Introduction

In our twelfth blog of the ecosystem series, we explore how to generate a Software Bill of Materials (SBOM) for the Ruby (RubyGems) ecosystem. We also underscore the vital role of Software Composition Analysis (SCA) in maintaining the safety and robustness of Ruby applications.

For the other ecosystem blogs in our series on how to generate SBOMs in different environments, check out this blog here.


What is RubyGems and Ruby?

RubyGems is the package manager for Ruby, a dynamic, open-source programming language with a focus on simplicity and productivity. RubyGems allows developers to easily distribute and manage the libraries, or gems, they create.


A Comprehensive Guide to SBOMs and SCA

A Software Bill of Materials (SBOM) is a detailed inventory of all software components and dependencies within a project. In the Ruby ecosystem, maintaining an accurate SBOM is essential due to the dynamic nature of RubyGems packages and dependencies. Software Composition Analysis (SCA) tools help identify and manage vulnerabilities in these components, ensuring your projects remain secure.


Generating an SBOM for Ruby with Syft

What makes Syft stand out? Through rigorous testing, we discovered that Syft produces the highest quality SBOMs. Because of this and its seamless compatibility with Vigiles, we have chosen Syft as our go-to tool for generating SBOMs in this blog series.


Steps to Generate an SBOM with Syft:

  1. If you don’t have Syft already, download and install the tool:
`curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin v1.3.0`
  2. Change to your project/application directory.
  3. Run the commands below to configure Bundler to install gems inside the project directory and then install the dependencies:
`bundle config set --local path './'`
`bundle install`
  4. Lastly, generate the SBOM by running the following command:
`syft scan dir:./ -o cyclonedx-json=gems.json`


Generating a Vulnerability Report with Vigiles

Timesys offers Vigiles, a powerful tool for SBOM management, vulnerability monitoring, and remediation. To examine the SBOM generated by Syft and produce a vulnerability report, follow these steps:

  1. Upload the SBOM to Vigiles through the WebUI or with the vigiles-cli tool as shown below. Once the upload completes, the tool returns a URL to the WebUI view.
`vigiles -k </path/to/key> manifest upload </path/to/sbom>`

Note: An active Vigiles Enterprise subscription is needed to complete these steps. Find out more about Vigiles and get a subscription here.


Sample SBOM WebUI View

In the Vigiles WebUI, you have access to SBOM component details, including each component’s name, version, and license information. Below is a demonstration of this view.


Sample Vulnerability View

In this next sample view, all vulnerabilities tied to each package and the available fixes are displayed.


Vigiles retrieves data from multiple security advisories, such as NVD, OSV (GitHub Security Advisory), PyPI Advisory, Go Vulnerability Database, Rust Advisory, Haskell Security Advisories, OSS-Fuzz, Debian Security Advisories, and RConsortium Advisory.
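To show what the vulnerability view above is doing underneath, here is an added example (not the post's, Syft's or Vigiles' own code) that matches the gems in a CycloneDX component list against advisory records written in an OSV-style layout of introduced/fixed version ranges. The component list and the advisories, including the EXAMPLE-ADV ids and every version number, are constructed placeholders. The version ordering follows the RubyGems rule that a prerelease segment such as `beta1` sorts below the release with the same numeric prefix; plain string comparison gets that wrong and produces false positives or false negatives at exactly the boundary an advisory cares about.

```python
from itertools import zip_longest

# Constructed advisory records in an OSV-like layout (affected version ranges
# expressed as introduced/fixed events). The ids and ranges are placeholders.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "rack",
     "ranges": [{"introduced": "2.0.0", "fixed": "2.2.9"}]},
    {"id": "EXAMPLE-ADV-0002", "package": "nokogiri",
     "ranges": [{"introduced": "0", "fixed": "1.16.0"}]},
    {"id": "EXAMPLE-ADV-0003", "package": "rack",
     "ranges": [{"introduced": "3.0.0", "fixed": "3.0.9"}]},
    {"id": "EXAMPLE-ADV-0004", "package": "rails",
     "ranges": [{"introduced": "7.2.0", "fixed": "7.2.1"}]},
]

# Constructed CycloneDX component list in the shape Syft emits for gems
# (pkg:gem/... purls); names and versions are sample data.
SBOM = {"components": [
    {"name": "rack", "version": "2.2.8", "purl": "pkg:gem/rack@2.2.8"},
    {"name": "nokogiri", "version": "1.16.5", "purl": "pkg:gem/nokogiri@1.16.5"},
    {"name": "rake", "version": "13.2.1", "purl": "pkg:gem/rake@13.2.1"},
    {"name": "rails", "version": "7.2.0.beta1", "purl": "pkg:gem/rails@7.2.0.beta1"},
]}

def version_key(version: str) -> list[tuple]:
    """Split a RubyGems-style version into comparable segments.
    Numeric segments become (1, int); alphabetic ones such as 'beta1'
    become (0, str), so a prerelease sorts below its release."""
    return [(1, int(s)) if s.isdigit() else (0, s) for s in version.split(".")]

def version_lt(a: str, b: str) -> bool:
    """True if gem version a is strictly lower than b. Missing trailing
    segments count as 0, so 2.0.0.beta1 < 2.0.0 and 2.2 == 2.2.0."""
    for sa, sb in zip_longest(version_key(a), version_key(b), fillvalue=(1, 0)):
        if sa != sb:
            return sa < sb
    return False

def matching_range(version: str, ranges: list[dict]):
    """Return the first range containing version, or None.
    A range covers introduced <= v < fixed; no 'fixed' key means still open."""
    for r in ranges:
        introduced, fixed = r.get("introduced", "0"), r.get("fixed")
        if not version_lt(version, introduced) and (fixed is None or version_lt(version, fixed)):
            return r
    return None

def find_vulnerable(sbom: dict, advisories: list[dict]) -> dict[str, list[dict]]:
    """Map each affected gem purl to the advisories that hit it and the
    version that fixes each one (the 'available fix' shown per package)."""
    hits: dict[str, list[dict]] = {}
    for comp in sbom.get("components", []):
        if not comp.get("purl", "").startswith("pkg:gem/"):
            continue  # only Ruby gems are matched here
        for adv in advisories:
            if adv["package"] != comp["name"]:
                continue
            rng = matching_range(comp["version"], adv["ranges"])
            if rng is not None:
                hits.setdefault(comp["purl"], []).append(
                    {"id": adv["id"], "fixed": rng.get("fixed")})
    return hits

if __name__ == "__main__":
    for purl, found in find_vulnerable(SBOM, ADVISORIES).items():
        for f in found:
            print(f"{purl}: {f['id']} (fixed in {f['fixed'] or 'no fix yet'})")
```

With the sample data only rack 2.2.8 is reported (it falls inside the 2.0.0 to 2.2.9 range), while rails 7.2.0.beta1 is correctly left out because the prerelease sits below the 7.2.0 boundary where the advisory starts.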


What are the limitations of RubyGems and Ruby?

At the present time, Syft lacks some elements specified in the NTIA minimum elements for an SBOM. The CycloneDX JSON format is missing the following fields:

  • Supplier
  • License information
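As an added example that is not code from the post, Syft or Vigiles, the following Python script reads the CycloneDX JSON that the `syft scan` step writes to gems.json and reports, per gem, which of the NTIA minimum elements are absent, so the two gaps listed above can be checked mechanically before the file is uploaded. The embedded document is a constructed, trimmed imitation of Syft's output; the gem names, versions and the supplier name are sample data.

```python
import json

# Constructed sample of a CycloneDX 1.5 JSON document, trimmed to the fields
# relevant here. It imitates what `syft scan dir:./ -o cyclonedx-json=gems.json`
# emits for a Ruby project; the gems, versions and supplier are made-up data.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"tools": [{"vendor": "anchore", "name": "syft"}]},
    "components": [
        {"type": "library", "name": "rack", "version": "2.2.8",
         "purl": "pkg:gem/rack@2.2.8"},
        {"type": "library", "name": "nokogiri", "version": "1.16.5",
         "purl": "pkg:gem/nokogiri@1.16.5",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "internal-gem", "version": "0.1.0",
         "purl": "pkg:gem/internal-gem@0.1.0",
         "supplier": {"name": "Example Corp (constructed)"},
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
    ],
})

def component_gaps(component: dict) -> list[str]:
    """Return the NTIA per-component minimum elements this component lacks:
    supplier name, component name, version, a unique identifier (here the
    purl), plus license data, which the post notes Syft also leaves out."""
    gaps = []
    supplier = component.get("supplier") or {}
    if not supplier.get("name"):
        gaps.append("supplier")
    if not component.get("name"):
        gaps.append("name")
    if not component.get("version"):
        gaps.append("version")
    if not component.get("purl"):
        gaps.append("unique identifier (purl)")
    # CycloneDX license entries are either {"license": {...}} or {"expression": "..."}
    licenses = component.get("licenses") or []
    if not any(entry.get("license") or entry.get("expression") for entry in licenses):
        gaps.append("license")
    return gaps

def audit_sbom(sbom_json: str) -> dict[str, list[str]]:
    """Parse a CycloneDX JSON string and map each incomplete component
    (keyed by purl, or name@version when no purl) to its missing elements."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    report: dict[str, list[str]] = {}
    for comp in sbom.get("components", []):
        key = comp.get("purl") or f"{comp.get('name')}@{comp.get('version')}"
        gaps = component_gaps(comp)
        if gaps:
            report[key] = gaps
    return report

if __name__ == "__main__":
    # To audit a real file instead of the sample: audit_sbom(open("gems.json").read())
    for ref, gaps in audit_sbom(SAMPLE_SBOM).items():
        print(f"{ref}: missing {', '.join(gaps)}")
```

Run against the sample, rack is flagged for both supplier and license, nokogiri only for supplier, and the component that carries both fields is not reported; the same check on a real gems.json tells you which gaps the Vigiles side will have to fill from its own data.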


Improving Your SBOM and Security Management with Syft and Vigiles

The partnership of Syft and Vigiles delivers an effective solution for generating and managing SBOMs in the Ruby ecosystem. Syft’s proficiency in creating detailed SBOMs is amplified by Vigiles’ extensive vulnerability monitoring and remediation capabilities, keeping your software secure and compliant with industry standards. How? By providing you with:

  • A Curated CVE Database: Enjoy improved accuracy in CVE reporting with a meticulously curated database.
  • A Continuous Security Feed: Stay ahead of vulnerabilities with updates that align with your SBOMs.
  • Advanced Filtering & Triage Tools: Quickly identify and prioritize vulnerabilities, streamlining the remediation process.
  • Compliance Support: Easily meet industry compliance requirements for cybersecurity documentation and SBOM management.
  • Integration & Collaboration: Seamlessly integrate with major Linux build systems and collaborate efficiently through tools like Jira.


Get Started with Vigiles Today

Contact us to try Vigiles Prime free for 30 days, or get a free evaluation of Vigiles Enterprise, and discover how it can streamline your vulnerability management process, safeguard your software, and accelerate compliance workflows.


———————————————

Tools Evaluated