
Software Bill of Materials Repository for Django

Project description

Software Composition Analysis by Surface Security

sbom-repo

The SBOM repo uses OSV.dev data as its main source of truth and serves as a dependency vulnerability database.

The SBOM repo is a complementary module of Surface SCA, which lives within the main Surface app; docs and code are available at https://github.com/surface-security/surface/blob/sca/surface/sca. You can use it on its own or install it from PyPI as a Python application.

Database Source

OSV.dev is an open-source vulnerability database and triage infrastructure project, designed to help both open-source maintainers and consumers of open-source software effectively identify and address security vulnerabilities. It aims to provide precise vulnerability information in a way that is both easily accessible and actionable for developers and users of open-source software. It achieves this by automating the triage of vulnerabilities and maintaining a database where vulnerabilities are directly linked to the exact affected package versions, rather than relying on the more traditional, often vague, vulnerability descriptions. The vulnerability database and the tools provided by OSV.dev are continuously updated to reflect new vulnerabilities, improved triage mechanisms, and evolving best practices in software security. This means that, by using OSV.dev, every project we scan is always equipped with the latest security intelligence.

The SBOM repo is configured as a stand-alone module: it is a vulnerability database in its own right. It currently imports vulnerabilities from OSV.dev, but in principle it could import them from any other source.

The import is implemented in management/commands/resync_vulnerabilities.py, where we fetch the vulnerabilities from OSV.dev and create a Vulnerability object for each of them.

Process

By uploading an SBOM into the SBOM repo, we're able to quickly identify known vulnerabilities within software dependencies. This rapid identification allows for quicker remediation efforts, thereby reducing the window of exposure to potential exploits.

We use the concept of a purl to manage and track dependencies. A "purl" stands for "Package URL": a standardized way to identify and locate a software package within a package management system or ecosystem. Purls are designed to simplify referring to software packages across different programming languages, package managers, and packaging conventions. More on PyPI.

The SBOM repo saves the SBOM for each app/repo, plus information about which of its dependencies are vulnerable and the details of each finding. The SBOM is then imported into Surface for visibility and tracking of both dependencies and vulnerabilities.

Once we receive an SBOM, we check it for vulnerabilities against our Vulnerability Database and return a .json. That .json is then cleaned and prepared to create everything we need for a final SBOM to import into our application, where we display and track every dependency and vulnerability, alongside several other features. More in Surface SCA.
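As an added illustration of the purl-based matching described above (example code written for this page, not sbomrepo's own implementation), the following Python parses the purls of CycloneDX components and checks them against OSV-style vulnerability records. It assumes a small purl-type-to-ecosystem map, a simplified numeric-only version ordering, and constructed sample SBOM and vulnerability data.

```python
from urllib.parse import unquote
PURL_TYPE_TO_ECOSYSTEM = {"pypi": "PyPI", "npm": "npm", "golang": "Go"}  # subset, assumed for this example

def parse_purl(purl):  # 'pkg:type/namespace/name@version?qualifiers#subpath' -> dict
    scheme, _, rest = purl.partition(":")
    if scheme != "pkg": raise ValueError("not a purl: " + purl)
    path, _, version = rest.split("?", 1)[0].split("#", 1)[0].partition("@")  # drop qualifiers/subpath
    parts = [unquote(p) for p in path.strip("/").split("/")]
    ptype, name = parts[0].lower(), parts[-1]
    if ptype == "pypi": name = name.lower().replace("_", "-")  # PyPI names: case-insensitive, '_' == '-'
    return {"type": ptype, "namespace": "/".join(parts[1:-1]) or None, "name": name, "version": version or None}

def _vkey(v):  # simplified ordering: dotted numeric parts only, no pre-release tags
    return tuple(int(x) if x.isdigit() else 0 for x in v.split("."))

def version_affected(version, affected):
    """True if version is listed in an OSV 'affected' entry or falls inside one of its ranges."""
    if version in affected.get("versions", []): return True
    for rng in affected.get("ranges", []):
        if rng.get("type") not in ("ECOSYSTEM", "SEMVER"):
            continue  # GIT ranges need commit history to resolve
        lo = None
        for ev in rng.get("events", []):  # OSV orders events: introduced, fixed, introduced, ...
            if "introduced" in ev: lo = ev["introduced"]
            elif "fixed" in ev and lo is not None:
                if _vkey(lo) <= _vkey(version) < _vkey(ev["fixed"]):
                    return True
                lo = None
        if lo is not None and _vkey(lo) <= _vkey(version): return True  # introduced, no fix published yet
    return False

def find_vulnerable_components(sbom, vulns):
    """(purl, vuln id) pairs for every SBOM component matched on ecosystem, name and version."""
    hits = []
    for comp in sbom.get("components", []):
        p = parse_purl(comp["purl"])
        eco = PURL_TYPE_TO_ECOSYSTEM.get(p["type"])
        for v in vulns:
            for aff in v.get("affected", []):
                pkg = aff.get("package", {})
                if (pkg.get("ecosystem") == eco and pkg.get("name", "").lower() == p["name"]
                        and p["version"] and version_affected(p["version"], aff)):
                    hits.append((comp["purl"], v["id"]))
    return hits

# Constructed sample input in CycloneDX / OSV shape; the ids are not real advisories.
SAMPLE_SBOM = {"bomFormat": "CycloneDX", "components": [{"purl": "pkg:pypi/Django@3.2.0"}, {"purl": "pkg:npm/lodash@4.17.21"}]}
SAMPLE_VULNS = [
    {"id": "EXAMPLE-0001", "affected": [{"package": {"ecosystem": "PyPI", "name": "django"}, "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "3.2"}, {"fixed": "3.2.1"}]}]}]},
    {"id": "EXAMPLE-0002", "affected": [{"package": {"ecosystem": "npm", "name": "lodash"}, "versions": ["4.17.20"]}]}]
```

Running find_vulnerable_components(SAMPLE_SBOM, SAMPLE_VULNS) flags only the Django component, since lodash 4.17.21 is not in the explicit version list of the second record.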

How to run it

The SBOM repo is a PyPI package. You can install it with pip install django-sbomrepo inside your Django application. Make sure you include sbomrepo in INSTALLED_APPS in your settings.py and update your urls.py to include the sbomrepo URLs.

Features

  • Import SBOM: curl -F 'file=@./sbom.json' "http://localhost:8000/sbomrepo/v1/sbom?repo=${{GIT_URL}}&branch=${{GIT_BRANCH}}&main_branch={branch}"
  • Get SBOM: curl "http://localhost:8000/sbomrepo/v1/sbom/<serial_number>"
  • Get SBOM and Vulnerabilities: curl "http://localhost:8000/sbomrepo/v1/sbom/<serial_number>?vuln_data=true"
  • List All SBOMs: curl "http://localhost:8000/sbomrepo/v1/sbom/all"
  • Delete SBOMs: curl -X DELETE "http://localhost:8000/sbomrepo/v1/sbom/delete"
  • Reimport SBOM: curl -X POST "http://localhost:8000/sbomrepo/v1/sbom/<serial_number>/reimport"
  • Get Vulnerability: curl "http://localhost:8000/sbomrepo/v1/vulnerability/<id>"
  • Get Ecosystems: curl "http://localhost:8000/sbomrepo/v1/ecosystems"

Download files

Source Distribution

django_sbomrepo-0.0.8.tar.gz (19.2 kB)

  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/5.1.1 CPython/3.12.6

Hashes for django_sbomrepo-0.0.8.tar.gz

  • SHA256: 69ecfc201273af68a5066f54a0d1fdff0e73c9af7a3a2657a4970a3162ef2030
  • MD5: e6a72ec0f627796ca4f8b6856779ea74
  • BLAKE2b-256: 2777e7c69cf60f8b5d65f05d32b844d6011d5a16fd9e9d319ccb8d35801c051c

Built Distribution

django_sbomrepo-0.0.8-py3-none-any.whl (12.7 kB)

  • Tags: Python 3

Hashes for django_sbomrepo-0.0.8-py3-none-any.whl

  • SHA256: fa52b58ab21157c969c2027f6a8bbf60df3c52f9640280a0c9e0d7c48bd27e2d
  • MD5: f1a391668dac566df57e5bc658db1441
  • BLAKE2b-256: 0954ca6c288e13bfede8e2fcaa53e0d841f641d9f5ba364a3491c0cdb6f5d96d
