In this fourth post of our series on SBOM generation for various ecosystems, we generate a Software Bill of Materials (SBOM) for a Go project and review why Software Composition Analysis (SCA) matters for keeping Go projects secure.
What does SBOM mean? A Software Bill of Materials is a detailed inventory of every software component and dependency in a project. In the Go ecosystem an accurate SBOM matters because module versions change frequently as go.mod is updated, and each upgrade can pull in new transitive dependencies. Software Composition Analysis (SCA) tools match the components in that inventory against known vulnerabilities so that the affected versions can be found and fixed.
Go, also known as Golang, is an open-source programming language developed by Google. It is known for its simplicity, efficiency, and strong support for concurrent programming.
First, why Syft? As we tested each ecosystem, we found that Syft generated the most well-formed SBOM, so Syft is our chosen tool for this series. In addition, Syft can emit both the SPDX and CycloneDX formats and its output is compatible with Vigiles.
`curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin v1.3.0`
`go mod download`
Note: By default, transitive dependencies are not included in the SBOM and are usually not needed. If you do want them, point GOMODCACHE at a directory inside the project before running `go mod download`, so that the downloaded modules land inside the directory Syft will scan:
`mkdir cache_module`
`export GOMODCACHE=<your-project-directory/cache_module>` (on a Windows command prompt, use `SET GOMODCACHE=<your-project-directory/cache_module>` instead)
`syft scan dir:./ -o spdx-json=go.json`
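Before uploading go.json it is worth checking what the SBOM actually contains, since (as noted later in this post) Syft does not populate every field the NTIA minimum elements call for. The following Go program is an added example written for this post; it is not part of the original article and not code from Syft or Vigiles. It parses an SPDX 2.x JSON document in the shape Syft emits and reports, per package, which of the seven NTIA minimum elements (Supplier Name, Component Name, Version, Other Unique Identifiers, Dependency Relationship, Author of SBOM Data, Timestamp) are absent. The embedded `sampleSBOM` is a constructed, trimmed-down document, not real Syft output; the file name `check_ntia.go` and the "participates in at least one relationship" heuristic for the dependency-relationship element are the example's own assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"sort"
	"strings"
)

// Minimal model of the SPDX 2.x JSON written by `syft scan -o spdx-json`;
// only the fields the NTIA minimum-elements check needs are modelled.
type spdxDoc struct {
	CreationInfo struct {
		Created  string   `json:"created"`
		Creators []string `json:"creators"`
	} `json:"creationInfo"`
	Packages []struct {
		SPDXID       string `json:"SPDXID"`
		Name         string `json:"name"`
		VersionInfo  string `json:"versionInfo"`
		Supplier     string `json:"supplier"`
		ExternalRefs []struct {
			Category string `json:"referenceCategory"`
			Locator  string `json:"referenceLocator"`
		} `json:"externalRefs"`
	} `json:"packages"`
	Relationships []struct {
		From string `json:"spdxElementId"`
		To   string `json:"relatedSpdxElement"`
	} `json:"relationships"`
}

// present reports whether an SPDX string field carries real data: the SPDX
// placeholders NOASSERTION and NONE are valid SPDX but do not satisfy NTIA.
func present(s string) bool {
	s = strings.TrimSpace(s)
	return s != "" && s != "NOASSERTION" && s != "NONE"
}

// CheckNTIA returns the NTIA minimum elements the document fails to satisfy,
// keyed by element name, with the offending package SPDXIDs (sorted) or the
// string "document" for the two document-level elements.
func CheckNTIA(data []byte) (map[string][]string, error) {
	var doc spdxDoc
	if err := json.Unmarshal(data, &doc); err != nil {
		return nil, fmt.Errorf("parse SPDX JSON: %w", err)
	}
	missing := map[string][]string{}
	add := func(elem, who string) { missing[elem] = append(missing[elem], who) }

	if len(doc.CreationInfo.Creators) == 0 {
		add("Author of SBOM Data", "document")
	}
	if !present(doc.CreationInfo.Created) {
		add("Timestamp", "document")
	}
	// Assumed heuristic for "Dependency Relationship": each package must take
	// part in at least one relationship (DESCRIBES, DEPENDS_ON, CONTAINS, ...).
	related := map[string]bool{}
	for _, r := range doc.Relationships {
		related[r.From], related[r.To] = true, true
	}
	for _, p := range doc.Packages {
		if !present(p.Supplier) {
			add("Supplier Name", p.SPDXID)
		}
		if !present(p.Name) {
			add("Component Name", p.SPDXID)
		}
		if !present(p.VersionInfo) {
			add("Version of the Component", p.SPDXID)
		}
		// A purl (PACKAGE-MANAGER) or CPE (SECURITY) external reference
		// counts as an "Other Unique Identifier".
		hasID := false
		for _, ref := range p.ExternalRefs {
			cat := strings.ReplaceAll(ref.Category, "_", "-")
			if (cat == "PACKAGE-MANAGER" || cat == "SECURITY") && present(ref.Locator) {
				hasID = true
			}
		}
		if !hasID {
			add("Other Unique Identifiers", p.SPDXID)
		}
		if !related[p.SPDXID] {
			add("Dependency Relationship", p.SPDXID)
		}
	}
	for k := range missing {
		sort.Strings(missing[k])
	}
	return missing, nil
}

// sampleSBOM is a constructed document in the shape Syft emits (not real
// Syft output): one fully described module and one with gaps.
const sampleSBOM = `{
  "spdxVersion": "SPDX-2.3", "name": "example-go-app",
  "creationInfo": {"created": "2024-06-01T12:00:00Z",
                   "creators": ["Tool: syft-1.3.0", "Organization: Example Corp"]},
  "packages": [
    {"SPDXID": "SPDXRef-Package-go-module-example.com-app", "name": "example.com/app",
     "versionInfo": "v0.1.0", "supplier": "Organization: Example Corp",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:golang/example.com/app@v0.1.0"}]},
    {"SPDXID": "SPDXRef-Package-go-module-example.com-lib", "name": "example.com/lib",
     "versionInfo": "v1.2.3", "supplier": "NOASSERTION"}
  ],
  "relationships": [{"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
                     "relatedSpdxElement": "SPDXRef-Package-go-module-example.com-app"}]
}`

func main() {
	data := []byte(sampleSBOM) // default: the constructed sample
	if len(os.Args) > 1 {       // usage: go run check_ntia.go go.json
		var err error
		if data, err = os.ReadFile(os.Args[1]); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
	}
	missing, err := CheckNTIA(data)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for elem, ids := range missing {
		fmt.Printf("missing %-26s %s\n", elem+":", strings.Join(ids, ", "))
	}
}
```

Run it against the go.json produced above (`go run check_ntia.go go.json`) to see which packages lack a supplier, a purl/CPE, or any relationship. On the constructed sample, example.com/app passes and example.com/lib is reported under Supplier Name, Other Unique Identifiers and Dependency Relationship, while the document-level author and timestamp are satisfied because Syft always writes creationInfo.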
Vigiles is a comprehensive SBOM management, vulnerability monitoring, and remediation tool offered by Timesys. To view the SBOM generated above and generate a vulnerability report, follow these steps:
`vigiles -k </path/to/key> manifest upload </path/to/sbom>`
Note: If you don’t have one already, you will need an active Vigiles Enterprise subscription.
In the Vigiles WebUI, you can view the SBOM component details such as name, version, and license information.
In this view, you can see all the vulnerabilities associated with each package and available fixes.
Vigiles pulls from multiple security advisories, including but not limited to NVD, OSV (GitHub Security Advisory, PyPI Advisory, Go Vulnerability Database, Rust Advisory, Haskell Security Advisories, OSS-Fuzz, Debian Security Advisories, RConsortium Advisory).
At the time of writing, Syft does not contain all the elements prescribed in the NTIA minimum elements for an SBOM. Below are the missing fields in the CycloneDX JSON format:
The combination of Syft and Vigiles offers a powerful solution for generating and managing SBOMs in the Go ecosystem. Syft excels at creating well-formed SBOMs with high accuracy and Vigiles further enhances this process by providing robust vulnerability monitoring and remediation capabilities.
This synergy ensures your software remains secure and compliant with the constantly evolving industry standards.
By combining Syft’s accurate SBOM generation with Vigiles’ comprehensive vulnerability management in the Go ecosystem, you can greatly improve your software’s security posture. Vigiles not only identifies vulnerabilities but also provides direct links to patches and remediation options, streamlining the process of securing your software.
Ready to experience the full benefits of SBOM and vulnerability management with Vigiles? Try Vigiles Prime free for 30 days to unlock a streamlined vulnerability management process, safeguard your software, and accelerate compliance workflows.