Introduction
Today’s post in our ecosystem SBOM generation blog series examines the process of generating a Software Bill of Materials (SBOM) for the Kotlin ecosystem and highlights the significance of Software Composition Analysis (SCA) in maintaining the security and robustness of Kotlin projects.
What is Kotlin?
Kotlin is a statically typed programming language that runs on the Java virtual machine (JVM) and can also be compiled to JavaScript or native code. It is known for its interoperability with Java, concise syntax, and safety features.
Why are SBOMs and SCA tools important?
An SBOM, or Software Bill of Materials, is an extensive list of all software components and dependencies in a project. In the Kotlin ecosystem, it’s crucial to maintain an accurate SBOM because of the evolving nature of Kotlin libraries. SCA tools help identify and address vulnerabilities within these components, thus securing your projects.
Generating an SBOM for Kotlin with Syft
As mentioned in our previous blog in this series, Syft is our chosen tool for generating SBOMs due to its accuracy in SBOM generation and compatibility with Vigiles.
Steps to Generate an SBOM with Syft:
1. First, download and install the tool:
`curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin v1.3.0`
2. Next, change to your project (application) directory.
3. We assume Gradle is used to build the Kotlin application. Once you are in the project directory, configure the build for dependency locking and run the command below:
`gradle dependencies --write-locks`
Note: This command must be run from the application directory.
4. Now generate the SBOM by running the command below:
`syft scan dir:./ -o spdx-json=kotlin.json`
Generating a Vulnerability Report with Vigiles
Vigiles, provided by Timesys, is a thorough tool for SBOM management, vulnerability monitoring, and remediation. To analyze the SBOM generated by Syft and create a vulnerability report, follow these steps:
- Upload to Vigiles using the WebUI or using the vigiles-cli tool as shown below.
`vigiles -k </path/to/key> manifest upload </path/to/sbom>`
- Once uploaded, the tool will return a URL to the WebUI.
Note that an active subscription to Vigiles Enterprise is necessary. See our Vigiles page for more details.
Sample SBOM WebUI View
In the Vigiles WebUI, you can inspect the SBOM component details like name, version, and licensing information.
Sample Vulnerability View
You can view all vulnerabilities associated with each package and the fixes available in this section.
Vigiles gathers information from a variety of security advisories, including NVD, OSV (GitHub Security Advisory), PyPI Advisory, Go Vulnerability Database, Rust Advisory, Haskell Security Advisories, OSS-Fuzz, Debian Security Advisories, and RConsortium Advisory.
Kotlin Limitations
Currently, Syft's output does not include all of the NTIA minimum elements for an SBOM. The following fields are missing in the CycloneDX JSON format:
- Supplier
- License information
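A check a practitioner can run on the SBOM produced in step 4 above, to list the packages that carry the supplier and license gaps noted in this section. This is an added example (Python), not code from Syft, Vigiles or Timesys; it accepts both the SPDX JSON this post generates and CycloneDX JSON, and the embedded sample document is constructed rather than real Syft output.

```python
import json

# Placeholders producers emit when a field is unknown; treated as absent.
UNKNOWN = {None, "", "NOASSERTION", "NONE"}

def _spdx_gaps(doc):
    gaps = {}
    for pkg in doc.get("packages", []):
        missing = []
        if pkg.get("supplier") in UNKNOWN:
            missing.append("supplier")
        if pkg.get("licenseConcluded") in UNKNOWN and pkg.get("licenseDeclared") in UNKNOWN:
            missing.append("license")
        if missing:
            gaps[f"{pkg['name']}@{pkg.get('versionInfo', '?')}"] = missing
    return gaps

def _cdx_gaps(doc):
    gaps = {}
    for comp in doc.get("components", []):
        missing = []
        if (comp.get("supplier") or {}).get("name") in UNKNOWN:
            missing.append("supplier")
        # A license entry may carry an SPDX id, a free-text name, or an expression.
        if not any(e.get("expression") or (e.get("license") or {}).get("id")
                   or (e.get("license") or {}).get("name") for e in comp.get("licenses") or []):
            missing.append("license")
        if missing:
            gaps[f"{comp['name']}@{comp.get('version', '?')}"] = missing
    return gaps

def ntia_gaps(sbom_json):
    """Return {"name@version": [missing fields]} for an SPDX 2.x or CycloneDX JSON SBOM."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") == "CycloneDX":
        return _cdx_gaps(doc)
    if "spdxVersion" in doc:
        return _spdx_gaps(doc)
    raise ValueError("not an SPDX or CycloneDX JSON document")

# Constructed sample shaped like `syft scan dir:./ -o spdx-json` output; not real Syft output.
SAMPLE_SPDX = json.dumps({"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "kotlin-app",
    "packages": [
        {"name": "kotlin-stdlib", "SPDXID": "SPDXRef-Package-1", "versionInfo": "1.9.0",
         "supplier": "NOASSERTION", "licenseConcluded": "Apache-2.0", "licenseDeclared": "NOASSERTION"},
        {"name": "internal-util", "SPDXID": "SPDXRef-Package-2", "versionInfo": "0.1.0",
         "supplier": "NOASSERTION", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION"}]})

if __name__ == "__main__":
    print(json.dumps(ntia_gaps(SAMPLE_SPDX), indent=2))
```

Run it against `kotlin.json` instead of the sample to see which components a supplier or license must be added for before the SBOM meets the NTIA minimum elements.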
Streamlining SBOM and Vulnerability Management with Syft and Vigiles
Syft and Vigiles together offer a powerful approach for generating and managing SBOMs in the Kotlin ecosystem. Syft’s capability to create well-formed SBOMs, combined with Vigiles’ strong vulnerability monitoring and remediation features, ensures your software stays secure and industry-compliant.
Make the Most of Your Security in the Kotlin Ecosystem
By using Syft to generate your SBOMs, you maintain a thorough inventory of your software components and dependencies. Integrating Vigiles into your workflow gives you access to a curated CVE database, continuous security feeds, and powerful filtering tools, significantly lowering the risk of security breaches by keeping you informed about vulnerabilities in real time.
Get Started with Vigiles Today
Experience the complete advantages of SBOM and vulnerability management with Vigiles. Try Vigiles Prime free for 30 days and find out how it can streamline your vulnerability management process, secure your software, and accelerate compliance workflows. Contact us for a free evaluation of Vigiles Enterprise and take the first step towards a more secure development journey.
———————————————
Tools Evaluated
- Syft (version 1.3.0): https://github.com/anchore/syft
- cdxgen (version 9.9.9): https://github.com/CycloneDX/cdxgen