This repo contains a Nodestream plugin to import SBOM files in JSON formatted CycloneDX and SPDX into an opinionated graph data model in a graph database. Nodestream is a developer friendly Python framework for materializing and working with graph databases.
- An opinionated graph data model for SBOM data analysis
- Support for JSON formatted CycloneDX and SPDX data files
- Automated download of SBOM files from Github and import them into a graph
- Automated export of SBOM files from Amazon Inspector and import them into a graph
For information on configuring and using Nodestream please visit the Documentation on Github Pages.
To use the Nodestream SBOM plugin you first must install it from PyPI:

```shell
pip install nodestream-plugin-sbom
```
The SBOM plugin comes with three pre-configured pipelines:

- `sbom` - This will import SBOM files from a local directory
- `sbom_github` - This will export SBOM files from the provided Github repo and import them into a graph database
- `sbom_amazon_inspector` - This will export SBOM files using Amazon Inspector and import them into a graph database
Once installed you will need to add some configuration depending on which pipeline you want to run:

`nodestream.yaml` configuration for the `sbom` pipeline:

```yaml
plugins:
- name: sbom
  config:
    paths: <The local directory or file with SBOM files to import>
targets:
  my-db:
    database: neptune
    graph_id: <YOUR GRAPH ID>
    mode: analytics
```

To run the pipeline:

```shell
nodestream run sbom --target my-db -v
```
`nodestream.yaml` configuration for the `sbom_github` pipeline:

```yaml
plugins:
- name: sbom
  config:
    repos: [A list of owner/repos to import e.g. nodestream-proj/nodestream]
targets:
  my-db:
    database: neptune
    graph_id: <YOUR GRAPH ID>
    mode: analytics
```

To run the pipeline:

```shell
nodestream run sbom_github --target my-db -v
```
To use the Amazon Inspector pipeline you must provide the S3 bucket, key prefix and KMS key ARN that Amazon Inspector exports to.

`nodestream.yaml` configuration for the `sbom_amazon_inspector` pipeline:

```yaml
plugins:
- name: sbom
  config:
    bucketName: <S3 Bucket Name>
    keyPrefix: <S3 Bucket Key Prefix>
    kmsKeyArn: <KMS Key ARN>
targets:
  my-db:
    database: neptune
    graph_id: <YOUR GRAPH ID>
    mode: analytics
```

To run the pipeline:

```shell
nodestream run sbom_amazon_inspector --target my-db -v
```

For configuration of the S3 bucket and KMS key required for Amazon Inspector please refer to the documentation: https://docs.aws.amazon.com/inspector/latest/user/sbom-export.html
A software bill of materials (SBOM) is a critical component of software development and management, helping organizations to improve the transparency, security, and reliability of their software applications. An SBOM acts as an "ingredient list" of the libraries and components of a software application that:

- Enables software creators to track dependencies within their applications
- Provides security personnel the ability to examine and assess the risk of potential vulnerabilities within an environment
- Provides legal personnel the information needed to assure that a particular piece of software is in compliance with all licensing requirements.
When combined together, the functionality provided by SBOMs is a critical piece of
A software bill of materials (SBOM) is a comprehensive list of the components, libraries, and dependencies used in a software application or system. It provides a detailed breakdown of the software's architecture, including the names, versions, licenses, and optionally the vulnerabilities of each component.
An SBOM provides those who create, purchase, and operate software with insight and understanding of the supply chain, enabling them to track known and newly emerged vulnerabilities and risks. SBOMs and SBOM analysis are part of the foundational data layer on which further security tools, practices, and procedures should be built. SBOMs can be generated using a variety of tools and technologies, including open-source tools, automated tools, and manual processes. They can be formatted in different formats, such as JSON, YAML, or XML, to suit different needs and use cases. There are currently two main open-source and machine-readable formats for SBOMs:

- CycloneDX - Developed by the Open Web Application Security Project (OWASP), this is a format that is focused on providing simple automation to ease adoption. In addition to the minimum requirements for data in an SBOM, CycloneDX files can also contain information about associated vulnerabilities within the system or application.
- SPDX - Developed by the Linux Foundation, this format was originally created to facilitate the exchange of software metadata, with a particular focus on licensing information. Since its creation in 2011 it has evolved to include additional data fields that enable its use as an SBOM format.
The key elements of this data model are:

Node Types

- `Document` - This represents the SBOM document as well as the metadata associated with that SBOM. In a CycloneDX file, this is sourced from the `metadata` element of the SBOM. In an SPDX file, this is sourced from the 'document' element of the SBOM.
- `Component` - This represents a specific component of a software system. In a CycloneDX file, this is sourced from the `components` elements of the SBOM. In an SPDX file, this is sourced from the 'packages' elements of the SBOM.
- `Reference` - This represents a reference to any external system which the system wanted to include as a reference. This can range from package managers to URLs of external websites. In a CycloneDX file, this is sourced from the `externalReferences` elements of each SBOM `component`. In an SPDX file, this is sourced from the 'externalRef' elements of the SBOM 'packages'.
- `Vulnerability` - This represents a specific known vulnerability for a component. This is only available with CycloneDX files and is sourced from the `vulnerabilities` elements of the SBOM.

Edge Types

- `DESCRIBES` / `DEPENDS_ON` / `DEPENDENCY_OF` / `DESCRIBED_BY` / `CONTAINS` - This represents the type of relationship between a `Document` and a `Component` in the system. For CycloneDX files only the `DEPENDS_ON` edge type is used. For SPDX files the appropriate edge type is determined by the relationship type specified in the `relationship` elements.
- `REFERS_TO` - This represents a reference between a `Component` and a `Reference`.
- `AFFECTS` - This represents that a particular `Component` is affected by the connected `Vulnerability`.
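To make the model concrete, here is an added example (not the plugin's own code) that maps a constructed CycloneDX JSON document onto the node and edge types above and then walks `DEPENDS_ON` edges backwards to find everything transitively exposed to a vulnerability. It assumes that `DEPENDS_ON` edges come from the CycloneDX `dependencies` array, with the root component in `metadata` standing in for the `Document` node; the sample data, its ids, the placeholder vulnerability id and the `exposed_to` helper are all constructed for this example.

```python
import json
from collections import defaultdict
# Constructed CycloneDX-style JSON document (sample data, not from the page or plugin).
SAMPLE_CYCLONEDX = json.dumps({
    "bomFormat": "CycloneDX", "serialNumber": "urn:uuid:example-sbom",
    "metadata": {"component": {"bom-ref": "app", "name": "demo-app"}},
    "components": [{"bom-ref": "pkg:pypi/libalpha@1.2.0", "externalReferences": [
                        {"type": "website", "url": "https://example.invalid/libalpha"}]},
                   {"bom-ref": "pkg:pypi/libbeta@0.9.1"}],
    "dependencies": [{"ref": "app", "dependsOn": ["pkg:pypi/libalpha@1.2.0"]},
                     {"ref": "pkg:pypi/libalpha@1.2.0", "dependsOn": ["pkg:pypi/libbeta@0.9.1"]}],
    # Placeholder vulnerability id, not a real CVE.
    "vulnerabilities": [{"id": "EXAMPLE-VULN-0001", "affects": [{"ref": "pkg:pypi/libbeta@0.9.1"}]}],
})
def cyclonedx_to_graph(text):
    """Map a CycloneDX JSON SBOM onto the node and edge types described above.
    Returns (nodes, edges): label -> set of ids, and a set of (edge_type, src, dst)."""
    bom = json.loads(text)
    nodes, edges = defaultdict(set), set()
    doc_id = bom.get("serialNumber", "urn:uuid:unknown")  # Document node from `metadata`
    nodes["Document"].add(doc_id)
    root = bom.get("metadata", {}).get("component", {}).get("bom-ref")
    for comp in bom.get("components", []):  # Component nodes from `components`
        nodes["Component"].add(comp["bom-ref"])
        for ref in comp.get("externalReferences", []):  # Reference nodes, REFERS_TO edges
            nodes["Reference"].add(ref["url"])
            edges.add(("REFERS_TO", comp["bom-ref"], ref["url"]))
    # DEPENDS_ON from `dependencies`; a dependency declared by the root component in
    # `metadata` is attached to the Document node (assumption, not the plugin's rule).
    for dep in bom.get("dependencies", []):
        src = doc_id if dep["ref"] == root else dep["ref"]
        for target in dep.get("dependsOn", []):
            edges.add(("DEPENDS_ON", src, target))
    for vuln in bom.get("vulnerabilities", []):  # Vulnerability nodes, AFFECTS edges
        nodes["Vulnerability"].add(vuln["id"])
        for affected in vuln.get("affects", []):
            edges.add(("AFFECTS", vuln["id"], affected["ref"]))
    return dict(nodes), edges
def exposed_to(edges, vuln_id):
    """Return every node (components and the Document) that transitively depends
    on a component the given vulnerability AFFECTS."""
    dependents = defaultdict(set)  # reverse adjacency over DEPENDS_ON edges
    for etype, src, dst in (e for e in edges if e[0] == "DEPENDS_ON"):
        dependents[dst].add(src)
    seen, todo = set(), [d for t, s, d in edges if t == "AFFECTS" and s == vuln_id]
    while todo:
        n = todo.pop()
        if n not in seen:
            seen.add(n)
            todo.extend(dependents[n])
    return seen
```

Running `exposed_to(cyclonedx_to_graph(SAMPLE_CYCLONEDX)[1], "EXAMPLE-VULN-0001")` yields the affected component, the component that depends on it, and the Document, which is the kind of transitive question the graph model is built to answer.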
Please file all issues and feature requests using Github issues on this repo. We will address them as soon as reasonable.
- Dave Bechberger (@bechbd)