
Demo: A free tool for generating an SBOM

And one way to find outdated versions of Log4j.
Cover image: Francis Scialabba

If software were a plate of food, its “bill of materials” would let eaters know which ingredients are fresh, and which ones have reached their sell-by date.

Naomi Buckwalter, director of product security at Contrast Security, recently demo’d the company’s free tool—software composition analysis (SCA)—for generating the ingredient list known as a software bill of materials, or SBOM.

A nested inventory of code components has been on the minds of agencies and administrations looking to address supply-chain risk.

  • President Biden’s May 2021 executive order on improving the nation’s cybersecurity, which set requirements for software sold to federal systems, defined an SBOM as “a formal record containing the details and supply-chain relationships of various components used in building software.”
  • CISA has called the SBOM a “key building block in software security and software supply-chain risk-management.”

An SBOM lists the components in a software project—including, say, an outdated copy of the Log4j logging library. (Scans run by security company Veracode in late 2023 found that 38% of the applications it examined were still using vulnerable versions of Log4j, two years after the December 2021 disclosure of Log4Shell, a flaw that lets an attacker execute code remotely on an affected system.)

Product documentation frequently includes information about a software’s composition. Open-source projects hosted on GitHub, for example, often include a README file describing the packages, libraries, and dependencies (components that one piece of software relies on in order to work). That description is maintained by hand, though, and only covers what the maintainer chose to list.

“You’ve got to keep up with those dependencies and know what version they’re on and know if there’s different vulnerabilities with any one of them. A lot of those are constantly being updated, and we don’t want to spend a ton of time as an engineering team just updating to a new version and retesting it,” Mike Lempner, VP of engineering and technology at fintech company Mission Lane, told IT Brew.

Buckwalter demonstrated the company’s free tool for creating an SBOM for projects hosted on GitHub or other code-hosting platforms featuring a package manager file in the source.


The Contrast scanner searches for package-manager files and “loops through all the dependencies and the dependencies of the dependencies, and the dependencies of those dependencies, and it goes all the way down the tree. And it makes a nice, easy list for you to understand. And then it generates a list of vulnerabilities, also,” Buckwalter said during the demo.

(Supported languages include Java, JavaScript, Python, Go, PHP, Ruby, and .NET. According to the site, users can scan up to 50 projects per month.)

How it works:

  • After the user runs three commands—one to install the CLI, one to authenticate to Contrast, and one to audit—the tool scans the repositories at the specified locations and lists each library it finds along with the library’s version.
[Screenshot: two library components found in a software sample. Credit: Billy Hurley]

  • A company demo available online shows how the “--save” flag keeps a local copy of the SBOM on the user’s computer. “contrast audit --save” runs against every package-manager file found within a project and writes a separate SBOM for each.
  • Opening the saved SBOM in a text editor and searching (Command-F) for the library of interest, such as Log4j, reveals the version numbers in use. Those can then be checked against known-vulnerable ranges (for Log4Shell, Log4j 2 versions 2.0-beta9 through 2.15.0).
  • The SCA scanner also reports the vulnerabilities it matched and their severity.
[Screenshot: a description of a found vulnerability and its severity, from Contrast’s SCA tool. Credit: Billy Hurley]
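Searching the saved file by hand works for one library; the scripted equivalent below is an added example, not Contrast’s code or part of the original article. It assumes the SBOM saved by “--save” is a CycloneDX JSON document (check the file’s top-level “bomFormat” field; if it is something else, adapt the field names), walks the “dependencies” graph to show which direct dependency dragged each copy of log4j-core in, and applies the 2.0-beta9 through 2.15.0 range quoted above. The sample SBOM, component names, and bom-refs are constructed for the example. It also handles an edge case a plain range check misses: the fix releases backported to older Java lines (2.3.1 and 2.12.2 onward) sit inside that numeric range but are already patched.

```python
"""Audit a CycloneDX SBOM for log4j-core versions in the Log4Shell range and
show the dependency chain that pulled each copy in. Added example; the SBOM
below is constructed, not output from any real scan."""
import json
import re

# Vulnerable Log4j 2 range quoted in the article: 2.0-beta9 through 2.15.0, inclusive.
RANGE_LOW = "2.0-beta9"
RANGE_HIGH = "2.15.0"
# Fix releases backported to older Java lines. They fall inside the numeric
# range above but already contain the Log4Shell (CVE-2021-44228) fix, so a
# naive range check would misreport them; keep them on an explicit allow-list.
PATCHED_BACKPORTS = {"2.3.1", "2.3.2", "2.12.2", "2.12.3", "2.12.4"}

_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$")


def version_key(version):
    """Sort key giving 2.0-alpha1 < 2.0-beta9 < 2.0-rc1 < 2.0 < 2.0.1 < 2.15.0."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, pre, pre_num = m.groups()
    pre_rank = (_PRE_RANK[pre], int(pre_num)) if pre else (3, 0)  # final > rc > beta > alpha
    return (int(major), int(minor), int(patch or 0), pre_rank)


def is_vulnerable_log4j_core(version):
    """True if a log4j-core version is inside the vulnerable range and not a backported fix."""
    if version in PATCHED_BACKPORTS:
        return False
    return version_key(RANGE_LOW) <= version_key(version) <= version_key(RANGE_HIGH)


def dependency_paths(sbom, target_ref):
    """Every chain of bom-refs from the SBOM's root component down to target_ref."""
    root = sbom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    paths, stack = [], [(root, [root])]
    while stack:
        node, path = stack.pop()
        if node == target_ref:
            paths.append(path)
            continue
        for child in edges.get(node, []):
            if child not in path:  # ignore cycles
                stack.append((child, path + [child]))
    return paths


def audit_log4j(sbom):
    """One finding per log4j-core component: version, verdict, and how it got there."""
    root = sbom["metadata"]["component"]
    labels = {root["bom-ref"]: root["name"]}
    for c in sbom.get("components", []):
        labels[c["bom-ref"]] = f"{c['name']}@{c['version']}"
    findings = []
    for c in sbom.get("components", []):
        # Log4Shell lives in log4j-core; log4j-api on its own is not affected, so match precisely.
        if c.get("group") == "org.apache.logging.log4j" and c.get("name") == "log4j-core":
            findings.append({
                "version": c["version"],
                "vulnerable": is_vulnerable_log4j_core(c["version"]),
                "paths": [" -> ".join(labels[r] for r in p)
                          for p in dependency_paths(sbom, c["bom-ref"])],
            })
    return findings


# Constructed CycloneDX 1.4 document standing in for a file written by --save.
SAMPLE_SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "metadata": {"component": {"bom-ref": "app", "type": "application", "name": "demo-app", "version": "1.0.0"}},
  "components": [
    {"bom-ref": "web", "type": "library", "group": "com.example", "name": "web-framework", "version": "5.1.0"},
    {"bom-ref": "rep", "type": "library", "group": "com.example", "name": "reporting-lib", "version": "3.0.0"},
    {"bom-ref": "api", "type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.17.1"},
    {"bom-ref": "core-old", "type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
    {"bom-ref": "core-bp", "type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.12.2"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["web", "rep", "api"]},
    {"ref": "web", "dependsOn": ["core-old"]},
    {"ref": "rep", "dependsOn": ["core-bp"]}
  ]
}""")

if __name__ == "__main__":
    for f in audit_log4j(SAMPLE_SBOM):
        print(f"log4j-core {f['version']}: {'VULNERABLE' if f['vulnerable'] else 'ok'}")
        for p in f["paths"]:
            print("   via", p)
```

Run against a real file by replacing SAMPLE_SBOM with json.load(open(path)). The dependency path is the part a text-editor search cannot give you: when the vulnerable copy arrives through a framework rather than your own pom.xml or package.json, the fix is an upgrade of that framework, not a direct pin.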

A scan is only one part of a vigilant security strategy, according to Buckwalter, who advised coders to regularly check the sites that track ingredients gone bad—MITRE’s CVE list and NIST’s National Vulnerability Database among them.

“I still need to do my due diligence and make sure this current version of Log4j is not vulnerable to anything,” Buckwalter said.
