SBOM stands for Software Bill Of Materials.
It is a list of all the components that make up a software application or system. It includes information about the various third-party libraries, frameworks, and other open-source or proprietary components that are used to build the software. An SBOM can also include details about the versions of these components, their licensing information, and any known vulnerabilities or security issues.
The objective of an SBOM is to list these components, providing software users visibility over what is included in a software product, and allowing them to avoid components that can be harmful for security or legal reasons.
Usage of SBOMs has become much more common over the past few years, following several large software supply chain attacks.
In the context of a container image, the SBOM will contain:
- the Linux distribution packages and libraries installed in the image (e.g. deb or rpm packages)
- the language-specific packages installed for the application running in the container (e.g. Python packages, Go modules, npm packages, etc.)
There are tools that can help you extract the SBOM from a container image.
One such tool is syft.
For example, we can use syft to generate the SBOM for the ubuntu:latest container image:
$ syft ubuntu
✔ Parsed image
✔ Cataloged packages [101 packages]
NAME VERSION TYPE
adduser 3.118ubuntu5 deb
apt 2.4.8 deb
base-files 12ubuntu4.2 deb
base-passwd 3.5.52build1 deb
bash 5.1-6ubuntu1 deb
bsdutils 1:2.37.2-4ubuntu3 deb
coreutils 8.32-4.1ubuntu1 deb
dash 0.5.11+git20210903+057cd650a4ed-3build1 deb
debconf 1.5.79ubuntu1 deb
debianutils 5.5-1ubuntu2 deb
diffutils 1:3.8-0ubuntu2 deb
dpkg 1.21.1ubuntu2.1 deb
e2fsprogs 1.46.5-2ubuntu1.1 deb
findutils 4.8.0-1ubuntu3 deb
gcc-12-base 12.1.0-2ubuntu1~22.04 deb
gpgv 2.2.27-3ubuntu2.1 deb
grep 3.7-1build1 deb
gzip 1.10-4ubuntu4.1 deb
hostname 3.23ubuntu2 deb
init-system-helpers 1.62 deb
libacl1 2.3.1-1 deb
libapt-pkg6.0 2.4.8 deb
libattr1 1:2.5.1-1build1 deb
libaudit-common 1:3.0.7-1build1 deb
libaudit1 1:3.0.7-1build1 deb
libblkid1 2.37.2-4ubuntu3 deb
libbz2-1.0 1.0.8-5build1 deb
libc-bin 2.35-0ubuntu3.1 deb
libc6 2.35-0ubuntu3.1 deb
libcap-ng0 0.7.9-2.2build3 deb
libcap2 1:2.44-1build3 deb
libcom-err2 1.46.5-2ubuntu1.1 deb
libcrypt1 1:4.4.27-1 deb
libdb5.3 5.3.28+dfsg1-0.8ubuntu3 deb
libdebconfclient0 0.261ubuntu1 deb
libext2fs2 1.46.5-2ubuntu1.1 deb
libffi8 3.4.2-4 deb
libgcc-s1 12.1.0-2ubuntu1~22.04 deb
libgcrypt20 1.9.4-3ubuntu3 deb
libgmp10 2:6.2.1+dfsg-3ubuntu1 deb
libgnutls30 3.7.3-4ubuntu1.1 deb
libgpg-error0 1.43-3 deb
libgssapi-krb5-2 1.19.2-2 deb
libhogweed6 3.7.3-1build2 deb
libidn2-0 2.3.2-2build1 deb
libk5crypto3 1.19.2-2 deb
libkeyutils1 1.6.1-2ubuntu3 deb
libkrb5-3 1.19.2-2 deb
libkrb5support0 1.19.2-2 deb
liblz4-1 1.9.3-2build2 deb
liblzma5 5.2.5-2ubuntu1 deb
libmount1 2.37.2-4ubuntu3 deb
libncurses6 6.3-2 deb
libncursesw6 6.3-2 deb
libnettle8 3.7.3-1build2 deb
libnsl2 1.3.0-2build2 deb
libp11-kit0 0.24.0-6build1 deb
libpam-modules 1.4.0-11ubuntu2 deb
libpam-modules-bin 1.4.0-11ubuntu2 deb
libpam-runtime 1.4.0-11ubuntu2 deb
libpam0g 1.4.0-11ubuntu2 deb
libpcre2-8-0 10.39-3ubuntu0.1 deb
libpcre3 2:8.39-13ubuntu0.22.04.1 deb
libprocps8 2:3.3.17-6ubuntu2 deb
libseccomp2 2.5.3-2ubuntu2 deb
libselinux1 3.3-1build2 deb
libsemanage-common 3.3-1build2 deb
libsemanage2 3.3-1build2 deb
libsepol2 3.3-1build1 deb
libsmartcols1 2.37.2-4ubuntu3 deb
libss2 1.46.5-2ubuntu1.1 deb
libssl3 3.0.2-0ubuntu1.7 deb
libstdc++6 12.1.0-2ubuntu1~22.04 deb
libsystemd0 249.11-0ubuntu3.6 deb
libtasn1-6 4.18.0-4build1 deb
libtinfo6 6.3-2 deb
libtirpc-common 1.3.2-2ubuntu0.1 deb
libtirpc3 1.3.2-2ubuntu0.1 deb
libudev1 249.11-0ubuntu3.6 deb
libunistring2 1.0-1 deb
libuuid1 2.37.2-4ubuntu3 deb
libxxhash0 0.8.1-1 deb
libzstd1 1.4.8+dfsg-3build1 deb
login 1:4.8.1-2ubuntu2 deb
logsave 1.46.5-2ubuntu1.1 deb
lsb-base 11.1.0ubuntu4 deb
mawk 1.3.4.20200120-3 deb
mount 2.37.2-4ubuntu3 deb
ncurses-base 6.3-2 deb
ncurses-bin 6.3-2 deb
passwd 1:4.8.1-2ubuntu2 deb
perl-base 5.34.0-3ubuntu1.1 deb
procps 2:3.3.17-6ubuntu2 deb
sed 4.8-1ubuntu2 deb
sensible-utils 0.0.17 deb
sysvinit-utils 3.01-1ubuntu1 deb
tar 1.34+dfsg-1build3 deb
ubuntu-keyring 2021.03.26 deb
usrmerge 25ubuntu2 deb
util-linux 2.37.2-4ubuntu3 deb
zlib1g 1:1.2.11.dfsg-2ubuntu9.2 deb
We see that the SBOM not only contains the names of the packages and libraries installed inside the container image, but also their type (here deb, i.e. Debian/Ubuntu packages) and their exact version. Those three fields are the key we need to cross-reference the list with a vulnerability database and see whether the container contains any package with known vulnerabilities. For automated pipelines, syft can also write the SBOM in a standard format (syft ubuntu -o spdx-json, or -o cyclonedx-json) which scanners such as grype consume directly (grype sbom:./sbom.json), so the SBOM is generated once and can be rescanned whenever the vulnerability data changes.
So what is a Vulnerability Database?
A vulnerability database is a collection of information about known vulnerabilities in software, hardware, and other systems. It typically includes details about the nature of the vulnerability, such as the type of vulnerability, the severity of the vulnerability, and the potential impact of the vulnerability. A vulnerability database may also include information about how the vulnerability can be exploited, and about any available patches or fixes for the vulnerability.
Some vulnerability databases are vuldb.com, NIST's NVD (National Vulnerability Database), cvedetails.com and the Snyk Vulnerability Database. The Linux distributions also maintain their own security trackers (for example Ubuntu's and Debian's), which record in which package version each fix was shipped.
They provide APIs or raw data that you can download and cross-reference with the packages in our SBOM, matching on ecosystem, package name and version. This way, we can find out whether any of our packages has vulnerabilities that we need to care about. One caveat: distribution packages carry backported fixes, so a package such as libssl3 3.0.2-0ubuntu1.7 from the list above may already contain fixes that upstream OpenSSL only shipped in a later release. Comparing distro package versions against upstream version ranges therefore produces false positives; for distro packages, the distribution's own advisories are the right data source, and versions must be compared with the distribution's own version ordering rules.
Usually we can also find information about the library version in which this vulnerability has been introduced and whether it has been fixed in a newer version. Using this information, we can decide whether to update/downgrade our dependency to mitigate the vulnerability. As we already established in Day 14, updating a dependency is not always trivial, because sometimes this update comes with behaviour or API changes.
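As an added example (not code from the original post or from the syft project), the following Python script parses the table that syft printed above and matches it against a small advisory feed using dpkg's version comparison rules. The advisory feed is constructed for the demonstration: the DEMO-* identifiers and their fixed versions are hypothetical, while the three SBOM rows are copied from the syft output above. The point it makes is that versions must be compared with the ecosystem's own rules: plain string comparison sorts 4ubuntu3 after 4ubuntu10 and would miss the bsdutils advisory.

```python
# Added example: match the syft table shown above against advisory data
# using dpkg version-comparison rules. Not code from the post or from syft.

# Three rows copied from the syft output for ubuntu:latest shown above.
SBOM_TABLE = """\
NAME VERSION TYPE
bsdutils 1:2.37.2-4ubuntu3 deb
libssl3 3.0.2-0ubuntu1.7 deb
zlib1g 1:1.2.11.dfsg-2ubuntu9.2 deb
"""

# Constructed advisory feed: DEMO-* ids and fixed versions are hypothetical.
# "fixed" is the first package version carrying the fix; None means unfixed.
ADVISORIES = [
    {"id": "DEMO-2023-0001", "ecosystem": "deb", "package": "libssl3", "fixed": "3.0.2-0ubuntu1.8"},
    {"id": "DEMO-2023-0002", "ecosystem": "deb", "package": "bsdutils", "fixed": "1:2.37.2-4ubuntu10"},
    {"id": "DEMO-2023-0003", "ecosystem": "deb", "package": "zlib1g", "fixed": "1:1.2.11.dfsg-2ubuntu9.2"},
    {"id": "DEMO-2023-0004", "ecosystem": "pypi", "package": "libssl3", "fixed": "99.0"},  # wrong ecosystem
]


def parse_syft_table(text):
    """Parse syft's default table output into (name, version, type) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0] == "NAME":
            continue  # skip the header and any blank lines
        rows.append(tuple(parts))
    return rows


def _order(ch):
    """Character weight from dpkg's verrevcmp: '~' < end-of-string < letters < others."""
    if ch.isdigit():
        return 0
    if ch.isalpha():
        return ord(ch)
    if ch == "~":
        return -1
    return ord(ch) + 256 if ch else 0


def _verrevcmp(a, b):
    """Compare two version fragments the way dpkg does: alternating runs of
    non-digits (lexical, with the weights above) and digits (numeric)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":  # leading zeros are insignificant
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():  # longer digit run wins
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def dpkg_compare(v1, v2):
    """Return -1, 0 or 1 for Debian versions of the form [epoch:]upstream[-revision]."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        if not sep:
            upstream, revision = rest, ""
        return int(epoch), upstream, revision

    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return 1 if e1 > e2 else -1
    c = _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)


def naive_compare(v1, v2):
    """Plain string comparison, kept only to show where it goes wrong."""
    return (v1 > v2) - (v1 < v2)


def find_affected(sbom_rows, advisories, compare=dpkg_compare):
    """Return {advisory id: (package, installed version)} for every SBOM row whose
    ecosystem and name match an advisory and whose version is below the fix."""
    hits = {}
    for name, version, ecosystem in sbom_rows:
        for adv in advisories:
            if adv["ecosystem"] != ecosystem or adv["package"] != name:
                continue
            if adv["fixed"] is None or compare(version, adv["fixed"]) < 0:
                hits[adv["id"]] = (name, version)
    return hits


if __name__ == "__main__":
    rows = parse_syft_table(SBOM_TABLE)
    for adv_id, (pkg, ver) in sorted(find_affected(rows, ADVISORIES).items()):
        print(f"{adv_id}: {pkg} {ver} is affected")
```

Running it reports DEMO-2023-0001 (libssl3) and DEMO-2023-0002 (bsdutils); zlib1g is exactly at the fixed version and the pypi entry never matches a deb package. Swapping in naive_compare drops the bsdutils finding, which is the kind of silent false negative a real scanner avoids by using per-ecosystem version parsers (dpkg, rpm, semver, PEP 440).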
Another important piece of information about a vulnerability is its CVSS Score.
CVSS stands for Common Vulnerability Scoring System.
It provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.
Basically, one vulnerability can be more severe than another, so we need a system that ranks vulnerabilities consistently based on how easy they are to exploit and how much damage they can cause. Note that the base score measures the intrinsic severity of the flaw, not the risk to a particular deployment: whether the vulnerable code is reachable at all in your container is a separate question.
This is where CVSS comes in.
CVSS v3 defines 8 base metrics from which the base score is calculated. These metrics are:
Attack Vector (AV)
Reflects the context by which vulnerability exploitation is possible.
Possible values: Network(N), Adjacent(A), Local(L), Physical(P)
Attack Complexity (AC)
Describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.
Possible values: Low(L), High(H)
Privileges Required (PR)
Describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.
Possible values: None(N), Low(L), High(H)
User Interaction (UI)
The requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component.
Possible values: None(N), Required(R)
Scope (S)
The ability for a vulnerability in one software component to impact resources beyond its means, or privileges.
Possible values: Unchanged(U), Changed(C)
Confidentiality (C)
The impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.
Possible values: None(N), Low(L), High(H)
Integrity (I)
The impact to integrity of a successfully exploited vulnerability.
Possible values: None(N), Low(L), High(H)
Availability (A)
The impact to the availability of the impacted component resulting from a successfully exploited vulnerability.
Possible values: None(N), Low(L), High(H)
The combination of these 8 metrics, usually written as a vector string such as CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, determines the base score. It is between 0.0 and 10.0, 0.0 being the lowest possible and 10.0 the highest (most critical), and it maps to the qualitative ratings None (0.0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9) and Critical (9.0-10.0).
FIRST provides a CVSS calculator at https://www.first.org/cvss/calculator/3.1 where you can calculate the score of a vulnerability from its metric values.
References:
https://www.nist.gov/itl/executive-order-improving-nations-cybersecurity
https://www.aquasec.com/cloud-native-academy/supply-chain-security/sbom/
On Day 16 we will take a look into "Fuzzing" or Fuzz Testing.