Introduction

The tenth post in our SBOM ecosystem series covers creating a Software Bill of Materials (SBOM) for the NuGet/.NET ecosystem and stresses the role of Software Composition Analysis (SCA) in maintaining the security and integrity of .NET projects.

 

What is NuGet/.NET?

NuGet is the package manager for .NET, a developer platform made up of tools, programming languages, and libraries for building many different types of applications. NuGet provides developers with a mechanism to create, share, and consume useful .NET libraries.

 

Understanding SBOMs and SCA

SBOM is an acronym for Software Bill of Materials: a comprehensive inventory of every software component and dependency in a project, with the version of each. For the NuGet/.NET ecosystem, keeping an accurate SBOM is essential because NuGet dependency trees change with every package update and transitive packages are pulled in automatically at restore time, so the set of code you actually ship is rarely the set you referenced by hand.

SCA (Software Composition Analysis) tools consume that inventory to identify and track known vulnerabilities in the listed components; the results are only as good as the SBOM they are given, which is why generating it correctly matters.

 

Generating an SBOM for NuGet/.NET with Syft

Why is Syft our chosen tool for generating SBOMs? In our testing, Syft produced the best-formed SBOM for .NET projects, and its CycloneDX output is accepted by Vigiles.

Steps to Generate an SBOM with Syft:

  1. First, if you haven’t already, download and install Syft. The installer script below pins a release (v1.3.0); review the script before piping it to a shell, or download the release binary and checksum from the Syft GitHub releases page instead:
`curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin v1.3.0`
  2. Afterwards, change to your project/application directory.
  3. Build your project. The build restores the NuGet packages and writes the `<project>.deps.json` file that Syft’s .NET cataloger reads; without it the .NET dependencies will be missing from the SBOM:
`dotnet build`
  4. With that complete, generate the SBOM by running the following command:
`syft scan dir:./ -o cyclonedx-json=dotnet.json`

Generating a Vulnerability Report with Vigiles

Offered by Timesys, Vigiles is an all-encompassing tool for SBOM management, vulnerability monitoring, and remediation. To examine the SBOM created by Syft and produce a vulnerability report, follow these steps:

  • Upload the SBOM to Vigiles using the WebUI or the vigiles-cli tool as shown below. On success the tool returns a URL to the report in the WebUI. The key file is an API credential: keep it out of version control and shell history.
`vigiles -k </path/to/key> manifest upload </path/to/sbom>`

Keep in mind, an active Vigiles Enterprise subscription is necessary. To learn more about Vigiles and our 30-day free trial of it, click here.

 

Sample SBOM WebUI View

The Vigiles WebUI allows you to view detailed information about SBOM components, such as names, versions, and licenses.

 

Sample Vulnerability View

Here, you can see all vulnerabilities associated with each package and the corresponding fixes.

 

Vigiles collects information from several security advisory sources, including NVD, OSV (which aggregates the GitHub Security Advisory database), PyPI Advisory, the Go Vulnerability Database, the Rust Advisory Database, Haskell Security Advisories, OSS-Fuzz, Debian Security Advisories, and the R Consortium Advisory Database.

Limitations of Syft for NuGet/.NET

As of now, the SBOM Syft produces for .NET projects does not carry all of the elements defined by the NTIA minimum elements for an SBOM. The following fields are missing from the CycloneDX JSON output:

  • Supplier
  • License information
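The two fields Syft leaves blank are ones NuGet already records in each package's .nuspec, which `dotnet build` restores into the global packages folder. The script below is an added example (not Syft, Vigiles or Timesys code) that reads the `dotnet.json` produced by the Syft step above, reports which NTIA fields are still empty on each component, and fills supplier and license from the cached .nuspec before the SBOM is uploaded. The `~/.nuget/packages` cache location, the `Internal.Logging` package and the embedded SBOM/nuspec samples are assumptions constructed for the example; it needs Python 3.8+ for the `{*}` namespace wildcard.

```python
"""Post-process a Syft CycloneDX JSON SBOM for a .NET project (added example;
not Syft, Vigiles or Timesys code). It reports which NTIA minimum-element fields
are empty per component, then fills supplier and license for NuGet components
from the .nuspec that `dotnet build` (via restore) leaves in the global packages
folder: ~/.nuget/packages/<id>/<version>/<id>.nuspec, id and version lowercased.
The SBOM and .nuspec below are constructed samples shaped like the real files."""
import json
import os
import sys
import tempfile
import xml.etree.ElementTree as ET  # nuspecs come from the registry: use defusedxml for ones you do not trust

# NTIA minimum elements as they appear on a CycloneDX component (author/timestamp live in bom metadata).
NTIA_FIELDS = ("supplier", "name", "version", "purl", "licenses")


def ntia_gaps(sbom):
    """Map component name -> list of NTIA_FIELDS that are absent or empty."""
    gaps = {}
    for comp in sbom.get("components", []):
        missing = [f for f in NTIA_FIELDS if not comp.get(f)]
        if missing:
            gaps[comp.get("name", "<unnamed>")] = missing
    return gaps


def parse_nuget_purl(purl):
    """'pkg:nuget/Newtonsoft.Json@13.0.3' -> ('Newtonsoft.Json', '13.0.3'); None for other ecosystems."""
    if not purl or not purl.startswith("pkg:nuget/"):
        return None
    name, _, version = purl[len("pkg:nuget/"):].split("?", 1)[0].partition("@")
    return (name, version) if name and version else None


def read_nuspec(cache_dir, name, version):
    """Return (authors, CycloneDX license entry) from the cached .nuspec, or (None, None) if not cached."""
    path = os.path.join(cache_dir, name.lower(), version.lower(), name.lower() + ".nuspec")
    if not os.path.isfile(path):
        return None, None
    meta = ET.parse(path).getroot().find("{*}metadata")  # {*}: ignore the nuspec schema-version namespace
    if meta is None:
        return None, None
    authors = (meta.findtext("{*}authors") or "").strip() or None
    lic, url = meta.find("{*}license"), (meta.findtext("{*}licenseUrl") or "").strip()
    if lic is not None and lic.get("type") == "expression" and lic.text:
        entry = {"expression": lic.text.strip()}  # SPDX expression, e.g. "MIT OR Apache-2.0"
    elif url:  # older packages carry only a URL; leave it for a human to map to an SPDX id
        entry = {"license": {"name": "see url", "url": url}}
    else:
        entry = None  # type="file" licenses ship as text inside the .nupkg; not resolved here
    return authors, entry


def enrich_from_nuspec(sbom, cache_dir):
    """Fill empty supplier/licenses on NuGet components in place; returns the same sbom."""
    for comp in sbom.get("components", []):
        parsed = parse_nuget_purl(comp.get("purl"))
        if parsed is None:
            continue
        authors, entry = read_nuspec(cache_dir, *parsed)
        if authors and not comp.get("supplier"):
            comp["supplier"] = {"name": authors}
        if entry and not comp.get("licenses"):
            comp["licenses"] = [entry]
    return sbom


# Constructed sample shaped like `syft scan dir:./ -o cyclonedx-json` output; Internal.Logging is hypothetical.
SAMPLE_SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "Newtonsoft.Json", "version": "13.0.3", "purl": "pkg:nuget/Newtonsoft.Json@13.0.3"},
    {"type": "library", "name": "Internal.Logging", "version": "2.1.0", "purl": "pkg:nuget/Internal.Logging@2.1.0"},
]}

# Constructed .nuspec in the shape NuGet writes into the cache for Newtonsoft.Json 13.0.3.
SAMPLE_NUSPEC = """<?xml version="1.0" encoding="utf-8"?>
<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
  <metadata>
    <id>Newtonsoft.Json</id><version>13.0.3</version>
    <authors>James Newton-King</authors>
    <license type="expression">MIT</license>
  </metadata>
</package>"""


def demo():
    """Run the check on SAMPLE_SBOM against a throwaway cache holding only the
    Newtonsoft.Json nuspec; returns (gaps before enrichment, gaps after)."""
    with tempfile.TemporaryDirectory() as cache:
        pkg_dir = os.path.join(cache, "newtonsoft.json", "13.0.3")
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "newtonsoft.json.nuspec"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_NUSPEC)
        sbom = json.loads(json.dumps(SAMPLE_SBOM))  # deep copy; keep the sample pristine
        before = ntia_gaps(sbom)
        after = ntia_gaps(enrich_from_nuspec(sbom, cache))
    return before, after


if __name__ == "__main__":  # real use: python enrich_sbom.py dotnet.json > dotnet-enriched.json
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            doc = enrich_from_nuspec(json.load(fh), os.path.expanduser("~/.nuget/packages"))
        print(json.dumps(doc, indent=2))
        print("still missing:", ntia_gaps(doc), file=sys.stderr)
    else:
        print(demo())
```

Run it against the real `dotnet.json` after `dotnet build` has populated the cache, and upload the enriched file instead. Anything still reported as missing (a package that was never restored on this machine, or one whose nuspec only carries a `licenseUrl`) needs a manual entry; the script deliberately fills only what the package itself declares rather than guessing.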

Optimizing SBOM Creation and Vulnerability Tracking Using Syft and Vigiles

By combining Syft’s precise SBOM generation with Vigiles’ extensive vulnerability management, you can greatly enhance your software’s security posture. Vigiles assists in identifying vulnerabilities and provides direct links to patches and remediation options, making the process of securing your software easier.

 

Start Your Journey with Vigiles Today

Unlock the full potential of SBOM and vulnerability management with Vigiles. Try Vigiles Prime free for 30 days and see how it can streamline your vulnerability management process, safeguard your software, and speed up compliance workflows. Contact us for a free evaluation of Vigiles Enterprise and take the first step towards a more secure development journey.

 

———————————————

Tools Evaluated