In our twelfth blog of the ecosystem series, we explore how to generate a Software Bill of Materials (SBOM) for the Ruby (RubyGems) ecosystem. We also underscore the role of Software Composition Analysis (SCA) in keeping Ruby applications safe and robust.
For the other ecosystem blogs in our series on how to generate SBOMs in different environments, check out this blog here.
RubyGems is the package manager for Ruby, a dynamic, open-source programming language with a focus on simplicity and productivity. RubyGems allows developers to easily distribute and manage the libraries or gems they create.
A Software Bill of Materials (SBOM) is a detailed inventory of all software components and dependencies within a project. In the Ruby ecosystem an accurate SBOM matters because Bundler resolves the version ranges in a Gemfile to one concrete set of gem versions in Gemfile.lock; those resolved versions, not the ranges, are what ships and what must be matched against advisories. Software Composition Analysis (SCA) tools identify and manage vulnerabilities in those components so your projects remain secure.
What makes Syft stand out? In our testing it produced the highest-quality SBOMs, and it integrates cleanly with Vigiles, so it is the tool we use for generating SBOMs throughout this series. The steps below install a pinned Syft release, vendor the application's gems into the project directory so that the installed gemspecs sit next to Gemfile.lock, and scan that directory into a CycloneDX JSON SBOM. Two practical notes: review the installer script before piping it into a shell (pinning the release version, as done here, is not a substitute for checking what you run), and be aware that `bundle config set --local path './'` writes the gems under `./ruby/<ruby-version>/` inside the project, which is what lets a `dir:` scan see them.
`curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin v1.3.0`
`bundle config set --local path './'`
`bundle install`
`syft scan dir:./ -o cyclonedx-json=gems.json`
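Once the SBOM exists, the first check a practitioner wants is whether it actually covers the gems Bundler resolved: a gem that is in Gemfile.lock but absent from the SBOM will never be matched against an advisory. The Ruby script below is an added example written for this post; it is not Syft's or Vigiles' code. It parses the `specs:` sections of a Gemfile.lock, extracts the components of a CycloneDX JSON document whose package URL is of type `gem`, and reports gems that are missing, extra, or at a different version. The Gemfile.lock and SBOM samples embedded in it are constructed for the example (the SBOM deliberately omits `racc` and carries an older `rake`); the assumption that a `-suffix` on a lockfile version is a platform tag is noted in the code.

```ruby
require 'json'

# Gem name => version from the "specs:" sections of a Gemfile.lock.
# Gems are the 4-space-indented "name (version)" lines; the 6-space lines
# beneath them are that gem's runtime dependencies and are skipped.
# Assumption: a "-suffix" after the version (e.g. "1.16.2-x86_64-linux")
# is Bundler's platform tag for a precompiled gem and is stripped.
def parse_gemfile_lock(text)
  gems = {}
  in_specs = false
  text.each_line do |raw|
    line = raw.chomp
    if line.match?(/\A[A-Z]/)   # top-level section header: GEM, PLATFORMS, ...
      in_specs = false
      next
    end
    in_specs = true if line == '  specs:'
    next unless in_specs
    m = line.match(/\A {4}(\S+) \(([^)]+)\)\z/)
    gems[m[1]] = m[2].split('-', 2).first if m
  end
  gems
end

# Gem name => version from a CycloneDX JSON document. Only components whose
# package URL has type "gem" are kept, so OS packages or binaries catalogued
# in the same directory scan are not mistaken for Ruby gems.
def sbom_gems(json_text)
  doc = JSON.parse(json_text)
  (doc['components'] || []).each_with_object({}) do |c, gems|
    gems[c['name']] = c['version'] if c['purl'].to_s.start_with?('pkg:gem/')
  end
end

# Gems in the lockfile but absent from the SBOM, gems only in the SBOM, and
# gems present in both at different versions ([name, lock_version, sbom_version]).
def compare_lock_to_sbom(lock, sbom)
  {
    missing:    (lock.keys - sbom.keys).sort,
    extra:      (sbom.keys - lock.keys).sort,
    mismatched: lock.select { |n, v| sbom.key?(n) && sbom[n] != v }
                    .map { |n, v| [n, v, sbom[n]] }.sort
  }
end

# Constructed sample lockfile (not from a real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.16.2-x86_64-linux)
        racc (~> 1.4)
      racc (1.7.3)
      rack (3.0.8)
      rake (13.1.0)

  PLATFORMS
    x86_64-linux

  DEPENDENCIES
    nokogiri
    rack
    rake

  BUNDLED WITH
     2.5.6
LOCK

# Constructed sample SBOM: racc is missing, rake is at an older version, and a
# non-gem component is present to show that it is ignored.
SAMPLE_SBOM = <<~SBOM
  {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
      {"type": "library", "name": "nokogiri", "version": "1.16.2", "purl": "pkg:gem/nokogiri@1.16.2"},
      {"type": "library", "name": "rack", "version": "3.0.8", "purl": "pkg:gem/rack@3.0.8"},
      {"type": "library", "name": "rake", "version": "13.0.6", "purl": "pkg:gem/rake@13.0.6"},
      {"type": "library", "name": "libxml2", "version": "2.12.5", "purl": "pkg:deb/debian/libxml2@2.12.5"}
    ]
  }
SBOM

if $PROGRAM_NAME == __FILE__
  # Usage: ruby check_sbom.rb [Gemfile.lock] [gems.json]; without arguments
  # the embedded samples are compared.
  lock = parse_gemfile_lock(ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK)
  sbom = sbom_gems(ARGV[1] ? File.read(ARGV[1]) : SAMPLE_SBOM)
  puts JSON.pretty_generate(compare_lock_to_sbom(lock, sbom))
end
```

Run it as `ruby check_sbom.rb Gemfile.lock gems.json` after the `syft scan` step; a non-empty `missing` list means the scan did not see the installed gems (typically because they were installed outside the scanned directory), and a `mismatched` entry means the SBOM describes a different version than the one Bundler locked.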
Timesys offers Vigiles, a tool for SBOM management, vulnerability monitoring, and remediation. To examine the SBOM generated by Syft and produce a vulnerability report, upload it with the Vigiles CLI:
`vigiles -k </path/to/key> manifest upload </path/to/sbom>`
Note: an active Vigiles Enterprise subscription is required for these steps. Find out more about Vigiles and get a subscription here.
In the Vigiles WebUI you can view the SBOM component details, including each component's name, version, and license information. Below is a demonstration of this view.
The next sample view shows the vulnerabilities tied to each package together with the available fixes.
Vigiles retrieves data from multiple security advisory sources, such as NVD, OSV (which aggregates sources including the GitHub Security Advisory database), PyPI Advisory, Go Vulnerability Database, Rust Advisory, Haskell Security Advisories, OSS-Fuzz, Debian Security Advisories, and RConsortium Advisory.
At the time of writing, Syft's output does not populate every field called for by the NTIA minimum elements for an SBOM. Its CycloneDX JSON is missing the following fields:
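Which NTIA elements a given SBOM covers can be checked directly rather than taken from a fixed list, and that check is worth re-running after every Syft upgrade. The Ruby script below is an added example for this post, not code from Syft, Vigiles or the NTIA. It maps the seven NTIA minimum elements (supplier name, component name, version, other unique identifiers, dependency relationship, author of SBOM data, timestamp) onto CycloneDX JSON fields; that mapping is an assumption made here, and in particular it accepts `metadata.tools` as well as `metadata.authors` for "author of SBOM data" and treats a component with no entry in the top-level `dependencies` array as having an unknown dependency relationship. The SBOM embedded in it is constructed for the example.

```ruby
require 'json'
require 'time'

def present?(v)
  !(v.nil? || (v.respond_to?(:empty?) && v.empty?))
end

# A timestamp only counts if it parses as ISO 8601, not merely if it exists.
def valid_time?(v)
  Time.iso8601(v.to_s)
  true
rescue ArgumentError
  false
end

# Document-level NTIA elements mapped to CycloneDX fields (assumed mapping).
DOC_CHECKS = {
  'timestamp'    => ->(d) { valid_time?(d.dig('metadata', 'timestamp')) },
  'author'       => ->(d) { present?(d.dig('metadata', 'authors')) || present?(d.dig('metadata', 'tools')) },
  'dependencies' => ->(d) { present?(d['dependencies']) }
}.freeze

# Per-component NTIA elements mapped to CycloneDX fields (assumed mapping).
COMPONENT_CHECKS = {
  'supplier'   => ->(c) { present?(c.dig('supplier', 'name')) },
  'name'       => ->(c) { present?(c['name']) },
  'version'    => ->(c) { present?(c['version']) },
  'identifier' => ->(c) { present?(c['purl']) || present?(c['cpe']) }
}.freeze

# Returns { 'document' => [missing doc-level elements],
#           'components' => { "name@version" => [missing elements] } }.
# Components with no gaps are omitted from the result.
def ntia_gaps(json_text)
  doc = JSON.parse(json_text)
  gaps = { 'document' => [], 'components' => {} }
  DOC_CHECKS.each { |label, check| gaps['document'] << label unless check.call(doc) }

  # A component must have its own "ref" entry in dependencies[]; an entry with
  # an empty dependsOn means "known to depend on nothing", absence means unknown.
  declared = (doc['dependencies'] || []).map { |d| d['ref'] }
  (doc['components'] || []).each do |c|
    missing = COMPONENT_CHECKS.reject { |_, check| check.call(c) }.keys
    missing << 'dependency-entry' unless declared.include?(c['bom-ref'])
    gaps['components']["#{c['name']}@#{c['version']}"] = missing unless missing.empty?
  end
  gaps
end

# Constructed sample: rack lacks a supplier, rake is complete, and a locally
# built library has no version, identifier, supplier or dependency entry.
SAMPLE_SBOM = <<~SBOM
  {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
      "timestamp": "2024-05-02T10:15:00Z",
      "tools": [{"vendor": "anchore", "name": "syft", "version": "1.3.0"}]
    },
    "components": [
      {"bom-ref": "pkg:gem/rack@3.0.8", "type": "library", "name": "rack",
       "version": "3.0.8", "purl": "pkg:gem/rack@3.0.8"},
      {"bom-ref": "pkg:gem/rake@13.1.0", "type": "library", "name": "rake",
       "version": "13.1.0", "purl": "pkg:gem/rake@13.1.0",
       "supplier": {"name": "example-supplier"}},
      {"bom-ref": "local-lib", "type": "library", "name": "billing_core"}
    ],
    "dependencies": [
      {"ref": "pkg:gem/rack@3.0.8", "dependsOn": []},
      {"ref": "pkg:gem/rake@13.1.0", "dependsOn": []}
    ]
  }
SBOM

if $PROGRAM_NAME == __FILE__
  # Usage: ruby ntia_check.rb gems.json; without an argument the sample is checked.
  puts JSON.pretty_generate(ntia_gaps(ARGV[0] ? File.read(ARGV[0]) : SAMPLE_SBOM))
end
```

Point it at the `gems.json` produced by the `syft scan` step; a `supplier` gap on every component is the usual finding for gems, because RubyGems metadata carries authors rather than a supplier, and it is exactly the kind of field a downstream SBOM consumer may ask you to fill in before accepting the document.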
Together, Syft and Vigiles deliver an effective solution for generating and managing SBOMs in the Ruby ecosystem. Syft's detailed SBOMs are complemented by Vigiles' vulnerability monitoring and remediation capabilities, keeping your software secure and compliant with industry standards. How? By providing you with:
Contact us to try Vigiles Prime free for 30 days, or get a free evaluation of Vigiles Enterprise, and discover how it can streamline your vulnerability management process, safeguard your software, and accelerate compliance workflows.