Introduction

In the eleventh blog in our ecosystem series, we’ll be covering the process of generating a Software Bill of Materials (SBOM) for the Python (PyPI) ecosystem, emphasizing the significance of Software Composition Analysis (SCA) in ensuring the security and reliability of Python projects.

What is PyPI and Python?

PyPI (Python Package Index) is the official third-party software repository for Python. It enables Python developers to publish and share their software, facilitating the reuse of code and collaboration among the Python community.

Decoding SBOMs and Software Composition Analysis

A Software Bill of Materials or SBOM serves as a thorough inventory of all software components and dependencies used in a project. In the Python ecosystem, it’s vital to maintain an up-to-date SBOM due to the ever-changing landscape of PyPI packages. SCA tools assist in uncovering and addressing vulnerabilities within these components, ensuring your projects stay secure.

Generating an SBOM for Python with Syft

Why is Syft exceptional? Our extensive testing revealed that Syft generates the most well-formed SBOMs. Due to this and its compatibility with Vigiles, we have selected Syft as our preferred tool for SBOM generation in this blog series.

Steps to Generate an SBOM with Syft:

  1. Do you have Syft already? If so, skip this step. Otherwise, download and install the tool:
     `curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin v1.3.0`
  2. Afterwards, change the directory to your project/application directory.
  3. Now we can generate the SBOM by running the following command:
     `syft scan dir:./ -o cyclonedx-json=python.json`

Note: Syft scans for requirements.txt to find the Python package dependencies.

Generating a Vulnerability Report with Vigiles

Offered by Timesys, Vigiles is a robust tool for SBOM management, vulnerability monitoring, and remediation. To review the SBOM produced by Syft and create a vulnerability report, use these steps:

Upload the SBOM to Vigiles using the WebUI or the vigiles-cli tool as shown below. Once the upload completes, the tool returns a URL to the WebUI.

`vigiles -k </path/to/key> manifest upload </path/to/sbom>`

Note: An active Vigiles Enterprise subscription is required for this process. You can get one here.

Sample SBOM WebUI View

Within the Vigiles WebUI shown below, you can inspect SBOM component details like name, version, and licensing information.

Sample Vulnerability View

You can view all vulnerabilities associated with each package and the fixes available, as seen in the below section.

Vigiles gathers information from a variety of security advisories, including NVD, OSV (GitHub Security Advisory), PyPI Advisory, Go Vulnerability Database, Rust Advisory, Haskell Security Advisories, OSS-Fuzz, Debian Security Advisories, and RConsortium Advisory.

Limitations of PyPI and Python

Currently, Syft’s output does not include all of the fields required by the NTIA minimum elements for an SBOM. The fields missing from the CycloneDX JSON output are:

  • Supplier
  • License information
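
As an added example (not code from this post, from Syft or from Vigiles), the script below reads the CycloneDX JSON written by the Syft command in the steps above and reports, per component, which of the two NTIA elements named in this section are absent, so the gap can be measured on a real SBOM rather than assumed. The embedded sample SBOM is constructed for the example; the `supplier` and `licenses` keys follow the CycloneDX component schema, and `pkg:pypi/` is the package URL type Syft uses for Python packages.

```python
import json
import sys
from typing import Dict, List

# Constructed sample with the shape of the CycloneDX JSON that
# `syft scan dir:./ -o cyclonedx-json=python.json` writes; only the
# fields inspected below are modelled, a real document has many more.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "urllib3", "version": "2.0.7",
         "purl": "pkg:pypi/urllib3@2.0.7",
         "supplier": {"name": "urllib3 maintainers"},
         "licenses": [{"license": {"id": "MIT"}}]},
    ],
})

# CycloneDX component keys holding the two NTIA elements the post
# reports as missing from Syft's output: supplier and license info.
NTIA_FIELDS = ("supplier", "licenses")

def audit_sbom(sbom_text: str) -> Dict[str, List[str]]:
    """Map each NTIA field to the identifiers of components that lack it."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    missing: Dict[str, List[str]] = {field: [] for field in NTIA_FIELDS}
    for comp in doc.get("components", []):
        # Prefer the package URL as identifier; fall back to name@version.
        ident = comp.get("purl") or f"{comp.get('name')}@{comp.get('version')}"
        for field in NTIA_FIELDS:
            if not comp.get(field):  # key absent, or an empty list/object
                missing[field].append(ident)
    return missing

def pypi_purls(sbom_text: str) -> List[str]:
    """Package URLs of components Syft attributed to the PyPI ecosystem."""
    doc = json.loads(sbom_text)
    return [c["purl"] for c in doc.get("components", [])
            if str(c.get("purl", "")).startswith("pkg:pypi/")]

if __name__ == "__main__":
    # Usage: python audit_sbom.py python.json  (defaults to the sample above)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SBOM
    for field, comps in audit_sbom(text).items():
        print(f"{field}: {len(comps)} component(s) missing -> {comps}")
```

Run it against the python.json produced earlier to see how many components would need supplier and license data filled in before the SBOM meets the NTIA minimum.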

Simplifying SBOM and Vulnerability Control with Syft and Vigiles

Combining Syft and Vigiles offers a formidable solution for generating and managing SBOMs in the Python ecosystem. Syft’s precision in SBOM creation is enhanced by Vigiles’ comprehensive vulnerability monitoring and remediation capabilities, ensuring your software remains secure and industry-compliant.

Get Started with Vigiles Today

Experience the full benefits of SBOM and vulnerability management with Vigiles. Try Vigiles Prime free for 30 days and discover how it can streamline your vulnerability management process, safeguard your software, and accelerate compliance workflows. Contact us for a free evaluation of Vigiles Enterprise and take the first step towards a more secure development journey.

———————————————

Tools Evaluated