Vulnerability analysis based on SBOMs: A model proposal for automated vulnerability scanning for CI/CD pipelines

Abstract

The software bill of materials (SBOM) emerged in 2018 as an important component in software security and software supply chain management. SBOM is an inventory presented as a list of the components that make up software. In recent years, whether software products contain vulnerabilities is a phenomenon that should be checked regularly by the users of that product. This paper deals with the systematic identification and vulnerability analysis of software components based on the concept of software bill of materials. The fact that a software product itself does not contain vulnerabilities does not mean that the software product is secure. Even if software projects do not contain any vulnerabilities when examined alone, there may be vulnerabilities in their components. Vulnerabilities in the dependencies or components of the product may be sufficient for cyber attackers to exploit that product. Minimizing the damage caused by vulnerabilities in software components is the basis of cyber security efforts. In this study, the necessity of automatically generating software bill of materials in software development/deployment environments (CI/CD) and performing vulnerability analysis on this bill of materials is demonstrated and a suitable model is proposed.

Keywords

• Software Bill of Materials
• Vulnerability analysis
• Software security

References

1. [1] E. Peters and G. K. Aggrey, “An iso 25010 based quality model for erp systems,” Adv. Sci. Technol. Eng. Syst. J, vol. 5, no. 2, pp. 578–583, 2020.
2. [2] A. A. Pratama and A. B. Mutiara, “Software quality analysis for halodoc application using iso 25010: 2011,” Int. J. Adv. Comput. Sci. Appl, vol. 12, no. 8, pp. 383–392, 2021.
3. [3] A. Arora and C. Garman, “Analysis of software bill of materials tools,” Cyber Security: A Peer-Reviewed Journal, vol. 6, no. 4, pp. 334–355, 2023.
4. [4] S. Butler, J. Gamalielsson, B. Lundell, C. Brax, A. Mattsson, T. Gustavsson, J. Feist, B. Kvarnstr¨om, and E. L¨onroth, “Considerations and challenges for the adoption of open source components in software-intensive businesses,” Journal of Systems and Software, vol. 186, p. 111152, 2022.
5. [5] V. Axelsson and F. Larsson, “Understanding the software bill of material for supply-chain management in open source projects,” 2023.
6. [6] A. Adewumi, S. Misra, and N. Omoregbe, “Evaluating open source software quality models against iso 25010,” in 2015 IEEE International Conference on Computer and Information Technology; Ubiquitous Computing and Communications; Dependable, Autonomic and Secure Computing; Pervasive Intelligence and Computing. IEEE, 2015, pp. 872–877.
7. [7] J. T. Stoddard, M. A. Cutshaw, T. Williams, A. Friedman, and J. Murphy, “Software bill of materials (sbom) sharing lifecycle report,” Idaho National Lab.(INL), Idaho Falls, ID (United States), Tech. Rep., 2023.
8. [8] L. J. Camp and V. Andalibi, “Sbom vulnerability assessment & corresponding requirements,” NTIA Response to Notice and Request for Comments on Software Bill of Materials Elements and Considerations, 2021.

9. [9] B. Xia, D. Zhang, Y. Liu, Q. Lu, Z. Xing, and L. Zhu, “Trust in software supply chains: Blockchain-enabled sbom and the aibom future,” arXiv preprint arXiv:2307.02088, 2023.
10. [10] X. Ding, F. Zhao, L. Yan, and X. Shao, “The method of building sbom based on enterprise big data,” in 2019 3rd International Conference on Electronic Information Technology and Computer Engineering (EITCE). IEEE, 2019, pp. 1224– 1228.
11. [11] P. Kemppainen, “Managing 3rd party software components with software bill of materials,” 2023.
12. [12] A. Chaora, N. Ensmenger, and L. J. Camp, “Discourse, challenges, and prospects around the adoption and dissemination of software bills of materials (sboms),” in 2023 IEEE International Symposium on Technology and Society (ISTAS). IEEE, 2023, pp. 1–4.
13. [13] J. A. Harer, L. Y. Kim, R. L. Russell, O. Ozdemir, L. R. Kosta, A. Rangamani, L. H. Hamilton, G. I. Centeno, J. R. Key, P. M. Ellingwood et al., “Automated software vulnerability detection with machine learning,” arXiv preprint arXiv:1803.04497, 2018.
14. [14] V. V. Sehgal and P. Ambili, “A taxonomy and survey of software bill of materials (sbom) generation approaches,” in Analytics Global Conference. Springer, 2023, pp. 40–51.
15. [15] E´ . O´ . Muir´ı, “Framing software component transparency: Establishing a common software bill of material (sbom),” NTIA, Nov, vol. 12, 2019.
16. [16] J. Jacobs, S. Romanosky, B. Edwards, I. Adjerid, and M. Roytman, “Exploit prediction scoring system (epss),” Digital Threats: Research and Practice, vol. 2, no. 3, pp. 1–17, 2021.
17. [17] H. Kek¨ul, B. Ergen, and H. Arslan, “A multiclass hybrid approach to estimating software vulnerability vectors and severity score,” Journal of Information Security and Applications, vol. 63, p. 103028, 2021.
18. [18] J. A. Kupsch, B. P. Miller, V. Basupalli, and J. Burger, “From continuous integration to continuous assurance,” in 2017 IEEE 28th Annual Software Technology Conference (STC). IEEE, 2017, pp. 1–8.
19. [19] GitHub Ranking, “GitHub stars and forks ranking list,” Accessed Nov. 20, 2023. [Online]. Available: https://github. com/EvanLi/Github-Ranking/blob/master/Top100/CSharp.md
20. [20] C. Hankin, P. Malacaria et al., “Attack dynamics: an automatic attack graph generation framework based on system topology, capec, cwe, and cve databases,” Computers & Security, vol. 123, p. 102938, 2022.
21. [21] S. Neuhaus and T. Zimmermann, “Security trend analysis with cve topic models,” in 2010 IEEE 21st International Symposium on Software Reliability Engineering. IEEE, 2010, pp. 111–120.
22. [22] SBOM Tool, “The SBOM tool is a highly scalable and enterprise ready tool to create SPDX 2.2 compatible SBOMs for any variety of artifacts,” Accessed Nov. 1, 2023. [Online]. Available: https://github.com/microsoft/sbom-tool
23. [23] Component Detection, “Scans your project to determine what components you use,” Accessed Nov. 1, 2023. [Online]. Available: https://github.com/microsoft/component-detection
24. [24] Bomber, “Scans Software Bill of Materials (SBOMs) for security vulnerabilities,” Accessed Nov. 1, 2023. [Online]. Available: https://github.com/devops-kung-fu/bomber [25] P. Ferreira, F. Caldeira, P. Martins, and M. Abbasi, “Log4j vulnerability,” in International Conference on Information Technology & Systems. Springer, 2023, pp. 375–385.