Introduction

Welcome to our blog series on Software Bill of Materials (SBOM) generation tools for various ecosystems. In this post, we’ll explore the Rust ecosystem, specifically Cargo/Crates.io, and discuss the significance of SBOMs and Software Composition Analysis (SCA) in ensuring the security and integrity of your software projects.


Overview of SBOMs and SCA

An SBOM is a comprehensive inventory of the software components and dependencies used in a project. In the Rust ecosystem, maintaining an accurate SBOM is crucial because even a small application typically pulls in dozens of transitive crates from Crates.io, pinned to exact versions in Cargo.lock, and those versions change frequently. SCA tools help in identifying and managing vulnerabilities in these components, ensuring your projects remain secure.


What is Rust and Crates.io?

Rust is a systems programming language designed for performance and memory safety, particularly safe concurrency. Crates.io is its package registry, where Rust developers publish and manage their packages, known as "crates." Cargo, the Rust build tool, resolves a project's dependencies from Crates.io and records the exact versions in Cargo.lock.


How to Generate an SBOM for Rust with Syft

Syft is our preferred tool for generating SBOMs due to its support for the SPDX and CycloneDX specifications and its compatibility with Vigiles. In our testing, Syft also generated the most well-formed SBOM.

1. Download and install the tool (the version is pinned to v1.3.0 so the install is reproducible):

`curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin v1.3.0`

2. Change directory to your project/application directory.

3. Syft's Rust cataloger reads Cargo.lock, so the lockfile must exist. If you have not previously built the project, run the below command, which creates Cargo.lock as a side effect:

`cargo build`

Note that `cargo build` compiles and runs the build scripts and procedural macros of every dependency. If you only need the lockfile (for example, when producing an SBOM for code you have not yet reviewed), `cargo generate-lockfile` resolves dependencies and writes Cargo.lock without compiling anything.

4. Finally, generate an SBOM by running the below command:

`syft scan dir:./ -o cyclonedx-json=crates.json`

`dir:./` scans the whole project tree, so anything else Syft recognizes under that directory (for example, files in `target/`) will also appear in the output. Commit or archive Cargo.lock alongside the SBOM: the lockfile is the ground truth the SBOM was derived from.


How to Generate a Vulnerability Report with Vigiles

Vigiles is a comprehensive SBOM management, vulnerability monitoring, and remediation tool offered by Timesys. To view the SBOM generated by Syft and generate a vulnerability report, follow these steps:

  1. Upload to Vigiles using the WebUI or the vigiles-cli tool as shown below. Once uploaded, the tool returns a URL to the WebUI.

`vigiles -k </path/to/key> manifest upload </path/to/sbom>`

Note: You will need an active Vigiles Enterprise subscription to do this. Want to test Vigiles out? You can do so for free for 30 days by signing up for our Vigiles Trial here.


Sample SBOM WebUI View

In the Vigiles WebUI, you can view the SBOM component details such as name, version, and license information.


Sample Vulnerability View

In this view, you can see all the vulnerabilities associated with each package and their available fixes.

Vigiles pulls from multiple security advisories, including but not limited to the National Vulnerability Database (NVD) and OSV (GitHub Security Advisory, PyPI Advisory, Go Vulnerability Database, Rust Advisory, Haskell Security Advisories, OSS-Fuzz, Debian Security Advisories, RConsortium Advisory).


Limitations

At the time of writing, Syft's output does not include all of the NTIA minimum elements for an SBOM. Below are the fields missing from the CycloneDX JSON it generates for a Rust project:

  • Supplier
  • License information

This is a consequence of where the data comes from: Cargo.lock records each crate's name, version, source registry and checksum, but not its license or publisher, and Syft does not query Crates.io to fill the gap. If your compliance process requires these fields, plan to enrich the SBOM after generation rather than expecting them from the scan.
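The following script is an added example, not code from Syft, Vigiles or this blog. It shows the two checks a practitioner would run on the `crates.json` produced in the steps above: which components lack the NTIA fields listed in this section, and whether every crate pinned in Cargo.lock actually made it into the SBOM. It assumes the SBOM is CycloneDX JSON with `pkg:cargo/<name>@<version>` package URLs, which is what Syft emits for Cargo.lock entries. The sample SBOM and Cargo.lock embedded below are constructed for the demonstration (the crate names are real, the versions are illustrative) so the script runs offline; the `main()` entry point and its `crates.json` / `Cargo.lock` defaults are assumptions for command-line use.

```python
"""Post-process a Syft CycloneDX SBOM for a Rust project.

Added example (not Syft's or Vigiles' code). Assumes the SBOM came from
`syft scan dir:./ -o cyclonedx-json=crates.json`, so every crate has a
`pkg:cargo/<name>@<version>` purl. The SBOM and Cargo.lock samples below
are constructed inline so the script runs without any files present.
"""
import json
import re
import sys

# Constructed sample in the shape Syft emits for Cargo.lock crates,
# trimmed to the fields this script inspects. Versions are illustrative.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "serde", "version": "1.0.197",
         "purl": "pkg:cargo/serde@1.0.197",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "tokio", "version": "1.36.0",
         "purl": "pkg:cargo/tokio@1.36.0"},
        {"type": "library", "name": "libc", "version": "0.2.153",
         "purl": "pkg:cargo/libc@0.2.153",
         "supplier": {"name": "rust-lang"}},
    ],
})

# Constructed Cargo.lock; "zeroize" is deliberately absent from the SBOM.
SAMPLE_CARGO_LOCK = """\
version = 3

[[package]]
name = "libc"
version = "0.2.153"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "serde"
version = "1.0.197"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "tokio"
version = "1.36.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "zeroize"
version = "1.7.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""

# NTIA minimum-element fields the post reports as missing from Syft output.
NTIA_FIELDS = ("supplier", "licenses")


def missing_ntia_fields(bom_json):
    """Map 'name@version' -> list of NTIA fields that are absent or empty."""
    bom = json.loads(bom_json)
    report = {}
    for comp in bom.get("components", []):
        key = f"{comp['name']}@{comp['version']}"
        gaps = [field for field in NTIA_FIELDS if not comp.get(field)]
        if gaps:
            report[key] = gaps
    return report


# Cargo.lock writes `name` then `version` as the first two keys of each
# [[package]] table, which is all this minimal parser relies on.
_PKG_RE = re.compile(r'^\[\[package\]\]\nname = "([^"]+)"\nversion = "([^"]+)"', re.M)


def cargo_lock_packages(lock_text):
    """Return the set of 'name@version' strings pinned in Cargo.lock."""
    return {f"{name}@{ver}" for name, ver in _PKG_RE.findall(lock_text)}


def sbom_cargo_packages(bom_json):
    """Return the set of 'name@version' strings for pkg:cargo components."""
    bom = json.loads(bom_json)
    pkgs = set()
    for comp in bom.get("components", []):
        purl = comp.get("purl", "")
        if purl.startswith("pkg:cargo/"):
            pkgs.add(purl[len("pkg:cargo/"):].split("?")[0])  # drop qualifiers
    return pkgs


def lockfile_diff(bom_json, lock_text):
    """(crates in Cargo.lock but not the SBOM, crates in the SBOM but not Cargo.lock)."""
    in_lock = cargo_lock_packages(lock_text)
    in_bom = sbom_cargo_packages(bom_json)
    return sorted(in_lock - in_bom), sorted(in_bom - in_lock)


def main(argv):
    # Assumed CLI: `python check_sbom.py [crates.json] [Cargo.lock]`.
    bom_json = open(argv[1]).read() if len(argv) > 1 else SAMPLE_SBOM
    lock_text = open(argv[2]).read() if len(argv) > 2 else SAMPLE_CARGO_LOCK
    for key, gaps in sorted(missing_ntia_fields(bom_json).items()):
        print(f"{key}: missing {', '.join(gaps)}")
    not_in_sbom, not_in_lock = lockfile_diff(bom_json, lock_text)
    print(f"in Cargo.lock but not SBOM: {not_in_sbom}")
    print(f"in SBOM but not Cargo.lock: {not_in_lock}")
    return 1 if not_in_sbom else 0  # fail the pipeline on silent omissions


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against the constructed samples, the script reports that `serde` lacks a supplier, `tokio` lacks both fields and `libc` lacks license information, and that `zeroize@1.7.0` is pinned in Cargo.lock but absent from the SBOM. The non-zero exit on lockfile omissions is the check worth wiring into CI: a crate that never reaches the SBOM never reaches the vulnerability report either.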


Streamlining SBOM and Vulnerability Management with Syft and Vigiles

The combination of Syft and Vigiles offers a practical solution for generating and managing SBOMs in the Rust ecosystem. Syft produces a well-formed inventory from Cargo.lock, and Vigiles builds on it by matching that inventory against vulnerability feeds and tracking remediation. Together they help keep your software secure and compliant with industry standards.


Maximizing Security in the Rust Ecosystem

Using Syft to generate your SBOMs allows you to maintain a detailed inventory of your software components and dependencies. When you integrate Vigiles into your workflow, you gain access to a curated CVE database, continuous security feeds, and filtering tools. This integration reduces the window of exposure by notifying you as new vulnerabilities are published against the crates you ship.


Take Your Software Security to the Next Level

By combining Syft’s accurate SBOM generation with Vigiles’ comprehensive vulnerability management, you can significantly enhance your software’s security posture. Vigiles not only helps in identifying vulnerabilities but also provides direct links to patches and remediation options, simplifying the process of securing your software.


Get Started with Vigiles Today

Contact us for a free evaluation of Vigiles Enterprise and take the first step towards a more secure development journey.

———————————————

Tools Evaluated