Welcome back to our blog series on generating SBOMs and monitoring vulnerabilities for different ecosystems. In this second blog of the series, let’s explore how to generate an SBOM for the Debian Linux distribution and examine the significance of Software Composition Analysis (SCA) in ensuring the security and integrity of your software projects.
First, it’s important to have an understanding of what an SBOM is. “SBOM” is an acronym that stands for Software Bill of Materials. An SBOM is a comprehensive inventory of the software components and dependencies used in a project, with enough identifying detail (name, version, unique identifiers) that each component can be matched against vulnerability data.
In the Debian ecosystem, maintaining an accurate SBOM is crucial because a typical system combines deb packages managed by dpkg/apt with components that live in the same filesystem but were installed some other way (language package managers, downloaded binaries). Software Composition Analysis (SCA) tools identify those components and the known vulnerabilities that affect them, so that the gaps can be found and fixed before they are exploited.
Next, let’s briefly review the Debian ecosystem. Debian is a free operating system (OS) for your computer. An operating system is the set of basic programs and utilities that make your computer run. Debian is known for its stability and reliability and is widely used in servers and desktop environments.
Now that we have an understanding of SBOMs, SCA tools, and Debian, let’s get into the process of generating an SBOM for Debian by leveraging Syft and Vigiles.
Why are we using Syft in this process? Our thorough testing showed that Syft creates the most well-structured SBOMs. This, along with its compatibility with Vigiles, is why we are using Syft as our primary tool for SBOM generation throughout this blog series.
1. This may seem like a very basic first step but it’s among the most important. If you don’t have Syft installed, download and install the tool now. The installer below is pinned to Syft v1.4.1, the version this post was written against; review the script before piping it into a shell, and confirm the installed version before continuing:
`curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin v1.4.1`
2. With that done, we can now generate the SBOM by running the below command:
`sudo syft scan dir:/ --select-catalogers debian -o cyclonedx-json=syft-debian-sbom.json`
3. The command above restricts Syft to the Debian (dpkg) cataloger, so the resulting SBOM only lists packages installed through the Debian package manager. To inventory the entire root filesystem, including packages installed by other package managers (such as pip) and downloaded external binaries, drop the cataloger selection and let Syft run its default catalogers:
`sudo syft scan dir:/ -o cyclonedx-json=syft-debian-sbom.json`
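The second scan produces a superset of the first, and it is worth knowing exactly what the extra coverage bought you: which non-deb components appeared, and which of them carry no package URL (purl) and therefore cannot be matched to advisories by identifier. The following Python script is an added example for this post, not code from Syft or Vigiles. The two SBOM documents inside it are constructed stand-ins for the `syft-debian-sbom.json` files the two commands write, so it runs offline; on a real host replace them with `json.load()` of the files Syft produced.

```python
"""Compare a dpkg-only CycloneDX SBOM with a full-rootfs one from Syft.

Added example; not code from Syft or Vigiles. DEB_ONLY_SBOM and FULL_SBOM
are CONSTRUCTED documents that mimic the shape of Syft's CycloneDX JSON.
"""
import copy
import json
from collections import Counter

# Constructed: what a scan with --select-catalogers debian might list.
DEB_ONLY_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"timestamp": "2024-06-01T12:00:00Z"},
  "components": [
    {"type": "library", "name": "libc6", "version": "2.36-9+deb12u7",
     "purl": "pkg:deb/debian/libc6@2.36-9%2Bdeb12u7?arch=amd64&distro=debian-12"},
    {"type": "library", "name": "openssl", "version": "3.0.11-1~deb12u2",
     "purl": "pkg:deb/debian/openssl@3.0.11-1~deb12u2?arch=amd64&distro=debian-12"}
  ]
}
""")

# Constructed: the same host scanned with the default catalogers, which also
# finds a pip package, a binary Syft could classify, and one it could not.
FULL_SBOM = copy.deepcopy(DEB_ONLY_SBOM)
FULL_SBOM["components"] += [
    {"type": "library", "name": "requests", "version": "2.31.0",
     "purl": "pkg:pypi/requests@2.31.0"},
    {"type": "application", "name": "node", "version": "18.19.0",
     "purl": "pkg:generic/node@18.19.0"},
    # No purl at all: a vendor binary without a recognisable version string.
    {"type": "application", "name": "custom-agent", "version": "0.9"},
]


def purl_type(purl):
    """Package type of a purl ('deb', 'pypi', 'generic', ...), or 'none'."""
    if not purl or not purl.startswith("pkg:"):
        return "none"
    return purl[len("pkg:"):].split("/", 1)[0].lower()


def component_key(comp):
    """Stable identity for a component: its purl when present, otherwise
    type/name@version. The purl is what advisory matching keys on."""
    return comp.get("purl") or f"{comp.get('type')}/{comp['name']}@{comp.get('version')}"


def type_breakdown(sbom):
    """Count components per purl type, e.g. {'deb': 2, 'pypi': 1, ...}."""
    return Counter(purl_type(c.get("purl")) for c in sbom.get("components", []))


def without_purl(sbom):
    """Names of components that have no purl; these cannot be matched to
    advisories by identifier and need a manual look."""
    return sorted(c["name"] for c in sbom.get("components", []) if not c.get("purl"))


def diff_sboms(narrow, wide):
    """Components only present in the wide (full-rootfs) SBOM, plus any that
    the narrow (dpkg-only) SBOM had but the wide one lost (a sanity check)."""
    a = {component_key(c) for c in narrow.get("components", [])}
    b = {component_key(c) for c in wide.get("components", [])}
    return {"added": sorted(b - a), "dropped": sorted(a - b)}


if __name__ == "__main__":
    result = diff_sboms(DEB_ONLY_SBOM, FULL_SBOM)
    print("components the full scan added:", *result["added"], sep="\n  ")
    print("components the full scan dropped:", result["dropped"])
    print("by package type:", dict(type_breakdown(FULL_SBOM)))
    print("no purl (not matchable by identifier):", without_purl(FULL_SBOM))
```

The "dropped" list should always be empty; if the full scan loses something the dpkg-only scan had, the two files were not produced from the same filesystem state. Components that show up under `without_purl` are the ones to review by hand, since no advisory feed can be matched to them automatically.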
Vigiles is an SBOM management, vulnerability monitoring, and remediation tool offered by Timesys; it takes the SBOM Syft produced and turns it into an ongoing vulnerability report. To view the SBOM generated by Syft and generate a vulnerability report, follow these steps:
1. First, download the fixup script located here.
2. Next, run the fix-up script against the SBOM Syft wrote:
`python vigiles_deb_sbom_fix_up.py <generated/sbom/path> -o <optional: output/sbom/file/name>`
For Example:
`python vigiles_deb_sbom_fix_up.py syft-debian-sbom.json -o debian-updated-sbom.json`
3. Afterwards, upload the fixed-up SBOM to Vigiles through the WebUI or with the vigiles-cli tool as shown below. On success the CLI returns a URL to the report in the WebUI.
`vigiles -k </path/to/key> manifest upload </path/to/sbom>`
Important Note: To complete these steps and those in the following ecosystem blogs in this series, you will need an active Vigiles Enterprise subscription. Not sure about getting one? No worries! You can try Vigiles Prime for free for 30 days by clicking here.
Let’s take a look at some sample views that Vigiles provides for Debian now. In the following Vigiles WebUI, you can see the SBOM component details such as name, version, and license information.
In this next sample view, you can see all the vulnerabilities associated with each package and fixes available for them.
Vigiles pulls from multiple security advisories for enhanced accuracy, including but not limited to NVD and OSV (GitHub Security Advisory, PyPI Advisory, Go Vulnerability Database, Rust Advisory, Haskell Security Advisories, OSS-Fuzz, Debian Security Advisories, RConsortium Advisory).
Vigiles relies on Debian Security Advisories (DSA) and Debian Long Term Support Security Advisories (DLA) to report vulnerabilities and fixes for OS packages. Vulnerabilities in Debian-installed packages that have no DSA or DLA are therefore not reported by Vigiles. These are typically issues the Debian security team has rated as minor (tracked as no-DSA in the Debian security tracker rather than announced in an advisory), or issues in packages that have reached end of life and no longer receive security updates. Keep this in mind when comparing Vigiles output against a scanner that reports every CVE affecting an upstream version.
At the time of writing this blog, Syft’s output does not carry all of the NTIA (National Telecommunications and Information Administration) minimum elements for an SBOM, which are: supplier name, component name, version of the component, other unique identifiers, dependency relationship, author of SBOM data, and timestamp. Below are the missing fields in the CycloneDX JSON format:
Other quirks:
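Rather than trusting a list that will drift as Syft evolves, you can check any CycloneDX JSON SBOM against the NTIA minimum elements directly. The Python checker below is an added example for this post, not code from Syft, Vigiles or NTIA. It maps each element to the CycloneDX fields that carry it (`supplier.name` or `publisher`, `name`, `version`, `purl`/`cpe`/`swid`, the top-level `dependencies` array, `metadata.authors` or `metadata.tools`, and `metadata.timestamp`). `SAMPLE_SBOM` is a constructed document so the script runs offline; point `check_document()` at your own `syft-debian-sbom.json` to see what your Syft version actually emits.

```python
"""Check a CycloneDX JSON SBOM against the NTIA minimum elements.

Added example; not code from Syft, Vigiles or NTIA. SAMPLE_SBOM is a
CONSTRUCTED document shaped like Syft's CycloneDX output.
"""
import json

# Constructed sample: two dpkg components, one of which names a supplier,
# tool metadata and a timestamp, but no dependency graph.
SAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {
    "timestamp": "2024-06-01T12:00:00Z",
    "tools": {"components": [{"type": "application", "name": "syft", "version": "1.4.1"}]}
  },
  "components": [
    {"bom-ref": "pkg:deb/debian/openssl@3.0.11-1~deb12u2?arch=amd64&distro=debian-12",
     "type": "library", "name": "openssl", "version": "3.0.11-1~deb12u2",
     "purl": "pkg:deb/debian/openssl@3.0.11-1~deb12u2?arch=amd64&distro=debian-12"},
    {"bom-ref": "pkg:deb/debian/libc6@2.36-9%2Bdeb12u7?arch=amd64&distro=debian-12",
     "type": "library", "name": "libc6", "version": "2.36-9+deb12u7",
     "supplier": {"name": "Debian"},
     "purl": "pkg:deb/debian/libc6@2.36-9%2Bdeb12u7?arch=amd64&distro=debian-12"}
  ]
}
""")


def check_component(comp):
    """Return the per-component NTIA elements this component lacks."""
    missing = []
    supplier = comp.get("supplier") or {}
    if not (supplier.get("name") or comp.get("publisher")):
        missing.append("supplier")
    if not comp.get("name"):
        missing.append("name")
    if not comp.get("version"):
        missing.append("version")
    # Any one of purl, cpe or swid satisfies "other unique identifiers".
    if not (comp.get("purl") or comp.get("cpe") or comp.get("swid")):
        missing.append("unique_id")
    return missing


def _tool_list(tools):
    # CycloneDX 1.5 nests tools as {"components": [...], "services": [...]};
    # 1.4 and earlier use a plain list of tool objects.
    if isinstance(tools, dict):
        return tools.get("components", []) + tools.get("services", [])
    return tools or []


def check_document(sbom):
    """Return {'document': [missing document-level elements],
               'components': {bom-ref or name: [missing elements]}}."""
    meta = sbom.get("metadata") or {}
    doc_missing = []
    # Author of SBOM data: a human author or the generating tool.
    if not (meta.get("authors") or _tool_list(meta.get("tools"))):
        doc_missing.append("author")
    if not meta.get("timestamp"):
        doc_missing.append("timestamp")
    # NTIA wants the relationship graph, not just a flat component list.
    if not sbom.get("dependencies"):
        doc_missing.append("dependency_relationship")
    comp_missing = {}
    for comp in sbom.get("components", []):
        lacks = check_component(comp)
        if lacks:
            comp_missing[comp.get("bom-ref") or comp.get("name", "<unnamed>")] = lacks
    return {"document": doc_missing, "components": comp_missing}


def meets_ntia_minimum(sbom):
    """True only if neither the document nor any component lacks an element."""
    report = check_document(sbom)
    return not report["document"] and not report["components"]


if __name__ == "__main__":
    report = check_document(SAMPLE_SBOM)
    print("document-level elements missing:", report["document"])
    for ref, lacks in report["components"].items():
        print(f"  {ref}: missing {lacks}")
    print("meets NTIA minimum:", meets_ntia_minimum(SAMPLE_SBOM))
```

Run against a real Syft file with `check_document(json.load(open("syft-debian-sbom.json")))`. A missing `dependency_relationship` at the document level and a missing `supplier` on every component are the two findings to watch for, since they are not something a downstream consumer can reconstruct from the rest of the file.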
The combination of Syft and Vigiles offers a powerful solution for generating and managing SBOMs in the Debian ecosystem. While Syft excels at creating well-formed SBOMs with high accuracy, Vigiles enhances this process by providing robust vulnerability monitoring and remediation capabilities.
This synergy ensures your software remains secure and compliant with industry standards. In addition, Vigiles offers numerous benefits that make it an ideal companion to Syft:
Experience the full benefits of SBOM and vulnerability management with Vigiles. Try Vigiles Prime free for 30 days and discover how it can streamline your vulnerability management process, safeguard your software, and accelerate compliance workflows. Contact us for a free evaluation of Vigiles Enterprise and take the first step towards a more secure development journey.