Understanding the Importance of CVE Scanning with SBOMs
Scanning your open source software for CVEs (Common Vulnerabilities and Exposures) is a very important maintenance step for any software project.
An Introduction to CVE Scanning and SBOMs
Generally, these CVEs are stored in publicly accessible databases (such as the National Vulnerability Database or NVD) with an associated package name (openssl, openssh, busybox, mbedtls, etc.). Security scanning tools can then access these databases and process this available CVE information appropriately.
For example, each entry in the NVD has an associated severity score and attack vector. As you would expect, the most concerning CVEs tend to be ones with a high vulnerability score and a network-based attack vector. Security scanning tools can help you sort for these specific criteria, so you know which CVEs should be patched most urgently.
So, how do these security scanning tools know which packages you are using in your software? This is what the Software Bill of Materials (SBOM) and associated specifications like SPDX, CycloneDX, and SWID are attempting to solve.
What’s an SBOM?
An SBOM is essentially a manifest containing all of the software items which are included in your build. For a Linux distribution, this could be thousands of different packages and associated open source projects.
For a Real-Time Operating System (RTOS), the scope is usually much smaller.
How do You Generate SBOMs with FreeRTOS?
There are various tools which can help you with cataloging and generating an SBOM. The best ones are generally the ones which are included in the associated build system or software package you’re building (The Yocto Project, Buildroot, FreeRTOS, Zephyr, etc).
How to Leverage Pre-Generated SBOMs
In this post, we’ll be looking at how to generate an SBOM using FreeRTOS.
Looking at FreeRTOS, they provide pregenerated SBOMs in their source code. For example, the FreeRTOS kernel has an SBOM located here.
Pulling down their latest sources and searching for SBOMs results in many:
$ wget https://github.com/FreeRTOS/FreeRTOS/releases/download/202212.01/FreeRTOSv202212.01.zip
$ unzip FreeRTOSv202212.01.zip
$ cd FreeRTOSv202212.01
$ find . -name sbom.spdx
./FreeRTOS-Plus/Source/coreJSON/sbom.spdx
./FreeRTOS-Plus/Source/corePKCS11/sbom.spdx
./FreeRTOS-Plus/Source/Application-Protocols/coreMQTT-Agent/source/dependency/coreMQTT/sbom.spdx
./FreeRTOS-Plus/Source/Application-Protocols/coreHTTP/sbom.spdx
./FreeRTOS-Plus/Source/Application-Protocols/coreMQTT/sbom.spdx
./FreeRTOS-Plus/Source/Application-Protocols/coreSNTP/sbom.spdx
./FreeRTOS-Plus/Source/AWS/jobs/sbom.spdx
./FreeRTOS-Plus/Source/AWS/device-shadow/sbom.spdx
./FreeRTOS-Plus/Source/AWS/ota/sbom.spdx
./FreeRTOS-Plus/Source/AWS/device-defender/sbom.spdx
./FreeRTOS-Plus/Source/AWS/sigv4/sbom.spdx
./FreeRTOS-Plus/Source/AWS/fleet-provisioning/sbom.spdx
./FreeRTOS-Plus/Source/FreeRTOS-Plus-TCP/sbom.spdx
./FreeRTOS-Plus/Source/Utilities/backoff_algorithm/sbom.spdx
./FreeRTOS-Plus/Source/FreeRTOS-Cellular-Interface/sbom.spdx
./FreeRTOS/Source/sbom.spdx
At the time of this article, FreeRTOS has three associated source trees which are found in the NVD. The identifiers for these are called Common Platform Enumerations (CPEs). For FreeRTOS, they are:
| Package/Source Tree | CPE |
|---|---|
| FreeRTOS-Kernel | cpe:2.3:o:amazon:freertos:*:*:*:*:-:*:*:* |
| mbedtls | cpe:2.3:a:arm:mbed_tls:*:*:*:*:-:*:*:* |
| llhttp | cpe:2.3:a:llhttp:llhttp:*:*:*:*:*:*:*:* |
Note: CPE identifiers are only available in SBOMs which were generated by newer versions of FreeRTOS version > V11.0.1. The commits for this support were merged here (1, 2, 3).
