Software Supply Chain Awareness at Scale
Florian Heubeck
Posted on January 30, 2024
Securing the software supply chain is hip nowadays.
About Dependencies
You know these jokes about Windows users fearing updates, MacOS disciples paying updates and Linux nerds awaiting updates?
I've always loved updates, even long before I became a Linux user. New versions ship new features, fix bugs, look better (sometimes), run faster (hopefully) and recently: provide security.
Some eye-opening samples from the newer history raised awareness, be it well-intended features becoming exploitable like with "log4shell" or npm packages hijacked like "coa".
It's obviously not only necessary to keep dependencies up-to-date, but also to observe them for potential vulnerabilities.
Software Bill of Material
To achieve supply chain security there's, first of all, need for taking inventory. We need to know which components we are depending on.
That's what the so called SBOM is about. It's the ingredients a system is made of, with lots of metadata like checksums or licenses attached.
There are two major formats out there, "SPDX" driven by the Linux foundation, and "CycloneDX" by OWASP.
OWASP Projects
The CycloneDX standard glares with better tool support, mainly because the OWASP provides lots of tooling around it. There are plugins for nearly every programming language or build framework to create an SBOM file. And there's a kind of orchestration tool named cdxgen that recently joined the official CycloneDX umbrella.
Cdxgen wraps around ~30 different things (at time of writing) to create a SBOM for nearly every project by a single command.
That's very useful for a heterogenous project zoo like in an enterprise environment.
Another great tool provided by OWASP is Dependency-Track which consumes SBOMs, visualizes projects and dependencies and makes them searchable.
But that's not all: Dependency-Track also consumes vulnerability databases from public as well as commercial services and matches CVEs to the dependencies of our projects, AND scans artifact repositories for updates of our dependencies 🤯.
That provides us with risk assessment at a glance together with precise pointers where to take action.
Connecting Ends
Building a holistic inventory of all dependencies for an entire organization would require each and every project to create and upload a SBOM. While this is of course possible, it's not very efficient and comes with some management overhead of distributing Dependency-Track API keys.
That's where our GitHub app Technolinator comes in. GitHub apps can be installed on organization level and instrument all contained repositories.
Technolinator wraps around cdxgen and gets notified on GitHub push events. For every update on a repository's default branch, a fresh SBOM is created and uploaded to Dependency-Track:
Feedback about the process is provided as commit status:
Using this approach we are able to efficiently create an inventory of all our dependencies, and in addition provide all teams some insights on potential risks.
Hello Open-Source World
Since our Dependency-Track installation shows thousands of open-source projects, and this solution of course also makes use of awesome projects, we are happy to announce that Technolinator became the first open-source software project we provide as MediaMarktSaturn Technology, together with a public Helm chart repository that contains our Dependency-Track configuration as publicly available chart.
Just have a look into Technolinator - whose name has no meaning beyond its beautiful sound. It's easy to adopt to your needs, its documentation contains already everything to get started, just start a discussion or file an issue to get your questions answered, if any.
We hope to help other organizations solving software supply chain issues using Technolinator as well, and of course welcome any contribution.
get to know us 👉 https://mms.tech 👈
Posted on January 30, 2024
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.