Introduction
The fifth blog in our series, today we’re exploring how to generate a Software Bill of Materials (SBOM) for the Haskell (Hackage) ecosystem and the importance of Software Composition Analysis (SCA) in maintaining the security and integrity of Haskell projects.
What are SBOMs and SCA Tools?
A Software Bill of Materials (SBOM) is an essential piece in product security. SBOMs offer a detailed inventory of all software components and dependencies within a project. In the Haskell ecosystem, maintaining an accurate SBOM is crucial due to the dynamic nature of Hackage packages and dependencies.
Software Composition Analysis (SCA) tools help you identify and manage vulnerabilities in these components, ensuring your projects remain secure.
What is Hackage and Haskell?
Hackage is the Haskell community’s central package archive of open-source software. Haskell is a purely functional programming language known for its strong static typing, high-level abstractions, and lazy evaluation.
How Do You Generate an SBOM for Haskell with Syft?
Syft is our chosen tool for generating SBOMs due to its compliance with SPDX/CycloneDX specifications and compatibility with Vigiles. Throughout our testing, Syft generated the most well-formed SBOM.
Steps to Generate an SBOM with Syft:
1. Download and Install Syft:
`curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin v1.3.0`
2. Change Directory to Your Project/Application Directory
3. Build Your Project:
`cabal build`
4. Freeze Dependencies:
`cabal freeze`
5. Generate SBOM:
`syft scan dir:./ -o cyclonedx-json=hackage.json`
How Do You Generate a Vulnerability Report with Vigiles?
Vigiles is the industry’s first Software Composition Analysis (SCA) and CVE (Common Vulnerabilities and Exposures) monitoring tool optimized for embedded Linux and usable for all open source software. Offered by Timesys, Vigiles is a comprehensive SBOM management, vulnerability monitoring, and remediation tool.
To view the SBOM generated by Syft and generate a vulnerability report, upload to Vigiles using the WebUI or using the vigiles-cli tool as shown below. Once uploaded, the tool will return a URL to the webUI.
`vigiles -k </path/to/key> manifest upload </path/to/sbom>`
Note: An active Vigiles Enterprise subscription is required to do this step. If you don’t have one already, you can try Vigiles Prime for free for 30-days here.
Sample SBOM WebUI View
In the Vigiles WebUI, you can view the SBOM component details such as name, version, and license information.
Sample Vulnerability View
In this view, you can see all the vulnerabilities associated with each package and available fixes.
Vigiles pulls from multiple security advisories, including but not limited to NVD, OSV (GitHub Security Advisory, PyPI Advisory, Go Vulnerability Database, Rust Advisory, Haskell Security Advisories, OSS-Fuzz, Debian Security Advisories, RConsortium Advisory).
What are the limitations of Haskell and Hackage?
At the time of writing, Syft does not contain all the elements prescribed in the NTIA minimum elements for an SBOM. Below are the missing fields in the CycloneDX JSON format:
- Supplier
- License information
Take Your Hackage and Haskell Software Security to the Next Level with Vigiles
Within the Hackage and Haskell ecosystems, the combination of Syft and Vigiles offers a powerful solution for generating and managing SBOMs. While Syft excels at generating well-formed SBOMs with high accuracy, Vigiles enhances this process by providing robust vulnerability monitoring and remediation capabilities. This synergy ensures your software remains secure and compliant with industry standards.
In addition, Vigiles offers:
- Curated CVE Database: Enjoy improved accuracy in CVE reporting with a meticulously curated database.
- Continuous Security Feed: Stay ahead of vulnerabilities with updates that align with your SBOMs.
- Advanced Filtering & Triage Tools: Quickly identify and prioritize vulnerabilities, streamlining the remediation process.
- Compliance Support: Easily meet industry compliance requirements for cybersecurity documentation and SBOM management.
- Integration & Collaboration: Seamlessly integrate with major Linux build systems and collaborate efficiently through tools like Jira.
———————————————
Tools evaluated
- syft (version – 1.3.0); https://github.com/anchore/syft
