Introduction
In this article, we’ll dive into creating a Software Bill of Materials (SBOM) for the Node.js (npm) ecosystem and emphasize the critical role of Software Composition Analysis (SCA) in ensuring the security and reliability of Node.js applications.
For the other blogs in this series focused on how to generate SBOMs in different ecosystem environments, such as Crates.io/Rust, Debian, and others, check out this blog here.
What are SBOMs, SCA Tools, and why are they important?
First, SBOM stands for Software Bill of Materials and serves as a comprehensive inventory of all software components and dependencies within a project. For Node.js, keeping an accurate SBOM is vital due to the constantly changing nature of npm packages.
SCA stands for Software Composition Analysis. SCA tools are essential for identifying and managing vulnerabilities in these components and for ensuring your applications stay secure.
What is Node.js and npm?
npm is the package manager for Node.js, an open-source, cross-platform JavaScript runtime environment. npm enables developers to share and reuse code, and its registry contains over one million packages.
The Steps to Generating an SBOM for Node.js
As previously mentioned, in our testing, we found that Syft generated the most well-formed and accurate SBOM. Due to its accuracy and compatibility with Vigiles, it is our chosen tool for generating the SBOMs in this blog series. To generate an SBOM with Syft, follow the steps below.
Steps to Generate an SBOM with Syft:
- First, be sure that you have downloaded and installed Syft:
`curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin v1.3.0`
- Next, change the directory to your project/application directory.
- To install dependencies, run the below command:
`npm install`
- Now to generate SBOM, run the following command:
`syft scan dir:./ --select-catalogers npm -o cyclonedx-json=npm.json`
Steps to Generating a Vulnerability Report with Vigiles
Timesys offers Vigiles, a complete tool for SBOM management, vulnerability monitoring, and remediation. To review the SBOM created by Syft and produce a vulnerability report, follow these steps:
- Upload the SBOM to Vigiles using the WebUI or the vigiles-cli tool as shown below. Once the upload completes, the tool returns a URL to the WebUI.
`vigiles -k </path/to/key> manifest upload </path/to/sbom>`
Please note, an active Vigiles Enterprise subscription is required. You can learn more about Vigiles here.
Sample SBOM WebUI View
In the following Vigiles WebUI, you can view the SBOM component details such as name, version, and license information.
Sample Vulnerability View
This next view displays all the vulnerabilities linked to each package and the available fixes for them.
Vigiles sources data from numerous security advisories, such as NVD, OSV (GitHub Security Advisory), PyPI Advisory, Go Vulnerability Database, Rust Advisory, Haskell Security Advisories, OSS-Fuzz, Debian Security Advisories, and RConsortium Advisory.
Limitations for npm/Node.js
As of this writing, Syft does not include all elements outlined in the National Telecommunications and Information Administration (NTIA) minimum elements for an SBOM. The following fields are missing in the CycloneDX JSON format:
- Dependencies
- Supplier
Ready to Upgrade Your Software Security Level?
By combining Syft’s accurate SBOM generation with Vigiles’ comprehensive vulnerability management, you can significantly enhance your software’s security posture. Vigiles not only helps in identifying vulnerabilities but also provides direct links to patches and remediation options, simplifying the process of securing your software.
Get Started with Vigiles Today!
Experience the full benefits of SBOM and vulnerability management with Vigiles. Try Vigiles Prime free for 30 days and discover how it can streamline your vulnerability management process, safeguard your software, and accelerate compliance workflows. Contact us for a free evaluation of Vigiles Enterprise and take the first step towards a more secure development journey.
———————————————
Tools Evaluated
- Syft (version 1.3.0): https://github.com/anchore/syft
- cdxgen (version 9.9.9): https://github.com/CycloneDX/cdxgen