What’s the Custom SBOM Generation Process?
The SBOM generation is performed in FreeRTOS as part of their CI/CD process. The associated repository for that is here.
If you want to manually generate the SBOM for the FreeRTOS kernel, you can run the associated script via:
$ cd FreeRTOSv202212.01 $ git clone https://github.com/FreeRTOS/CI-CD-Github-Actions.git $ export GITHUB_REPOSITORY="FreeRTOS/FreeRTOS-Kernel" $ python3 CI-CD-Github-Actions/sbom-generator/scan_dir.py --source-path=FreeRTOS/Source/ --repo-root-path=FreeRTOS/Source/ -> sbom.spdx should now be generated in your current directory
Note: GITHUB_REPOSITORY, –source-path, and –repo-root-path can be adjusted depending on which source tree’s SBOM you want to generate.
For demonstration purposes, I will be using an SBOM which also includes mbedtls (because it has lots of CVEs):
$ cd FreeRTOSv202212.01 $ cd ./FreeRTOS-Plus/Source/corePKCS11/source/dependency/3rdparty/ && git clone https://github.com/ARMmbed/mbedtls.git $ cd - $ export GITHUB_REPOSITORY="FreeRTOS/corePKCS11" $ python3 CI-CD-Github-Actions/sbom-generator/scan_dir.py --repo-root-path=./FreeRTOS-Plus/Source/corePKCS11/ --source-path=./FreeRTOS-Plus/Source/corePKCS11 -> sbom.spdx should now be generated in your current directory
Integrating SBOMs with Security Scanning Tools to Identify CVEs
So, now that we have an SBOM available… how do we feed it into an associated security scanning tool and identify if we have concerning CVE threats?
How to Upload SBOMs to Vigiles
If we’re using Vigiles, we can upload it with:
$ git clone https://github.com/TimesysGit/vigiles-cli.git $ cd vigiles-cli $ pip3 install . $ vigiles -k /path/to/linuxlink_key manifest upload sbom.spdx
Note: key is generated through the preferences menu in LinuxLink. See here if you need more help.
After running this command, you should see a JSON list of identified CVEs being returned. The Vigiles web dashboard will also have the associated workspace.
For the corePKCS11 SBOM, I currently see 10 associated CVEs:
Similarly, the same thing can be done with other tools. Using Intel’s cve-bin-tool:
$ cve-bin-tool --sbom spdx --sbom-file sbom.spdx
The Advantages of Vigiles for CVE Scanning
Why use Vigiles when there are other tools available?
-
- It’s a workflow tool which your company can use to manage CVEs from end to end.
-
- Manage multiple SBOMs
- Manage multiple products and releases
- Create, share, and compare reports
- Add custom filters
- Add JIRA Integration
- Receive notifications
- … and more!
-
- We do more filtering to save our customers more time:
-
- Package option filtering
- Kernel config filtering (usually cuts CVEs down by > 50%)
- U-Boot config filtering
-
- Fewer false positives. Timesys has put a great amount of time and effort into reducing false positives during our scanning.
-
- For LTS Linux kernels, we also track backported fixes to reduce false positives
-
- Our curated database pulls information from multiple sources, not just the NVD.
- It’s a workflow tool which your company can use to manage CVEs from end to end.
Conclusion: How to Embrace Security Best Practices with FreeRTOS and SBOMs
I hope this post was a helpful tool for understanding the importance of utilizing security scanning tools via SBOM generation. SBOMs give us a great way to easily convey which source packages are being used in our projects.
In turn, this enables many different security scanning tools to interpret the same data and provide us with source and version based security analyses (like CVE lists). Using SBOMs for CVE scanning with FreeRTOS is just one example. Most major operating system build tools now provide SBOM generation mechanisms, so make sure to look for (and use) them!
Need Help with Collaborative Solutions for Embedded Software Security?
As always, we offer professional engineering services to help you with your project. Whether you wish for us to integrate our security feature implementation, called Vigishield, into your project, scan your project for CVEs using Vigiles, or just need another set of hands to help with general embedded software engineering and security, we’re available to help!
