SBOM with VulnerableCode.io

pawelpiwosz

Paweł Piwosz

Posted on November 15, 2022

SBOM with VulnerableCode.io

In the previous episode we generated SBOM and we checked its content. But I mentioned the issues with vulnerability scan. Let's try to use another tool to complete this part now.

$ git clone https://github.com/nexB/vulnerablecode.git
$ cd vulnerablecode
$ make envfile
$ docker-compose build
Enter fullscreen mode Exit fullscreen mode

So far, the process is the same like for ScanCode.

No surprise, we run the stack here as well

$ docker-compose up -d
Enter fullscreen mode Exit fullscreen mode

This time we have three containers

$ docker-compose ps

vulnerablecode_db_1               docker-entrypoint.sh postgres    Up      5432/tcp
vulnerablecode_nginx_1            /docker-entrypoint.sh ngin ...   Up      0.0.0.0:443->443/tcp, 0.0.0.0:80->80/tcp
vulnerablecode_vulnerablecode_1   /bin/sh -c  ./manage.py mi ...   Up      8000/tcp
Enter fullscreen mode Exit fullscreen mode

According to documentation, we need to import data on this point.

$ docker-compose run vulnerablecode ./manage.py import --list
$ docker-compose exec vulnerablecode ./manage.py import --all
$ docker-compose exec vulnerablecode ./manage.py improve --all
Enter fullscreen mode Exit fullscreen mode

This way we imported / updated the whole data. Documentation shows also how to collect only part of information (to save time, space and transfer), however I believe that the only way is to import everything to have full visibility of issues.

The process is long. I mean it. The cause lies more in my configuration and having containers running in WSL2.

I found that some importers need additional configuration.

For example GitHubAPIImporter:

Importing data using vulnerabilities.importers.github.GitHubAPIImporter
Cannot call GitHub API without a token set in the GH_TOKEN environment variable.
Traceback (most recent call last):
  File "/app/vulnerabilities/management/commands/import.py", line 61, in import_data
    ImportRunner(importer).run()
  File "/app/vulnerabilities/import_runner.py", line 44, in run
    count = process_advisories(advisory_datas=advisory_datas, importer_name=importer_name)
  File "/app/vulnerabilities/import_runner.py", line 54, in process_advisories
    for data in advisory_datas:
  File "/app/vulnerabilities/importers/github.py", line 171, in advisory_data
    response = utils.fetch_github_graphql_query(graphql_query)
  File "/app/vulnerabilities/utils.py", line 241, in fetch_github_graphql_query
    raise GitHubTokenError(msg)
vulnerabilities.utils.GitHubTokenError: Cannot call GitHub API without a token set in the GH_TOKEN environment variable.
Failed to run importer vulnerabilities.importers.github.GitHubAPIImporter. Continuing...
Enter fullscreen mode Exit fullscreen mode

Well, I had other issues, so I decided to take a look on importers I can use

$ docker-compose exec vulnerablecode ./manage.py import --list
Vulnerability data can be imported from the following importers:
vulnerabilities.importers.nginx.NginxImporter
vulnerabilities.importers.alpine_linux.AlpineImporter
vulnerabilities.importers.github.GitHubAPIImporter
vulnerabilities.importers.nvd.NVDImporter
vulnerabilities.importers.openssl.OpensslImporter
vulnerabilities.importers.redhat.RedhatImporter
vulnerabilities.importers.pysec.PyPIImporter
vulnerabilities.importers.debian.DebianImporter
vulnerabilities.importers.gitlab.GitLabAPIImporter
vulnerabilities.importers.pypa.PyPaImporter
vulnerabilities.importers.archlinux.ArchlinuxImporter
vulnerabilities.importers.ubuntu.UbuntuImporter
vulnerabilities.importers.debian_oval.DebianOvalImporter
Enter fullscreen mode Exit fullscreen mode

I imported a few of them one by one.

After the import, we need to run last command

$ docker-compose exec vulnerablecode ./manage.py improve --all
Enter fullscreen mode Exit fullscreen mode

This takes ages (I mentioned the cause eariler). We can, fortunately, improve them one by one, selecting proper item from the list

$ docker-compose exec vulnerablecode ./manage.py improve --list
Enter fullscreen mode Exit fullscreen mode

Ok... As I lost my patience, the day after I came back to the table and started again. I created an EC2 instance in AWS this time and I executed the commands above simultaneously, on my WSL2 based docker and on EC2. And you know what? No difference.

Ok, I said. Let's try once again, this time I will not interrupt.

5 hours later... "Something" happened and my process died.

Oh f****....

I decided to go with improve command. It also took a lot of time, so I resigned. It is not functional at all. I wonder, if this happened to me only, or your experience is the same? Share your opinion with me!


Preparations are not complete, but let's take a look what we can get from the service.

When we enter the website, we see very simple GUI

GUI

We can provide the package name to find any vulnerabilities in it

Packages

At this point we should be able to get more details by clicking package name, but I got only errors. Not funny.

Another option is a search for vulnerability by its ID.

Vulnerabilitites

We have some data there.


A few more words about the collecting data. I said the process took good part of the day. I would say, around 10 hours and wasn't finished. It is totally dissapointing. I checked the performance a few times and this part is also dissapointing. Here is a performance snapshot

Performance

Summary

I don't like this tool. It is very uneffective, does not add any value to the chain. And most importantly, I have no idea if the collecting process can work effectivelly or not. What I observed is useless.

The general idea of this tool is quite ok. If it can be incorporated with ScanCode (by the way, both of the tools are part of the suit on AboutCode) and serve as service providing details about vulnerabilitites - I go with it. Right now, as I can see, it is not the missing tool (which I mentioned in previous episode).

To be clear, this tool doesn't generate any SBOMs, it is not its function. I didn't spent much time on it, my approach is to find reasonable, quickly implementable and easy tool to add to CI/CD processes.

The project is quite young. The current version is 0.1. So, hopefully, it will work better soon :)


Cover image by Suzy from Pixabay

💖 💪 🙅 🚩
pawelpiwosz
Paweł Piwosz

Posted on November 15, 2022

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related

SBOM with FOSSology
sbom SBOM with FOSSology

November 16, 2022

SBOM with VulnerableCode.io
sbom SBOM with VulnerableCode.io

November 15, 2022