How to create SBOMs for free with CodeSec by Contrast
Jacob Mages-Haskins, Staff Software Engineer, Contrast Security
Jacob is a software developer with decades of experience. He lives in New England with his family and loves reading, gardening and the outdoors.
A recent executive order from the Biden White House directs various government agencies to take action to improve the country's cybersecurity. One of these measures is the provision of guidelines and standards for software bills of materials (SBOMs). In this article we will explore what SBOMs are and how to easily create them using Contrast Security's free developer toolset, CodeSec.
An SBOM is a standardized format for recording all components of a software product. It lists every open source library used, any other third-party proprietary libraries, and some metadata about the custom code in the product. The hope is that software buyers such as the federal government will be able to search SBOMs to detect and fix, early, vulnerabilities hidden in the various parts of the products they use.
Compiling and authoring an SBOM by hand can be a maintenance nightmare. No one in their right mind wants the chore of going through all the libraries used in a project and recording their information in a very strict JSON (JavaScript Object Notation) format. Imagine the mistakes that creep in a few hours into such a task, once your mind starts drifting to something more interesting.
Luckily, CodeSec by Contrast provides a very simple command to create SBOMs. After installing CodeSec, open your terminal, navigate to the top level of your project and run the following command:
contrast audit --save
The path of the saved SBOM file is printed at the end of the contrast audit output.
Towards the end of the audit command's output, CodeSec lists the name of the saved SBOM file. Viewing this file shows that it is a very large JSON dataset describing the example project and the many libraries it uses. Other highlights worth mentioning are that the SBOM format used, the software vendor and the project name are all recorded in the file.
Once this file is created, it can be made available to customers or other security professionals in your organization as needed.
Since CodeSec is a command line tool, it is also possible to build automation around the creation of SBOMs. For example, you can add the following line to your project's pre-commit Git hook to create the SBOM and then add it to the commit, automatically and for free, on every commit:
git add "$(contrast audit --save | grep -e "(SBOM)" | cut -d " " -f 10)"
This command, when placed in a pre-commit hook, runs the CodeSec audit and tells it to create an SBOM, uses grep to find the line in the audit output that reports the SBOM filename, and then cuts that line into chunks at each space and grabs the tenth chunk, which is the full SBOM filename. After that, it runs Git's add command to add the SBOM file to the current commit. Note that the command substitution must sit inside double quotes, not single quotes: single quotes would prevent the shell from expanding $(...) and git would be asked to add a file literally named "$(contrast audit ...)".
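The one-liner above stages whatever the tenth field of the matching line happens to be, so if the audit fails or prints nothing matching "(SBOM)", the hook would run `git add ""` and the commit would go ahead without an SBOM. The following pre-commit hook is an added example, not CodeSec's own code and not from the original post: it keeps the article's parsing approach (a line containing "(SBOM)" whose tenth space-separated field is the filename) but checks that a filename was actually found and that the file exists before staging it, and aborts the commit otherwise. The sample audit output embedded in it is constructed for offline demonstration; the real wording of CodeSec's output line is the article's assumption, not verified here.

```shell
#!/bin/sh
# Hypothetical pre-commit hook (added example, not Contrast's code).
# Assumption from the article: `contrast audit --save` prints one line
# containing "(SBOM)" whose 10th space-separated field is the saved filename.

# Pull the SBOM path out of captured audit output ($1).
# Prints an empty string if no "(SBOM)" line is present.
extract_sbom_path() {
    printf '%s\n' "$1" | grep -e "(SBOM)" | head -n 1 | cut -d " " -f 10
}

# Constructed sample output shaped to the article's description; the real
# CodeSec output may differ, which is exactly why the checks below exist.
SAMPLE_OUTPUT="Scanning dependencies of example-app...
Software bill of materials (SBOM) for example-app saved to ./contrast-sbom.json
Audit complete"

# Validate the extracted path and stage it. Returns non-zero (aborting the
# commit when used as a hook) if no SBOM was produced.
stage_sbom() {
    audit_output="$1"
    sbom_path=$(extract_sbom_path "$audit_output")
    if [ -z "$sbom_path" ]; then
        echo "pre-commit: no SBOM filename found in audit output; aborting commit" >&2
        return 1
    fi
    if [ ! -f "$sbom_path" ]; then
        echo "pre-commit: SBOM file '$sbom_path' does not exist; aborting commit" >&2
        return 1
    fi
    git add -- "$sbom_path"
}

# Hook entry point: only runs when CodeSec is installed, so the functions
# above can be exercised against SAMPLE_OUTPUT without the tool present.
if command -v contrast >/dev/null 2>&1; then
    stage_sbom "$(contrast audit --save 2>&1)" || exit 1
fi
```

Install it as .git/hooks/pre-commit and make it executable. Because `set -e` is not in effect inside a pipeline's earlier stages, a missing "(SBOM)" line simply yields an empty path, which `stage_sbom` turns into a clear failure instead of a silent commit without an SBOM.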
An SBOM provides more transparency into the components a software product uses, and that knowledge helps reduce cybersecurity risk for buyers of the product. CodeSec provides a super simple mechanism to create SBOMs, which in turn opens up even more possibilities for automating the SBOM creation process. Get started today!