Generating Software Bill of Material for Vulnerability Management and License Compliance

Perustieteiden korkeakoulu | Master's thesis

Authors

Lu Lin

Date

2023-01-23

Mcode

SCI3084

Degree programme

Master's Programme in Computer, Communication and Information Sciences

Language

en

Pages

64+9
Abstract

As the proportion of open source software in applications continues to rise, it has substantially improved the efficiency of development while posing challenges to software supply chain security. The relationships between dependencies are intricate. Direct dependencies can be obtained from the package manager; transitive dependencies, however, must be identified by following the dependency relationships. Tracking vulnerabilities in transitive dependencies and patching them has become one of the challenges in DevSecOps. Currently, the industry employs the software bill of materials (SBOM) for dependency tracking. Integrating SBOMs into DevSecOps is difficult due to the absence of a unified standard and of practical procedures. This thesis explores how to ensure the security and compliance of open source components in the software supply chain. The goal is to implement a Software Composition Analysis (SCA) system that continuously monitors dependencies. We analyzed and compared existing SBOM generation tools and selected native CycloneDX plug-ins and libraries based on the accuracy of the results and the adaptability of the SBOM, which we then integrated with Dependency Track for vulnerability tracking. By communicating with the company's legal department, we clarified distinct compliance policies for each software product in its application area and set up rules in Dependency Track to automate the compliance process. As a result, we have developed an SCA system applicable to the company's research and development process. Through the CI/CD pipeline of the DevOps system, we were able to obtain the latest information on dependencies and their licenses in real time. The generated SBOMs were forwarded to the internal Dependency Track server, which facilitated tracking of vulnerabilities, auditing of licenses, and ensuring compliance. During this experiment, we found that an SBOM is not immutable and that attackers can still avoid detection because integrity checks are not performed. Therefore, future study should put emphasis on SBOM integrity checking.

Supervisor

Aura, Tuomas

Thesis advisor

Koskenheimo, Kirsi

Keywords

open source software, software composition analysis, SBOM, vulnerability management, license compliance
