
CycloneDX is a full-stack Bill of Materials (BOM)

Since the PeppermintOS developers began implementing their Bill of Materials (BOM) processes, I've been closely monitoring the standards and tools they've adopted. Initially, the complexity of this endeavor can be overwhelming and confusing... not gonna make that sound easy peasy... LOL, but it's fascinating to see their choice of the CycloneDX standard.

What is it?

CycloneDX is a specification for creating Software Bills of Materials (SBOMs). It's a standardized format for documenting and sharing information about the components that make up a software product; in this case, the product is a Linux distribution. It focuses on providing detailed information about software components, their dependencies, and associated security vulnerabilities.

What is PeppermintOS doing?

From what I have learned from them, being based on Debian/Devuan gives them a wealth of open-source tools and technologies to draw on. Implementing CycloneDX involves integrating tools that can generate, manage, or consume CycloneDX SBOMs into their software development or deployment processes.

The steps they are taking

They identify the components that the team wants to create SBOMs for. For example, the applications they are developing and the system configurations they manage on Peppermint OS will be the focus. CycloneDX can be used to document the application dependencies, system configurations, and even the hardware components of the Peppermint OS system.

Next, they research and select appropriate tools that support CycloneDX. Several open-source and commercial tools can generate CycloneDX SBOMs. Some popular options that they ran across are:

  • Dependency-Track - This is an open-source platform that consumes CycloneDX SBOMs and provides vulnerability analysis, license risk assessment, and component management capabilities. They can install Dependency-Track on a Peppermint OS server or use a hosted instance.
  • CycloneDX Maven Plugin, Gradle Plugin, and CLI - These tools can be integrated into the build process to automatically generate CycloneDX SBOMs as part of the application builds. They can install them using the system package manager.
  • Syft - This tool can generate SBOMs from container images, file systems, and other sources, and supports the CycloneDX format. They can use it to inventory the software packages installed on the Peppermint OS system.
  • Grype - A vulnerability scanner that consumes CycloneDX SBOMs to identify vulnerabilities in the software components. They can use it to scan the application dependencies and system packages for known vulnerabilities.


As the team figures out what tools they need, the next step is to install the necessary tools on the Peppermint OS system or integrate them into their development pipelines. For example, since they are using buildbot for their pipelines, they can add the CycloneDX CLI and CycloneDX-Buildroot to their build configuration to automatically generate SBOMs.

From there they configure the tools to generate CycloneDX SBOMs for the target components. This may involve specifying the project dependencies, build configurations, and output formats.

Once they have generated CycloneDX SBOMs, they can use them for various purposes, such as:

  • Vulnerability Management - Use Dependency-Track or Grype to analyze the SBOMs and identify potential vulnerabilities in the software components.
  • License Compliance - Identify the licenses of the software components and ensure compliance with open-source licenses.
  • Supply Chain Security - Share the SBOMs with their users or partners to provide transparency into the composition of the software products.
  • Incident Response - Use the SBOMs to quickly identify affected components in the event of a security incident.
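To make the "generate, then consume" steps above concrete, here is a small added example (not code from the PeppermintOS project or from the CycloneDX tooling it mentions) that reads a CycloneDX JSON SBOM and does three of the things listed: inventories the components, summarises their licenses, and, for incident response, walks the SBOM's own dependency graph to find every component that transitively depends on a vulnerable one. The SBOM document embedded in the script is constructed for this example; its package names, versions, bom-refs and the vulnerability id EXAMPLE-VULN-0001 are all hypothetical.

```python
"""Consume a CycloneDX JSON SBOM: inventory, license summary, impact lookup."""
import json
from collections import defaultdict, deque

# Constructed CycloneDX 1.5 JSON document used as sample input. Every package
# name, version, bom-ref and the vulnerability id below is hypothetical.
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {
        "component": {"type": "operating-system", "bom-ref": "os-root",
                      "name": "example-distro", "version": "1.0"}
    },
    "components": [
        {"type": "library", "bom-ref": "pkg:deb/debian/libexample@1.2.3",
         "name": "libexample", "version": "1.2.3",
         "purl": "pkg:deb/debian/libexample@1.2.3",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "application", "bom-ref": "pkg:deb/debian/exampletool@2.0.0",
         "name": "exampletool", "version": "2.0.0",
         "purl": "pkg:deb/debian/exampletool@2.0.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"type": "library", "bom-ref": "pkg:deb/debian/libother@0.9.1",
         "name": "libother", "version": "0.9.1",
         "purl": "pkg:deb/debian/libother@0.9.1",
         "licenses": [{"expression": "Apache-2.0 OR BSD-3-Clause"}]},
    ],
    # Dependency graph: the OS root depends on exampletool and libother,
    # and exampletool depends on libexample.
    "dependencies": [
        {"ref": "os-root", "dependsOn": ["pkg:deb/debian/exampletool@2.0.0",
                                         "pkg:deb/debian/libother@0.9.1"]},
        {"ref": "pkg:deb/debian/exampletool@2.0.0",
         "dependsOn": ["pkg:deb/debian/libexample@1.2.3"]},
        {"ref": "pkg:deb/debian/libother@0.9.1", "dependsOn": []},
    ],
    # CycloneDX can carry vulnerability findings inside the BOM itself.
    "vulnerabilities": [
        {"id": "EXAMPLE-VULN-0001", "source": {"name": "constructed"},
         "ratings": [{"severity": "high"}],
         "affects": [{"ref": "pkg:deb/debian/libexample@1.2.3"}]},
    ],
})


def load_sbom(text):
    """Parse a CycloneDX JSON document and reject anything that is not one."""
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX" or "specVersion" not in sbom:
        raise ValueError("not a CycloneDX JSON BOM")
    return sbom


def components_by_ref(sbom):
    """Index every component (including the metadata root) by its bom-ref."""
    index = {}
    root = sbom.get("metadata", {}).get("component")
    if root and "bom-ref" in root:
        index[root["bom-ref"]] = root
    for comp in sbom.get("components", []):
        index[comp.get("bom-ref", comp.get("purl"))] = comp
    return index


def license_summary(sbom):
    """Map each license id, name or SPDX expression to the components using it."""
    summary = defaultdict(list)
    for comp in sbom.get("components", []):
        for entry in comp.get("licenses", []):
            if "expression" in entry:           # SPDX expression form
                key = entry["expression"]
            else:                               # single license object form
                lic = entry.get("license", {})
                key = lic.get("id") or lic.get("name") or "UNKNOWN"
            summary[key].append(comp["name"])
    return dict(summary)


def reverse_dependencies(sbom):
    """Build ref -> set of refs that depend on it from the dependencies graph."""
    dependents = defaultdict(set)
    for edge in sbom.get("dependencies", []):
        for child in edge.get("dependsOn", []):
            dependents[child].add(edge["ref"])
    return dependents


def impacted_refs(sbom, vuln_id):
    """Refs directly affected by vuln_id (per the SBOM's vulnerabilities
    section) plus everything that transitively depends on them, sorted."""
    affected = []
    for vuln in sbom.get("vulnerabilities", []):
        if vuln.get("id") == vuln_id:
            affected.extend(a["ref"] for a in vuln.get("affects", []))
    dependents = reverse_dependencies(sbom)
    seen, queue = set(affected), deque(affected)
    while queue:                                # breadth-first walk upwards
        ref = queue.popleft()
        for parent in dependents.get(ref, ()):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return sorted(seen)


if __name__ == "__main__":
    bom = load_sbom(SAMPLE_SBOM_JSON)
    print("components:", sorted(components_by_ref(bom)))
    print("licenses:", license_summary(bom))
    print("impacted by EXAMPLE-VULN-0001:", impacted_refs(bom, "EXAMPLE-VULN-0001"))
```

In place of the constructed document, `load_sbom` can be fed the CycloneDX JSON that Syft writes with its `cyclonedx-json` output format; the dependency walk is what turns "libexample is vulnerable" into the list of packages and the distribution root that actually ship it, which is the question an incident responder asks first.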

Implementing CycloneDX is an ongoing process for the PeppermintOS team. SBOMs need to be regenerated regularly to reflect changes in the software components and dependencies, and continuously monitored for vulnerabilities and other security risks. This helps protect the Peppermint OS system and improves their software supply chain security.


There is so much to learn in the process...