "{}" +
  artifacts:
    paths:
      - merged-sbom.json
dependency used only at build time
dependency not used in the project
CycloneDX Maven and Gradle plugins
05/2024: Spring Boot 3.3.0 support
08/2024: io.quarkus:quarkus-cyclonedx extension
cdxgen, from OWASP
cosign, from Sigstore
Emergence of SBOMs ✅
Generation tools ✅
Aggregation and analysis tools
The BOM universe
Dependency-Track: 2013
Open source
Developed by OWASP
services:
  dtrack-apiserver:
    image: dependencytrack/apiserver
    ports:
      - '8081:8080'
  dtrack-frontend:
    image: dependencytrack/frontend
    depends_on:
      - dtrack-apiserver
    environment:
      - API_BASE_URL=http://localhost:8081
    ports:
      - "8080:8080"
curl -X POST http://localhost:8081/api/v1/bom \
-H "Content-Type: multipart/form-data" \
-H "X-API-Key: YOUR_API_KEY" \
-F "project=OBJECT_IDENTIFIER" \
-F "bom=@target/bom.json"
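The curl call above only starts the work: Dependency-Track answers with a token, analyses the BOM asynchronously, and the findings become available once processing ends. The script below is an added example for this page, not Dependency-Track's own client, written against the documented endpoints POST /api/v1/bom (returns {"token": ...}), GET /api/v1/bom/token/{token} (returns {"processing": bool}) and GET /api/v1/finding/project/{uuid}. It chains upload, wait and a severity gate so a pipeline can fail on unsuppressed findings at or above a threshold, which is what the "alerts configurable by severity" requirement from the opening slide looks like in practice. The URL, API key and project identifier are placeholders, and make_fake_http() together with SAMPLE_FINDINGS is a constructed stand-in for the server so the flow runs offline.

```python
"""Upload a BOM to Dependency-Track, wait for analysis, gate on severity."""
import json
import secrets
import time
import urllib.request

SEVERITY_RANK = {"UNASSIGNED": 0, "INFO": 1, "LOW": 2, "MEDIUM": 3, "HIGH": 4, "CRITICAL": 5}


def _http(method, url, headers, body=None):
    """Real transport: one JSON request/response over urllib."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read() or b"null")


def _multipart(boundary, fields, file_field, filename, content):
    """Hand-rolled multipart/form-data body, i.e. what curl -F builds for you."""
    lines = []
    for name, value in fields.items():
        lines += [f"--{boundary}", f'Content-Disposition: form-data; name="{name}"', "", value]
    lines += [f"--{boundary}",
              f'Content-Disposition: form-data; name="{file_field}"; filename="{filename}"',
              "Content-Type: application/json", ""]
    return "\r\n".join(lines).encode() + b"\r\n" + content + f"\r\n--{boundary}--\r\n".encode()


class DependencyTrack:
    def __init__(self, base_url, api_key, http=_http):
        self.base_url = base_url.rstrip("/")
        self.headers = {"X-Api-Key": api_key}
        self.http = http  # injectable so the flow can run without a server

    def upload_bom(self, project_uuid, bom_bytes):
        boundary = "----dtrack-" + secrets.token_hex(12)
        body = _multipart(boundary, {"project": project_uuid}, "bom", "bom.json", bom_bytes)
        headers = dict(self.headers, **{"Content-Type": f"multipart/form-data; boundary={boundary}"})
        return self.http("POST", f"{self.base_url}/api/v1/bom", headers, body)["token"]

    def wait_processed(self, token, poll_seconds=2.0, max_polls=60):
        """Poll the upload token until the server reports processing finished."""
        for _ in range(max_polls):
            status = self.http("GET", f"{self.base_url}/api/v1/bom/token/{token}", self.headers)
            if not status["processing"]:
                return True
            time.sleep(poll_seconds)
        return False

    def findings(self, project_uuid):
        return self.http("GET", f"{self.base_url}/api/v1/finding/project/{project_uuid}", self.headers)


def findings_at_or_above(findings, threshold):
    """Unsuppressed findings whose severity meets the threshold (audited
    false positives carry analysis.isSuppressed and are ignored)."""
    floor = SEVERITY_RANK[threshold.upper()]
    return [f for f in findings
            if SEVERITY_RANK.get(f["vulnerability"].get("severity", "UNASSIGNED").upper(), 0) >= floor
            and not f.get("analysis", {}).get("isSuppressed", False)]


def gate(client, project_uuid, bom_bytes, threshold="HIGH", poll_seconds=2.0):
    token = client.upload_bom(project_uuid, bom_bytes)
    if not client.wait_processed(token, poll_seconds=poll_seconds):
        raise TimeoutError("Dependency-Track did not finish processing the BOM")
    return findings_at_or_above(client.findings(project_uuid), threshold)


# Constructed findings in the shape the finding endpoint returns; the IDs are
# placeholders, not real vulnerabilities.
SAMPLE_FINDINGS = [
    {"component": {"name": "sample-lib-a", "version": "1.0"},
     "vulnerability": {"vulnId": "SAMPLE-1", "severity": "HIGH"}, "analysis": {"isSuppressed": False}},
    {"component": {"name": "sample-lib-b", "version": "2.0"},
     "vulnerability": {"vulnId": "SAMPLE-2", "severity": "CRITICAL"},
     "analysis": {"isSuppressed": True, "state": "FALSE_POSITIVE"}},
    {"component": {"name": "sample-lib-c", "version": "3.0"},
     "vulnerability": {"vulnId": "SAMPLE-3", "severity": "MEDIUM"}, "analysis": {"isSuppressed": False}},
]


def make_fake_http(findings, polls_before_done=1):
    """Constructed stand-in for _http: canned answers for the three endpoints."""
    state = {"polls": 0}

    def fake(method, url, headers, body=None):
        if "X-Api-Key" not in headers:
            raise ValueError("missing API key header")
        if method == "POST" and url.endswith("/api/v1/bom"):
            if b'name="bom"' not in body or not headers.get("Content-Type", "").startswith("multipart/form-data"):
                raise ValueError("malformed multipart upload")
            return {"token": "00000000-0000-0000-0000-000000000000"}
        if "/api/v1/bom/token/" in url:
            state["polls"] += 1
            return {"processing": state["polls"] <= polls_before_done}
        if "/api/v1/finding/project/" in url:
            return findings
        raise ValueError("unexpected call " + url)
    return fake


if __name__ == "__main__":
    client = DependencyTrack("http://localhost:8081", "YOUR_API_KEY", http=make_fake_http(SAMPLE_FINDINGS))
    blocking = gate(client, "OBJECT_IDENTIFIER", b"{}", "HIGH", poll_seconds=0)
    print("blocking findings:", [f["vulnerability"]["vulnId"] for f in blocking])
```

Against a live server, drop the http= argument and pass the real project UUID; the gate returns the list the job should fail on. Suppressed findings are deliberately excluded so that a triaged false positive does not block every subsequent build, which is the reason to keep the analysis state in Dependency-Track rather than in an allow-list inside the pipeline.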
Emergence of SBOMs ✅
Generation tools ✅
Aggregation and analysis tools ✅
The BOM universe
or xBOM
cdxgen, from OWASP
CBOM (cryptography): algorithms, certificates, keys, signatures ...
CBOMkit, from IBM
cdxgen, from OWASP
HBOM (hardware)
Formulation
ML-BOM (machine learning)
…
Emergence of SBOMs ✅
Generation tools ✅
Aggregation and analysis tools ✅
The BOM universe ✅
2020 - Network and Information Security 2 (NIS2)
2022 - Cyber Resilience Act (CRA)
Don't wait for the CRA vote to start generating your SBOMs
Opt for CycloneDX
Combine dependency scanning with container scanning
Optional: deploy Dependency-Track