SBoMs with Smithy SaaS, convenience automation at scale

How to scale your SBOM generation with Smithy


Software Bills of Materials (SBOMs) have become an important building block in application security, critical for identifying and mitigating risk in the software supply chain. It all started a decade ago, when OWASP introduced “A9 Using Components with Known Vulnerabilities” in the OWASP Top 10 2013. A9 recommended keeping an inventory of all components included in an application in order to track vulnerabilities as they emerge. Since then, many tools have been introduced that keep track of dependencies or perform Software Composition Analysis (SCA).

More recently, the requirement to create an SBOM and keep it up to date has become even more prominent. The PCI Software Security Framework and Executive Order 14028 both outline the need for a high-quality Software Bill of Materials.

There are many tools on the market, both commercial and open source, that you can use to create SBOMs. For example, Trivy supports the creation of SBOMs from a filesystem and can produce output in the popular CycloneDX SBOM format.

OWASP Dependency-Track can ingest CycloneDX documents, then store and visualize the information within them for easy observability and management. As a convenient addition, it also monitors vulnerability databases (e.g. NVD and OSV) and notifies you when a vulnerable component is identified in your portfolio. Let’s see how you can leverage the power of Smithy to orchestrate all these tools and create a security workflow for SBOMs. First, you can clone any repository, for example from your GitHub organization, and run an SBOM generation tool against it. You will end up with an SBOM that includes package information and possibly package URLs, but usually lacks licensing information, digests and CPEs.

(Figure: Trivy pipeline stage)

You can further enhance your SBOM by using Smithy’s enrichers. For example, it is a good idea to include licensing information in the SBOM. This way, an organization can avoid using software under licenses that are incompatible with its operating model or that expose it to legal trouble. You can easily achieve this with Smithy’s deps.dev enricher, which queries Google’s Open Source Insights dataset for licensing information on each package.

(Figure: enricher stage)

Now you are ready to visualize the results using Smithy’s OWASP Dependency-Track integration. After Dependency-Track has processed your BOM, you will get more information, such as potential vulnerabilities and a risk score. You can also visualize all of the components of the repository.

In Smithy, you can do all of the above by creating a Pipeline that runs Trivy as a producer, enriches its results with information from Open Source Insights using the deps.dev enricher, and finally passes the results to the Dependency-Track consumer. With only a few clicks you have created a security workflow for SBOMs that you can easily clone to all your repositories across your organization, to get visibility into all your applications.
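To make the three pipeline stages concrete, here is an added example (not Smithy’s own enricher or consumer code) that walks a scanner-produced CycloneDX document through the same steps in plain Python: it starts from a constructed SBOM with package URLs but no license data, fills in licenses from deps.dev for every component it can resolve, reports the ones it cannot (so gaps in the inventory stay visible instead of silently disappearing), and builds the Dependency-Track BOM upload request. The deps.dev v3 URL layout, the purl-type-to-system mapping and the Dependency-Track `PUT /api/v1/bom` payload fields are stated from memory of those public APIs and should be treated as assumptions; the sample SBOM and the canned responses in `__main__` are constructed so the script runs offline.

```python
import base64
import json
import urllib.parse
import urllib.request

# Constructed sample: the shape of a minimal CycloneDX document a scanner such as
# Trivy emits. Package URLs are present, but no component carries a license block.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "internal-lib", "version": "0.1.0",
         "purl": "pkg:generic/internal-lib@0.1.0"},   # not indexed anywhere public
    ],
}

# purl type -> deps.dev "system" name (assumption about how the v3 API names them).
PURL_TYPE_TO_SYSTEM = {"npm": "npm", "pypi": "pypi", "golang": "go",
                       "maven": "maven", "cargo": "cargo", "nuget": "nuget"}


def parse_purl(purl):
    """Split 'pkg:type/name@version[?qualifiers][#subpath]' into (type, name, version)."""
    if not purl or not purl.startswith("pkg:"):
        return None
    body = purl[4:].split("?", 1)[0].split("#", 1)[0]
    ptype, _, rest = body.partition("/")
    name, _, version = rest.rpartition("@")
    if not (ptype and name and version):
        return None
    return ptype, urllib.parse.unquote(name), urllib.parse.unquote(version)


def depsdev_url(ptype, name, version):
    """Version lookup URL on deps.dev (assumed v3 path layout); None for unsupported types."""
    system = PURL_TYPE_TO_SYSTEM.get(ptype)
    if system is None:
        return None
    quote = lambda s: urllib.parse.quote(s, safe="")
    return "https://api.deps.dev/v3/systems/%s/packages/%s/versions/%s" % (
        system, quote(name), quote(version))


def http_get_json(url):
    """Live fetcher; pass a stub as `fetch` (as __main__ does) to run without network."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def enrich_licenses(sbom, fetch=http_get_json):
    """Return (enriched copy of sbom, purls left without license data).

    Components that already carry license data are left alone. Lookups that fail or
    return nothing are reported, not skipped, so the unknown part of the inventory
    is visible to whoever reviews the SBOM.
    """
    out = json.loads(json.dumps(sbom))        # never mutate the caller's document
    unresolved = []
    for comp in out.get("components", []):
        if comp.get("licenses"):
            continue
        parsed = parse_purl(comp.get("purl"))
        url = depsdev_url(*parsed) if parsed else None
        licenses = []
        if url is not None:
            try:
                licenses = fetch(url).get("licenses", []) or []
            except Exception:          # network error, 404, malformed body: treat as unknown
                licenses = []
        if not licenses:
            unresolved.append(comp.get("purl") or comp.get("name"))
            continue
        # Plain SPDX ids go in license.id; strings with operators become expressions.
        comp["licenses"] = [{"expression": lic} if " " in lic else {"license": {"id": lic}}
                            for lic in licenses]
    return out, unresolved


def dependency_track_payload(sbom, project_name, project_version):
    """JSON body for Dependency-Track's PUT /api/v1/bom: the BOM travels base64-encoded."""
    return {
        "projectName": project_name,
        "projectVersion": project_version,
        "autoCreate": True,
        "bom": base64.b64encode(json.dumps(sbom).encode("utf-8")).decode("ascii"),
    }


def decode_payload_bom(payload):
    """Round-trip check: recover the BOM from a payload before trusting the upload."""
    return json.loads(base64.b64decode(payload["bom"]))


def build_upload_request(payload, base_url, api_key):
    """Request object for the upload; send it with urllib.request.urlopen(req)."""
    return urllib.request.Request(
        base_url.rstrip("/") + "/api/v1/bom",
        data=json.dumps(payload).encode("utf-8"), method="PUT",
        headers={"Content-Type": "application/json", "X-Api-Key": api_key})


if __name__ == "__main__":
    # Constructed offline stand-in for deps.dev responses, keyed by package name.
    canned = {"lodash": {"licenses": ["MIT"]}, "requests": {"licenses": ["Apache-2.0"]}}
    stub = lambda url: canned[url.split("/packages/")[1].split("/")[0]]
    enriched, missing = enrich_licenses(SAMPLE_SBOM, fetch=stub)
    print(json.dumps(enriched["components"], indent=2))
    print("no license data for:", missing)
    req = build_upload_request(dependency_track_payload(enriched, "demo-app", "main"),
                               "https://dtrack.example.internal", "<API-KEY-PLACEHOLDER>")
    print(req.get_method(), req.full_url)
```

The `unresolved` list is the part worth keeping in a real pipeline: a component whose license cannot be determined (a private package, an unsupported ecosystem, a flaky lookup) is exactly the one a reviewer needs to see, so the enrichment step returns it alongside the enriched document rather than leaving the component indistinguishable from one that was never checked.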

(Figure: full pipeline)

We have managed to use multiple tools to deliver high-quality SBOMs to upstream consumers like Dependency-Track, while writing barely any code, in a declarative way that is easy to understand and maintain. Furthermore, by using Smithy Enterprise, you can take advantage of its GitHub Application integration to schedule the SBOM pipeline to run on every commit of every repository. This gives your security team immediate visibility into your current SBOMs and, by subscribing to Dependency-Track notifications, lets you be notified automatically when a component has a CVE.

Contact us to get more information on how you can use Smithy to create and manage high quality SBOMs.