Thursday, July 22, 2021

[Research] OWASP Dependency-Track - Building an SBOM with CycloneDX

2021-07-22

Continuing from the post below, this entry produces the SBOM (or BOM):

[Research] OWASP Dependency-Track 4.2.2 Installation (CentOS 8.4)
https://shaurong.blogspot.com/2021/07/owasp-dependency-track-centos-84_19.html

According to

Best Practices | Dependency-Track
https://docs.dependencytrack.org/best-practices/

To use Dependency-Track (DT or DTrack for short below), you first prepare an SBOM (Software Bill of Materials) or BOM (Bill of Materials) for the application, submit it to DT, wait for DT to finish analysing it, and then review the findings in DT's web interface.

********************************************************************************

Obtaining CycloneDX.exe

Download the code from the URL below (you get cyclonedx-dotnet-master.zip)

GitHub - CycloneDX/cyclonedx-dotnet: Creates CycloneDX Software Bill of Materials (SBOM) from .NET Projects
https://github.com/CycloneDX/cyclonedx-dotnet

What you download is source code, so you need Visual Studio 2019 to build it yourself and produce CycloneDX.exe. (The same project is also published on NuGet as a .NET global tool, installable with dotnet tool install --global CycloneDX, which skips the build step; this post builds from source.)

Visual Studio 2019 download and installation
https://docs.microsoft.com/zh-tw/visualstudio/releases/2019/release-notes
https://docs.microsoft.com/en-us/visualstudio/releases/2019/release-notes
https://visualstudio.microsoft.com/zh-hant/downloads/

Unzip cyclonedx-dotnet-master.zip and open CycloneDX.sln in Visual Studio 2019. The solution contains 5 projects; build only the CycloneDX project. Do not Build, Rebuild or compile the whole solution, or you will get a pile of errors.

I ended up with C:\CODE\cyclonedx-dotnet\CycloneDX\bin\Debug\netcoreapp3.1\publish\CycloneDX.exe

********************************************************************************

Creating a test solution

Create a test solution in Visual Studio 2019 and install, via NuGet, an old package that is likely to carry known CVEs. I picked an old version of the widely used jQuery package.

********************************************************************************

Generating a BOM for the test solution with CycloneDX.exe

The command line is taken from the project README:

GitHub - CycloneDX/cyclonedx-dotnet: Creates CycloneDX Software Bill of Materials (SBOM) from .NET Projects
https://github.com/CycloneDX/cyclonedx-dotnet

Syntax: CycloneDX <path> -o <OUTPUT_DIRECTORY>

path is the path to a .sln, .csproj, .vbproj or packages.config file, or to a directory containing one (here, the solution directory). -o is the directory the bom.xml is written to.


C:\CODE\cyclonedx-dotnet\CycloneDX\bin\Debug\netcoreapp3.1\publish>CycloneDX.exe C:\CodeTemp\BOMTest1 -o C:\CodeTemp\BOM  

Found the following local nuget package cache locations:
    C:\Users\Administrator\.nuget\packages\
Retrieving jQuery 1.4.1
Retrieving Microsoft.CodeDom.Providers.DotNetCompilerPlatform 2.0.1

Creating CycloneDX BOM
Writing to: C:\CodeTemp\BOM\bom.xml

C:\CODE\cyclonedx-dotnet\CycloneDX\bin\Debug\netcoreapp3.1\publish>

C:\CodeTemp\BOM\bom.xml now exists. Its contents:


<?xml version="1.0" encoding="utf-8"?>
<bom xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" serialNumber="urn:uuid:052d473a-fb34-4c65-a60c-503bdfe73220" version="1" xmlns="http://cyclonedx.org/schema/bom/1.2">
  <metadata>
    <tools>
      <tool>
        <vendor>CycloneDX</vendor>
        <name>CycloneDX module for .NET</name>
        <version>1.0.0.0</version>
      </tool>
    </tools>
  </metadata>
  <components>
    <component type="library">
      <publisher>John Resig</publisher>
      <name>jQuery</name>
      <version>1.4.1</version>
      <description>jQuery is a fast and concise JavaScript Library that simplifies HTML document traversing, event handling, animating, and Ajax interactions for rapid web development</description>
      <hashes>
        <hash alg="SHA-512">11514F179BE0C33C346B027E6C3B360897DA1C97B54EF9499BA7A47066BDEED28D51640F0F2C2404A1556995E9DDEC7D3A9813175B05871C1C9E4B1C0F499F14</hash>
      </hashes>
      <purl>pkg:nuget/jQuery@1.4.1</purl>
    </component>
    <component type="library">
      <publisher>Microsoft</publisher>
      <name>Microsoft.CodeDom.Providers.DotNetCompilerPlatform</name>
      <version>2.0.1</version>
      <description>Replacement CodeDOM providers that use the new .NET Compiler Platform ("Roslyn") compiler as a service APIs.</description>
      <hashes>
        <hash alg="SHA-512">B41366851E1E83EDC77A7DD317903DF27268B9EFC1F5879E44F2BB66751007594E4B3A6AD932E2EBC4F99BEBD09764B88D90C3768F07173E584CC486BC78CFA6</hash>
      </hashes>
      <licenses>
        <license>
          <url>http://www.microsoft.com/web/webpi/eula/net_library_eula_ENU.htm</url>
        </license>
      </licenses>
      <copyright>© Microsoft Corporation. All rights reserved.</copyright>
      <purl>pkg:nuget/Microsoft.CodeDom.Providers.DotNetCompilerPlatform@2.0.1</purl>
      <externalReferences>
        <reference type="website">
          <url>http://www.asp.net/</url>
        </reference>
      </externalReferences>
    </component>
  </components>
</bom>

The next step is to submit this BOM file to the OWASP Dependency-Track server.
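Before handing the file over, it is worth checking that DT will be able to match what is in it: every component needs a purl that DT can resolve against vulnerability data (the two pkg:nuget purls above), the purl must agree with the component's name and version, and the hashes should be well-formed. The Python script below is an added example for this post, not code from cyclonedx-dotnet or Dependency-Track. It parses the bom.xml generated above (embedded, trimmed to the fields the checks need), runs those checks, can verify a component's SHA-512 against the .nupkg in the local NuGet cache, and builds the PUT /api/v1/bom request that DT accepts for a base64-encoded BOM. The DT host, API key and project UUID are placeholders you must replace, and the assumption that the recorded SHA-512 is the digest of the .nupkg file is marked in the code.

```python
"""Sanity-check a CycloneDX XML BOM and prepare it for upload to Dependency-Track.

Added example for this post; not code from cyclonedx-dotnet or Dependency-Track.
DT_BASE_URL, the API key and the project UUID used below are placeholders.
"""
import base64
import hashlib
import json
import re
import uuid
import xml.etree.ElementTree as ET

# The bom.xml generated above, trimmed to the fields the checks need (embedded so the
# script runs offline; purls and hashes are copied from the generated file).
BOM_XML = """<?xml version="1.0" encoding="utf-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.2" serialNumber="urn:uuid:052d473a-fb34-4c65-a60c-503bdfe73220" version="1">
  <components>
    <component type="library">
      <name>jQuery</name>
      <version>1.4.1</version>
      <hashes><hash alg="SHA-512">11514F179BE0C33C346B027E6C3B360897DA1C97B54EF9499BA7A47066BDEED28D51640F0F2C2404A1556995E9DDEC7D3A9813175B05871C1C9E4B1C0F499F14</hash></hashes>
      <purl>pkg:nuget/jQuery@1.4.1</purl>
    </component>
    <component type="library">
      <name>Microsoft.CodeDom.Providers.DotNetCompilerPlatform</name>
      <version>2.0.1</version>
      <hashes><hash alg="SHA-512">B41366851E1E83EDC77A7DD317903DF27268B9EFC1F5879E44F2BB66751007594E4B3A6AD932E2EBC4F99BEBD09764B88D90C3768F07173E584CC486BC78CFA6</hash></hashes>
      <purl>pkg:nuget/Microsoft.CodeDom.Providers.DotNetCompilerPlatform@2.0.1</purl>
    </component>
  </components>
</bom>
"""

HASH_HEX_LEN = {"MD5": 32, "SHA-1": 40, "SHA-256": 64, "SHA-512": 128}
PURL_RE = re.compile(r"^pkg:nuget/([^@/?#]+)@([^?#]+)$")
DT_BASE_URL = "http://dtrack.example.com:8080"  # placeholder: your Dependency-Track host


def parse_bom(xml_text):
    """Return {'serial', 'version', 'components'} from a CycloneDX XML BOM (any 1.x schema)."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    m = re.fullmatch(r"\{(http://cyclonedx\.org/schema/bom/[\d.]+)\}bom", root.tag)
    if not m:
        raise ValueError("not a CycloneDX BOM: root element is %r" % root.tag)
    ns = {"b": m.group(1)}  # namespace taken from the document, so 1.2 and later both parse
    comps = []
    for c in root.findall("b:components/b:component", ns):
        comps.append({
            "type": c.get("type"),
            "name": c.findtext("b:name", default="", namespaces=ns),
            "version": c.findtext("b:version", default="", namespaces=ns),
            "purl": c.findtext("b:purl", default=None, namespaces=ns),
            "hashes": {h.get("alg"): (h.text or "").strip()
                       for h in c.findall("b:hashes/b:hash", ns)},
        })
    return {"serial": root.get("serialNumber"), "version": root.get("version"), "components": comps}


def check_bom(bom):
    """Return a list of problems that would make DT's matching unreliable (empty = clean)."""
    problems = []
    serial = bom["serial"] or ""
    if not serial.startswith("urn:uuid:"):
        problems.append("serialNumber must be a urn:uuid, got %r" % serial)
    else:
        try:
            uuid.UUID(serial[len("urn:uuid:"):])
        except ValueError:
            problems.append("serialNumber is not a valid UUID: %r" % serial)
    seen = set()
    for c in bom["components"]:
        label = "%s@%s" % (c["name"], c["version"])
        if not c["purl"]:
            problems.append("%s: no purl, DT cannot match it to vulnerability data" % label)
            continue
        m = PURL_RE.match(c["purl"])
        if not m:
            problems.append("%s: purl is not pkg:nuget/<name>@<version>: %r" % (label, c["purl"]))
        # NuGet package IDs are case-insensitive, so compare the name that way; versions exactly.
        elif m.group(1).lower() != c["name"].lower() or m.group(2) != c["version"]:
            problems.append("%s: purl %r disagrees with name/version" % (label, c["purl"]))
        if c["purl"] in seen:
            problems.append("%s: duplicate purl" % label)
        seen.add(c["purl"])
        for alg, value in c["hashes"].items():
            want = HASH_HEX_LEN.get(alg)
            if want is None or not re.fullmatch(r"[0-9A-Fa-f]{%d}" % want, value):
                problems.append("%s: malformed %s hash %r" % (label, alg, value))
    return problems


def verify_nupkg_hash(nupkg_bytes, expected_hex):
    """True if SHA-512 of the .nupkg bytes equals the BOM's hex digest.
    Assumption: the BOM's SHA-512 is the digest of the .nupkg in the local NuGet cache
    (e.g. %USERPROFILE%\\.nuget\\packages\\jquery\\1.4.1\\jquery.1.4.1.nupkg)."""
    return hashlib.sha512(nupkg_bytes).hexdigest().lower() == expected_hex.lower()


def build_upload_request(xml_text, project_uuid, api_key):
    """Build DT's PUT /api/v1/bom request: JSON with the project UUID and the BOM base64-encoded,
    authenticated with an X-Api-Key header. (DT also accepts projectName/projectVersion with
    autoCreate=true in place of the UUID.)"""
    payload = {"project": project_uuid,
               "bom": base64.b64encode(xml_text.encode("utf-8")).decode("ascii")}
    return {"method": "PUT", "url": DT_BASE_URL + "/api/v1/bom",
            "headers": {"Content-Type": "application/json", "X-Api-Key": api_key},
            "body": json.dumps(payload)}


def send(request):
    """Perform the upload with the standard library (not called here; needs a live DT).
    DT answers with {"token": "..."} identifying the queued analysis."""
    import urllib.request
    req = urllib.request.Request(request["url"], data=request["body"].encode("utf-8"),
                                 headers=request["headers"], method=request["method"])
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    bom = parse_bom(BOM_XML)
    for c in bom["components"]:
        print(c["purl"], c["hashes"].get("SHA-512", "")[:16] + "...")
    problems = check_bom(bom)
    print("problems:", problems or "none")
    if not problems:
        req = build_upload_request(BOM_XML, "00000000-0000-0000-0000-000000000000", "<api key>")
        print(req["method"], req["url"], len(req["body"]), "bytes")
```

The project UUID is the one DT assigns when you create the project (it appears in the project's URL in the web UI), and the API key must belong to a team with BOM_UPLOAD permission; replace the placeholders, then call send(build_upload_request(open("bom.xml").read(), project_uuid, api_key)) to upload.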

(To be continued)
