Generating Software Bill of Material for Vulnerability Management and License Compliance

Type: Perustieteiden korkeakoulu | Master's thesis
Author: Lu Lin
Date: 2023-01-23
Mcode: SCI3084
Degree programme: Master's Programme in Computer, Communication and Information Sciences
Language: en
Pages: 64+9
Abstract
As the proportion of open source software in applications continues to rise, it has substantially improved the efficiency of development while posing challenges to software supply chain security. The relationships between dependencies are intricate. Direct dependencies can be obtained from the package manager; transitive dependencies, however, must be identified by following the associations between packages. Tracking vulnerabilities in transitive dependencies and patching them has become one of the challenges in DevSecOps. Currently, the industry employs the software bill of materials (SBOM) for dependency tracking. Integrating SBOMs into DevSecOps is difficult because of the absence of a unified standard and practical procedures. This thesis explores how to ensure the security and compliance of open source components in the software supply chain. The goal is to implement a Software Composition Analysis (SCA) system that continuously monitors dependencies. We analyzed and compared existing SBOM generation tools and selected native CycloneDX plug-ins and libraries based on the accuracy of their results and the adaptability of the SBOM, which we then integrated with Dependency Track for vulnerability tracking. By communicating with the company's legal department, we clarified distinct compliance policies for each piece of software in its application area and set up rules in Dependency Track to automate the compliance process. As a result, we developed an SCA system applicable to the company's research and development process. Through the CI/CD pipeline of the DevOps system, we were able to obtain the latest information regarding dependencies and their licenses in real time. The generated SBOMs were forwarded to the internal Dependency Track server, which facilitated tracking of vulnerabilities, auditing of licenses, and ensuring compliance. During this experiment, we found that an SBOM is not immutable and that hackers can still avoid detection because integrity checks are not performed. Therefore, future study should put emphasis on SBOM integrity checking.
Supervisor: Aura, Tuomas
Thesis advisor: Koskenheimo, Kirsi
Keywords: open source software, software composition analysis, SBOM, vulnerability management, license compliance