Welcome back to our blog series on generating SBOMs and monitoring vulnerabilities for different ecosystems. In this second blog of the series, let’s explore how to generate an SBOM for the Debian Linux distribution and examine the significance of Software Composition Analysis (SCA) in ensuring the security and integrity of your software projects.


Mastering SBOMs and Software Composition Analysis Tools

First, it’s important to have an understanding of what an SBOM is. “SBOM” is an acronym that stands for Software Bill of Materials. An SBOM features a comprehensive inventory of the software components and dependencies used in a project.

In the Debian ecosystem, maintaining an accurate SBOM is crucial due to the extensive use of deb packages and various components within the file system. SCA tools, or Software Composition Analysis tools, can help in identifying and managing vulnerabilities in these components, ensuring your projects remain secure.


What is Debian?

Next, let’s briefly review the Debian ecosystem. Debian is a free operating system (OS) for your computer. An operating system is the set of basic programs and utilities that make your computer run. Debian is known for its stability and reliability and is widely used in servers and desktop environments.

Now that we have an understanding of SBOMs, SCA tools, and Debian, let’s get into the process of generating an SBOM for Debian by leveraging Syft and Vigiles.


Generating an SBOM for Debian with Syft

Why are we using Syft in this process? Our thorough testing showed that Syft creates the most well-structured SBOMs. This, along with its compatibility with Vigiles, is why we are using Syft as our primary tool for SBOM generation throughout this blog series.


Steps to Generate an SBOM with Syft:

1. This may seem like a very basic first step but it’s among the most important. If you don’t have Syft installed, download and install the tool now: 

`curl -sSfL | sh -s -- -b /usr/local/bin v1.4.1`

2. With that done, we can now generate the SBOM by running the below command:

`sudo syft scan dir:/ --select-catalogers debian -o cyclonedx-json=syft-debian-sbom.json`

3. The command above only generates the SBOM for packages installed using the Debian package manager. In order to generate an SBOM for the entire root filesystem, including packages installed by other package managers (such as pip) or download external binaries, we’ll need to use the below command:

`sudo syft scan dir:/ -o cyclonedx-json=syft-debian-sbom.json`


How do you Generate a Vulnerability Report with Vigiles?

Vigiles is a comprehensive SBOM management, vulnerability monitoring, and remediation tool offered by Timesys that helps bridge the gap with vulnerability reporting. To view the SBOM generated by Syft and generate a vulnerability report, follow these steps:

1. First, download the fixup script located here.

2. Next, run the Fixup Script:

`python <generated/sbom/path> -o <optional: output/sbom/file/name>`

For Example:

`python syft-debian-sbom.json -o debian-updated-sbom.json`

3. Afterwards, upload to Vigiles using the WebUI or the vigiles-cli tool as shown below. Once uploaded, the tool will return a URL to the webUI.

`vigiles -k </path/to/key> manifest upload </path/to/sbom>`

Important Note: In order to complete these steps and others in our following ecosystem blog series, you will need an active Vigiles Enterprise subscription. Not sure about getting one? No worries! You can try Vigiles Prime for free for 30-days by clicking here.


Sample SBOM WebUI View

Let’s take a look at some sample views that Vigiles provides for Debian now. In the following Vigiles WebUI, you can see the SBOM component details such as name, version, and license information.


Sample Vulnerability View

In this next sample view, you can see all the vulnerabilities associated with each package and fixes available for them.


Vigiles pulls from multiple security advisories for enhanced accuracy, including but not limited to NVD and OSV (GitHub Security Advisory, PyPI Advisory, Go Vulnerability Database, Rust Advisory, Haskell Security Advisories, OSS-Fuzz, Debian Security Advisories, RConsortium Advisory).


What are the limitations of Debian or Syft?

Vigiles relies on the Debian security advisory (DSA) / Debian Long Term Support Security Advisory (DLA) to report vulnerabilities and fixes for OS packages. Vulnerabilities for Debian-installed packages without a DSA or DLA will not be reported by Vigiles. These are typically issues the Debian security team has deemed as minor issues, or packages that have reached the end of their life.

At the time of writing this blog, Syft does not contain all the elements prescribed in the NTIA (National Telecommunications and Information Administration) minimum elements for an SBOM. Below are the missing fields in the CycloneDX JSON format:

  • Dependencies
  • Supplier

Other quirks:

  • To avoid duplicate package entries from the SBOM, remove all previously generated SBOMs from the targeted directory before generating a new one.


Optimizing Your SBOM Creation and Vulnerability Tracking by Leveraging Syft and Vigiles

The combination of Syft and Vigiles offers a powerful solution for generating and managing SBOMs in the Debian ecosystem. While Syft excels at creating well-formed SBOMs with high accuracy, Vigiles enhances this process by providing robust vulnerability monitoring and remediation capabilities.

This synergy ensures your software remains secure and compliant with industry standards. In addition, Vigiles offers numerous benefits that make it an ideal companion to Syft:

  • Curated CVE Database: Enjoy improved accuracy in CVE reporting with a meticulously curated database.
  • Continuous Security Feed: Stay ahead of vulnerabilities with updates that align with your SBOMs.
  • Advanced Filtering & Triage Tools: Quickly identify and prioritize vulnerabilities, streamlining the remediation process.
  • Compliance Support: Easily meet industry compliance requirements for cybersecurity documentation and SBOM management.
  • Integration & Collaboration: Seamlessly integrate with major Linux build systems and collaborate efficiently through tools like Jira.


Take Your Software Security to the Next Level with Vigiles Today

Experience the full benefits of SBOM and vulnerability management with Vigiles. Try Vigiles Prime free for 30 days and discover how it can streamline your vulnerability management process, safeguard your software, and accelerate compliance workflows. Contact us for a free evaluation of Vigiles Enterprise and take the first step towards a more secure development journey.



Tools Evaluated