Creating an SBOM for a golang app using cyclonedx-gomod
We can easily create CycloneDX SBOMs for Golang using a new tool from the CycloneDX team.
We begin by installing the tool to $GOPATH/bin
go install github.com/CycloneDX/[email protected]
For this example, we use the example repo which was used in the NTIA SBOM plug fests: github.com/fkautz/serve.
git clone https://github.com/fkautz/serve
The cyclonedx-gomod tool provides three subcommands which we can use to create the submodule.
- app: generates an sbom for an application, only including what is actually in the final binary.
- bin: generates an sbom from an existing binary.
- mod: generates an sbom from all imported dependencies, ignoring build constraints.
In this scenario, we will produce an SBOM using app.
cyclonedx-gomod app > sbom.xml
We will analyze the contents of the SBOM in a future post.
The final version of the app is as follows:
<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.3" serialNumber="urn:uuid:072ddef2-5299-4131-8554-b143b41f6b86" version="1">
<metadata>
<timestamp>2021-11-11T18:48:25-08:00</timestamp>
<tools>
<tool>
<vendor>CycloneDX</vendor>
<name>cyclonedx-gomod</name>
<version>v0.0.0-unset</version>
<hashes>
<hash alg="MD5">0738f1e7bc821d0bb630f3ad00ba0b52</hash>
<hash alg="SHA-1">b2cdc16eb791d7d2c6387e9ff566abf687518132</hash>
<hash alg="SHA-256">c82f6cb776191aea89bad6513f0fde4654df6e78befc07cdaee73e3c5c9daa30</hash>
<hash alg="SHA-384">f91edd9b60b9f73a22bc479daac7638e4e6f1bbb3bd49a5bac68f7ca3a632e07ddef253c70d235fa00602b992e7ea7c0</hash>
<hash alg="SHA-512">133e9467c92948cd250cb71d24aa048cd6533c1f126baad59ff1983990a2bbfc02f7d3bc560a74f99eee7d5b10e57c20c0e8e50d6cd0e2697a7f3d795457b373</hash>
</hashes>
</tool>
</tools>
<component bom-ref="pkg:golang/github.com/fkautz/[email protected]" type="application">
<name>github.com/fkautz/serve</name>
<version>v1.0.0</version>
<purl>pkg:golang/github.com/fkautz/[email protected]</purl>
<externalReferences>
<reference type="vcs">
<url>https://github.com/fkautz/serve</url>
</reference>
</externalReferences>
<properties>
<property name="cdx:gomod:build:env:CGO_ENABLED">1</property>
<property name="cdx:gomod:build:env:GOARCH">amd64</property>
<property name="cdx:gomod:build:env:GOOS">linux</property>
<property name="cdx:gomod:build:env:GOVERSION">go1.17.3</property>
</properties>
</component>
</metadata>
<components>
<component bom-ref="pkg:golang/github.com/cpuguy83/go-md2man/[email protected]" type="library">
<name>github.com/cpuguy83/go-md2man/v2</name>
<version>v2.0.0</version>
<scope>required</scope>
<hashes>
<hash alg="SHA-256">1285034b469f6ebb17019f5843d8ddbbf999dac5e04f5ff6cb23678383c69723</hash>
</hashes>
<purl>pkg:golang/github.com/cpuguy83/go-md2man/[email protected]</purl>
<externalReferences>
<reference type="vcs">
<url>https://github.com/cpuguy83/go-md2man</url>
</reference>
</externalReferences>
</component>
<component bom-ref="pkg:golang/github.com/felixge/[email protected]" type="library">
<name>github.com/felixge/httpsnoop</name>
<version>v1.0.2</version>
<scope>required</scope>
<hashes>
<hash alg="SHA-256">fa74bd83cd8a31771c27fc29d33c915bd6411c511398c1ad924fb60934eb5b8a</hash>
</hashes>
<purl>pkg:golang/github.com/felixge/[email protected]</purl>
<externalReferences>
<reference type="vcs">
<url>https://github.com/felixge/httpsnoop</url>
</reference>
</externalReferences>
</component>
<component bom-ref="pkg:golang/github.com/gorilla/[email protected]" type="library">
<name>github.com/gorilla/handlers</name>
<version>v1.5.1</version>
<scope>required</scope>
<hashes>
<hash alg="SHA-256">f65458ea3f0311e7814f5d02bcef61196d209a4cb4069ae7bc3239bdf8541c7e</hash>
</hashes>
<purl>pkg:golang/github.com/gorilla/[email protected]</purl>
<externalReferences>
<reference type="vcs">
<url>https://github.com/gorilla/handlers</url>
</reference>
</externalReferences>
</component>
<component bom-ref="pkg:golang/github.com/russross/blackfriday/[email protected]" type="library">
<name>github.com/russross/blackfriday/v2</name>
<version>v2.1.0</version>
<scope>required</scope>
<hashes>
<hash alg="SHA-256">248387e79ff4716c8eba296bf7faa5ae6d0149795daa7ab032c7f7e4b77aee69</hash>
</hashes>
<purl>pkg:golang/github.com/russross/blackfriday/[email protected]</purl>
<externalReferences>
<reference type="vcs">
<url>https://github.com/russross/blackfriday</url>
</reference>
</externalReferences>
</component>
<component bom-ref="pkg:golang/github.com/urfave/[email protected]" type="library">
<name>github.com/urfave/cli</name>
<version>v1.22.5</version>
<scope>required</scope>
<hashes>
<hash alg="SHA-256">94dabdb001d72b6a9f748f16f86448b63084908fb6a11e1df8c107cb508a5e85</hash>
</hashes>
<purl>pkg:golang/github.com/urfave/[email protected]</purl>
<externalReferences>
<reference type="vcs">
<url>https://github.com/urfave/cli</url>
</reference>
</externalReferences>
</component>
</components>
<dependencies>
<dependency ref="pkg:golang/github.com/fkautz/[email protected]">
<dependency ref="pkg:golang/github.com/gorilla/[email protected]"></dependency>
<dependency ref="pkg:golang/github.com/urfave/[email protected]"></dependency>
</dependency>
<dependency ref="pkg:golang/github.com/cpuguy83/go-md2man/[email protected]">
<dependency ref="pkg:golang/github.com/russross/blackfriday/[email protected]"></dependency>
</dependency>
<dependency ref="pkg:golang/github.com/felixge/[email protected]"></dependency>
<dependency ref="pkg:golang/github.com/gorilla/[email protected]">
<dependency ref="pkg:golang/github.com/felixge/[email protected]"></dependency>
</dependency>
<dependency ref="pkg:golang/github.com/russross/blackfriday/[email protected]"></dependency>
<dependency ref="pkg:golang/github.com/urfave/[email protected]">
<dependency ref="pkg:golang/github.com/cpuguy83/go-md2man/[email protected]"></dependency>
</dependency>
</dependencies>
</bom>