Introduction
In this blog, we’ll be exploring how to generate a Software Bill of Materials (SBOM) for the Dart (Pub) ecosystem and discuss the importance of Software Composition Analysis (SCA) in maintaining the security and integrity of Dart projects.
What is Pub and Dart?
Pub is the package manager for Dart, a client-optimized programming language for fast apps on any platform. Dart is designed for building web, server, desktop, and mobile applications.
The Essentials of SBOMs and SCA Explained
An SBOM (Software Bill of Materials) is a comprehensive list of all software components and dependencies within a project. For Dart projects, keeping an accurate SBOM is crucial given the constantly evolving nature of Pub packages.
SCA (Software Composition Analysis) tools are invaluable in detecting and managing vulnerabilities within these components, thus maintaining project security.
Generating an SBOM for Dart with Syft
What is great about Syft? We found, through vigorous testing, that Syft produces the most well-formed SBOM. For this reason and it’s compatibility with Vigiles, we are using Syft as our chosen tool for generating SBOMs throughout this blog series.
Steps to Generate an SBOM with Syft:
- To start with, be sure that you have downloaded and installed the tool:
`curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin v1.3.0`
- Now change the directory to your project/application directory.
- Next, run the below command to fetch dependencies:
`dart pub get`
- And finally to generate the SBOM, run the following command:
`syft scan dir:./ -o cyclonedx-json=pub.json`
How to Generate a Vulnerability Report with Vigiles
Vigiles, provided by Timesys, is an all-encompassing tool for SBOM management, vulnerability monitoring, and remediation. To analyze the SBOM created by Syft and generate a vulnerability report, follow these steps
- Upload to Vigiles using the WebUI or using the vigiles-cli tool as shown below. Once uploaded, the tool will return a URL to the webUI.
`vigiles -k </path/to/key> manifest upload </path/to/sbom>`
As previously mentioned in our other ecosystem blogs, an active Vigiles Enterprise subscription is required for this process.
Sample SBOM WebUI View
The following Vigiles WebUI view allows you to see the SBOM component details, including the name, version, and license information of each component.
Sample Vulnerability View
This next view displays all vulnerabilities linked to each package and the available fixes
Vigiles sources data from numerous security advisories, such as NVD, OSV (GitHub Security Advisory), PyPI Advisory, Go Vulnerability Database, Rust Advisory, Haskell Security Advisories, OSS-Fuzz, Debian Security Advisories, and RConsortium Advisory.
What are the limitations of Pub and Dart?
As of this blog post, Syft does not include all elements outlined in the NTIA minimum elements for an SBOM. The following fields are missing in the CycloneDX JSON format:
- Supplier
- License information
Ways to Maximize Security in the Dart Ecosystem
Using Syft to generate your SBOMs allows you to maintain a detailed inventory of your software components and dependencies. When you integrate Vigiles into your workflow, you gain access to a curated CVE database, continuous security feeds, and powerful filtering tools. This integration within the Dart ecosystem significantly reduces the risk of security breaches by keeping you informed about vulnerabilities in real-time
Ready to Get Started with Vigiles Today?
Experience the full benefits of SBOM and vulnerability management with Vigiles. Try Vigiles Prime free for 30 days and discover how it can streamline your vulnerability management process, safeguard your software, and accelerate compliance workflows. Contact us for a free evaluation of Vigiles Enterprise and take the first step towards a more secure development journey.
———————————————
Tools Evaluated
- Syft (version 1.3.0): Syft on GitHub
- cdxgen (version – 9.10.1); https://github.com/CycloneDX/cdxgen
