Tarballs are Both Reproducible and Non-Reproducible!
TLDR: You can rely on the inputs and outputs being repeatable, as long as the tarball captures the data (e.g. does your tarball capture extended attributes?). You cannot rely on the .tar being bit-for-bit repeatable. You can rely on a (lossless) compression algorithm’s input and output being repeatable. You cannot rely on the actual compressed form being repeatable.
Author’s Note: There’s a common suggestion that the hash of a tarball from a directory could be used to ascertain the system’s state.
On the Importance of Tracking Software Dependencies
While contributing to the development of NIST SP 800-204D, a primary objective I pursued was to address a particular deficiency in the realm of software supply chain security. Here’s the critical insight from this endeavor as written in the document:
SSC security should also account for discovering and tracking software defects rather than simply mitigating attackers.
Pick any widespread library commonly deployed through a non-distribution based package manager and ask the question: “Do I know where this is deployed in my organization?”
GCP Buildpacks Old Compiler Injection Write-Up [Fixed]
[FIXED]: GCP Buildpacks Old Compiler Injection Write-Up
I would like to personally thank the GCP Buildpacks team for supporting this important project and fixing this issue!
This article describes a FIXED vulnerability in GCP Buildpacks that I discovered and collaborated with the GCP team to fix. The buildpack now downloads the most recent stable compiler, effectively fixing the problem.
The short version of this report is the GCP Golang Buildpack used to pull in an old, no-longer-maintained compiler.
Overview of the OMB Memorandum M-22-09: Zero Trust Memo
OMB Memorandum M-22-09
This post contains my notes on the entire OMB memo. These notes are not a full analysis of the memo, but they do include some of my thoughts and opinions as of 30 January 2022.
You can read the original at https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf
One significant omission is that the OMB says nothing about software or hardware supply chain provenance, other than that authorization may use properties of the device and environment to determine authorization.
Buildpacks and SBOM Integration Opportunities
Buildpacks and SBOM integration
Buildpacks provide a natural location for integrating SBOMs into developer build environments and CI/CD workflows.
Author’s note: the goal here isn’t to bash the current state. This is fantastic work and represents a great start, and can evolve into something much more robust. The first iteration should be small in scope and demonstrate opportunity, which this does beautifully.
UPDATE: It was brought to my attention that the latest buildpacks from Paketo.
What is VEX? It’s the Vulnerability Exploitability eXchange!
The Problem
CVEs play an essential role in announcing vulnerabilities for a given product or library. Recently, we saw the high-impact announcement of CVE-2021-44228 (Log4Shell). Analysts and engineers are inspecting every installation of Java for susceptibility to Log4Shell.
However, the presence of a vulnerability in a library does not necessarily mean that a product consuming that library is affected. An implementation may not exercise the vulnerable feature. Alternatively, the data reaching the vulnerable code may be sufficiently sanitized, preventing the exploit from materializing.
SBOM-A-Rama (2021) Day 2 Write Up
Read the Day 1 Write-Up First
SBOM-a-Rama, Day 2
Short note: These are my notes. As such, they may be incomplete and inaccurate at times. If you feel I misrepresented a speaker or a topic, please reach out to me to collaborate on improving this article. I was also trying to participate in some of the chats simultaneously, so I could not take a complete set of notes for the latter part of the event.
SBOM-A-Rama (2021) Day 1 Write Up
SBOM-a-Rama, Day 1
Short note: These are my personal notes. As such, they may be incomplete and inaccurate at times. If you feel I misrepresented a speaker or a topic, please reach out to me so that we can collaborate on improving this article. I was also trying to participate in some of the chats simultaneously, so I could not take a complete set of notes for the latter part of the event.
Analysis of a spdx-sbom-generator generated SBOM
We generated an SBOM with the SPDX SBOM Generator in a previous post. In this post, we perform an initial analysis of the contents of the generated SBOM.
The focus of this analysis is on the latest main branch of https://github.com/opensbom-generator/spdx-sbom-generator at 2d55f67b8b1fbcaa722bd22a54c3e406ffe884a9.
The SPDX SBOM Generator also supports a rich set of languages:
GoMod (Go)
Cargo (Rust)
Composer (PHP)
DotNet (.NET)
Maven (Java)
NPM (Node.js)
Yarn (Node.js)
PIP (Python)
Pipenv (Python)
Gems (Ruby)
Swift Package Manager (Swift)
The generator is still early in development, so I do not expect all languages or features to be fully available at this time.
Creating an SBOM for a golang app using spdx-sbom-generator
The SPDX community created the spdx-sbom-generator that makes it trivial to create SPDX based SBOMs. In this post, we will generate an SPDX SBOM.
We begin by installing the tool to $GOPATH/bin:
git clone https://github.com/opensbom-generator/spdx-sbom-generator.git
cd spdx-sbom-generator
go install ./cmd/generator
For this example, we use the example repo which was used in the NTIA SBOM plug fests: github.com/fkautz/serve.
git clone https://github.com/fkautz/serve
In this scenario, we will produce an SBOM using app.
Analysis of a cyclonedx-gomod generated SBOM
We generated an SBOM with cyclonedx-gomod in a previous post. In this post, we perform an initial analysis of the contents of the generated SBOM.
The focus of this analysis is on [email protected].
Punchline
Run cyclonedx-gomod with the following flags:
cyclonedx-gomod app --files --licenses --std
Opening
<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.3" serialNumber="urn:uuid:072ddef2-5299-4131-8554-b143b41f6b86" version="1">
We begin with an initial XML version and encoding of UTF-8. The bom tag represents the root bill of materials type defined in the schema listed in the xmlns attribute.
Creating an SBOM for a golang app using cyclonedx-gomod
We can easily create CycloneDX SBOMs for Golang using a new tool from the CycloneDX team.
We begin by installing the tool to $GOPATH/bin:
go install github.com/CycloneDX/[email protected]
For this example, we use the example repo which was used in the NTIA SBOM plug fests: github.com/fkautz/serve.
git clone https://github.com/fkautz/serve
The cyclonedx-gomod tool provides three subcommands which we can use to create the SBOM.
app: generates an SBOM for an application, only including what is actually in the final binary.
Creating a Software Supply Chain Landscape
We needed a software supply chain landscape, and one now exists. I look forward to seeing this grow over time.
Software Supply Chain Landscape
Please open an issue or PR at https://github.com/fkautz/zt.dev if you would like to contribute a project or fix a bug.
Thank you and enjoy!