Introduction

In this fourth blog of our SBOM generation for various ecosystems series, we explore generating a Software Bill of Materials (SBOM) for the Go language ecosystem and review the significance of Software Composition Analysis (SCA) in maintaining the security and integrity of Go projects.


Understanding SBOMs and SCA

What does SBOM mean? SBOM stands for Software Bill of Materials and features a detailed inventory of all the software components and dependencies within a project. In the Go ecosystem, maintaining an accurate SBOM is essential due to the dynamic nature of Go modules and dependencies. Software Composition Analysis (SCA) tools help identify and manage vulnerabilities in these components, ensuring your projects remain secure.


What is Go (ecosystem)?

Go, also known as Golang, is an open-source programming language developed by Google. It is known for its simplicity, efficiency, and strong support for concurrent programming.


How Can You Generate an SBOM for Go with Syft?

First, why Syft? As we tested each ecosystem, we found that Syft generated the most well-formed SBOM. As such, Syft is our chosen tool in this series for generating SBOMs. In addition, Syft offers SPDX/CycloneDX compliance specifications and compatibility with Vigiles.


The steps to generate an SBOM with Syft:

  1. If you haven’t done so already, first download and install Syft:
     `curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin v1.3.0`
  2. Next, change the directory to your project/application directory.
  3. Now run the below command if it has not been previously run:
     `go mod download`

Note: By default, transitive dependencies are not included and are typically not needed. However, if you need them in the SBOM you can optionally run the below commands before running the previous command (the `SET` form is for the Windows command prompt; in a POSIX shell use `export GOMODCACHE=...` instead):

  • `mkdir cache_module`
  • `SET GOMODCACHE=<your-project-directory/cache_module>`

  4. Finally, generate the SBOM by running the following command:
     `syft scan dir:./ -o spdx-json=go.json`


Generating a Vulnerability Report with Vigiles

Vigiles is a comprehensive SBOM management, vulnerability monitoring, and remediation tool offered by Timesys. To view the SBOM generated above and generate a vulnerability report, follow these steps:

  1. Upload to Vigiles using the WebUI or using the vigiles-cli tool as shown below. Once uploaded, the tool will return a URL to the WebUI.
     `vigiles -k </path/to/key> manifest upload </path/to/sbom>`

Note: If you don’t have one already, you will need an active Vigiles Enterprise subscription.


Sample SBOM WebUI View

In the Vigiles WebUI, you can view the SBOM component details such as name, version, and license information.


Sample Vulnerability View

In this view, you can see all the vulnerabilities associated with each package and available fixes.

Vigiles pulls from multiple security advisories, including but not limited to NVD, OSV (GitHub Security Advisory, PyPI Advisory, Go Vulnerability Database, Rust Advisory, Haskell Security Advisories, OSS-Fuzz, Debian Security Advisories, RConsortium Advisory).


What are the limitations of Go?

At the time of writing, Syft does not contain all the elements prescribed in the NTIA minimum elements for an SBOM. Below are the missing fields in the CycloneDX JSON format:

  • Supplier
  • License information
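As an added example (not part of the original post, and not Syft's or Vigiles' own code), the following Go program reads the spdx-json document produced by the `syft scan` step above and reports which packages lack the supplier and license elements listed here, so the gap can be caught before the SBOM is uploaded. The embedded SBOM is a constructed sample; the field names follow the SPDX 2.3 JSON schema, and `NOASSERTION` is treated the same as an absent field.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Subset of the SPDX 2.3 JSON package fields that Syft's spdx-json output carries.
type spdxPackage struct {
	Name             string `json:"name"`
	VersionInfo      string `json:"versionInfo"`
	Supplier         string `json:"supplier"`
	LicenseConcluded string `json:"licenseConcluded"`
	LicenseDeclared  string `json:"licenseDeclared"`
}
// isNoAssertion treats an absent field and the SPDX NOASSERTION sentinel alike.
func isNoAssertion(v string) bool { return v == "" || v == "NOASSERTION" }

// MissingNTIAFields returns, keyed by name@version, which of supplier/license each package lacks.
func MissingNTIAFields(sbom []byte) (map[string][]string, error) {
	var doc struct {
		Packages []spdxPackage `json:"packages"`
	}
	if err := json.Unmarshal(sbom, &doc); err != nil {
		return nil, err
	}
	gaps := map[string][]string{}
	for _, p := range doc.Packages {
		key := p.Name + "@" + p.VersionInfo
		if isNoAssertion(p.Supplier) {
			gaps[key] = append(gaps[key], "supplier")
		}
		if isNoAssertion(p.LicenseConcluded) && isNoAssertion(p.LicenseDeclared) {
			gaps[key] = append(gaps[key], "license")
		}
	}
	return gaps, nil
}
// Constructed sample shaped like Syft's spdx-json output; not a real scan result.
const sampleSBOM = `{"spdxVersion": "SPDX-2.3", "packages": [
 {"name": "golang.org/x/crypto", "versionInfo": "v0.21.0", "supplier": "NOASSERTION",
  "licenseConcluded": "NOASSERTION", "licenseDeclared": "BSD-3-Clause"},
 {"name": "github.com/example/lib", "versionInfo": "v1.2.3",
  "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION"}]}`
func main() {
	gaps, err := MissingNTIAFields([]byte(sampleSBOM))
	if err != nil {
		panic(err)
	}
	fmt.Println(gaps) // prints map[github.com/example/lib@v1.2.3:[supplier license] golang.org/x/crypto@v0.21.0:[supplier]]
}
```

To run it against a real scan, replace `sampleSBOM` with the contents of the `go.json` file written by Syft.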


How Can You Streamline SBOM and Vulnerability Management with Syft and Vigiles?

The combination of Syft and Vigiles offers a powerful solution for generating and managing SBOMs in the Go ecosystem. Syft excels at creating well-formed SBOMs with high accuracy and Vigiles further enhances this process by providing robust vulnerability monitoring and remediation capabilities.

This synergy ensures your software remains secure and compliant with the constantly evolving industry standards.


Take Your Go Ecosystem Software Security to the Next Level

By combining Syft’s accurate SBOM generation with Vigiles’ comprehensive vulnerability management within the Go ecosystem, you can greatly enhance your software’s security posture. Not only does Vigiles help in identifying vulnerabilities, but Vigiles will also provide you with direct links to patches and remediation options, streamlining the process of securing your software.


Get Started with Vigiles Today

Ready to experience the full benefits of SBOM and vulnerability management with Vigiles? Try Vigiles Prime for free for 30 days and unlock a streamlined vulnerability management process, safeguard your software, and accelerate compliance workflows.

Contact us for a free evaluation of Vigiles Enterprise and take the first step towards a more secure development journey.


———————————————

Tools evaluated